A vulnerability scan finds a critical flaw on an internet-facing SFTP gateway with public exploit code, and a high-severity flaw on an internal lab server that is only reachable from a restricted subnet. Which should be remediated first?

The internal lab server, because every high-severity finding should be fixed first.

Severity matters, but exposure and exploit availability also affect real-world urgency.

Both systems can wait until the next scheduled maintenance window.

Delaying both ignores the fact that one system is actively exposed to attack.

Neither system needs urgent action because the lab server is isolated.

Isolation reduces risk for the lab server, but it does not make the gateway safe.

What does this SY0-701 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: The internet-facing SFTP gateway, because it has higher immediate risk. — The internet-facing SFTP gateway should be remediated first because exposure and public exploit code make it the highest immediate risk. A vulnerable system that attackers can reach from the internet is far more likely to be exploited than an internal server behind a restricted subnet. Security+ prioritization is not just about severity scores; it also considers attack surface, accessibility, and whether exploitation is already practical in the real world. Why others are wrong: Fixing the lab server first ignores the fact that it has much lower exposure and lower likelihood of immediate exploitation. Delaying both is risky because the public service may already be targeted. Saying the isolated lab server makes everything safe is incorrect; the internet-facing gateway still presents a direct opportunity for attackers.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.