Question 4 - CompTIA (CYSA+) Analyst+ CS0-003 Real Exam Questions [Jan 2026 Update]

Q: 4

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options

Correct Answer:

Explanation

The primary differentiator for prioritization among the given options is the Attack Vector (AV) metric within the CVSSv3 string. The AV:N (Network) vector indicates that the vulnerability is exploitable remotely from the internet. This represents the broadest attack surface and the highest immediate risk, as an attacker requires no prior access to the local or adjacent network. When other metrics like Attack Complexity (AC:L), Privileges Required (PR:L), and Impact (C:H/I:H/A:H) are identical, the vulnerability that can be exploited from anywhere on the network should always be remediated first.

Why Incorrect

A. AV:P (Physical) requires physical access to the target system, representing the lowest level of risk and therefore the lowest priority for remediation.

B. AV:A (Adjacent) requires the attacker to be on the same local network, which is a more limited attack surface than a network-exploitable vulnerability.

D. AV:L (Local) requires the attacker to have existing access to the system, making it a lower priority than a remotely exploitable vulnerability.

References

1. FIRST.org

Inc. (2019). Common Vulnerability Scoring System v3.1: Specification Document. Section 2.1.1

Attack Vector (AV). The document states

"The Base Score is highest for a vulnerability that can be exploited remotely (AV:N)... This is because the attacker does not require any local or physical access to the vulnerable component." This directly supports prioritizing AV:N.

2. Mell

& Scarfone

K. (2005). The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems (NISTIR 7435). National Institute of Standards and Technology. Section 3.1

"Base Metrics

" discusses how the Attack Vector metric captures the context by which vulnerability exploitation is possible

with Network being the most critical.

3. Purdue University. CS 42600: Computer Security

Lecture 18 - Vulnerabilities. Course materials discuss vulnerability analysis and CVSS. The lectures emphasize that the Attack Vector is a critical component for prioritization

with network-based vectors (AV:N) posing a significantly higher risk than local

adjacent

or physical vectors due to the vast number of potential remote attackers.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE