During a vulnerability assessment, a security analyst discovers that a legacy application is running on port 8080 with a known critical CVE that has no patch available. What should be the analyst's FIRST course of action?

  1. Document the finding and escalate to management for risk decision ✓
  2. Immediately shut down the application to prevent exploitation
  3. Implement a web application firewall (WAF) to block exploit attempts
  4. Request the vendor to provide an emergency patch

Correct answer: Document the finding and escalate to management for risk decision

When a vulnerability has no available patch, the analyst's first obligation under a sound risk management process is to document the finding (affected host and port, CVE identifier, severity, exposure, and the fact that no vendor fix exists) and escalate it to management, so leadership can make an informed risk-acceptance or risk-treatment decision. That makes Option 1 correct. Option 2 (immediately shutting down the application) may be the eventual outcome, but it is a business decision, not a unilateral analyst action; abruptly halting a production application without authorization can cause unacceptable operational disruption. Option 3 (deploying a WAF) is a valid compensating control, but it is a technical remediation step that should follow the risk decision, not precede management notification. Option 4 (requesting an emergency vendor patch) is not actionable when the CVE is stated to have no patch available, so it is an ineffective first step.

Topic: vulnerability management, risk escalation, unpatched CVE, CySA+

Practice CompTIA CySA+ (CS0-003) Questions Free