Which of the following best describes a zero-day vulnerability?

  1. A vulnerability that only impacts end-of-life operating systems
  2. A vulnerability that is unknown to the vendor and has no available patch ✓
  3. A vulnerability that affects systems with zero security controls
  4. A vulnerability that has been known to the vendor for more than 30 days

Correct answer: A vulnerability that is unknown to the vendor and has no available patch

Option B is correct because a zero-day vulnerability is one that is unknown to the software vendor (or has only just been disclosed), meaning no official patch or mitigation exists yet, leaving systems fully exposed until one is developed. Option A is wrong because zero-day vulnerabilities can affect fully supported, modern software and are not limited to end-of-life systems. Option C is wrong because a zero-day refers to the patch-timeline status of the vulnerability, not to the security posture of the affected system. Option D contradicts the definition entirely; once a vendor has known about a flaw for any period and has issued a patch, it is no longer considered a zero-day.

Topic: Threats, Vulnerabilities, and Mitigations · zero-day, vulnerability management, patch management, threat intelligence

Practice CompTIA Security+ (SY0-701) Questions Free