Vulnerability Management

Estimated time: 20-30 minutes

Question 1 of 20

A security researcher discovers a critical vulnerability in a widely used web browser that allows attackers to gain Remote Code Execution. The browser vendor is unaware of the flaw, and no patch currently exists. The organization must implement temporary protective measures, such as installing a WAF, while awaiting a vendor-supplied fix. What type of vulnerability is described?

Question 2 of 20

During a security audit, an assessor finds that a newly deployed network storage appliance still uses the factory default administrator credentials "admin/admin" and has unnecessary Telnet ports open to the internet. Which description BEST explains what caused this situation to occur?

Question 3 of 20

A threat actor compromises a control panel in a public-facing web server and forces it to reconfigure itself to accept connections using TLS 1.0 and 1.1 instead of TLS 1.3. Which type of action is being described?

Question 4 of 20

A legacy application written in C++ processes user input without bounds checking, allowing an attacker to write more data into a memory location than the size allocated for that variable by the host operating system. This leads to the attacker being able to execute arbitrary code. Which type of attack is involved AND which secure development practice would have prevented this vulnerability?

Question 5 of 20

Following a series of successful cyber attacks on a company's web applications, such as SQL injection and directory traversal attacks, the CISO asks for two suggestions to mitigate these attacks in the future. Which TWO solutions are the BEST approaches?

Question 6 of 20

An attacker who has gained access to the internal network sends a command to the legitimate Windows process lsass.exe to harvest credential hashes from memory. The attacker then uses the stolen NTLM hashes to authenticate to the Windows backend authentication service without knowing the user's plaintext password. Which type of attack is this?

Question 7 of 20

An application checks if a user has write permissions to a configuration file, then opens the file 200 milliseconds later. During that time, an attacker replaces the file with a symlink pointing to a critical system file. Which vulnerability type does this describe?

Question 8 of 20

An employee, frustrated by corporate Mobile Device Management restrictions, downloads a productivity app APK from a third-party website instead of the official app store, accidentally installing malware that bypasses the organization's Acceptable Use Policy. Which risk is this?

Question 9 of 20

An attacker posts a comment on a public social media page that contains a malicious JavaScript payload. When other users view the comment, their session cookies are sent to the attacker's server. Which type of XSS is this?

Question 10 of 20

A web application's search function constructs queries by concatenating user input directly into the query string: query = "SELECT * FROM products WHERE name = '" + userInput + "'";. An attacker inputs ' OR '1'='1 to extract all data without authorisation. Which vulnerability is present?

Question 11 of 20

An attacker captures a valid authentication request containing encrypted credentials from a legacy system that does not use timestamps or session tokens. The attacker retransmits this exact packet a day later and successfully gains access via a legitimate authenticated session. Which attack type is being described?

Question 12 of 20

An attacker rents a botnet to flood a company's internet connection with 500 Gbps of UDP traffic, saturating the available bandwidth and preventing legitimate users from accessing the company's website. Which is the most accurate description of this attack?

Question 13 of 20

An employee plugs a personal Wireless Access Point into an Ethernet socket in a conference room to get better Wi-Fi coverage, creating an unsecured entry point into the corporate LAN that bypasses the corporate firewall. Which threat is described?

Question 14 of 20

An attacker sets up a Wireless Access Point named "CompanyGuest" that mimics the legitimate "Company-Guest" SSID and captures credentials through a fake captive portal login page. What is the best description for this attack?

Question 15 of 20

An attacker attempts to authenticate to thousands of user accounts using the same common password "Summer2026!" to avoid triggering the account lockout policies that brute-forcing a single account would trigger. Which attack is taking place?

Question 16 of 20

After breaching a user database, an attacker exfiltrates the stolen password hashes and uses a GPU-powered cracking setup with rainbow tables and Hashcat to determine the plaintext passwords without interacting with the target system. Which is the BEST description for this attack?

Question 17 of 20

To get accurate patch levels and check for registry configuration issues, a vulnerability scanner logs into target Windows servers using valid domain administrator authentication to inspect installed software and system settings. Which scan type is this?

Question 18 of 20

A security analyst uses publicly available search engines to identify and index webpages belonging to their organization that are exposed to the public internet. Which threat intelligence gathering method is this?

Question 19 of 20

A vulnerability scanner reports that a Linux server is vulnerable to CVE-2019-6572 because the installed OpenSSL version appears to be an old version. However, the organization's security team has manually verified that the vendor applied the correct security patch to the installed version, so the vulnerability does not actually exist. What is this scanner result called?

Question 20 of 20

An organization's vulnerability scanner is configured to only check for CVEs published before 2023. A critical vulnerability in a web application discovered in 2024 is present but not detected by the scan, leaving the organization unaware of the exposure to risk. What is this type of scanning error?