🔥 3-day streak
CompTIA PenTest+ (PT0-003)21 / 175
Question 21 of 175

During analysis of a scan report, you find two findings on an internal application server: (1) a CVE with a CVSS base score of 9.8 that requires the attacker to already have local administrative access and for which no public exploit or proof-of-concept exists, and (2) a CVE with a CVSS base score of 7.5 that is remotely exploitable over the network, unauthenticated, and has a weaponized Metasploit module publicly available. Given limited time in the engagement, which finding should you prioritize for exploitation first and why?

Reviewed for accuracy · Report an issueNext question