CompTIA PenTest+ (PT0-003) · Domain 3 · 17% of exam

Vulnerability Discovery and Analysis

Drill 20 practice questions focused entirely on Vulnerability Discovery and Analysis for the CompTIA PT0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

During a web application assessment, your Burp Suite active scan flags a high-severity SQL injection vulnerability on a login form's username parameter. Before including it in your report, you want to confirm the finding is not a false positive with the least intrusive verification method. Which action best confirms the vulnerability?

Reviewed for accuracy · Report an issue
Question 2 of 20

During an internal engagement, your credentialed scan reports three findings on separate hosts: (1) a low-severity information-disclosure flaw on a web app that leaks internal hostnames and a service account name, (2) a medium-severity SMB signing-not-required setting on a file server, and (3) a low-severity anonymous LDAP bind on a domain controller. Individually each rates below the client's remediation threshold. The client asks why you flagged these as a single high-priority item in your report. Which analysis best justifies elevating the combined risk?

Reviewed for accuracy · Report an issue
Question 3 of 20

A penetration tester merges vulnerability scan results from three subnets and receives 4,200 individual findings. Analysis shows that 3,100 of them are variations of 'Missing security patch' reported per-host, and most trace back to a single unpatched base image used across the environment. The tester must present actionable results to a client with a limited remediation window. What is the MOST effective way to analyze and prioritize these findings for the report?

Reviewed for accuracy · Report an issue
Question 4 of 20

During an internal engagement, your vulnerability scanner flags a Windows file server as vulnerable to a critical RCE (CVE-2023-XXXX) affecting a specific print spooler version. The scanner scored it CVSS 9.8. Before adding it to the report as an exploitable critical finding, you want to determine whether the vulnerability is truly present and reachable without crashing the production server. Which action BEST validates this finding while minimizing operational risk?

Reviewed for accuracy · Report an issue
Question 5 of 20

During a credentialed authenticated scan of a client's Linux web server, your scanner flags CVE-2021-44228 (Log4Shell) as a high-severity finding based on the Apache HTTP Server banner. Before including it in your report, you must validate whether it is a true positive. Which action provides the strongest evidence that this finding is a false positive?

Reviewed for accuracy · Report an issue
Question 6 of 20

During analysis of a scan report, you find two findings on an internal application server: (1) a CVE with a CVSS base score of 9.8 that requires the attacker to already have local administrative access and for which no public exploit or proof-of-concept exists, and (2) a CVE with a CVSS base score of 7.5 that is remotely exploitable over the network, unauthenticated, and has a weaponized Metasploit module publicly available. Given limited time in the engagement, which finding should you prioritize for exploitation first and why?

Reviewed for accuracy · Report an issue
Question 7 of 20

During an internal assessment, your vulnerability scanner returns two CVSS 9.8 findings: (1) an unauthenticated RCE on a lab print server that has no network route to production and stores no data, and (2) an unauthenticated RCE on a domain controller that hosts Active Directory for the entire organization. Both have public, weaponized exploits. Your remediation report must prioritize the findings. Which approach correctly reflects vulnerability prioritization for this engagement?

Reviewed for accuracy · Report an issue
Question 8 of 20

During analysis of a vulnerability scan for an internet-facing web application server, a penetration tester finds several high and critical CVSS-rated findings. The client has limited remediation capacity and asks the tester which vulnerability should be addressed first. All findings have similar CVSS base scores. Which additional data source should the tester consult to identify vulnerabilities that are being actively exploited in the wild by threat actors?

Reviewed for accuracy · Report an issue
Question 9 of 20

During an internal assessment, a penetration tester runs an unauthenticated network vulnerability scan against a fleet of Windows workstations. The report shows only a handful of network-service findings, yet the client insists their patch management is inconsistent and many local application vulnerabilities likely exist. The tester wants the most accurate view of missing OS and third-party patches (e.g., outdated Adobe Reader, unpatched local privilege-escalation flaws) without deploying agents. What should the tester do next?

Reviewed for accuracy · Report an issue
Question 10 of 20

A penetration tester completes an authenticated scan of a client's environment and must prioritize remediation guidance. Four validated (non-false-positive) findings remain. Given the tester's goal of prioritizing by real-world exploitability and business impact, which finding should be ranked highest?

Reviewed for accuracy · Report an issue
Question 11 of 20

During the reconnaissance phase of an authorized physical and social-engineering assessment, a penetration tester reviews recovered documents from an unsecured recycling bin behind the client's corporate office. Among the papers are internal org charts, a printout of a project schedule with employee names and phone extensions, and an expired network diagram. Which conclusion best describes the value of this discovery to the engagement?

Reviewed for accuracy · Report an issue
Question 12 of 20

During analysis of a large scan report, a penetration tester must recommend which vulnerability to prioritize for remediation. Two findings stand out: Finding X has a CVSS base score of 9.8 but an EPSS (Exploit Prediction Scoring System) score of 0.4% and no public exploit; Finding Y has a CVSS base score of 7.5, an EPSS score of 92%, and is actively being weaponized in the wild against internet-facing hosts identical to the client's exposed web server. Which recommendation best reflects risk-based prioritization?

Reviewed for accuracy · Report an issue
Question 13 of 20

During an authenticated vulnerability scan of a Debian-based web server, the scanner flags OpenSSH as vulnerable to a critical CVE, citing the reported version banner of 8.4p1. The client insists the system is fully patched via their standard apt update process. Before including this finding in the report, what is the MOST accurate way for you to determine whether this is a false positive?

Reviewed for accuracy · Report an issue
Question 14 of 20

During an internal engagement, you run both an unauthenticated and a credentialed OpenVAS scan against the same Windows workstation. The unauthenticated scan reports a critical remote code execution vulnerability in an outdated version of a service, but the credentialed scan does not list that finding at all. Local patch records confirm the relevant update was installed last month. Which conclusion best explains the discrepancy, and what should you do?

Reviewed for accuracy · Report an issue
Question 15 of 20

During the social-engineering discovery phase of an authorized engagement, a penetration tester is preparing a spear-phishing campaign against a company's finance department. The tester has already collected employee names, job titles, and email addresses. To maximize the credibility of the pretext before launching the campaign, which additional discovery activity provides the MOST value?

Reviewed for accuracy · Report an issue
Question 16 of 20

During a physical security assessment of a corporate headquarters, a penetration tester observes that employees enter the building by tapping proximity badges against a reader near an unmonitored side entrance. The tester wants to identify a low-cost attack vector that would let them gain unauthorized entry while gathering intelligence for the report. Which discovery activity BEST supports identifying an exploitable physical weakness at this entrance?

Reviewed for accuracy · Report an issue
Question 17 of 20

During an internal network assessment, you produce four validated findings: (1) an unauthenticated remote code execution vulnerability on an isolated lab host with no network route to production, (2) a stored XSS on the internal HR portal used by 400 employees, (3) a plaintext credential set found in a world-readable file share that includes a domain administrator password, and (4) a missing HTTP security header on a public marketing site. Management asks you to rank the single finding that should be remediated first based on realistic exploitability and business impact. Which finding do you place at the top?

Reviewed for accuracy · Report an issue
Question 18 of 20

During an internal network assessment, your credentialed scan returns four confirmed findings. Management asks which one to remediate first based on real-world risk, not just base score. Given the following, which vulnerability should be prioritized for immediate exploitation and remediation?

Reviewed for accuracy · Report an issue
Question 19 of 20

During an internal engagement, your version scan reveals a host running vsftpd 2.3.4 on TCP 21. Before attempting any exploitation, you want to determine whether a public exploit exists for this exact software version and understand the attack vector it uses. Which action most directly accomplishes this research step?

Reviewed for accuracy · Report an issue
Question 20 of 20

During an internal assessment, your automated scanner reports that a web server on port 8443 is vulnerable to a critical POODLE (CVE-2014-3566) SSLv3 downgrade attack. The client is skeptical because they claim SSLv3 was disabled last year. Before including this in the report, which action MOST reliably confirms whether the finding is a genuine vulnerability or a false positive?

Reviewed for accuracy · Report an issue

More PT0-003 practice

Keep going with the other CompTIA PenTest+ (PT0-003) domains, or take a full timed mock exam.

← Back to PT0-003 overview