210-255 · Question #2
Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or manipulate the vulnerable component?
The correct answer is B. physical. The CVSSv3 Physical attack vector is the only metric value requiring an attacker to physically touch or manipulate the vulnerable component to exploit it.
Question
Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or manipulate the vulnerable component?
Options
- Alocal
- Bphysical
- Cnetwork
- Dadjacent
How the community answered
(30 responses)- B90% (27)
- C7% (2)
- D3% (1)
Why each option
The CVSSv3 Physical attack vector is the only metric value requiring an attacker to physically touch or manipulate the vulnerable component to exploit it.
The Local attack vector requires the attacker to have a local account or command-line access but does not require physically touching or manipulating the hardware component itself.
CVSSv3 defines the Physical (P) attack vector as requiring the attacker to physically touch or manipulate the vulnerable component - examples include cold boot attacks, hardware implants, or exploiting a device only accessible via direct connection. This is the most restrictive attack vector in the CVSSv3 specification because exploitation cannot be performed remotely or across a network.
The Network attack vector means the component is exploitable from any remote network location with no physical proximity or local access required.
The Adjacent attack vector requires the attacker to share the same network segment or broadcast domain as the target but does not require physical contact with the device.
Concept tested: CVSSv3 Physical Attack Vector metric definition
Source: https://www.first.org/cvss/v3.0/specification-document
Topics
Community Discussion
No community discussion yet for this question.