nerdexam
(ISC)2

CISSP · Question #447

In organization discovers that its secure file transfer protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in s

The correct answer is A. Buffer overflow. The audit identified weaknesses in software change control and security patch management, pointing to an unpatched vulnerability as the likely attack vector. Buffer overflow exploits are classic unpatched software vulnerabilities addressed through patch management.

Submitted by satoshi_tk· Mar 5, 2026Security Architecture and Engineering

Question

In organization discovers that its secure file transfer protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization's general information technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas. Which of the following is the MOST probable attack vector used in the security breach?

Options

  • ABuffer overflow
  • BWeak password able to lack of complexity rules
  • CDistributed Denial of Service (DDoS)
  • DCross-Site Scripting (XSS)

How the community answered

(55 responses)
  • A
    69% (38)
  • B
    5% (3)
  • C
    9% (5)
  • D
    16% (9)

Why each option

The audit identified weaknesses in software change control and security patch management, pointing to an unpatched vulnerability as the likely attack vector. Buffer overflow exploits are classic unpatched software vulnerabilities addressed through patch management.

ABuffer overflowCorrect

Buffer overflow attacks exploit unpatched software vulnerabilities where input validation flaws allow attackers to overwrite memory and execute arbitrary code. The audit specifically flagged weak software change control and patch management - these are precisely the controls that would prevent buffer overflow exploits from being present in production systems. An unpatched SFTP server with a known buffer overflow vulnerability would allow unauthorized access without needing valid credentials.

BWeak password able to lack of complexity rules

Weak passwords due to lack of complexity rules would indicate a failure in access control or account management policies, but the audit found weaknesses only in software change control and patch management, not in other control areas such as identity and access management.

CDistributed Denial of Service (DDoS)

A DDoS attack is designed to overwhelm and deny availability of a service to legitimate users, not to gain unauthorized access and exfiltrate data such as downloading a game file.

DCross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a web application attack that injects malicious scripts into web pages viewed by other users, which is unrelated to unauthorized access to an SFTP server and does not align with the identified patch management weaknesses.

Concept tested: Exploiting unpatched vulnerabilities via buffer overflow attacks

Source: https://learn.microsoft.com/en-us/security/engineering/patch-management

Topics

#attack vectors#buffer overflow#patch management#vulnerability exploitation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice