nerdexam
(ISC)2

CISSP · Question #459

Which of the following findings would MOST likely indicate a high risk in a vulnerability assessment report?

The correct answer is D. End of life system detected. In a vulnerability assessment, an end-of-life (EOL) system represents a high risk because it no longer receives security patches or vendor support, leaving known vulnerabilities permanently unmitigated.

Submitted by minji_kr· Mar 5, 2026Security Assessment and Testing

Question

Which of the following findings would MOST likely indicate a high risk in a vulnerability assessment report?

Options

  • ATransmission control protocol (TCP) port 443 open
  • BNon-standard system naming convention used
  • CUnlicensed software installed
  • DEnd of life system detected

How the community answered

(31 responses)
  • A
    6% (2)
  • B
    19% (6)
  • C
    26% (8)
  • D
    48% (15)

Why each option

In a vulnerability assessment, an end-of-life (EOL) system represents a high risk because it no longer receives security patches or vendor support, leaving known vulnerabilities permanently unmitigated.

ATransmission control protocol (TCP) port 443 open

TCP port 443 is the standard port for HTTPS traffic and its presence is expected and normal in most environments, representing legitimate encrypted web communication rather than a vulnerability.

BNon-standard system naming convention used

A non-standard system naming convention is an administrative or compliance concern related to asset management hygiene, but it does not directly introduce a security vulnerability or exploitable attack surface.

CUnlicensed software installed

Unlicensed software is primarily a legal and compliance risk (software licensing violation) rather than a direct security vulnerability, and would typically appear in a compliance audit rather than as a high-risk security finding.

DEnd of life system detectedCorrect

An end-of-life system is no longer supported by its vendor, meaning critical security patches and updates are no longer issued. Any newly discovered vulnerabilities in that system will remain unpatched indefinitely, making it a prime target for exploitation. This is classified as high risk in vulnerability assessments because the exposure cannot be remediated through patching alone.

Concept tested: Identifying high-risk findings in vulnerability assessments

Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Topics

#vulnerability assessment#risk assessment#end-of-life systems#patch management

Community Discussion

No community discussion yet for this question.

Full CISSP Practice