Scenario
A vulnerability report lists several findings. The policy requires vulnerabilities above CVSS 9.0 to be patched within 7 days, above 7.9 to be patched within 14 days for production, and above 5.0 to be patched within 30 days for production.
Your task: Review the evidence and select the best analyst response for each field.
| Evidence | Details |
|---|---|
| 192.168.76.5 | Microsoft IIS unsupported software, CVSS 9.2, DEV |
| 192.168.76.6 | Sensitive cookie without Secure attribute, CVSS 7.4, DEV |
| Policy question | Select a server to patch within 14 calendar days |
| Mitigation target | Unsupported IIS software |
Instructor Answer
- 192.168.76.5 has a critical CVSS 9.2 unsupported software finding.
- A 7-day critical patch requirement is more urgent than 14 days, so it still belongs in a within-14-days selection.
- Unsupported IIS software should be patched or upgraded to a supported current release.
- Certificate uploads or ACL changes do not remediate unsupported IIS software.