Is a vulnerability with a CVSS score greater than 4.0 automatically considered failing?

Multiple Choice

Explanation:
CVSS is a standardized way to gauge how severe a vulnerability is so that fixes can be prioritized, and the PCI ASV Program Guide uses it as the pass/fail threshold for external scans: a finding with a CVSS base score of 4.0 or higher (the threshold is inclusive, not strictly greater than 4.0) is marked as failing in the scan report. That mark is not the final verdict, though. Whether the finding actually fails the assessment depends on context: is the affected component in scope for the scan (part of the cardholder data environment, or able to affect its security)? Is the finding a false positive? Are there compensating controls that the scan customer has documented and the ASV has reviewed and accepted? If the component is out of scope, or the customer disputes the finding with evidence and the ASV accepts the dispute, the finding does not cause a failure. The score also cuts the other way: the ASV Program Guide lists certain vulnerability types as automatic failures that fail the scan regardless of their CVSS score. So a higher CVSS score signals higher risk and a need for remediation, but the score on its own does not automatically fail the assessment.
