To determine which system to remediate first using only CVSS vectors, the analyst should prioritize the vulnerability that is most severe and most easily exploitable, especially when it is exploitable over the network and requires no privileges and no user interaction.
The Web server has the most dangerous combination of exploitability and impact:
Privileges Required = None (PR:N) → attacker doesn’t need credentials
User Interaction = None (UI:N) → no user action required
Impact = High for Confidentiality, Integrity, and Availability (C:H / I:H / A:H) → full compromise potential
The Sybex CySA+ Study Guide explains that CVSS provides a 0–10 severity score and that analysts must be able to interpret key metrics like Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Impact.
The All-in-One guide defines Attack Vector and notes that the more remote the vector, the higher the score (Network is remotely exploitable).
And Secbay Press states that organizations use CVSS as a basis for prioritization, typically addressing higher scores first.
Exact extract (Secbay Press): “Organizations often use CVSS scores as a basis for prioritizing vulnerabilities, addressing those with higher scores first.”
Why the other assets are lower priority than the Web server (based on the vectors)
File server (AV:L) has a local attack vector, meaning the attacker must already have local access; that generally reduces priority compared to a remotely exploitable (AV:N) issue. (Attack vector definitions and scoring emphasize the Network vs. Local distinction.)
Mail server (AC:H) requires high attack complexity, lowering exploitability compared to the Web server’s AC:L.
Domain controller (PR:R, UI:R) requires privileges and user interaction, which lowers exploitability compared to PR:N/UI:N on the Web server.
Bottom line: The Web server is the most immediately dangerous because it is remotely exploitable (AV:N) with low complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and has high impact across C/I/A—making it the strongest candidate for first remediation under CVSS-based prioritization.
References (CompTIA CySA+ CS0-003 documents / study guides used):
Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): CVSS used to prioritize; higher scores addressed first
Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): CVSS metrics and interpretation (AV/AC/PR/UI/Impact) and severity score concept
Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): Attack Vector/Attack Complexity definitions; remote vectors score higher