100+ Free CVA Practice Questions

Pass your Mile2 Certified Vulnerability Assessor (CVA) exam on the first try — instant access, no signup required.

✓ No registration · ✓ No credit card · ✓ No hidden fees · ✓ Start practicing immediately

Key Facts: CVA Exam

  • Exam Length: 100 MCQ
  • Passing Score: 70%
  • Course Modules: 7 modules
  • Exam Duration: 2 hours
  • Certification Validity: 3 years
  • Included in Exam Combo: 2 attempts

(Source for all figures: Mile2)

The Mile2 C)VA is a 100-question online MCQ exam requiring 70% to pass, delivered through Mile2's MACS platform in approximately 2 hours. It covers 7 modules of vulnerability assessment knowledge including CVE/CVSS/NVD, Nessus and OpenVAS, network enumeration (Nmap), web application assessment (OWASP Top 10), remote services, and output analysis and reporting. Certifications are valid for 3 years.

Sample CVA Practice Questions

Try these sample questions to test your CVA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What is the PRIMARY purpose of a vulnerability assessment?
   A. To identify, quantify, and prioritize security weaknesses in a system
   B. To exploit discovered weaknesses and gain unauthorized access
   C. To document an organization's complete network topology
   D. To replace penetration testing in compliance audits
   Explanation: A vulnerability assessment is designed to identify, quantify, and prioritize security weaknesses before attackers can exploit them. It is a proactive, non-exploitative evaluation of an organization's security posture. The goal is to produce an actionable list of vulnerabilities so they can be remediated in order of risk.

2. Which vulnerability management lifecycle phase involves applying patches and configuration changes after vulnerabilities are identified?
   A. Discovery
   B. Prioritization
   C. Remediation
   D. Verification
   Explanation: The Remediation phase is where identified and prioritized vulnerabilities are actually fixed—through patching, configuration hardening, workarounds, or compensating controls. After remediation, the Verification phase rescans to confirm that the fixes were effective.

3. Which regulatory framework requires organizations to conduct vulnerability scans of cardholder data environments at least quarterly?
   A. HIPAA Security Rule
   B. NIST SP 800-53
   C. PCI DSS Requirement 11
   D. ISO/IEC 27001 Annex A
   Explanation: PCI DSS Requirement 11 mandates quarterly vulnerability scans of the cardholder data environment (CDE) by an Approved Scanning Vendor (ASV) as well as annual penetration testing. This is one of the most specific, prescriptive vulnerability scanning mandates in any compliance framework.

4. An organization discovers a zero-day vulnerability with no available patch. What is the BEST immediate response within the vulnerability management process?
   A. Remove all affected systems from the network permanently
   B. Wait for the vendor to release an official patch before taking any action
   C. Apply compensating controls such as network segmentation and increased monitoring
   D. Reclassify the vulnerability as informational until a patch is available
   Explanation: When no patch exists, applying compensating controls is the correct immediate response. This includes network segmentation to limit exposure, enhanced logging and monitoring to detect exploitation attempts, temporary disabling of the affected feature if possible, and user awareness. Waiting for a vendor patch without any protective action leaves the organization fully exposed.

5. Which of the following BEST describes the difference between a vulnerability assessment and a penetration test?
   A. A vulnerability assessment exploits vulnerabilities; a penetration test only identifies them
   B. A vulnerability assessment is performed externally; a penetration test is always internal
   C. A vulnerability assessment requires written authorization; a penetration test does not
   D. A vulnerability assessment identifies and prioritizes weaknesses; a penetration test actively exploits them to demonstrate impact
   Explanation: A vulnerability assessment identifies, enumerates, and prioritizes security weaknesses without exploiting them. A penetration test goes further by actively exploiting vulnerabilities to demonstrate real-world impact, lateral movement, and the extent of a potential breach. Both require explicit written authorization.

6. What does a CVE (Common Vulnerabilities and Exposures) identifier provide?
   A. A numerical risk score from 0.0 to 10.0 for a specific vulnerability
   B. A vendor-specific patch identifier for applying software updates
   C. A unique reference number for a publicly known cybersecurity vulnerability
   D. A remediation timeline mandated by the issuing organization
   Explanation: A CVE identifier (e.g., CVE-2021-44228) provides a unique, standardized reference number for a specific publicly known vulnerability. Maintained by MITRE and sponsored by DHS CISA, CVE entries are the foundation of vulnerability databases and allow security tools, advisories, and databases to reference the same vulnerability unambiguously.

7. A CVSS v3.1 Base Score of 9.8 is classified under which severity rating?
   A. High
   B. Informational
   C. Medium
   D. Critical
   Explanation: CVSS v3.1 defines five severity ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). A score of 9.8 falls in the Critical range and should be prioritized for immediate remediation. Critical CVSS scores typically reflect network-exploitable vulnerabilities requiring no authentication.

8. Which CVSS v3.1 metric describes whether a vulnerability can be exploited without interacting with a user?
   A. User Interaction
   B. Attack Complexity
   C. Scope
   D. Privileges Required
   Explanation: The User Interaction (UI) metric in CVSS v3.1 indicates whether exploitation requires some action from a human user other than the attacker (UI:Required) or can occur without any user action (UI:None). A UI:None rating increases the CVSS Base Score and indicates higher severity because no social engineering is needed.

9. A vulnerability is exploitable only by a user on the same local network segment. Which CVSS v3.1 Attack Vector (AV) value applies?
   A. AV:Network
   B. AV:Physical
   C. AV:Local
   D. AV:Adjacent
   Explanation: AV:Adjacent (A) applies when exploitation requires the attacker to be logically adjacent to the target—on the same network segment, shared L2 network, or VLAN. AV:Network is for internet-reachable vulnerabilities, AV:Local requires an attacker with local system access (e.g., logged-in user or local process), and AV:Physical requires physical hardware access.

10. What is the primary difference between a software vulnerability and a misconfiguration vulnerability?
   A. Software vulnerabilities always have a higher CVSS score than misconfigurations
   B. Misconfigurations require patches to fix; software vulnerabilities can be resolved through configuration changes
   C. Software vulnerabilities are flaws in code or design; misconfigurations result from incorrect settings or deployment choices
   D. Software vulnerabilities only affect web applications; misconfigurations affect network devices
   Explanation: A software vulnerability is a flaw in the code or design of an application or OS that allows unintended behavior (e.g., buffer overflow, SQL injection). A misconfiguration vulnerability results from incorrect or insecure settings applied during deployment or operation (e.g., default credentials, unnecessary open ports, unrestricted S3 buckets). Misconfigurations are often resolved through configuration hardening rather than patching.

About the CVA Exam

The Mile2 CVA (Certified Vulnerability Assessor) certifies practitioners in the complete vulnerability assessment lifecycle: planning, scanning, analysis, and reporting. The course covers 7 modules including vulnerability types, Nessus/OpenVAS tooling, CVSS scoring, network and web application assessment, remote services evaluation, and professional report writing. It is suitable for IT engineers, analysts, and security practitioners entering vulnerability management.

  • Questions: 100 scored questions
  • Time Limit: 2 hours
  • Passing Score: 70% (70/100)
  • Exam Fee: Varies by package; Exam Combo approximately $595 (Mile2 Cybersecurity Institute)

CVA Exam Content Outline

  • Why Vulnerability Assessment (~12%): VA lifecycle, compliance drivers (PCI DSS, NIST RMF), legal authorization, and VM program fundamentals
  • Vulnerability Types (~18%): CVE, CWE, CVSS v3.1 metrics, severity ratings, software flaws (SQLi, XSS, SSRF, XXE), zero-days, and malware classes
  • Assessing the Network (~18%): Nmap scan types and flags, host discovery, port states, OS fingerprinting, NetBIOS/SNMP/DNS enumeration, credentialed scanning
  • Assessing Web Servers and Applications (~15%): OWASP Top 10 (2021), IDOR, XSS/SQLi/path traversal, security headers, SAST/DAST, TLS configuration review
  • Assessing Remote and VPN Services (~10%): VPN protocol security (PPTP, IPSec, WireGuard), SSH hardening, RDP/BlueKeep, NLA, Telnet risks, IKEv1 aggressive mode
  • Vulnerability Assessment Tools (~15%): Nessus (plugins, safe checks, agent scanning, CIS compliance), OpenVAS NVT, Metasploit check modules, OWASP ZAP, testssl.sh, Shodan, Qualys WAS
  • Output Analysis and Reporting (~12%): CVSS + EPSS + CISA KEV prioritization, MTTR metrics, executive/technical report structure, risk acceptance, compensating controls, verification scanning

How to Pass the CVA Exam

What You Need to Know

  • Passing score: 70% (70/100)
  • Exam length: 100 questions
  • Time limit: 2 hours
  • Exam fee: Varies by package; Exam Combo approximately $595

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CVA Study Tips from Top Performers

1. Know CVSS v3.1 severity bands: Critical (9.0–10.0), High (7.0–8.9), Medium (4.0–6.9), Low (0.1–3.9)
2. Master Nmap flags: -sS (SYN stealth), -sT (TCP connect), -sU (UDP), -sV (version detection), -O (OS detection), -sC (default scripts), -p (port range)
3. Understand Nessus port states: open (responds), closed (RST returned), filtered (packet dropped/no response)
4. Know the OWASP Top 10 2021 rankings: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A06 Vulnerable/Outdated Components, A09 Security Logging Failures
5. Remember PPTP is insecure (MS-CHAPv2 vulnerable to offline cracking); recommend OpenVPN, IPSec/IKEv2, or WireGuard
6. For prioritization: combine CVSS Base Score + EPSS (exploitation probability) + CISA KEV listing for risk-based remediation order
7. Credentialed scanning reduces false positives by inspecting local patch levels vs. version-only banner matching
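Tip 6 (and the Output Analysis and Reporting module) describes ordering remediation by CVSS, EPSS and CISA KEV together rather than by CVSS alone. The following is an added example of that ordering, not code from the page or from Mile2; the tier thresholds (KEV first, then EPSS of at least 0.10 on a High-or-worse finding) are assumed policy values, and the findings and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float   # CVSS v3.1 Base Score as reported by the scanner
    epss: float   # EPSS probability of exploitation in the next 30 days (0.0-1.0)
    in_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


def priority_tier(f: Finding) -> int:
    """Lower tier = remediate sooner. Thresholds are assumed policy values."""
    if f.in_kev:                          # confirmed in-the-wild exploitation
        return 1
    if f.epss >= 0.10 and f.cvss >= 7.0:  # likely to be exploited and High/Critical
        return 2
    if f.cvss >= 7.0:                     # High/Critical but little exploitation signal
        return 3
    return 4                              # everything else


def remediation_order(findings):
    """Order by tier, then by EPSS and CVSS (both descending) as tie-breakers."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss))


# Constructed sample findings; CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("web01", "CVE-0000-0001", 9.8, 0.02, False),  # Critical, rarely exploited
    Finding("db01", "CVE-0000-0002", 7.5, 0.45, False),   # High, often exploited
    Finding("vpn01", "CVE-0000-0003", 8.1, 0.90, True),   # on the KEV list
    Finding("fs01", "CVE-0000-0004", 5.3, 0.70, False),   # Medium, often exploited
]


def ordered_cves(findings=SAMPLE):
    return [f.cve for f in remediation_order(findings)]
```

Note that the 9.8 Critical finding lands third: with KEV and EPSS in the mix, the 7.5 High that is actually being exploited is fixed before it.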

Frequently Asked Questions

What is the Mile2 CVA exam format?

The Mile2 CVA exam consists of 100 multiple-choice questions with a 70% passing score (70 correct answers required). It is delivered online through Mile2's Assessment and Certification System (MACS) in approximately 2 hours. Two exam attempts are included in the CVA Exam Combo package. Both standard and ANSI/DoD 8140 proctored formats are available.

What domains does the Mile2 CVA cover?

The CVA covers 7 modules: Why Vulnerability Assessment (VA lifecycle, compliance), Vulnerability Types (CVE, CVSS, CWE, software flaws), Assessing the Network (Nmap, enumeration, credentialed scanning), Assessing Web Servers and Applications (OWASP Top 10, XSS, SQLi), Assessing Remote and VPN Services (SSH, RDP, VPN protocols), Vulnerability Assessment Tools (Nessus, OpenVAS, ZAP, Shodan), and Output Analysis and Reporting (CVSS prioritization, EPSS, MTTR, report writing).

Is the Mile2 CVA DoD 8140 approved?

Mile2 certifications including the CVA are available in ANSI/DoD 8140 proctored format. Candidates requiring DoD 8140 compliance should select the appropriate proctored exam variant when purchasing through Mile2.

What tools should I know for the Mile2 CVA exam?

Candidates should be familiar with Nessus (plugin families, safe checks, credentialed scanning, severity ratings), OpenVAS/Greenbone (NVT feed, open-source licensing), Nmap (scan types: -sS, -sT, -sU, -sV, -O, NSE scripts including smb-vuln-ms17-010), OWASP ZAP (DAST web scanning), testssl.sh (TLS/SSL configuration testing), Shodan (external attack surface discovery), Metasploit (false-positive verification using check command), and Hydra (credential brute-force testing).

How does CVSS v3.1 scoring work for the CVA exam?

CVSS v3.1 Base Score ranges: Critical (9.0–10.0), High (7.0–8.9), Medium (4.0–6.9), Low (0.1–3.9), None (0.0). Key Base metrics include Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity (Low/High), User Interaction (None/Required), Scope (Unchanged/Changed), and impact metrics for Confidentiality, Integrity, and Availability. The Temporal Score adds exploit availability and patch status; the Environmental Score adds organizational context.

What is the best way to prepare for the Mile2 CVA?

Candidates should study all 7 course modules, with extra focus on CVSS v3.1 metrics and severity bands, Nmap scan flags and NSE script categories, OWASP Top 10 (2021) vulnerability classes, Nessus plugin families and safe checks configuration, VPN protocol security comparisons (PPTP vs. OpenVPN vs. WireGuard), and CVSS + EPSS + CISA KEV-based prioritization for reporting. Practice questions with detailed explanations reinforce applied knowledge.