A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch...

According to CEH v13 Security Operations and Incident Response, zero-day vulnerabilities pose one of the highest operational risks because exploits exist before official remediation is available. When active exploitation is observed and no vendor patch exists, immediate compensating controls must be deployed.

The first and most effective action is implementing virtual patching, typically through a Web Application Firewall (WAF) or Intrusion Prevention System (IPS). CEH v13 defines virtual patching as a security measure that blocks exploitation attempts at the network or application layer without modifying the vulnerable software. This approach allows organizations to maintain service availability while reducing exposure.

Shutting down the server (Option A) may prevent exploitation but introduces unacceptable business disruption and is not recommended as a first response. Backups and incident response planning (Option C) are critical but do not actively prevent exploitation. Passive monitoring (Option D) allows attackers to continue exploiting the vulnerability unchecked.

CEH v13 emphasizes that virtual patching is the preferred first response for zero-day threats, especially when systems are mission-critical. It provides immediate risk reduction while allowing time for vendor patch development and controlled deployment.