External vulnerability scan results are considered passing when which condition is met?


Multiple Choice

External vulnerability scan results are considered passing when which condition is met?

Explanation:
External vulnerability scan pass criteria hinge on the severity of what is found externally. The scan is considered passing when there are no vulnerabilities with a CVSS base score of 4.0 or higher and the scanner does not report any automatic failure. This means medium, high, and critical issues must not be present at the time of the scan, while lower-severity findings (below 4.0) can exist if there are no auto-fail results. It’s about the current risk level, not that every issue must already be fixed. The other options don’t fit because having any vulnerability would breach the 4.0+ threshold; requiring all vulnerabilities to be fixed is more stringent than the standard; and scanning scope isn’t limited to just network devices.

