A security analyst is reviewing server configurations in an organization during a vulnerability assessment. The analyst finds that someone left the default vendor passwords active on a critical server holding customer data. Additionally, someone is running unnecessary services on the server, and no one has patched it for several months. In this scenario, which vulnerability would adversaries MOST likely exploit first to gain unauthorized access to the critical server?