A penetration tester identifies a vulnerable API in a cloud workload. Which action BEST helps the tester leverage this vulnerability?

Explanation:
Exploiting a vulnerable API to achieve Remote Code Execution demonstrates turning a flaw into direct control of the target environment. When an API mishandles input or processes requests insecurely, it can be tricked into running code that the tester provides. Gaining code execution means the tester can run commands, access data, and potentially move laterally within the cloud workload, which is the highest-impact outcome of a vulnerability assessment because it shows concrete and actionable access.

This is why the action of injecting a payload that leads to RCE is the best choice: it directly demonstrates the vulnerability’s impact and how it could be misused in real-world attack scenarios. The other actions don’t exploit the flaw to gain control. Enumerating user accounts is purely reconnaissance to map privileges; patching the API is a defensive remediation rather than an attack step; and capturing logs is focused on auditing or forensics after an incident, not on leveraging the vulnerability itself.
