Which statement describes a major vulnerability of SMTP?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which statement describes a major vulnerability of SMTP?

Explanation:
The major vulnerability centers on confidentiality of mail in transit. SMTP was designed without built‑in encryption by default, so messages can travel in the clear across the Internet. That means anyone who can observe the network path between mail servers or intermediate devices can potentially read the email content, including sensitive data and attachments. Encryption is possible through TLS (STARTTLS or SMTPS), but it isn’t guaranteed or enforced across all hops, so if encryption isn’t negotiated or is downgraded, the content remains exposed. This is why the statement describing a lack of encryption by default best captures SMTP’s vulnerability. The other options aren’t accurate: SMTP can handle attachments via MIME, bandwidth isn’t the security issue here, and encryption isn’t enforced by default.

