Cyber Security: What is a vulnerability?

In cyber security a vulnerability is a weakness in a system, application, configuration, or process that an attacker can exploit to compromise confidentiality, integrity, or availability. Vulnerabilities can exist in software code, in how a product is deployed, in how users behave, or in the broader supply chain of components a system depends on.

Categories of vulnerability

Software flaws are coding mistakes such as buffer overflows, SQL injection, cross-site scripting, and insecure deserialisation. These are tracked publicly through the Common Vulnerabilities and Exposures (CVE) catalogue.

Misconfiguration covers safe-by-default products deployed unsafely: default credentials left in place, services exposed to the public internet, overly permissive cloud IAM roles, or storage buckets without access controls.

Logical and design flaws sit above individual lines of code. Examples include broken access control where the application trusts a client-supplied user ID, or a workflow that allows a refund to exceed the original payment.

Human-factor weaknesses include weak passwords, susceptibility to phishing, and undocumented or unenforced security policy.

Severity and scoring

Most organisations use CVSS (Common Vulnerability Scoring System) to rate severity on a 0 to 10 scale, broken into Base, Temporal, and Environmental metrics. The Base score captures intrinsic characteristics such as attack vector, attack complexity, and impact on confidentiality, integrity, and availability. The Environmental adjustment recognises that the same CVE can be critical on an internet-facing payment system and irrelevant on an isolated test lab.

Lifecycle

A typical vulnerability moves from discovery (by a researcher, vendor, or attacker), through coordinated disclosure to the vendor, to a patch or mitigation, and finally to deployment by operators. The window between public disclosure and widespread patching is when attackers move fastest, which is why effective vulnerability management depends on patch cadence as much as on scanning coverage.

Related terms

See also: exploit, vulnerability assessment, risk, and penetration testing.
