ELI5: What are Vulnerability Types?
Every building has weak spots — maybe a window that doesn’t lock, a door with a flimsy hinge, or a fence with a hole in it. Computers have weak spots too, and those are called vulnerabilities. Some happen because someone forgot to change the default settings (like leaving the factory password on a router). Others are mistakes in the software itself, like a bug. And sometimes, the weak spot is actually a person who gets tricked into opening a bad email. Knowing what the weak spots are is the first step to fixing them.
Overview
Vulnerabilities are weaknesses in systems, software, processes, or configurations that can be exploited by threat actors to gain unauthorized access or cause harm. Understanding vulnerability categories helps prioritize security efforts and is fundamental to the Security+ exam. Vulnerabilities exist at every layer — from hardware and firmware to applications and human behavior.
Key Concepts
- Misconfigurations: Default settings, open ports, unnecessary services, overly permissive access rules — the most common vulnerability type
- Unpatched software: Known vulnerabilities with available fixes that have not been applied
- Zero-day vulnerabilities: Flaws unknown to the vendor with no available patch — exploits are highly valued by attackers
- Default credentials: Factory-set usernames and passwords that are publicly documented and easily exploited
- Insecure protocols: Using unencrypted protocols (Telnet, FTP, HTTP, SNMPv1/v2) that expose data in transit
- Weak encryption: Using deprecated algorithms (DES, MD5, SHA-1, RC4) or insufficient key lengths
- Race conditions: Timing-dependent flaws where concurrent processes can interfere with each other
- Memory vulnerabilities: Buffer overflows, use-after-free, memory leaks that can be exploited for code execution
- Supply chain risks: Vulnerabilities in vendor software, libraries, or dependencies (e.g., Log4Shell)
- Human factors: Lack of training, social engineering susceptibility, insider threats
- Hardware vulnerabilities: Side-channel attacks (e.g., Spectre, Meltdown), firmware flaws, end-of-life hardware
- VM sprawl: Uncontrolled proliferation of virtual machines, increasing attack surface and management complexity
Exam Tips
Remember
Misconfigurations are the #1 vulnerability type — more common than code flaws. Zero-day = no patch exists yet. Always check for: default creds, open ports, unpatched software, insecure protocols, excessive permissions.
- Supply chain vulnerabilities are increasingly important — compromised updates or libraries affect all downstream users
- Know the difference: vulnerability (weakness) vs. threat (actor/event) vs. risk (likelihood × impact)
- End-of-life (EOL) systems receive no patches and are inherently vulnerable
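The checklist above (default credentials, open or unneeded services, unpatched software, insecure protocols, weak encryption, end-of-life systems) as an added worked example that is not part of the original study page: a small audit that classifies constructed inventory records into the categories from Key Concepts and orders them by how low the barrier to exploitation is, the same reasoning Q4 below uses. The host records, the default-credential list and the priority numbers are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumptions, not from the study page):
# vendor defaults that must never stay active, protocols that carry
# data in the clear, and algorithms the page lists as deprecated.
KNOWN_DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}
WEAK_ALGORITHMS = {"des", "md5", "sha1", "rc4"}

# Assumed triage order: lower number = lower barrier to exploitation,
# so it is remediated first (mirrors the Q4 reasoning on this page).
PRIORITY = {"Default credentials": 1, "Misconfiguration": 2,
            "Insecure protocol": 3, "Unpatched software": 4,
            "Weak encryption": 5, "End-of-life": 6}

def audit_host(host, today=date(2025, 1, 1)):
    """Return (category, detail) findings for one inventory record."""
    findings = []
    for user, pw in host.get("credentials", []):
        if (user, pw) in KNOWN_DEFAULT_CREDS:
            findings.append(("Default credentials", f"{user}/{pw} still active"))
    for svc in host.get("services", []):
        if svc["protocol"] in INSECURE_PROTOCOLS:
            findings.append(("Insecure protocol", f"{svc['protocol']} on port {svc['port']}"))
        if not svc.get("needed", True):
            findings.append(("Misconfiguration", f"unneeded service on port {svc['port']}"))
    for alg in host.get("crypto", []):
        if alg.lower() in WEAK_ALGORITHMS:
            findings.append(("Weak encryption", f"{alg} in use"))
    if host.get("missing_patches", 0) > 0:
        findings.append(("Unpatched software", f"{host['missing_patches']} patches pending"))
    eol = host.get("eol_date")
    if eol and eol < today:
        findings.append(("End-of-life", f"vendor support ended {eol}"))
    return findings

def triage(inventory):
    """Flatten findings across hosts, ordered by remediation priority."""
    rows = [(PRIORITY[cat], host["name"], cat, detail)
            for host in inventory for cat, detail in audit_host(host)]
    return sorted(rows)

# Constructed inventory mirroring the three findings in Q4 on this page.
SAMPLE_INVENTORY = [
    {"name": "mgmt-srv", "services": [{"protocol": "telnet", "port": 23}]},
    {"name": "ws-01", "credentials": [("admin", "admin")]},
    {"name": "legacy-os", "eol_date": date(2020, 1, 14)},
]
```

Calling `triage(SAMPLE_INVENTORY)` lists the default-credential workstation first, the Telnet server second and the end-of-life host last, matching the Q4 answer order.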
Connections
- Discovered through vulnerability management scanning and assessment programs
- Exploited during penetration testing to demonstrate real-world impact
- Mitigation techniques provide specific strategies for addressing each vulnerability category
- Feeds into risk management for prioritized remediation based on business impact
Practice Questions
Q-Bank: Vulnerability Types (4 Questions)
Q1. A security auditor discovers that a newly deployed web server is running with the manufacturer’s default administrator credentials and has several unnecessary services enabled. Which vulnerability category does this BEST represent?
A. Zero-day vulnerability
B. Misconfiguration
C. Third-party/supply chain risk
D. Race condition
Answer: B. Misconfiguration
Default credentials and unnecessary services are classic examples of misconfigurations — the most common vulnerability type. Zero-day (A) refers to unknown vulnerabilities with no available patch, not configuration issues. Third-party risk (C) involves vulnerabilities in vendor software or dependencies. Race conditions (D) are timing-dependent flaws in concurrent processes, unrelated to default settings.
Q2. A critical vulnerability is being actively exploited in the wild, but the software vendor has not yet released a patch. Which vulnerability type does this describe?
A. Unpatched software
B. Insecure protocol
C. Zero-day vulnerability
D. Weak encryption
Answer: C. Zero-day vulnerability
A zero-day is a flaw unknown to or unpatched by the vendor — exploits exist before any fix is available. Unpatched software (A) means a patch exists but has not been applied, which is different from no patch being available. Insecure protocol (B) refers to using unencrypted protocols like Telnet or FTP. Weak encryption (D) involves deprecated algorithms, not missing patches.
Q3. An organization’s application was compromised because a widely used open-source logging library contained a critical remote code execution vulnerability. Which vulnerability category does this BEST illustrate?
A. Human factors
B. Memory vulnerability
C. Third-party/supply chain risk
D. Default credentials
Answer: C. Third-party/supply chain risk
A vulnerability in an open-source dependency (similar to Log4Shell) represents supply chain risk, where compromised libraries affect all downstream users. Human factors (A) involve social engineering or insider threats. Memory vulnerability (B) refers to buffer overflows and similar flaws, not library dependency issues. Default credentials (D) are unchanged factory passwords, not dependency vulnerabilities.
Q4. A security team is prioritizing remediation efforts. They have identified: (1) servers using Telnet for remote management, (2) workstations with default admin passwords, and (3) an end-of-life operating system receiving no security updates. Which vulnerability should be addressed FIRST?
A. Telnet usage, because it exposes credentials in transit
B. Default passwords, because they are publicly documented and trivially exploited
C. End-of-life OS, because no future patches will be available
D. All three are equal priority and should be addressed simultaneously
Answer: B. Default passwords, because they are publicly documented and trivially exploited
Default credentials require zero skill to exploit — they are published in vendor documentation and exploit databases, making them the most immediately exploitable. Telnet (A) exposes credentials in transit but requires an attacker to be positioned to intercept traffic. End-of-life OS (C) is serious but existing patches may still be applied for known vulnerabilities. While all three need remediation, default passwords present the lowest barrier to exploitation and should be addressed FIRST.
Scenario
See the case study "case-vulnerability-types" for a practical DevOps scenario applying these concepts.