Pop quiz: What’s the difference between vulnerable and exploitable?
As we’ve written before, a vulnerability is a weakness in a software system. And an exploit is an attack that leverages that vulnerability. So while vulnerable means there is theoretically a way to exploit something (i.e., a vulnerability exists), exploitable means that there is a definite path to doing so in the wild. Naturally, attackers want to find weaknesses that are actually exploitable. As a defender, being vulnerable isn’t great, but you should be especially worried about being exploitable.
There are a few main reasons why something that is theoretically vulnerable is not actually exploitable:
- There may be insufficient public information to enable attackers to exploit the vulnerability.
- Doing so may require prior authentication or local system access that the attacker does not have.
- Existing security controls may make it hard to attack.
Below, we’ll explain why this matters and how you can use it to improve your security posture. Read more “Vulnerable vs. Exploitable: Why These are Different & Why it Matters”