Pop quiz: What’s the difference between vulnerable and exploitable?
As we’ve written before, a vulnerability is a weakness in a software system, and an exploit is an attack that leverages that weakness. So while vulnerable means there is theoretically a way to exploit something (i.e., a vulnerability exists), exploitable means there is a practical path to doing so in the wild. Naturally, attackers want to find weaknesses that are actually exploitable. As a defender, being vulnerable isn’t great, but you should be especially worried about being exploitable.
There are a few main reasons why something that is theoretically vulnerable is not actually exploitable:
- There may be insufficient public information to enable attackers to exploit the vulnerability.
- Exploitation may require prior authentication or local system access that the attacker does not have.
- Existing security controls may make it hard to attack.
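One way to turn those three reasons into a triage step is to record, per finding, whether a public exploit exists, what access it needs, and which controls already cover it, and then split the list into "exploitable" and "vulnerable only". The Python below is an added example written for this post, not code from the original; the `Finding` fields, the `EXAMPLE-000x` identifiers and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    # Identifier is a constructed placeholder, not a real CVE.
    ident: str
    asset: str
    public_exploit: bool          # enough public detail / working exploit code exists
    requires_auth: bool           # exploitation needs prior authentication
    requires_local: bool          # exploitation needs local system access
    mitigating_controls: list[str] = field(default_factory=list)


def why_not_exploitable(f: Finding, attacker_has_auth: bool = False,
                        attacker_has_local: bool = False) -> list[str]:
    """Return the reasons this finding is vulnerable-but-not-exploitable
    for an attacker with the given access; an empty list means exploitable."""
    reasons = []
    if not f.public_exploit:
        reasons.append("insufficient public information")
    if f.requires_auth and not attacker_has_auth:
        reasons.append("requires prior authentication")
    if f.requires_local and not attacker_has_local:
        reasons.append("requires local system access")
    if f.mitigating_controls:
        reasons.append("mitigated by: " + ", ".join(f.mitigating_controls))
    return reasons


def triage(findings: list[Finding], **attacker_access):
    """Split findings into (exploitable, vulnerable_only); each entry is
    (finding, reasons). Exploitable findings are the ones to fix first."""
    exploitable, vulnerable_only = [], []
    for f in findings:
        reasons = why_not_exploitable(f, **attacker_access)
        (vulnerable_only if reasons else exploitable).append((f, reasons))
    return exploitable, vulnerable_only


# Constructed sample inventory (assumed values, not real findings).
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "web-frontend", True, False, False),
    Finding("EXAMPLE-0002", "admin-portal", True, True, False),
    Finding("EXAMPLE-0003", "billing-api", False, False, False),
    Finding("EXAMPLE-0004", "legacy-cms", True, False, False,
            ["WAF rule blocks the known payload"]),
]


def exploitable_ids(attacker_has_auth: bool = False) -> list[str]:
    """Identifiers of findings an external attacker (optionally with
    valid credentials) can actually exploit."""
    exploitable, _ = triage(SAMPLE_FINDINGS, attacker_has_auth=attacker_has_auth)
    return [f.ident for f, _ in exploitable]


if __name__ == "__main__":
    exploitable, rest = triage(SAMPLE_FINDINGS)
    for f, _ in exploitable:
        print(f"FIX NOW   {f.ident} on {f.asset}")
    for f, reasons in rest:
        print(f"schedule  {f.ident} on {f.asset}: {'; '.join(reasons)}")
```

Running the block with an unauthenticated attacker model leaves only one finding in the fix-now bucket; re-running with `attacker_has_auth=True` (for example after a credential leak) promotes the authenticated-only finding too, which is the point: exploitability is a property of the finding plus the attacker's position and your controls, not of the vulnerability alone.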
Below, we’ll explain why this matters and how you can use it to improve your security posture.