ArticlesCybersecurity
Cybersecurity6 April 2026·6 min

The Most Common Cybersecurity Vulnerabilities: What Attackers Actually Exploit

Most cyberattacks do not rely on sophisticated techniques — they exploit known, repeated and often avoidable errors. SQL injection, weak passwords, unpatched software, cloud misconfiguration and the human factor (phishing) account for the majority of documented intrusion vectors.

01

Why these vulnerabilities persist despite being well-known

SQL injection was first documented in the 1990s. It still appears in the top 3 web application attack vectors today. Teams change, training is insufficient, deadline pressure overrides technical rigour, and legacy systems are never refactored. 60% of breaches exploit vulnerabilities for which a patch was available for more than 6 months.

02

The 8 most exploited vulnerabilities

1. Injections: parameterised queries, strict validation.
2. Phishing: 91% of attacks start with an email. Fix: regular cybersecurity training.
3. Weak/reused passwords: password manager + MFA.
4. Unpatched software: critical CVEs exploited avg. 15 days after publication. Fix: automated patch management.
5. Cloud misconfiguration: public S3 buckets, permissive security groups. Fix: CIS Benchmarks, regular cloud security review.
6. No MFA: without MFA, credential stuffing compromises accounts in hours.
7. XSS: output escaping + Content Security Policy.
8. Exposed secrets: API keys in public Git repos. Fix: secret scanning in CI/CD.

03

How to prioritise remediation

CVSS score (0–10) rates criticality. Above 9 (critical): 24–48 hours. 7–9 (high): 7 days. Below 7: based on available resources and contextual exposure. A moderate vulnerability on an internet-facing server is more urgent than a critical one on an isolated internal system.

04

Vulnerability management mistakes

Scanning without acting on results. Patching only critical systems. Not testing fixes after deployment. Ignoring third-party dependency vulnerabilities. No formalised vulnerability management programme.

05

What experts do

A mature vulnerability management programme combines continuous scanning, contextual prioritisation, formalised remediation workflows and regular executive reporting. Complement with regular penetration tests to validate control effectiveness — scanners cannot see the vulnerability chains attackers construct.

06

Use cases

50-person SME: first vulnerability scan reveals 3 critical CVEs on unpatched servers and a public S3 bucket containing client invoices.
SaaS vendor: automated pipeline detects npm dependency with CVSS 9.8 before production deployment.

Frequently Asked Questions

What is a CVE?
Common Vulnerabilities and Exposures: a unique identifier for each documented security vulnerability. The NVD database lists over 250,000 CVEs with CVSS scores.
What is the difference between a vulnerability and a threat?
A vulnerability is a technical or organisational weakness. A threat is an actor or event that may exploit it. Risk is the intersection of both.
How do I detect my system's vulnerabilities?
Vulnerability scanning, penetration testing, code audits, configuration review. A combination provides the most complete coverage.
Are open source projects more vulnerable?
No — they are often better audited than proprietary software. However, open source dependency management requires heightened vigilance on security updates.

In summary

The most exploited vulnerabilities are not the most sophisticated — they are the most neglected. A structured vulnerability management programme, combined with regular testing and team training, significantly reduces risk exposure without requiring a disproportionate budget.

Discuss your project
Let's talk about your project

Let's define
your needs together

A first no-commitment conversation to frame your needs, identify your priorities and assess whether our expertise matches your context.

France · On-site and remote engagements