What Is an Exploit?
TL;DR: An exploit is a piece of code, a sequence of commands, or a technique that takes advantage of a vulnerability in software, hardware, or a system to cause unintended behavior, typically granting an attacker unauthorized access, elevated privileges, or the ability to execute arbitrary code. Exploits are the mechanism that turns a known or unknown weakness into an active attack.
The distinction between a vulnerability and an exploit matters: a vulnerability is a flaw that exists in a system; an exploit is what weaponizes that flaw. A vulnerability without a known exploit is a risk to be managed. A vulnerability with a working public exploit is an urgent remediation priority.
Types of Exploits
Exploits are categorized by where they're executed, what they target, and whether the underlying vulnerability is publicly known:
Remote exploits can be triggered from a network connection without requiring prior access to the target system. They represent the highest-severity category because they eliminate the need for an attacker to have any foothold on the target. A network path and a vulnerable service are sufficient. The EternalBlue exploit (CVE-2017-0144) is one of the most damaging examples, enabling unauthenticated remote code execution across Windows SMB services.
Local exploits require the attacker to already have some form of access to the target system, such as a low-privilege user account. They're typically used for privilege escalation: turning limited access into full administrative or root control.
Web application exploits target vulnerabilities in web applications, like SQL injection, cross-site scripting, authentication bypasses, insecure deserialization, and similar flaws. These are among the most commonly encountered in bug bounty programs and penetration tests, because web applications are both widely deployed and frequently under-tested.
RCE exploits specifically achieve remote code execution, the ability to run arbitrary commands on a target system from a remote location. RCE is the most severe outcome of a successful exploit, typically scoring 9.0–10.0 on the CVSS scale.
Client-side exploits target software running on the victim's machine: browsers, document readers, media players, usually delivered through malicious files or links. The attacker doesn't need a vulnerable server; they need the victim to open something.
What Is a Zero-Day Exploit?
A zero-day exploit targets a vulnerability that is not yet publicly known, meaning the software vendor has had zero days to develop and release a patch. Zero-days are particularly dangerous because there's no CVE, no patch, and no scanner signature to detect them. Defenders are blind to the risk by definition.
The term "zero-day" is sometimes used loosely to describe any novel or previously unknown attack, but strictly speaking it refers specifically to the window between when a vulnerability is discovered (by an attacker or researcher) and when it becomes publicly known and patched.
Zero-day exploits move through a defined lifecycle:
- Discovery. A researcher or attacker finds an unknown vulnerability.
- Development. A working exploit is built against the flaw.
- Use or sale. The exploit is either deployed in an attack, sold on private markets, or held for future use.
- Disclosure. The vulnerability becomes publicly known — either through responsible disclosure, accidental discovery by another researcher, or detection of an active attack.
- Patching. The vendor releases a fix, at which point the zero-day becomes an n-day — a known vulnerability with a patch available.
Zero-day exploits targeting high-value software (operating systems, browsers, enterprise platforms) command significant prices on both legitimate vulnerability markets and criminal ecosystems. Nation-state threat actors are the primary buyers and users of sophisticated zero-days. The cost and complexity of developing them puts them beyond most financially motivated criminal groups.
For organizations, the realistic defense against zero-days isn't detection (you can't detect what you don't know exists) but reduction of blast radius: network segmentation, least-privilege access controls, and behavioral monitoring that can flag anomalous activity even when the specific exploit isn't recognized.
What Is an Exploit Kit?
An exploit kit is a prepackaged, automated toolkit that scans a victim's browser and plugins for known vulnerabilities and automatically delivers the appropriate exploit for whatever weakness it finds. Exploit kits lower the skill floor for launching web-based attacks dramatically. An attacker with no technical knowledge can rent access to an exploit kit and direct traffic toward it.
The typical exploit kit attack chain:
- A victim is redirected to a malicious or compromised landing page — through malvertising, a phishing link, or a compromised legitimate site.
- The kit's profiling script fingerprints the victim's browser, operating system, and plugins (Flash, Java, PDF readers) to identify potential vulnerabilities.
- The appropriate exploit is silently delivered and executed if a vulnerable component is found.
- A malware payload — ransomware, a banking trojan, a RAT — is dropped on the victim's machine.
Exploit kits peaked in prevalence around 2014–2016 when browser plugin ecosystems (particularly Flash and Java) provided a wide, poorly maintained attack surface. The decline of Flash and the shift toward auto-updating browsers significantly reduced their effectiveness. Modern exploit kits target browser and OS-level vulnerabilities rather than plugins, and while less prevalent than their peak, they remain an active threat, particularly against organizations running outdated software.
Well-known historical exploit kits include Angler, Nuclear, Magnitude, and RIG — all of which were responsible for distributing significant volumes of ransomware and banking malware at their peak.
How Exploits Work in Attacks
A working exploit is rarely the end goal — it's the entry point. Understanding how exploits fit into the broader attack lifecycle helps explain why vulnerability remediation timelines matter so much:
- Vulnerability discovery. A flaw is found — through security research, fuzzing, code review, or attacker reconnaissance. If it's a zero-day, no patch exists. If it's an n-day, a patch may already be available but undeployed.
- Weaponization. A working exploit is developed that reliably triggers the vulnerability to produce a useful outcome — code execution, privilege escalation, authentication bypass.
- Delivery. The exploit is delivered to the target — through a network service, a malicious file, a phishing link, or physical access.
- Execution. The exploit triggers the vulnerability in the target environment.
- Post-exploitation. The attacker pursues their actual objective — installing persistence, escalating privileges, moving laterally, exfiltrating data, or deploying ransomware.
The window between a vulnerability being disclosed and an exploit being publicly available has narrowed significantly over the past decade. Research consistently shows that functional exploits for critical CVEs appear within days of public disclosure — meaning the patching window before exploitation begins is much shorter than most organizations' patch cycles.
Conclusion
An exploit is what closes the gap between a theoretical vulnerability and an active compromise. The difference between an organization that gets breached and one that doesn't is often not whether vulnerabilities exist — they always do — but how quickly exploitable ones are found and remediated, and whether the discovery happens internally or by an attacker. Bug bounty programs exist precisely to put researchers with the skills to find and weaponize exploits on the defensive side of that equation.