What is an exploit in cybersecurity?
Last reviewed June 2, 2026
An exploit is a piece of code, a sequence of commands, or a technique that takes advantage of a specific vulnerability to make a system do something it should not, such as running attacker-supplied code, escalating privileges, or leaking data. The vulnerability is the weakness; the exploit is the act of using it.
What an exploit is
An exploit turns a theoretical weakness into a practical attack. Where a vulnerability describes what is wrong with a system, an exploit is the concrete method that abuses that flaw to achieve a goal: gaining a shell, bypassing authentication, reading memory, or crashing a service.
Exploits range from a single crafted input typed into a form, to a polished tool with a reliable payload, to a full chain that strings several vulnerabilities together. The more reliable and automated an exploit is, the more dangerous the underlying vulnerability becomes in practice.
Exploit maturity
Not all exploits are equal. Security teams care a great deal about how mature and weaponized an exploit is, because that changes how urgently a flaw must be fixed. CVSS even captures this idea in its Exploit Maturity metric.
- Theoretical: experts believe exploitation is possible but no code exists.
- Proof-of-concept: code demonstrates the flaw is real but is not weaponized.
- Functional: a working exploit exists that an attacker can use.
- Weaponized or in-the-wild: reliable exploits are being used in real attacks.
Exploits and zero-days
When attackers use an exploit against a vulnerability that the vendor does not yet know about or has not patched, it is called a zero-day exploit. These are especially dangerous because no fix is available when the attacks begin.
Once a vulnerability is known to be exploited in real attacks, catalogs like the CISA KEV list flag it so defenders know to prioritize it immediately, regardless of its CVSS score.
Why exploit availability drives prioritization
A high-severity vulnerability with no known exploit may be less urgent than a medium-severity one that attackers are already using. This is why modern programs combine severity (CVSS) with exploitation signals such as EPSS probability and the KEV catalog to decide what to fix first.
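To make the prioritization logic concrete, here is an added example (not code from the original page) that combines the three signals the text names: CVSS severity, EPSS probability and KEV membership, plus the exploit maturity levels from the list above. It folds maturity into the score the way CVSS v3.1 does with its Exploit Code Maturity temporal multipliers (Unproven 0.91, Proof-of-Concept 0.94, Functional 0.97, High 1.0), then ranks by KEV first, exploitation signals second, and severity last. The CVE identifiers and scores are constructed placeholders, the tier rules and the 0.1 EPSS threshold are an assumed policy rather than any standard, and the `Vuln` and `prioritize` names are this example's own.

```python
from dataclasses import dataclass
from enum import IntEnum
import math


class ExploitMaturity(IntEnum):
    """The four maturity levels described on the page, ordered by danger."""
    THEORETICAL = 0
    PROOF_OF_CONCEPT = 1
    FUNCTIONAL = 2
    WEAPONIZED = 3


# CVSS v3.1 temporal "Exploit Code Maturity" multipliers. The page's
# "theoretical" maps to Unproven and "weaponized / in the wild" to High.
CVSS31_E_MULTIPLIER = {
    ExploitMaturity.THEORETICAL: 0.91,
    ExploitMaturity.PROOF_OF_CONCEPT: 0.94,
    ExploitMaturity.FUNCTIONAL: 0.97,
    ExploitMaturity.WEAPONIZED: 1.00,
}


def cvss31_roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


@dataclass
class Vuln:
    cve_id: str                 # placeholder IDs below, not real CVEs
    cvss_base: float            # CVSS v3.1 base score, 0.0-10.0
    epss: float                 # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool                # listed in the CISA KEV catalog
    maturity: ExploitMaturity


def temporal_score(v: Vuln) -> float:
    """CVSS v3.1 temporal score with only Exploit Code Maturity set
    (Remediation Level and Report Confidence left at Not Defined = 1.0)."""
    return cvss31_roundup(v.cvss_base * CVSS31_E_MULTIPLIER[v.maturity])


def priority_tier(v: Vuln, epss_threshold: float = 0.1) -> int:
    """Assign a triage tier; lower is more urgent (assumed policy, not a standard).

    Tier 0: in KEV, so known exploited in the wild: fix regardless of CVSS.
    Tier 1: a functional or weaponized exploit exists, or EPSS says
            exploitation is likely.
    Tier 2: only a proof-of-concept exists and EPSS is low.
    Tier 3: theoretical only.
    """
    if v.in_kev:
        return 0
    if v.maturity >= ExploitMaturity.FUNCTIONAL or v.epss >= epss_threshold:
        return 1
    if v.maturity == ExploitMaturity.PROOF_OF_CONCEPT:
        return 2
    return 3


def prioritize(vulns: list[Vuln]) -> list[Vuln]:
    """Order by tier, then EPSS (descending), then temporal score (descending)."""
    return sorted(
        vulns,
        key=lambda v: (priority_tier(v), -v.epss, -temporal_score(v)),
    )


# Constructed sample inventory; the IDs are placeholders, not real CVEs.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, 0.02, False, ExploitMaturity.THEORETICAL),
    Vuln("CVE-0000-0002", 6.5, 0.45, False, ExploitMaturity.FUNCTIONAL),
    Vuln("CVE-0000-0003", 5.3, 0.90, True, ExploitMaturity.WEAPONIZED),
    Vuln("CVE-0000-0004", 7.5, 0.01, False, ExploitMaturity.PROOF_OF_CONCEPT),
]


def ranked_ids(vulns: list[Vuln] = SAMPLE_VULNS) -> list[str]:
    """Return the CVE ids in fix-first order."""
    return [v.cve_id for v in prioritize(vulns)]


if __name__ == "__main__":
    for v in prioritize(SAMPLE_VULNS):
        print(f"tier {priority_tier(v)}  {v.cve_id}  base={v.cvss_base} "
              f"temporal={temporal_score(v)}  epss={v.epss:.2f}  "
              f"kev={v.in_kev}  maturity={v.maturity.name}")
```

Run on the constructed inventory, the KEV-listed medium (5.3) comes first and the 6.5 with a functional exploit and 45% EPSS comes second, while the critical 9.8 with only a theoretical exploit lands last: exactly the inversion the paragraph above describes. The temporal multiplier alone does not achieve this (the 9.8 still scores 9.0 after the Unproven discount), which is why the tiering uses KEV and EPSS as hard signals rather than as small score adjustments.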
Keep exploring
- What is a vulnerability? The weakness an exploit takes advantage of.
- What is a zero-day? Exploitation before a patch exists.
- What is a proof-of-concept exploit? A harmless demonstration that a flaw is exploitable.
- What is the CISA KEV? The catalog of vulnerabilities exploited in the wild.
- How to prioritize vulnerabilities: use exploit signals to decide what to fix first.
- What is Metasploit? The framework for authorized penetration testing.
- What is Exploit-DB? Public archive of exploits and proof-of-concept code.
Frequently asked questions
- What is the difference between an exploit and a vulnerability?
- A vulnerability is the underlying weakness in a system. An exploit is the code or technique that takes advantage of it. A vulnerability can exist with no exploit, and a single vulnerability can have many different exploits.
- Is an exploit the same as malware?
- Not quite. An exploit is the technique that breaks into a system through a vulnerability. Malware is malicious software that may be delivered after an exploit succeeds. Exploits are often the door; malware is what walks through it.
- What is a zero-day exploit?
- A zero-day exploit targets a vulnerability that the vendor does not yet know about or has not patched, so defenders have had zero days to fix it before attacks begin.
- Is publishing exploit code legal?
- Publishing proof-of-concept exploit code for legitimate research is common and often legal, but using an exploit against systems you do not own or have permission to test is illegal in most jurisdictions.