What is the relationship between Vulnerability, Exploit, and Malware?
Vulnerability = the weakness, Exploit = the technique that abuses it, Malware = optional software the exploit may deliver. The chain is typical, not mandatory.
* The typical Vulnerability → Exploit → Malware → Payload chain — with the dashed shortcut showing malware is optional. *
Think of three distinct things:
- Vulnerability — a weakness in the system (a code bug, a design flaw, a misconfiguration)
- Exploit — a technique that takes advantage of that weakness to breach the system
- Malware — malicious software an exploit can deliver, which then runs a payload (the actual damage)
The typical chain: Vulnerability → Exploit → Malware → Payload
- Buffer overflow bug (vulnerability)
- Code-injection technique (exploit)
- Ransomware dropped (malware)
- Files encrypted (payload)
But malware is not required. Many attacks stop after the exploit: an authentication-bypass exploit might just let the attacker read a database (data exfiltration), and Heartbleed leaked private keys with no malware at all. So the right mental model is: the exploit gets the attacker in; whether malware follows depends entirely on the goal.
Defense: Fix the vulnerability and you break the chain at its root — no exploit, no malware, no payload.