LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is the relationship between Vulnerability, Exploit, and Malware?

Vulnerability = the weakness, Exploit = the technique that abuses it, Malware = optional software the exploit may deliver. The chain is typical, not mandatory.

A Vulnerability → Exploit → Malware (optional) → Payload chain with examples and a dashed "malware not required" shortcut.

* The typical Vulnerability → Exploit → Malware → Payload chain — with the dashed shortcut showing malware is optional. *

Think of three distinct things:

  1. Vulnerability — a weakness in the system (a code bug, a design flaw, a misconfiguration)
  2. Exploit — a technique that takes advantage of that weakness to breach the system
  3. Malware — malicious software an exploit can deliver, which then runs a payload (the actual damage)

The typical chain: Vulnerability → Exploit → Malware → Payload

  • Buffer overflow bug (vulnerability)
  • Code-injection technique (exploit)
  • Ransomware dropped (malware)
  • Files encrypted (payload)

But malware is not required. Many attacks stop after the exploit: an authentication-bypass exploit might just let the attacker read a database (data exfiltration), and Heartbleed leaked private keys with no malware at all. So the right mental model is: the exploit gets the attacker in; whether malware follows depends entirely on the goal.

Defense: Fix the vulnerability and you break the chain at its root — no exploit, no malware, no payload.

From Quiz: SPRG / Security Fundamentals | Updated: Jun 20, 2026