An exploit is the code or technique that takes advantage of a vulnerability to produce an unintended effect on the attacked system. The usual effects: executing commands, reading memory, escalating privileges, evading a security control or taking a service down. The vulnerability is the bug; the exploit is the tool that turns it into a real problem. A vulnerability with no known exploit is a theoretical risk. A working exploit, public or private, is an immediate operational risk.
This guide explains what an exploit actually is, the five types by effect (RCE, LPE, disclosure, DoS, bypass), the precise difference between vulnerability, CVE and exploit, the 0-day and N-day concepts, real examples any security lead should know (EternalBlue, Log4Shell, ProxyShell, Spring4Shell, ConnectWise ScreenConnect), how a professional exploit gets built, where it gets distributed and how an organisation defends with realistic resources.
What an exploit is
An exploit is the set of steps, code or payload that takes advantage of a software flaw (the vulnerability) to produce an effect the developer didn't anticipate. Three key ideas:
- No vulnerability, no exploit. The exploit is the operational consequence of a prior flaw. If the flaw gets patched, the exploit stops working against that version.
- No working code, no real risk. A theoretical vulnerability documented in an advisory without public proof of concept is low risk. One with an exploit on GitHub or in Metasploit is high.
- Exploit isn't the same as full attack. The exploit is the piece that achieves the initial effect (execution, read, evasion). The full attack chains it with persistence, lateral movement, exfiltration.
What it gives the attacker:
- Initial access without credentials if the exploit targets exposed services.
- Privilege escalation when there's already a basic foothold.
- Control evasion (firewall, antivirus, sandbox) when delivering more malware.
- Data access when exploiting an info disclosure.
What limits it:
- Patches neutralise it. An agile patch management policy closes the vector.
- Modern detection (EDR, IDS, sandbox) reduces the useful window of the exploit before it triggers an alert.
- Exploitation mitigations (ASLR, DEP, Control Flow Guard, stack canaries) mean many classic exploits no longer work against modern versions without extra work.
Exploit types by effect
Five effects cover practically the whole operational landscape.
Remote Code Execution (RCE)
The most sought-after. Allows executing arbitrary code on the vulnerable system over the network, without prior authentication or with low-privilege credentials. This is the effect behind the critical 0-days whose CVSS score goes above 9.
Examples: EternalBlue (CVE-2017-0144) against SMBv1, Log4Shell (CVE-2021-44228) in Apache Log4j, ProxyShell (CVE-2021-34473) in Microsoft Exchange, Spring4Shell (CVE-2022-22965) in Spring Framework, ScreenConnect auth bypass (CVE-2024-1709).
Local Privilege Escalation (LPE)
The attacker is already inside as an unprivileged user and elevates to SYSTEM, root, Administrator or equivalent. Combined with a low-privilege RCE, it completes the chain up to full host control.
Examples: PrintNightmare (CVE-2021-34527), DirtyPipe (CVE-2022-0847) in the Linux kernel, Win32k vulnerabilities, Windows token abuse.
Information Disclosure
Allows reading data that shouldn't be exposed: process memory, configuration files, database content, cryptographic keys. Doesn't give direct control but feeds the next attack phase.
Examples: Heartbleed (CVE-2014-0160) in OpenSSL, Spectre and Meltdown (CPU vulnerabilities), info disclosure in web applications via verbose error messages or IDORs (Insecure Direct Object References).
Denial of Service (DoS)
Takes the service or system down. Although it looks less sophisticated, in critical contexts (banks, infrastructure, health services) it's severe damage and falls under regulatory scope (NIS2 availability, DORA operational continuity).
Examples: SQL Slammer (CVE-2002-0649), recent protocol vulnerabilities like HTTP/2 Rapid Reset (CVE-2023-44487).
Security control bypass
Skipping authentication, authorisation, MFA or anti-malware controls. Doesn't introduce new executable code but allows operating as another user or avoiding detection.
Examples: authentication bypass in CitrixBleed (CVE-2023-4966), Windows Defender evasion via configuration, abuse of stolen session tokens in MFA bypass. This family overlaps with Man-in-the-Middle when AitM (adversary-in-the-middle) kits are used.
Vulnerability, CVE and exploit: operational distinction
Confusion between the three terms is frequent.
- Vulnerability. The flaw itself. Can be software (buffer overflow, SQL injection, hardcoded credentials), configuration (exposed service, overly broad permissions) or design (unauthenticated protocol).
- CVE. Unique identifier assigned by MITRE to public vulnerabilities. Serves as a common language so multiple sources talk about the same bug. More detail in the What is a CVE guide.
- Exploit. The code or technique that takes advantage of the vulnerability. Can be a didactic PoC, a Metasploit module, a Python script, a commercial kit.
A vulnerability can have zero, one or many associated exploits. Real exploitability depends on the available exploit, not only on CVSS severity. A CVSS 9.8 vulnerability without a working public exploit represents less immediate operational risk than a CVSS 7.0 with a reliable exploit on GitHub.
0-day vs N-day
The most relevant distinction in threat intelligence.
0-day (zero-day)
Vulnerability or exploit only the attacker (or a limited group) knows about. The vendor doesn't know it yet or hasn't published a patch. The defender is blind.
Characteristics: high price in specialised markets (Zerodium, Crowdfense pay six and seven-figure sums for complete iOS/Chrome chains), very selective use to avoid burning it, kept secret for months or years.
Defence: generic mitigations (segmentation, behavioural EDR, threat hunting), zero-trust architecture, critical account protection. No patch possible until the vendor discovers it.
N-day
Public vulnerability with a patch available. N represents the number of days since publication. The bigger N gets while the system stays unpatched, the worse.
Most incidents in mid-sized enterprises are N-day, not 0-day. ProxyShell, Log4Shell and EternalBlue are still being exploited today in organisations that haven't patched years later.
Defence: agile patch management, vulnerability scanning, prioritisation by CVSS and by active exploitation evidence (CISA KEV catalogue, public exploits, listings like ExploitDB).
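As an added example (not part of the original guide), the prioritisation rule from the vulnerability/CVE/exploit section and the N-day defence above, written out in Python: the CVSS band is adjusted by KEV listing and public-exploit evidence, and the patch deadline follows the 14/30/60-day SLAs the guide's defence section states. The KEV set, the band-shift policy, the 90-day "low" SLA and the CVE-EXAMPLE-* entries are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed KEV-style set of exploited CVE IDs (real source: CISA's JSON feed); IDs from the guide.
KEV_IDS = {"CVE-2021-44228", "CVE-2021-34473", "CVE-2023-4966"}
BANDS = ["low", "medium", "high", "critical"]
# Patch SLAs in days by band as stated in the guide; the 90-day "low" value is an assumption.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

@dataclass
class Vuln:
    cve: str
    cvss: float
    published: date
    public_exploit: bool = False  # reliable PoC or module in Metasploit, ExploitDB, GitHub

def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its severity band."""
    for threshold, band in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= threshold:
            return band
    return "low"

def effective_band(v: Vuln) -> str:
    """Scheduling band: CVSS adjusted by exploitation evidence. Policy (an assumption for this
    example): KEV listing means critical; a public exploit raises one band; none lowers one."""
    if v.cve in KEV_IDS:
        return "critical"
    idx = BANDS.index(cvss_band(v.cvss))
    idx = min(idx + 1, len(BANDS) - 1) if v.public_exploit else max(idx - 1, 0)
    return BANDS[idx]

def patch_deadline(v: Vuln) -> date:
    return v.published + timedelta(days=SLA_DAYS[effective_band(v)])

def days_overdue(v: Vuln, today: date) -> int:
    """Positive when the SLA is already blown (a long-unpatched N-day); negative = days left."""
    return (today - patch_deadline(v)).days

def prioritise(vulns: list, today: date) -> list:
    """Most urgent first: highest effective band, then furthest past its SLA."""
    return sorted(vulns, key=lambda v: (-BANDS.index(effective_band(v)), -days_overdue(v, today)))

# Constructed sample: Log4Shell (CVSS 10.0 per the guide, published 2021-12-10) plus two
# placeholder entries for the guide's "9.8 without exploit vs 7.0 with exploit" comparison.
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", 9.8, date(2024, 1, 1), public_exploit=False),
    Vuln("CVE-EXAMPLE-B", 7.0, date(2024, 1, 1), public_exploit=True),
    Vuln("CVE-2021-44228", 10.0, date(2021, 12, 10), public_exploit=True),
]
```

Running `prioritise(SAMPLE, SAMPLE_TODAY)` puts the KEV-listed Log4Shell first and the 7.0 with a public exploit ahead of the 9.8 without one, which is the ordering the guide argues for.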
Documented real examples
Essential cases for any security lead.
EternalBlue (2017). RCE exploit against Windows SMBv1 developed by the NSA and leaked by Shadow Brokers. Allowed unauthenticated remote execution. Microsoft published the patch (MS17-010) in March. WannaCry used it in May, NotPetya in June, BadRabbit in October. Combined damage over $14 billion.
Heartbleed (2014). OpenSSL vulnerability (CVE-2014-0160). Server memory read through bad TLS heartbeat handling. Allowed stealing private keys, sessions and credentials from approximately 500,000 affected HTTPS servers before the patch.
Log4Shell (2021). Unauthenticated RCE in Apache Log4j (CVE-2021-44228). A Java logging library that executed arbitrary code when logging strings with a special JNDI format. CVSS 10.0. Affected almost any Java enterprise product in production. The remediation phase stretched over months because of the impact's depth.
ProxyShell (2021). Chain of three CVEs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange. RCE on on-premise Exchange servers. Ransomware operators (Conti, BlackByte) and APTs (Hafnium) leveraged it at scale. Still appears in organisations with unpatched Exchange.
Spring4Shell (2022). RCE in Spring Framework (CVE-2022-22965). Vulnerable Spring Boot applications allowed arbitrary execution by manipulating properties in deserialisation.
ConnectWise ScreenConnect (2024). Auth bypass + path traversal (CVE-2024-1709 and CVE-2024-1708). Compromise of RMM servers used by thousands of MSPs. Preferred vector for ransomware campaigns that reach the end client through the provider.
Citrix Bleed (2023). CVE-2023-4966 in NetScaler. Allowed stealing legitimate session tokens without authentication. Actively exploited by LockBit and other ransomware operators against large corporations. Paradigmatic case of an N-day with a public exploit that caught many organisations unpatched.
How a professional exploit gets built
The real process, simplified.
- Vulnerability analysis. Reading the advisory, diffing the patch, reverse engineering affected functions.
- Primitive identification. What control over the target does the bug grant? Pointer overwrite, control of execution flow, arbitrary read, heap manipulation.
- Proof of concept (PoC). Minimum code reproducing the effect in a lab.
- Weaponisation. Turning the PoC into something reliable and stealthy: bypassing mitigations (ASLR, DEP, CFG), stable shellcode, error handling, encoding.
- Testing in different environments. Different software versions, patches, operating systems. A serious exploit works on 90% of target configurations.
- Distribution. Responsible publication in frameworks (Metasploit, Nuclei templates, ExploitDB) or private use in operations.
Legitimate frameworks where exploits appear with defensive and educational purpose:
- Metasploit Framework (Rapid7). Modular exploit and post-exploitation. Standard in pentesting.
- ExploitDB. Historical repository of public PoCs.
- Nuclei (ProjectDiscovery). Templates for at-scale web vulnerability scanning.
- GitHub. Academic and commercial PoCs released after the responsible disclosure period.
Grey or illegal markets where 0-day exploits get bought:
- Zerodium, Crowdfense, Trenchant. Brokers paying researchers and reselling to governments and intelligence services.
- Underground markets. Forums and marketplaces where exploits, RaaS and kits are offered, paid for in cryptocurrency.
How an organisation defends itself
The measures that actually close the door, ordered by impact.
- Agile patch management with prioritisation. SLA by severity: critical in 14 days, high in 30, medium in 60. Real prioritisation by CISA KEV catalogue and observed active exploitation, not only CVSS.
- Complete inventory. You can't patch what you don't know. Updated CMDB, continuous scanning, shadow IT discovery.
- Vulnerability management. Platform that correlates inventory with CVE feeds and prioritises. Products: Tenable, Qualys, Rapid7 InsightVM.
- Threat intelligence. Subscription to feeds indicating which CVEs are being exploited in the field (KEV, Mandiant, CrowdStrike, Recorded Future). More detail in the What is threat hunting guide; the MITRE ATT&CK framework classifies the pattern under technique T1190 Exploit Public-Facing Application.
- Modern EDR / XDR. Detects post-exploitation behaviour (in-memory shellcode, anomalous child processes of web services, calls to sensitive APIs).
- WAF and rate limiting. Layer that mitigates risk in web applications against exploits requiring specific requests, especially useful in the window before patching.
- Network segmentation. Limits blast radius when an exploit works on a specific system.
- Operating system hardening. ASLR, DEP, Control Flow Guard, exploit protection on Windows; SELinux/AppArmor on Linux.
- Periodic pentesting. Empirically validate whether controls detect the execution of common exploits from legitimate frameworks.
- Responsible disclosure programme. Have a public channel for researchers to report bugs before attackers find them.
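An added illustration of the "anomalous child processes of web services" behaviour the EDR/XDR item describes, not code from the guide or from any EDR product: a minimal parent/child process rule run over constructed process-creation events. The process-name sets, the csc.exe allowlist and the sample hosts and paths are assumptions for the demo.

```python
import ntpath

# Web-facing service processes: after an RCE (T1190), the first visible trace is usually a
# child process of one of these. The names are a starting set, not an exhaustive list.
WEB_PARENTS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "java", "java.exe", "tomcat9.exe", "php-fpm"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "python", "python3", "perl"}
# Tuning allowlist (assumption for this demo): ASP.NET on IIS compiles pages by spawning csc.exe.
BENIGN_CHILDREN = {"csc.exe", "cvtres.exe"}

def basename(path: str) -> str:
    """Last path component, lower-cased; ntpath splits on both '\\' and '/'."""
    return ntpath.basename(path).lower()

def classify(parent: str, child: str):
    """Severity for one parent->child process pair, or None when it looks normal."""
    p, c = basename(parent), basename(child)
    if p not in WEB_PARENTS or c in BENIGN_CHILDREN:
        return None
    if c in SHELLS:
        return "high"    # web worker dropping into a shell: classic webshell / RCE follow-up
    return "medium"      # anything else unexpected under a web worker: review, then tune

def detect(events: list) -> list:
    """Run the rule over process-creation events and return the alerts in input order."""
    alerts = []
    for e in events:
        severity = classify(e["parent"], e["child"])
        if severity:
            alerts.append({"host": e["host"], "severity": severity,
                           "parent": basename(e["parent"]), "child": basename(e["child"])})
    return alerts

# Constructed process-creation events (Sysmon Event ID 1 / auditd style, reduced to the fields
# the rule needs). They are not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ex01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "child": r"C:\Windows\System32\cmd.exe"},
    {"host": "ex01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "child": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "app07", "parent": "/usr/lib/jvm/java-11/bin/java", "child": "/bin/sh"},
    {"host": "app07", "parent": "/usr/sbin/nginx", "child": "/usr/bin/python3"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe", "child": r"C:\Windows\System32\cmd.exe"},
    {"host": "ex01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "child": r"C:\Windows\System32\ipconfig.exe"},
]
```

Real EDR logic adds command-line, user and signer context; this rule only shows why the parent/child relationship alone already separates the Exchange and Log4j post-exploitation pattern from a user opening a terminal.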
Compliance fit
Exploit risk management covers direct points in current frameworks:
- NIS2 (article 21). Technical vulnerability management, incident management, patching. Without a documented formal programme, the position before the supervisor is indefensible.
- DORA (articles 6, 9, 10). ICT resilience in financial services. Formalised vulnerability management with metrics.
- ISO 27001:2022 (control 8.8). Technical vulnerability management. External audit requires a documented process.
- ENS Royal Decree 311/2022 (op.exp.5). Change and patch management.
- PCI DSS v4.0 (req. 6.3). Vulnerability management for components processing cardholder data.
- GDPR. Exploitation that leads to personal data exfiltration is a breach that must be notified within 72 hours.
Frequently asked questions
What's the difference between exploit and malware?
The exploit is the technique that produces an effect on the vulnerable system (execution, read, escalation). The malware is the final malicious code that executes after a compromise. Much malware embeds exploits (worms like WannaCry use EternalBlue), but the distinction matters: patching closes exploits; the malware itself still exists and enters through other vectors.
Does having a critical CVE mean I'm compromised?
Not automatically. It means you're exposed if three conditions hold: the vulnerable system is reachable by the attacker, there are no effective mitigations and a working exploit exists. When all three are present the risk rises to high and forces urgent patching or mitigation.
How long does an attacker take to exploit a critical CVE after publication?
According to recent reports (Mandiant, Rapid7, Sophos), opportunistic attackers scan at scale for critical CVEs within 24-48 hours of publication. For exposed environments, patching within a week is the only realistic security window.
What's Metasploit and what's it for?
It's the most-used pentesting framework in the world. It brings together exploits, payloads, auxiliary modules and post-exploitation tools under a consistent interface. Used by defensive teams to validate patches and by red teams for authorised testing. It's legal to possess and use it on your own systems or with formal authorisation; using it against third parties without permission is a crime.
Is exploit research legal in Spain?
Researching vulnerabilities on your own systems or on systems you are authorised to test is legal. Responsible research ending in a public advisory is valued by the community. What's illegal: testing exploits against third-party systems without formal authorisation (article 197 bis of the Penal Code), selling exploits to criminal actors, distributing digital weapons for criminal purposes (article 197 ter). A structured bug bounty programme is the legitimate way to monetise research.
Does an iOS or Android 0-day cost what they say?
Yes, the public prices published by Zerodium or Crowdfense are real. A full chain for modern iOS or Android in 2024-2026 pays in the millions of dollars depending on vendor and exclusivity. The prices reflect the difficulty, the intelligence market and the opportunity cost for the researcher.
Does generative AI change the exploit economy?
Partly. It accelerates the bug analysis and PoC generation phases for known vulnerable code. It doesn't replace an experienced researcher for complex vulnerabilities in modern systems with mitigations. The 2024-2026 frontier is that AI lowers the cost of exploiting N-days, not of creating sophisticated 0-days.
Related resources
- What is a CVE: standard identifier for vulnerabilities exploits get built on.
- What is MITRE ATT&CK: framework where public exploitation appears as technique T1190.
- What is ransomware: modern operators integrate N-day exploits into industrialised attack chains.
- Web application pentesting: where defences against common exploits in client software get validated.
- What is a WAF: complementary control that mitigates exploits in web applications.
Exploit management and patch management at Secra
At Secra we work on the client side in three typical situations: review of an existing vulnerability management programme (coverage, real SLAs, metrics), Red Team exercises that empirically validate whether defensive controls detect exploitation of fresh N-days in the environment, and consulting on prioritisation by KEV catalogue and sector-specific threat intelligence. If your organisation has a large Active Directory, unpatched legacy segments, exposed legacy applications or has never measured how long it takes to patch a critical vulnerability from official publication, get in touch via contact or check our Red Team service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.