Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A known security flaw with no applied fix, leaving systems open to exploitation—the root cause behind many breaches and a top attacker entry point.
Unpatched Vulnerability Definition: A known security flaw with no applied fix, leaving systems open to exploitation—the root cause behind many breaches and a top attacker entry point.
An unpatched vulnerability is a known security flaw in software, firmware, or a system for which a fix exists or is needed but has not been applied. Until the patch is installed, the weakness remains exploitable, giving attackers a path to gain unauthorized access, run code, steal data, or disrupt services.
Vulnerabilities are typically disclosed publicly, assigned CVE identifiers, and scored for severity using CVSS. Once a vendor releases a patch, the technical details and often proof-of-concept exploit code become widely available, narrowing the window before attacks begin. The gap between disclosure or patch release and actual remediation—driven by testing requirements, change windows, legacy dependencies, or simple oversight—is the exposure window during which the system is an unpatched, soft target. Vulnerability scanners and asset inventories help organizations find these gaps across their environment.
This matters because unpatched vulnerabilities are among the most common causes of breaches. Attackers and automated worms actively scan the internet for systems missing recent patches, and high-profile incidents such as the Equifax breach (an unpatched Apache Struts flaw) and the WannaCry outbreak (the EternalBlue SMB flaw, patched months earlier) show the scale of damage. CISA's Known Exploited Vulnerabilities catalog highlights flaws confirmed to be under active attack, prioritizing what must be patched first.
For example, a vendor publishes a critical CVE in a widely used VPN appliance and releases a patch the same day. An organization delays the update for a maintenance window two weeks later. Within days, attackers scanning for the flaw exploit the still-vulnerable appliance, establish a foothold, and move laterally into the internal network. A timely patch—or at least a compensating control such as restricting management access—would have closed the exposure window and prevented the intrusion.
Unpatched Vulnerability is one of the topics you'll master in the Security+ Boot Camp.
Security+ Boot Camp →