A vulnerability is a weakness in a system, application, or process that could be exploited by a threat to cause harm. Vulnerabilities exist in software (unpatched code, buffer overflows), configurations (default passwords, open ports), processes (lack of access reviews), and people (susceptibility to phishing).
Vulnerability management involves continuous scanning, assessment, prioritization based on exploitability and business impact, and remediation through patching, configuration changes, or compensating controls.
CISSP Relevance
Vulnerability concepts span Domain 1 (risk assessment), Domain 6 (Security Assessment and Testing), and Domain 7 (Security Operations). Exam questions test understanding of vulnerability scanning versus penetration testing, how to prioritize remediation, and the relationship between vulnerabilities and risk. Know common vulnerability scoring systems like CVSS.
The National Vulnerability Database at nvd.nist.gov tracks publicly disclosed vulnerabilities.
Related terms: Threat, Penetration Testing