How the vulnerability can be exploited 

What is exploitation?

An exploit is a computer program, data, or code execution that exploits a vulnerability to

produce unexpected behavior or obtain unauthorized access to sensitive data.

Once vulnerabilities have been found, they are reported to the Common Vulnerabilities and

Exposures database (CVE).

CVE is one comprehensive vulnerability database available in free that aims to enhance

global cyber security and cyber resiliency by defining a standard identifying number for each

vulnerability or exposure.

How the Exploitation behave?

Exploits seek a security hole in an operating system, software application, computer system,

Internet of Things (IoT) device, or another security issue. When an exploit has been used,

mostly it gets aware to the software authors of the affected system or application, and it is

frequently patched and rendered useless. That's the reason why all those

cybercriminals, military, and government organizations, prefer not to post vulnerabilities to

CVE but instead keep them secret. The vulnerability is identified as a zero-day vulnerability

or zero-day exploit when it occurred.

EternalBlue is a well-known instance of a public authority (NSA) keeping a software

vulnerability secret. Eternal Blue targeted outdated editions of the Windows Operating

system which used the Server Message Block (SMB) protocol. Before Eternal Blue was

fixed, cybercriminals created the WannaCry ransomware worm which attacked EternalBlue.

This spread toward an approximated 200,000+ machines in 150 countries, it caused hundreds

of millions to billions of dollars in losses. Regardless of the fact that software developers

have issued a patch to solve EternalBlue, this reported weakness remains a significant

cybersecurity risk since users have been slow to implement the patch.

Different Types of Exploits

There are 5 main types of vulnerabilities can be exploited

1)Hardware- Inadequate encryption, lack of configuration management, or firmware

weakness. 

 
2) software-The following are examples of input validation errors: buffer overflow, overread,

dangling pointers, buffer overflow, cross-site scripting (XSS), SQL injection and etc. 

 

3)Network- Man-in-the-middle attacks (MIMA), domain hijack, 

 inadequate network security, absence of authentication, typosquatting, or default passwords are all examples of unencrypted communication lines. 

 

4)Personnel- Poor recruitment policy and procedure, shortage of security awareness training, poor compliance of information security policy, lower-level password management, or falling victim to popular social engineering attacks such as phishing, smishing, spear phishing,

honey traps, pretexting, water holing, and whaling. 

5)Physical- Lack of physical security like fences, CCTV, Security guards, walls as well as

lack of access control keycard.

Exploits can be further divided into two categories as follows.

•  Known Vulnerabilities- Cybersecurity researchers are aware of and have identified exploits. Exploits which target known vulnerabilities are frequently previously fixed but remain a concern due to the delayed patching process.
• Zero Day Vulnerabilities- Vulnerabilities which have not been disclosed publicly or registered on CVE. This indicates that hackers discovered the exploit before developers could release a fix; in certain circumstances, the developer might not have been aware of the weakness.

How the Exploit Acquire?

There are several ways to acquire the exploit as follows.

• Client Exploits - Existing client application exploits often include customized servers that transmit an exploit when a client application is visited. They may also demand user participation and depend on social engineering tactics including such phishing or spear phishing or on adware to propagate.
• Remote Exploits- Works across a network and exploits the weakness without requiring previous system access.
• Local Exploits- Requires previous access to the susceptible system and grants the attacker more privileges than any of those given by the security specialist.

Exploits are often intended to attack the confidentiality, integrity, or availability (CIA triad)

underlying application or a infrastructure. Numerous fraudsters accomplish this by addressing

various attacks channels, first getting restricted access and then exploiting a second

vulnerability to elevate privileges until attaining root access. Those entrusted with defending

information assurance, network security, and data protection must deploy defense in depth for

this reason. An attacker could, for instance, compromise the confidentiality of a workstation

by installing malware on it, the integrity of a web page by injecting malicious script into the

search engine, or even the availability of a service by launching a spread denial of service

(DDoS) attack using a botnet of trojans.

What is Exploit kit and used for?

An exploit kit is a tool that hackers may use to execute attacks against frequently installed

software with known vulnerabilities exist, such as, Microsoft Silverlight, Java language, and

Flash Player. A standard exploit kit includes a management panel, vulnerabilities aimed at

various programs, and a number of plug-ins which make it simpler to launch a cyberattack.

Exploit kits are a popular approach for propagating various sorts of malware and making revenue because of its automatic behavior. Developers of exploit kits may sell their exploit

kit as either a service or as a standalone product.

if you interest please refer more details here 

•  What is a Vulnerability?

• How to Check the Hard disk Health(HDD/SSD health)