A vulnerability is a weakness in software, configuration, process, or design that could be used to compromise security.
A vulnerability is a weakness that could allow a system, application, process, or user to be harmed or misused. In plain language, it is something that makes a security problem easier to cause, whether that weakness comes from code, configuration, access design, patching gaps, or operational process.
Vulnerabilities matter because they create openings that threats can use. An organization may have good intentions and documented policies, but a weak implementation or a missing control can still expose sensitive data, allow unauthorized access, or interrupt essential services.
They also matter because not all vulnerabilities look dramatic. Some are severe software flaws, but others are routine issues such as excessive permissions, default credentials, poor secrets handling, or an unprotected admin interface. Security teams need a broad view of vulnerability, not just a list of famous software bugs.
The term appears in code review, architecture review, vulnerability scanning, penetration testing, bug triage, asset management, and patch planning. A SOC may monitor for exploitation attempts tied to a known vulnerability, while engineering teams may prioritize fixes based on exposure and business impact.
Vulnerability also appears in governance work. Risk registers, audit findings, and remediation plans often describe where important weaknesses exist, what assets are affected, and what Mitigation is required.
An internal administrative panel is reachable from the internet and still uses an outdated authentication flow. Even if the organization has written security policies, that exposed admin path is a vulnerability because it gives attackers a direct opportunity to target a sensitive function.
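As an added illustration of the scenario above (this is example configuration written for this page, not taken from any real deployment), the weak setting and the corrected setting for an admin path in an nginx reverse proxy are shown side by side. The path /admin, the internal network range 10.0.0.0/8, and the upstream address are assumptions chosen for the example.

```nginx
# Weak: the admin panel is reachable from any address, with no
# additional access control in front of the outdated login flow.
location /admin/ {
    proxy_pass http://127.0.0.1:8080;   # assumed upstream address
}

# Corrected: limit the path to the internal network and require a
# second authentication factor at the proxy layer. This reduces
# exposure; the outdated authentication flow behind it still needs
# to be replaced as a separate fix.
location /admin/ {
    allow 10.0.0.0/8;                   # assumed internal range
    deny  all;
    auth_basic           "Restricted";  # placeholder realm name
    auth_basic_user_file /etc/nginx/admin.htpasswd;  # assumed file
    proxy_pass http://127.0.0.1:8080;
}
```

The point of the comparison is the one the text makes: the weakness is the exposure of a sensitive function, not only the age of the login code, so narrowing who can reach the path removes part of the vulnerability even before the authentication flow is modernized.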
A vulnerability is not the same as an Exploit. The vulnerability is the weakness itself. An exploit is a way to take advantage of that weakness. A flaw can exist even before someone has a reliable exploit for it.
It is also not identical to Risk. A vulnerability contributes to risk, but the full risk picture also depends on exposure, threat activity, business impact, and existing controls.