Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.2. Hardware, OS, and Misconfiguration Vulnerabilities

💡 First Principle: Not all vulnerabilities live in application code. Hardware design flaws, OS weaknesses, and simple misconfigurations create exploitable conditions that no amount of application-level security can fix.

Hardware vulnerabilities — firmware flaws, side-channel attacks (Spectre, Meltdown), and embedded system weaknesses. Hardware vulnerabilities are particularly dangerous because they often can't be fully patched — mitigations degrade performance and may not eliminate the risk. Firmware attacks persist across OS reinstalls and are difficult to detect with traditional endpoint tools.

Operating system vulnerabilities — privilege escalation flaws, kernel exploits, and authentication bypasses in the OS itself. OS-level compromise gives attackers the highest privilege, making it the most impactful target. End-of-life operating systems (Windows Server 2012, older Linux kernels) no longer receive security patches and represent permanent, growing risk.

Misconfiguration vulnerabilities are the most common and preventable: open permissions, default credentials, unnecessary services running, debug modes enabled in production, overly permissive firewall rules, and unsecured cloud storage buckets. Misconfiguration is the leading cause of cloud breaches. Automated configuration scanning, whether checks against CIS Benchmarks or cloud security posture management (CSPM) tools, can catch these before attackers do.
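As an added illustration (not part of the original course material), the Python example below runs one check per misconfiguration class listed above against a constructed inventory. The inventory layout, the service allowlist, and the admin-port set are assumptions made for the example.

```python
import ipaddress
import stat

ADMIN_PORTS = {22, 3389}              # assumed: admin ports that must not be open to any source
ALLOWED_SERVICES = {"sshd", "nginx"}  # assumed baseline for this host role

# Constructed sample inventory; a real scanner would collect this from hosts and cloud APIs.
INVENTORY = {
    "files": {"/etc/app/secrets.env": 0o666, "/etc/app/app.conf": 0o640},
    "accounts": [{"name": "admin", "default_password": True},
                 {"name": "svc_backup", "default_password": False}],
    "services": ["sshd", "telnetd", "nginx"],
    "app": {"environment": "production", "debug": True},
    "firewall": [{"src": "0.0.0.0/0", "port": 22},
                 {"src": "10.0.0.0/8", "port": 443}],
    "buckets": [{"name": "corp-backups", "public_read": True},
                {"name": "corp-logs", "public_read": False}],
}

def audit(inv, allowed_services=ALLOWED_SERVICES):
    """Return (category, item) findings, one category per misconfiguration class."""
    findings = []
    for path, mode in inv["files"].items():
        if mode & stat.S_IWOTH:  # world-writable file
            findings.append(("open_permissions", path))
    for acct in inv["accounts"]:
        if acct["default_password"]:  # vendor default never changed
            findings.append(("default_credentials", acct["name"]))
    for svc in inv["services"]:
        if svc not in allowed_services:  # running but not in the baseline
            findings.append(("unnecessary_service", svc))
    if inv["app"]["environment"] == "production" and inv["app"]["debug"]:
        findings.append(("debug_in_production", "app"))
    for rule in inv["firewall"]:
        net = ipaddress.ip_network(rule["src"])
        if net.prefixlen == 0 and rule["port"] in ADMIN_PORTS:  # any source to admin port
            findings.append(("permissive_firewall", f"{rule['src']}:{rule['port']}"))
    for bucket in inv["buckets"]:
        if bucket["public_read"]:
            findings.append(("public_bucket", bucket["name"]))
    return findings

if __name__ == "__main__":
    for category, item in audit(INVENTORY):
        print(f"{category:22} {item}")
```

Each finding is a vulnerability in the sense used in this section: a condition on the system itself, reported before anything has exploited it.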

Side loading — installing applications from unofficial sources, bypassing the app store's security review process. Common on mobile devices and a vector for malware distribution.

Jailbreaking/rooting — removing manufacturer security restrictions on mobile devices. This disables built-in protections like code signing, sandboxing, and forced encryption. A jailbroken device cannot be trusted to enforce corporate security policies, which is why MDM solutions typically detect and flag jailbroken devices, blocking them from accessing corporate resources.

Memory-resident vulnerabilities (like buffer overflows and race conditions) allow attackers to exploit running processes without writing malicious files to disk, making them harder to detect with traditional file-based scanning.

āš ļø Exam Trap: Misconfiguration is a vulnerability, not a threat. If a question asks "which type of vulnerability?" and describes an open S3 bucket or default credentials, the answer is misconfiguration — not "hacking" or "unauthorized access" (those are threats exploiting the vulnerability).

Written by Alvin Varughese
Founder • 15 professional certifications