Penetration testing is supposed to uncover the unexpected, but some vulnerabilities show up so frequently that they have become predictable. These are the ten issues our team encounters most often across web applications, internal networks, and cloud environments.
1. Outdated Software and Missing Patches
Unpatched systems remain the single most common finding. Whether it is a Windows Server missing critical updates, an Apache Tomcat instance three major versions behind, or a JavaScript dependency with a known CVE, patch management gaps are nearly universal.
2. Weak or Default Credentials
We routinely find services running with default credentials: admin:admin, sa:sa, or vendor-specific defaults that were never changed after deployment. Password spraying with common passwords like Summer2025! or CompanyName1 succeeds in the majority of internal engagements.
3. Excessive Permissions and Privilege Creep
Users and service accounts accumulate permissions over time and rarely have them revoked. Domain admin counts in the double digits, service accounts with full database access, and S3 buckets with overly permissive IAM policies are routine findings.
4. Missing or Misconfigured MFA
Even when MFA is deployed, gaps persist. VPN portals without MFA, admin consoles protected only by passwords, and MFA policies that exclude service accounts create exploitable entry points.
5. SQL Injection
Despite decades of awareness, SQL injection persists in custom applications, particularly in legacy codebases and internal tools that never received the same security scrutiny as customer-facing products. Parameterized queries and ORM frameworks eliminate this class of vulnerability entirely.
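The vulnerable pattern and its parameterized replacement side by side, as an added example that is not part of the original post. It uses Python's standard sqlite3 module against a constructed in-memory table; the table, user names and the injection string are all assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a real user store.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # Vulnerable pattern: the input is pasted into the SQL text, so the
    # input can change the structure of the query, not just a value in it.
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    # Parameterized query: the driver passes the value separately from the
    # SQL text, so it is only ever compared as data, whatever it contains.
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Constructed input that turns the WHERE clause into a tautology in the
# concatenated version and is simply an unmatched username in the safe one.
INJECTION = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, INJECTION),
        "safe": find_user_safe(conn, INJECTION),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same placeholder syntax (`?`, `%s`, `:name`, depending on the driver) is what an ORM emits underneath; the protection only holds for the parts of a query that are parameterized, so ORM escape hatches that accept raw SQL strings need the same review as hand-written queries.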
6. Insecure Direct Object References (IDOR)
Authorization checks at the object level are frequently missing. Changing an ID parameter in a URL or API call to access another user's data is one of the simplest and most impactful vulnerabilities we exploit. Automated scanners typically miss these because finding them requires an understanding of the application's business logic.
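An object-level authorization check in the shape a handler should have, as an added example that is not part of the original post. The invoice store, the two customers and the request list are constructed for the demonstration; the point is that the corrected lookup is scoped to the caller, and that a foreign ID is answered exactly like a missing one so the response does not confirm that the ID exists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: float

# Constructed sample data: two customers, each owning one invoice.
INVOICES = {
    1001: Invoice(id=1001, owner_id=1, amount=120.00),
    1002: Invoice(id=1002, owner_id=2, amount=89.50),
}

class NotFound(Exception):
    """Surfaced to the client as 404 for missing and foreign objects alike."""

def get_invoice_idor(requesting_user_id, invoice_id):
    # Vulnerable pattern: the caller is authenticated, but nothing ties the
    # requested object to the caller. Any valid ID returns anyone's invoice.
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]

def get_invoice(requesting_user_id, invoice_id):
    # Object-level authorization: ownership is checked on every lookup, and
    # the failure path is the same whether the ID is foreign or absent.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != requesting_user_id:
        raise NotFound(invoice_id)
    return inv

def audit(handler, requests):
    # Run a handler over (user, invoice) pairs and record the outcome, so the
    # two implementations can be compared on the same requests.
    outcome = {}
    for user_id, invoice_id in requests:
        try:
            handler(user_id, invoice_id)
            outcome[(user_id, invoice_id)] = "allowed"
        except NotFound:
            outcome[(user_id, invoice_id)] = "denied"
    return outcome

# Constructed requests: own object, someone else's object, and a bogus ID.
REQUESTS = [(1, 1001), (1, 1002), (2, 1002), (2, 9999)]

if __name__ == "__main__":
    print("without check:", audit(get_invoice_idor, REQUESTS))
    print("with check:   ", audit(get_invoice, REQUESTS))
```

The check belongs in the data access path rather than in each route, so that a new endpoint cannot forget it; in a real application the scoped lookup is usually a query filtered on the owner column rather than a post-fetch comparison.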
7. Lack of Network Segmentation
Flat networks allow an attacker who compromises a single workstation to reach database servers, domain controllers, and production infrastructure without restriction. Proper segmentation with firewall rules between zones dramatically slows lateral movement.
8. Exposed Management Interfaces
SSH, RDP, database ports, and admin panels are frequently exposed to the internet or reachable from untrusted network segments. These services should be reachable only from hardened jump hosts or through a VPN with MFA.
9. Insufficient Logging and Monitoring
Many organizations collect logs but do not actively monitor them. During our engagements, we frequently complete entire attack chains without triggering a single alert. If you are not detecting brute-force attempts, lateral movement, or data exfiltration during a pentest, you will not detect them during a real attack either.
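A minimal detection for the brute-force and password-spraying activity mentioned here and in item 2, run over constructed log lines, as an added example that is not part of the original post. The log format (ISO timestamp, outcome, user, source IP), the thresholds and the sample events are all assumptions; a real deployment would consume the authentication log of the product in question and tune the window and counts to its baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One source fails
# against five different accounts in about a minute and then succeeds;
# another source has a single typo-style failure followed by a success.
SAMPLE_LOG = """\
2025-06-01T09:00:01 FAIL user=alice src=10.0.0.5
2025-06-01T09:00:12 FAIL user=bob src=10.0.0.5
2025-06-01T09:00:25 FAIL user=carol src=10.0.0.5
2025-06-01T09:00:40 FAIL user=dave src=10.0.0.5
2025-06-01T09:01:03 FAIL user=erin src=10.0.0.5
2025-06-01T09:01:30 OK user=erin src=10.0.0.5
2025-06-01T09:05:00 FAIL user=alice src=10.0.0.9
2025-06-01T09:30:00 OK user=alice src=10.0.0.9
"""

def parse_line(line):
    # Assumed format: "<iso-timestamp> <OK|FAIL> user=<name> src=<ip>".
    ts, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": outcome == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }

def detect_auth_abuse(log_text, window=timedelta(minutes=5),
                      max_failures=5, min_distinct_users=3):
    """Flag source IPs with at least max_failures failed logins inside
    `window`. Failures spread over min_distinct_users or more accounts are
    labelled a password spray, otherwise brute force. A later success from
    a flagged source is recorded, because that is the event worth paging on."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    failures = defaultdict(list)  # src -> failures inside the sliding window
    alerts = {}
    for ev in events:
        src = ev["src"]
        if ev["ok"]:
            if src in alerts:
                alerts[src]["success_after_failures"] = ev["user"]
            continue
        recent = [f for f in failures[src] if ev["ts"] - f["ts"] <= window]
        recent.append(ev)
        failures[src] = recent
        if len(recent) >= max_failures and src not in alerts:
            users = {f["user"] for f in recent}
            alerts[src] = {
                "kind": "password_spray" if len(users) >= min_distinct_users
                        else "brute_force",
                "failures": len(recent),
                "distinct_users": len(users),
                "first_seen": recent[0]["ts"].isoformat(),
                "success_after_failures": None,
            }
    return alerts

if __name__ == "__main__":
    for src, alert in detect_auth_abuse(SAMPLE_LOG).items():
        print(src, alert)
```

Keying the window on the source rather than on the account is what catches spraying, where each account sees only one or two failures and a per-account lockout threshold never fires; the single failure from 10.0.0.9 stays below threshold and produces no alert.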
10. Misconfigured Cloud Services
Public S3 buckets, overly permissive security groups, unencrypted storage, and IAM roles with wildcard permissions are endemic across AWS, Azure, and GCP environments. Cloud misconfigurations have overtaken traditional network vulnerabilities as the leading source of data breaches.
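A configuration review check for the wildcard IAM permissions mentioned here and under item 3, as an added example that is not part of the original post. It parses a constructed policy document (not from any real account) with the standard json module and reports every Allow statement whose Action or Resource is a wildcard; the policy contents, Sids and severity scheme are assumptions for the demonstration.

```python
import json

# Constructed sample policy: one properly scoped statement, two overly broad
# Allow statements, and a Deny whose wildcard is restrictive, not permissive.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReadsItsBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-data/*"},
        {"Sid": "LegacyAdmin", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "WildcardService", "Effect": "Allow",
         "Action": ["iam:*", "ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "ExplicitDeny", "Effect": "Deny",
         "Action": "*", "Resource": "*"},
    ],
})

def _as_list(value):
    # IAM accepts either a single string or a list in Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_wildcard_grants(policy_json):
    """Return one finding per Allow statement that grants a wildcard action
    ("*" or "service:*") or applies to every resource ("*"). Deny statements
    are skipped because a wildcard there narrows access rather than widening it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resources = [r for r in resources if r == "*"]
        if not (wildcard_actions or wildcard_resources):
            continue
        # Full admin (any action on any resource) is the case to fix first.
        full_admin = "*" in wildcard_actions and bool(wildcard_resources)
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "wildcard_actions": wildcard_actions,
            "wildcard_resources": wildcard_resources,
            "severity": "high" if full_admin else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in find_wildcard_grants(SAMPLE_POLICY):
        print(finding)
```

This covers only Action and Resource; a review of real policies also has to look at NotAction and NotResource (which invert the match and are easy to get wrong), at Condition blocks that may narrow an otherwise broad grant, and at the Principal element of bucket and resource policies, where a `"*"` is what makes a bucket public.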
What To Do About It
None of these findings require exotic solutions. Patch management programs, strong authentication policies, least-privilege access models, and regular configuration reviews address the vast majority. The challenge is not knowledge; it is consistent execution across every system, every account, and every deployment.