
Attack Vector (Angriffsvektor)

The method or mechanism through which an attacker gains access to a system or exploits a vulnerability—e.g., email, the network, physical access, or compromised software.

The attack vector is the path an attacker uses to penetrate a system or exploit a vulnerability. It describes not what the attacker does, but how they gain access.

Attack Vectors According to CVSS

The CVSS scoring system classifies attack vectors into four categories:

| Attack Vector | Description | CVSS Weight |
|---|---|---|
| Network (N) | Exploitable remotely over the network – no physical proximity required | Highest severity |
| Adjacent (A) | Requires access to the same network segment (LAN, Wi-Fi) | Medium |
| Local (L) | Requires local access to the system (SSH, terminal access) | Low |
| Physical (P) | Requires physical access to the device | Lowest |

Practical example: An RCE vulnerability with a "Network" attack vector (such as Log4Shell) receives a higher CVSS score than the same vulnerability that can only be exploited locally.

Common Attack Vectors in Practice

Email (Phishing): Most common initial access vector—over 90% of all ransomware attacks start with a phishing email.

Exposed Services (RDP, VPN, SSH): Publicly accessible services with weak credentials or unpatched vulnerabilities—a key attack vector since COVID-19 (remote work).

Web Applications: SQL injection, XSS, IDOR—attack vectors via public web applications.

Supply Chain: Compromised software updates or libraries as an attack vector (SolarWinds, Log4Shell).

Physical Access: USB drives, direct hardware manipulation, tailgating into server rooms.

Social Engineering: Deceiving employees as an attack vector for credentials or access.

Insider Threats: Legitimate users with malicious intent or compromised accounts.

Attack Vector vs. Attack Surface

| Term | Definition |
|---|---|
| Attack Vector | Specific path/mechanism for a specific attack |
| Attack Surface | The totality of all possible entry points (all potential attack vectors) |

Attack Surface Reduction is a fundamental principle of security: Every unnecessary interface, every open port, every publicly accessible application is a potential attack vector and increases the attack surface.

Implications for Penetration Tests

Professional penetration tests categorize findings by attack vectors:

Network vectors (highest priority):

  • Critical: VPN with unpatched vulnerability (CVE-2024-XXXX)
  • High: RDP publicly accessible (Port 3389/tcp)
  • Medium: Admin panel without MFA over HTTPS

Adjacent vectors (with physical access):

  • High: Guest Wi-Fi and corporate Wi-Fi on the same segment

An attack vector determines how many potential attackers could exploit the vulnerability: Network vectors are accessible to anyone in the world—physical vectors are only accessible to someone physically on-site.