Over the past several years, the ExColo team has conducted dozens of IT security audits in Polish organizations — from small companies to large enterprises and public institutions. In every environment we encounter the same security vulnerabilities, recurring with remarkable regularity regardless of industry, organization size, or IT budget. This article describes the seven most common vulnerabilities, their real-world consequences, and concrete remediation steps that can be implemented today.
Vulnerability 1: Weak Passwords and No MFA
Compromised credentials are responsible for over 80% of data breaches according to the Verizon DBIR 2024 report. Despite widespread awareness of the problem, weak passwords and lack of multi-factor authentication remain the most common vulnerability we find during audits. Credential stuffing attacks (attempting to log in with lists of credentials stolen from other services), dictionary brute force against accounts without lockout, and phishing for passwords — all of these methods are technically trivial and highly effective when an organization does not enforce MFA.
Particularly dangerous is the phenomenon of password reuse: users employ the same password for corporate systems as for personal portals that have already been compromised. Databases of stolen credentials (available on the dark web for a few dollars) contain billions of login-password pairs. Attackers automatically test them against corporate VPNs, email systems, and corporate portals.
How to fix it:
- Deploy MFA for all users without exception. Minimum: an authenticator app (Microsoft Authenticator, Google Authenticator). For administrative accounts: FIDO2 only (YubiKey security keys or Windows Hello for Business) — the only phishing-resistant method.
- Enable "number matching" and "additional context" in Microsoft Authenticator to prevent MFA fatigue attacks (attacks that flood users with approval requests, counting on an accidental acceptance).
- Deploy a corporate password manager (1Password Teams, Bitwarden for Business) — it eliminates password reuse and allows users to use strong, unique passwords without memorization.
- Disable mandatory periodic password rotation — counterintuitively, forcing frequent password changes leads to weaker passwords (Password1!, Password2!). Per NIST SP 800-63B guidelines, passwords should be changed only upon suspected compromise, not on a schedule.
- Check user accounts against known breach databases (Have I Been Pwned API, Entra ID Password Protection feature).
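As an added example (not ExColo's code or part of the original article), the following Python shows how a breach check against the Have I Been Pwned Pwned Passwords range API works with k-anonymity: only the first five hex characters of the password's SHA-1 digest leave the client. The range response used here is constructed inline so the demo runs offline, and the `password_acceptable` policy and its minimum length are assumptions for illustration.

```python
"""k-anonymity check against the HIBP Pwned Passwords range API.
Only the 5-char SHA-1 prefix is sent; the server returns every suffix
under that prefix and the match is made locally. No request is made here."""
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Return (5-char prefix sent to HIBP, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL an integration would GET for this password (not called in this demo)."""
    return HIBP_RANGE_URL + sha1_prefix_suffix(password)[0]


def breach_count(password: str, range_response: str) -> int:
    """Parse 'SUFFIX:COUNT' lines of a range response; 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, range_response: str, min_len: int = 12) -> bool:
    """Demo policy (an assumption, not a quotation of NIST): reject short or breached."""
    return len(password) >= min_len and breach_count(password, range_response) == 0


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# The other suffixes and the count are made up; this is not real HIBP data.
_PW_SUFFIX = sha1_prefix_suffix("password")[1]
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:4",
    f"{_PW_SUFFIX}:3861493",
    "FEDCBA9876543210FEDCBA9876543210FED:1",
])
```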
Vulnerability 2: Unpatched Systems
Unpatched systems are an open invitation to attackers. According to Mandiant data, the average time from CVE publication to active exploitation in attacks is just 15 days. For critical CVSS 9.0+ vulnerabilities, this window shrinks to a few days. Organizations without a defined patch management process often operate with vulnerabilities months or even years old.
The most commonly neglected areas are: Windows servers without current updates (especially those "critical" for business that IT is afraid to touch), network devices (routers, switches, firewalls) with firmware 2-3 years old, third-party applications (Adobe, Java, VLC, backup tools), and OT/ICS systems running on Windows XP or Server 2003. Particularly dangerous are vulnerabilities on domain controllers — their compromise gives an attacker immediate full control over the entire infrastructure.
How to fix it:
- Deploy centralized patch management: WSUS/SCCM for on-premises environments, Microsoft Intune for mobile and remote devices. Automate patch deployment for workstations — they should not require manual intervention.
- Define SLAs for patch deployment: critical (CVSS 9.0+): 24-48 hours; high (CVSS 7.0-8.9): 7 days; medium and low: up to 30 days. SLAs must be enforced, not just documented in policy.
- Regularly scan the environment with vulnerability detection tools (Nessus, OpenVAS, Qualys) — this identifies systems that have fallen out of the patch management process.
- Create an exception register for systems that cannot be updated (legacy OT, vendor systems without support) with documentation of compensating security controls (network isolation, monitoring, access restriction).
Vulnerability 3: Active Directory Misconfigurations
Active Directory is the primary target of every advanced attacker — it controls access to all organizational resources. AD misconfigurations are extremely common and often represent a straightforward path from a regular user to full domain control (Domain Admin). During audits we almost always find at least several of the following issues.
- Service accounts vulnerable to Kerberoasting — accounts with registered SPNs (Service Principal Names) and weak passwords, whose service tickets (encrypted with the account's password hash) can be requested by any domain user without administrative privileges and cracked offline.
- AS-REP Roastable accounts — users with the "Kerberos pre-authentication required" flag disabled, allowing an authentication response encrypted with the user's password hash to be obtained without knowing the password and cracked offline.
- Excessive ACL permissions — users or groups with rights to reset passwords, modify privileged groups, or write to GPO objects without business justification.
- AdminSDHolder abuse — historical modifications to the access control list of the protected AdminSDHolder container that SDProp propagates to every protected account and group, granting unexpected permissions.
How to fix it:
- Run Ping Castle (free tool) — generates an Active Directory health score from 0 to 100 and a prioritized list of specific issues. Start by eliminating items classified as "Critical." Target score: above 85.
- Run BloodHound with data collected by SharpHound — it will graphically show attack paths from a regular user to Domain Admin. Each identified path should be systematically eliminated.
- Conduct an SPN audit — identify service accounts vulnerable to Kerberoasting. Change these accounts' passwords to strong ones (minimum 30 random characters) or migrate services to gMSA (Group Managed Service Accounts), which have automatic password rotation.
- Enable AD change auditing (Event ID 4728, 4732, 4756 — privileged group changes; 4670 — ACL changes) and forward logs to SIEM or Microsoft Defender for Identity.
- Conduct quarterly AD reviews using Ping Castle — track score improvement and eliminate new issues before they are exploited.
Vulnerability 4: No Network Segmentation
A flat network — one where all devices can communicate freely with each other — is an attacker's dream and a security administrator's nightmare. When an attacker gains a foothold in one system (e.g., through employee phishing), they can freely scan the entire network, search for vulnerable systems, exfiltrate data, and spread ransomware to hundreds of devices. Without segmentation, one compromised system means the potential compromise of all systems.
In the environments we audit, an ordinary office employee's workstation can often connect directly to domain controllers, financial servers, backup systems, and network management interfaces — which is architecturally unacceptable. Ransomware such as LockBit, BlackCat, and others actively scans the local network for SMB shares and sensitive systems before initiating encryption.
How to fix it:
- Deploy VLAN-based network segmentation as a minimum: separate server networks from user networks, management networks from production networks, guest networks from corporate networks, and OT/ICS systems from IT networks.
- Add firewall ACL rules between segments — inter-segment communication should be blocked by default and require explicit permission. Minimum rule: users should not be able to directly connect to domain controllers or backup servers on administrative ports.
- For critical assets (financial servers, databases, ERP systems), consider deploying microsegmentation — granular workload-level control independent of VLANs.
- Review firewall rules — many organizations have "temporary" rules from years ago that inadvertently leave open pathways to critical systems.
Vulnerability 5: Excessive Permissions
The principle of least privilege is one of the fundamental principles of IT security and simultaneously one of the most frequently violated in practice. Typical issues we find during audits: service accounts with Domain Admin rights (because "it was easier during deployment"), all users having local administrator rights on their computers (because "IT didn't want to deal with every installation"), employees who left the company six months ago but whose accounts are still active, and developers with access to production databases without an approval process.
Excessive permissions are a multiplier problem: compromising one account with excessive permissions gives an attacker access to resources the compromised account should never have been able to reach. A service account with Domain Admin is a ready-made path to complete infrastructure takeover.
How to fix it:
- Deploy LAPS (Local Administrator Password Solution) — Microsoft LAPS generates and stores unique, rotated local administrator passwords for each workstation and server. It eliminates the shared local admin password problem, where a leaked password grants access to hundreds of systems simultaneously.
- Deploy PAM (Privileged Access Management) for privileged accounts — service accounts and administrative accounts should be stored in a password vault, with credentials rotated regularly. Every use of a privileged account should be logged.
- Conduct quarterly access reviews — systematic checking that every account has permissions appropriate to the user's current role. Remove accounts of people who have left the organization or changed roles.
- Configure automatic account disabling after a defined period of inactivity (90 days) or after contract end date.
- Review service accounts — any service account with Domain Admin is a critical risk. Migrate services to accounts with minimum necessary permissions or gMSA.
Vulnerability 6: No Monitoring or Detection
You cannot stop an attack you cannot see. The median attacker dwell time before detection is 16 days according to DBIR 2024 — for over two weeks an attacker can freely gather information, escalate privileges, establish backdoors, and prepare the actual strike. In Polish organizations we audit, monitoring is often completely absent or limited to reviewing logs on demand after an incident — equivalent to installing a security camera and never watching the recordings.
Lack of monitoring is not only a technical problem — it is a procedural one. Even if tools generate alerts, without defined processes and accountability for handling them, they go unnoticed.
How to fix it:
- Enable advanced auditing on domain controllers: logging events 4624 (successful logon), 4625 (failed logon), 4728/4732/4756 (privileged group changes), 4740 (account lockout), 4768/4769 (Kerberos ticket requests).
- Deploy Microsoft Defender for Identity (MDI) — a sensor on domain controllers that analyzes AD traffic in real time and detects attacks such as Pass-the-Hash, Kerberoasting, DCSync, and AD reconnaissance. Available within Microsoft 365 E5 licences or as a standalone product.
- Enable Entra ID Protection — automatic risk assessment of sign-ins and users with alerts on anomaly detection (impossible travel, anonymous IP, compromised device). Configure automated response policies: require MFA or block the account when high risk is detected.
- Centrally collect logs from key systems (domain controllers, critical servers, firewalls, VPN) in a SIEM. Even a simple solution (Microsoft Sentinel, Wazuh) with a few correlation rules is vastly better than no monitoring.
- Define processes and accountability: who receives alerts, in what timeframe must they respond, how are unresolved incidents escalated.
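As an added example (not ExColo's code or part of the original article), here is a small Python correlation routine that implements, over constructed Windows Security events, the rules named in the monitoring list above and in the AD auditing bullet of Vulnerability 3: privileged group membership changes (4728/4732/4756), ACL changes (4670), account lockouts (4740), and bursts of failed logons (4625) from one source. The field names, thresholds and the five-minute window are assumptions.

```python
"""Toy SIEM correlation over Windows Security events (constructed records,
not real logs): each event is a dict with Event ID, timestamp and fields."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_CHANGE_IDS = {4728, 4732, 4756}   # member added to global/local/universal group
FAILED_LOGON, LOCKOUT, ACL_CHANGE = 4625, 4740, 4670


def correlate(events, burst_threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (severity, rule, detail) tuples, in time order."""
    alerts, failures = [], defaultdict(list)   # failures: source IP -> 4625 timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["id"]
        if eid in GROUP_CHANGE_IDS and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append(("high", "privileged-group-change",
                           f"{ev['subject']} added {ev['member']} to {ev['group']}"))
        elif eid == ACL_CHANGE:
            alerts.append(("medium", "acl-change", f"{ev['subject']} changed ACL on {ev['object']}"))
        elif eid == LOCKOUT:
            alerts.append(("medium", "account-lockout", f"{ev['target']} locked out"))
        elif eid == FAILED_LOGON:
            ts = failures[ev["ip"]]
            ts.append(ev["time"])
            while ev["time"] - ts[0] > window:      # drop failures outside the sliding window
                ts.pop(0)
            if len(ts) == burst_threshold:          # fire once, when the threshold is crossed
                alerts.append(("high", "failed-logon-burst",
                               f"{burst_threshold} failed logons from {ev['ip']} within {window}"))
    return alerts


_T0 = datetime(2024, 5, 1, 9, 0, 0)   # constructed base time for the sample


def _ev(eid, second, **data):
    """Build one constructed event `second` seconds after _T0."""
    return {"id": eid, "time": _T0 + timedelta(seconds=second), **data}


SAMPLE_EVENTS = [
    *[_ev(4625, s, ip="10.20.30.40", target=f"user{s}") for s in range(0, 120, 20)],  # 6 in 100 s
    _ev(4625, 900, ip="10.1.1.5", target="jdoe"),                           # lone failure
    _ev(4728, 1000, subject="svc-backup", member="jdoe", group="Domain Admins"),
    _ev(4732, 1010, subject="helpdesk", member="jdoe", group="Remote Desktop Users"),
    _ev(4670, 1100, subject="jdoe", object="CN=AdminSDHolder,CN=System,DC=corp,DC=example"),
    _ev(4740, 1200, target="svc-sql"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields four alerts; the single failed logon and the non-privileged group change produce none.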
Vulnerability 7: Unprotected Backups
Backup is the last line of defence against ransomware — but only when properly protected. Modern ransomware groups (LockBit, BlackCat/ALPHV, Akira) actively seek and destroy backup systems before triggering encryption. Attackers know that if a backup is available, the victim will not pay the ransom. Therefore the backup server and Volume Shadow Copy (VSS) mechanisms are often the first target.
Typical mistakes we see: backups on SMB shares accessible from the production network (ransomware encrypts them together with production data), no offline or offsite backups (the only data copy is in the same location as production data), backups never tested for restorability (the organization discovers the problem only during an incident), and backup accounts with excessively high privileges.
How to fix it:
- Implement the 3-2-1-1 backup rule: 3 copies of data, on 2 different media types, 1 copy offsite, 1 copy offline or immutable (unmodifiable by the production system). An immutable copy (object storage with WORM enabled, magnetic tapes) is critical — even if an attacker has Domain Admin, they cannot modify an immutable backup.
- Regularly test recovery — at least once per quarter, perform a full restore test of a critical system from backup. Document the recovery time (RTO) and recovery point objective (RPO). A backup that has never been tested is a hypothesis, not a guarantee.
- Isolate backup infrastructure — the backup server should not be accessible from user networks or production server networks on ports other than those necessary for data collection. The backup agent account should have minimum permissions (not Domain Admin).
- Disable or protect Volume Shadow Copy — enable VSS protection through Microsoft Defender for Endpoint or restrict access to shadow copy deletion tools (vssadmin, wmic shadowcopy) through AppLocker or Windows Defender Application Control.
- Store at least one copy of data in a cloud service with immutability enabled (Azure Blob Storage with immutable storage, AWS S3 Object Lock) — such a copy is resistant to ransomware encryption operating on the local network.
Action Plan: Where to Start
The seven vulnerabilities described may seem like an overwhelming list of tasks. In practice, fixing them all simultaneously is impossible — prioritization and a phased approach are essential.
Quick wins — Week 1:
- Enable MFA for all administrative accounts and accounts with email access (priority: Microsoft 365/Entra ID).
- Run Ping Castle and review the critical AD issues list — many can be fixed within hours (e.g., disabling insecure GPO settings, changing service account passwords).
- Verify backup integrity — check the date and completeness of the most recent copies of critical systems. If backup has not been tested, conduct a restore test in a test environment.
Month 1:
- Deploy MFA for all users (not just administrators).
- Run vulnerability scanning (Nessus/OpenVAS) — identify missing patches and critical vulnerabilities.
- Conduct a permissions review: remove inactive accounts, identify service accounts with Domain Admin.
- Assess network segmentation: can workstations connect to domain controllers on administrative ports? If yes — this is a priority to fix.
Quarter 1:
- Full Active Directory hardening based on BloodHound and Ping Castle results.
- LAPS deployment for all workstations and servers.
- SIEM deployment with correlation rules for identity security events.
- Patch management process deployment or review with defined SLAs.
- Assessment of PAM deployment need for privileged accounts.
How ExColo Can Help
ExColo conducts comprehensive IT security audits covering all the areas described — identity and Active Directory, network security and segmentation, privilege management, backup system status, and monitoring maturity. The audit output is a prioritized list of vulnerabilities with risk ratings and concrete remediation steps — not generic recommendations, but a detailed action plan tailored to your environment.
Depending on organizational needs, we can conduct a full infrastructure audit, focus on an Identity Security and Active Directory audit, assess network security and segmentation, or design a microsegmentation implementation for critical assets.
If you are unsure where to start improving your IT infrastructure security, start with a conversation. Contact ExColo — the first diagnostic consultation is at no charge.