How Attackers Chain Vulnerabilities: Why Individual Findings Miss the Point
A penetration test report comes back with fourteen medium-severity findings and two low-severity findings. No criticals, no highs. The security team briefs leadership: the environment is in reasonable shape, there are no major issues. The findings go into a remediation backlog. Six months later, an actual attacker works through three of those medium findings in sequence, escalates from an unauthenticated network position to domain administrator, and exfiltrates two years of customer records.
This scenario is not hypothetical. It is the pattern behind most significant breaches we see described in post-incident reviews. The problem is not that the penetration test failed to identify the weaknesses. It is that the report presented findings as individual items rather than as components of an attack path. Individual severity scores are a starting point, not a conclusion.
How Attack Chains Actually Work
An attacker approaching a target does not stop at the first vulnerability they find. They map the environment, identify which weaknesses are reachable from their current position, and look for combinations that move them closer to their objective. A vulnerability that looks unremarkable in isolation -- an information disclosure finding that exposes internal network topology, for instance -- becomes highly valuable when it is the first step in a chain that leads to a more significant compromise.
A typical chain might look like this: an unauthenticated user reaches a web application and finds a verbose error message that reveals the internal IP addressing scheme and the software version running on the application server. That information is medium severity on its own. They then find an authenticated endpoint that is accessible without valid credentials due to a missing authorisation check, another medium finding. Using the access that provides, they reach a configuration panel that still carries the default administrator credentials, a medium finding. Three medium findings, sequentially exploited, give an attacker authenticated administrative access to the application server.
Why CVSS Scores Do Not Capture This
The Common Vulnerability Scoring System assigns scores to individual vulnerabilities based on the characteristics of that vulnerability in isolation: how it is accessed, whether it requires privileges or user interaction, and what the potential impact is if exploited alone. It does not account for the specific context of your environment, the presence of compensating controls, or whether the vulnerability is the first step in a chain rather than the final step.
This is not a flaw in CVSS -- it is the intended scope of the scoring system. The problem arises when organisations use CVSS scores as their primary prioritisation mechanism without considering attack paths. Two findings both scored at 5.5 might represent very different levels of actual risk depending on whether they are independent issues or two links in the same chain. A report that presents scores without attack path analysis is leaving the most important question unanswered.
What Good Attack Path Analysis Looks Like
A penetration test report that includes meaningful attack path analysis does several things that a standard finding list does not. It describes the sequence of steps the tester took to move from their starting position to each significant impact. It labels each finding with the chain it contributes to, so a reader can see that the three medium findings described above are connected rather than independent. It identifies the weakest link in each chain, because that is often the most cost-effective place to break the attack path.
When we conduct penetration tests, we structure findings in two layers. The first is a standard technical findings list for engineering remediation. The second is an attack path narrative that walks through the significant chains we identified and describes what an attacker could achieve by following each one. These two views together give the organisation both the detail they need to fix individual issues and the context they need to understand which combinations matter most.
Prioritising Remediation Using Attack Paths
Once you understand the attack paths in your environment, prioritisation becomes more straightforward. The criteria shift from individual CVSS scores to the following questions:
- Does this finding appear in an attack path that leads to a high-impact outcome, such as access to sensitive data, administrative control of a critical system, or the ability to move laterally into a more sensitive network segment?
- Is this finding the entry point for a chain -- if fixed, does it break the entire chain rather than just removing one step?
- Is this finding the weakest control in a chain -- the point that requires the least attacker skill or access to exploit?
- Does fixing this finding break multiple chains simultaneously?
A medium finding that answers yes to the first two questions should be treated as a high priority regardless of its CVSS score. A medium finding that answers no to all four can wait. This kind of analysis requires a report that presents attack paths, not just individual findings. When commissioning a penetration test, ask the testing firm how they will present attack path information in the report. The answer tells you a great deal about the quality of the engagement you will receive.
To discuss attack path analysis and how we approach penetration test reporting, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







