Security Misconfiguration
What is Security Misconfiguration?
Security misconfiguration is one of the most prevalent and most consistently exploited vulnerability classes in modern IT environments: it is A05 in the OWASP Top 10 (2021) for web applications and a leading cause of cloud data breaches. The term covers insecure default settings, unnecessary features or services left enabled, incomplete or incorrect hardening, overly permissive access controls, and out-of-date or unpatched components at the configuration layer of applications, frameworks, servers, and cloud services. Unlike a code-level vulnerability, which needs a developer to make a mistake, a misconfiguration often needs no mistake at all: the vendor's defaults favour usability over security, and the operator has to take deliberate hardening steps to close the gap.
Description
Security misconfiguration shows up at every layer of the technology stack. At the application layer: default admin credentials left unchanged; debug mode enabled in production (exposing stack traces and internal paths); verbose error messages revealing the server technology, database schema, or source code paths; and sample applications left deployed alongside production systems. At the server layer: unnecessary ports and services exposed; default service accounts with default passwords; missing security headers such as HSTS, X-Frame-Options, and Content-Security-Policy; and unencrypted management interfaces reachable from the internet. At the cloud layer: publicly readable S3 buckets; overly permissive IAM roles; disabled CloudTrail logging; and unrestricted security groups, the misconfiguration classes that Cloud Security Posture Management (CSPM) tools exist to detect continuously.
Misconfigurations frequently cluster: an organization that accepts permissive settings in one area tends to repeat the pattern across its environment, and the individual findings chain together into attack paths whose impact is far greater than any one of them alone. Secure by default, shipping products in a hardened state with security features enabled rather than disabled, is the CISA-endorsed approach to addressing misconfiguration at the vendor level rather than leaving it to each customer.
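The application- and server-layer items above can be checked mechanically from a single HTTP response. The following script is an added example, not code from Evolve Security or from any tool the page mentions: it parses a raw response, reports missing or weak security headers, version disclosure in Server/X-Powered-By, and stack traces or debug output in the body. The two responses at the bottom are constructed for the example (the Werkzeug server banner, file path and error text are invented), and the header baselines are the common hardening minimums, not a formal standard.

```python
"""Audit a raw HTTP response for the application- and server-layer
misconfigurations listed above. Added example, not Evolve Security's code;
the responses at the bottom are constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Headers a hardened HTTPS service should send, with the baseline each must meet.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.I),
    "content-security-policy": re.compile(r"default-src"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
}
MIN_HSTS_AGE = 31536000  # one year, the common hardening baseline

# Body fragments that betray debug mode or verbose error pages in production.
DEBUG_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),  # Python stack trace
    re.compile(r"\bDEBUG\s*=\s*True\b"),                  # Django settings dump
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),         # Java stack frame
    re.compile(r"Whitelabel Error Page"),                 # Spring Boot default error page
]


@dataclass
class Finding:
    severity: str
    title: str
    detail: str


def parse_response(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: str) -> list[Finding]:
    """Return one Finding per misconfiguration observed in the response."""
    _, headers, body = parse_response(raw)
    findings: list[Finding] = []

    # 1. Missing or weak security headers.
    for name, baseline in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(Finding("medium", f"missing {name}", "header not sent"))
        elif not baseline.search(value):
            findings.append(Finding("medium", f"weak {name}", f"{value!r} fails baseline"))
    hsts = REQUIRED_HEADERS["strict-transport-security"].search(
        headers.get("strict-transport-security", ""))
    if hsts and int(hsts.group(1)) < MIN_HSTS_AGE:
        findings.append(Finding("low", "short hsts max-age",
                                f"max-age={hsts.group(1)} < {MIN_HSTS_AGE}"))

    # 2. Technology and version disclosure in Server / X-Powered-By.
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(Finding("low", f"version disclosure in {name}", value))

    # 3. Debug output or verbose errors leaking internals in the body.
    for pattern in DEBUG_PATTERNS:
        if pattern.search(body):
            findings.append(Finding("high", "verbose error or debug output",
                                    f"matched /{pattern.pattern}/"))
            break
    return findings


# Constructed responses: a development server left in production, and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Werkzeug/1.0.1 Python/3.8.10\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<h1>Server Error</h1><pre>Traceback (most recent call last):\n"
    '  File "/srv/app/views.py", line 42, in checkout\n'
    "    cursor.execute(sql)\n"
    'psycopg2.ProgrammingError: relation "orders" does not exist</pre>'
)
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<h1>Something went wrong</h1><p>Reference: 8f3c2a</p>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = audit_response(raw)
        print(f"== {label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.title}: {f.detail}")
```

Running it reports six findings for the weak response (four missing headers, the Werkzeug/Python version banner, and the Python traceback) and none for the hardened one. A header that is present but below baseline is reported separately from a missing one, which matters in practice: an HSTS max-age of a few minutes or an X-Frame-Options value the browser will not honour is easy to miss when a scanner only checks for presence.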
Usage and Examples
During an external network penetration test, a tester discovers a forgotten server running an older version of Apache Tomcat with the Manager application reachable on port 8080 and a guessable default credential pair (admin/admin) still in place. Manager accepts WAR deployments from anyone who can authenticate, so the tester packages a JSP webshell as a WAR, deploys it, and has remote code execution on the host within 10 minutes of spotting the misconfiguration. The server, found during the asset enumeration phase, was not in the organization's authorized asset inventory, which is how attack surface management gaps let misconfigurations on forgotten assets persist indefinitely. Cloud environments show the same pattern: a publicly readable S3 bucket holding application configuration files with database credentials hands an attacker everything needed for direct database access, with no exploit required.
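The S3 half of that scenario is decided by three settings: the bucket policy, the bucket ACL, and the account or bucket Block Public Access flags. The script below is an added example, not Evolve Security's code or any CSPM product's rule set; it takes those three documents in the shapes the AWS APIs (GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock) return and decides whether the bucket is readable by the world. The bucket name, role ARN, account ID and VPC endpoint ID in the sample documents are constructed for the example.

```python
"""Decide whether an S3 bucket is publicly readable from its bucket policy,
ACL and Block Public Access settings, the way a CSPM rule does. Added example,
not Evolve Security's code; the documents below are constructed."""
from __future__ import annotations

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone, unauthenticated
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:listbucket", "s3:*", "*"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value) -> list:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (alone or in a list) means everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_read(actions) -> bool:
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def public_policy_statements(policy: dict) -> list[str]:
    """Sids of Allow statements that give read access to everyone. A Condition
    narrows the grant (e.g. to one VPC endpoint), so those are tagged rather than
    dropped: a human still has to confirm the condition is actually restrictive."""
    hits: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not (_is_public_principal(stmt.get("Principal")) and _grants_read(stmt.get("Action"))):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        hits.append(f"{sid} (conditional)" if stmt.get("Condition") else sid)
    return hits


def public_acl_grants(acl: dict) -> list[str]:
    """'<group>:<permission>' for each grant to AllUsers or AuthenticatedUsers."""
    hits: list[str] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return hits


def assess_bucket(name: str, policy: dict, acl: dict, public_access_block: dict) -> dict:
    """Block Public Access with all four flags on neutralises both a public
    policy and public ACL grants; anything less leaves the bucket exposed."""
    fully_blocked = all(public_access_block.get(flag, False) for flag in BPA_FLAGS)
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    return {
        "bucket": name,
        "public": bool(policy_hits or acl_hits) and not fully_blocked,
        "policy_statements": policy_hits,
        "acl_grants": acl_hits,
        "block_public_access": fully_blocked,
    }


# Constructed inputs for a bucket like the one in the example above.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-config/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-config", "arn:aws:s3:::example-app-config/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-config/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
NO_BPA = {flag: False for flag in BPA_FLAGS}
FULL_BPA = {flag: True for flag in BPA_FLAGS}
# Hardened variants: only the application role keeps access, the ACL is owner-only.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [EXPOSED_POLICY["Statement"][1]]}
HARDENED_ACL = {"Grants": EXPOSED_ACL["Grants"][:1]}

if __name__ == "__main__":
    print(assess_bucket("example-app-config", EXPOSED_POLICY, EXPOSED_ACL, NO_BPA))
    print(assess_bucket("example-app-config", HARDENED_POLICY, HARDENED_ACL, FULL_BPA))
```

The exposed bucket is reported public through both the `PublicRead` statement and the `AllUsers:READ` ACL grant, with the VPC-endpoint statement flagged as conditional for review. The same policy and ACL with all four Block Public Access flags enabled is reported as not public, which is why enabling Block Public Access at the account level is the first remediation step: it closes the class of finding rather than one bucket.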
How Does This Relate to Penetration Testing?
Security misconfigurations are among the most common findings across every type of penetration testing engagement. External network assessments regularly turn up internet-exposed management interfaces, default credentials, and unnecessary service exposure. Cloud penetration testing systematically evaluates cloud service configurations against security baselines. Application penetration testing identifies application-layer misconfigurations such as debug mode exposure, verbose errors, and missing security headers. Evolve Security's misconfiguration findings come with specific remediation steps, hardening guidance, configuration examples, and references to CIS Benchmarks, not just a description of the weakness. Evolve Security's full suite of penetration testing services identifies security misconfigurations across network, application, and cloud environments, with actionable hardening guidance that development and operations teams can implement.