Despite a system administrator's best efforts, virtually all hardware and software contain bugs.{{sfn|Ablon|Bogart|2017|p=1}} If a bug creates a security risk, it is called a vulnerability.{{sfn|Ablon|Bogart|2017|p=2}}{{sfn|Daswani|Elbayadi|2021|p=25}}{{sfn|Seaman|2020|pp=47–48}} Patches are often released to fix identified vulnerabilities, but those that remain unknown ([[zero-day (computing)|zero days]]) as well as those that have not been patched are still liable for exploitation.{{sfn|Daswani|Elbayadi|2021|pp=26–27}} Vulnerabilities vary in their ability to be [[Exploit (computer security)|exploited]] by malicious actors,{{sfn|Ablon|Bogart|2017|p=2}} and the actual risk is dependent on the nature of the vulnerability as well as the value of the surrounding system.{{sfn|Haber|Hibbert|2018|pp=5–6}} Although some vulnerabilities can only be used for [[denial of service]] attacks, more dangerous ones allow the attacker to [[code injection|inject]] and run their own code (called [[malware]]), without the user's awareness.{{sfn|Ablon|Bogart|2017|p=2}} Only a minority of vulnerabilities allow for [[privilege escalation]], which is typically necessary for more severe attacks.{{sfn|Haber|Hibbert|2018|p=6}} Without a vulnerability, an exploit typically cannot gain access.{{sfn|Haber|Hibbert|2018|p=10}} It is also possible for [[malware]] to be installed directly, without an exploit, through [[Social engineering (security)|social engineering]] or poor [[physical security]] such as an unlocked door or exposed port.{{sfn|Haber|Hibbert|2018|pp=13–14}}