The Most Common Security Gaps Found in Penetration Testing

Every penetration test ends up uncovering a familiar set of problems. Different companies, different industries, but the same issues keep showing up. They’re the basics that attackers love because they work over and over again.

Weak Passwords and a lack of MFA

Passwords like Winter2025! still show up everywhere. Every year, penetration tests turn up the same seasonal-password pattern: a season or month, the current year, and a punctuation mark. It’s predictable, it satisfies most “complexity rules”, and people think it’s clever. Attackers know it too, so it’s one of the first patterns that goes into password-spraying and brute-force lists. Add credentials reused across services, and attackers have an easy entry point. MFA adoption is improving, but too often it’s limited to webmail or the VPN, leaving everything else protected by the password alone. The fix is to enforce password policies that screen for predictable and previously breached passwords, not just character classes, and to mandate MFA across all critical services rather than only the obvious internet-facing ones.
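As an added example (not code from the original post), here is a Python password screen that applies the usual complexity rule and then rejects the seasonal pattern anyway. The base-word list, the leet-substitution map and the sample passwords are constructed for illustration; a real deployment would also check candidates against a breached-password corpus.

```python
import re

# Constructed list of base words behind predictable passwords; illustrative only.
# A production check would also screen against a breached-password corpus.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
GENERIC = ("password", "welcome", "letmein", "changeme", "qwerty", "companyname")
PREDICTABLE_BASES = set(SEASONS + MONTHS + GENERIC)

# Common leet substitutions, undone so that "Wint3r" and "P@ssw0rd" are caught too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def meets_complexity(pw: str) -> bool:
    """The usual rule: at least 8 characters and 3 of 4 character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    return len(pw) >= 8 and classes >= 3


def base_word(pw: str) -> str:
    """Strip the decorations people bolt on (year, digits, punctuation) and undo leet
    substitutions, leaving the dictionary word the password is built from."""
    core = re.sub(r"[^A-Za-z@$]+$", "", pw)    # trailing 2025!, 123, !!, ...
    core = re.sub(r"^[^A-Za-z@$]+", "", core)  # leading punctuation or digits
    return core.lower().translate(LEET)


def is_predictable(pw: str) -> bool:
    """True when the password is a known base word dressed up to pass complexity."""
    return base_word(pw) in PREDICTABLE_BASES


def evaluate(pw: str) -> str:
    """Policy decision for a proposed password."""
    if not meets_complexity(pw):
        return "reject: fails complexity"
    if is_predictable(pw):
        return "reject: predictable pattern (passes complexity but is in every spray list)"
    return "accept"


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Winter2025!", "Summer24", "P@ssw0rd!", "winter2025", "Tq7!mx9Lb#e2"):
        print(f"{pw:16} {evaluate(pw)}")
```

The point of the two-stage check is that Winter2025! sails through `meets_complexity` and is rejected only by `is_predictable`; a policy that stops at character classes is the policy that produces these passwords.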

Forgotten and Stale Accounts

Dormant accounts, especially old admin or contractor accounts, are low-hanging fruit. They’re rarely monitored, often overprivileged, and can provide direct access to sensitive systems without anyone noticing the logon. The fix is regular account reviews and automated deprovisioning when employees and contractors leave. Least privilege should be the rule, not the exception.

Unpatched Systems

Unpatched systems are the classic “open door” in almost every penetration test: internet-facing gear like VPN appliances or web servers running old firmware, internal servers such as domain controllers and file servers missing months of security updates, or business applications built on outdated platforms such as an old WordPress or PHP release with public exploits available. Gaining a foothold usually takes nothing more than fingerprinting the version, mapping it to a known CVE, and running an existing exploit.
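The fingerprint-and-map step is mechanical, which is exactly why it works for attackers and defenders alike. The following Python is an added example, not code from the original post: it parses constructed `Server:` banners and compares each version numerically against a fix table. The product names and "fixed in" versions are hypothetical placeholders; in real work the table comes from vendor advisories or NVD for the actual product.

```python
import re

# Constructed banner lines as a scanner might record them; not from any real host.
BANNERS = [
    "10.0.0.5:443  Server: exampled/2.4.9",
    "10.0.0.6:443  Server: exampled/2.4.10",
    "10.0.0.7:8080 Server: appserver/9.1",
    "10.0.0.8:22   SSH-2.0-OpenSSH_8.2p1",   # no Server: header; ignored by this parser
]

# HYPOTHETICAL fix table: product -> earliest version that closes a (placeholder) issue.
# Replace with data from the vendor advisory / NVD entry for the real product.
FIXED_IN = {"exampled": "2.4.10", "appserver": "9.1.0"}

BANNER_RE = re.compile(r"(?P<host>\S+)\s+Server:\s*(?P<product>[A-Za-z0-9_-]+)/(?P<version>[\d.]+)")


def parse_version(v: str, width: int = 3) -> tuple:
    """'2.4.9' -> (2, 4, 9); pads '9.1' to (9, 1, 0) so comparisons are tuple-wise numeric.
    Plain string comparison gets this wrong ('2.4.9' > '2.4.10' lexically)."""
    parts = [int(x) for x in v.split(".") if x.isdigit()]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def is_outdated(product: str, version: str) -> bool:
    fixed = FIXED_IN.get(product)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def triage(banners):
    """Return (host, product, version, verdict) for every parseable Server: banner."""
    results = []
    for line in banners:
        m = BANNER_RE.search(line)
        if not m:
            continue
        product, version = m["product"].lower(), m["version"]
        if product not in FIXED_IN:
            verdict = "unknown product"
        elif is_outdated(product, version):
            verdict = f"outdated (fixed in {FIXED_IN[product]})"
        else:
            verdict = "current"
        results.append((m["host"], product, version, verdict))
    return results


if __name__ == "__main__":
    for host, product, version, verdict in triage(BANNERS):
        print(f"{host:14} {product}/{version:8} {verdict}")
```

Two caveats a practitioner would add: banners can be suppressed or faked, so treat a "current" verdict as unconfirmed rather than safe, and distro-backported fixes mean an old-looking version string is not always vulnerable; the banner is where the triage starts, not where it ends.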

Overly Permissive Cloud Storage

Overly permissive cloud storage is another repeat finding in penetration tests. Exposed S3 buckets, Azure Blob containers, or GCP Cloud Storage buckets end up world-readable or world-writable because someone relaxed the access policy to make a deployment work and never tightened it again. It’s shockingly common to find sensitive data, backups, credentials, or even full database dumps sitting there with no authentication at all. Attackers don’t need sophisticated tooling for this; exposed storage turns up through simple name enumeration or automated scanners. For a pentester, it’s usually a quick win that proves real business risk with minimal effort.
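Using S3 as the concrete case, here is an added Python example (not code from the original post) that audits a bucket policy for statements any anonymous caller can use. Both policies below are constructed: the first is the typical "make it work" policy, the second grants the same read to a single role. The account ID, bucket and role names are placeholders.

```python
import json

# Constructed: the "anyone can read" policy that produces the finding.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed: the same read access scoped to one role (placeholder account ID and role).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowBackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _is_wildcard_principal(p) -> bool:
    """'*' and {"AWS": "*"} both mean 'any principal, including anonymous'."""
    if p == "*":
        return True
    if isinstance(p, dict):
        return "*" in _as_list(p.get("AWS", []))
    return False


def public_statements(policy_json: str):
    """Return Allow statements reachable by a wildcard principal, with a severity and
    whether they grant write/delete (world-writable is worse than world-readable)."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpce, aws:SourceIp) can narrow "*"; flag it for
        # manual review instead of calling it public outright.
        severity = "review (conditional)" if st.get("Condition") else "public"
        actions = _as_list(st.get("Action", []))
        writable = any(a in ("*", "s3:*") or a.lower().startswith(("s3:put", "s3:delete"))
                       for a in actions)
        findings.append({"sid": st.get("Sid", f"#{i}"), "severity": severity,
                         "actions": actions, "writable": writable})
    return findings


if __name__ == "__main__":
    print("public policy:", public_statements(PUBLIC_POLICY))
    print("scoped policy:", public_statements(SCOPED_POLICY))
```

On AWS the policy is only half the story: the account and bucket level Block Public Access settings override it, so a finding here should be read together with those. The same shape of check (wildcard principal plus allow plus no narrowing condition) applies to Azure container access levels and GCP IAM bindings to allUsers or allAuthenticatedUsers.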

Insecure Web Applications

Insecure web applications remain a goldmine during penetration tests. Even in 2025, vulnerabilities like SQL injection, cross-site scripting (XSS), authentication bypasses, and insecure direct object references (IDOR) show up in production apps. The risk isn’t abstract: a single injection flaw can expose customer data or give direct access to backend systems. Many of these bugs slip in because of rushed development cycles, missing input validation, or reliance on automated scanners alone, which don’t catch business logic flaws.
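To make two of those bugs concrete, here is an added Python example (not code from the original post) against an in-memory SQLite database with constructed rows. It shows a login query built by string concatenation being bypassed with a comment sequence, the parameterised query that resists the same input, and an IDOR on an invoice lookup beside the version that enforces ownership inside the query. The `password_hash` column stands in for real password verification, which would go through a proper KDF.

```python
import sqlite3


def setup_db():
    """Constructed sample data: two users, one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'h1'), (2, 'bob', 'h2');
        INSERT INTO invoices VALUES (100, 1, 250), (101, 2, 9000);
    """)
    return conn


# VULNERABLE (SQL injection): user input is pasted into the SQL text. Kept deliberately
# so the bypass below can be demonstrated; never write this.
def login_vulnerable(conn, username, password_hash):
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# FIXED: bound parameters; the driver never lets the input become SQL syntax.
def login_fixed(conn, username, password_hash):
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


# VULNERABLE (IDOR): parameterised, so no injection, but it trusts the id from the URL
# and never checks who owns the record.
def get_invoice_vulnerable(conn, current_user_id, invoice_id):
    return conn.execute(
        "SELECT owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


# FIXED: the ownership check is part of the query, so a foreign id simply returns nothing.
def get_invoice_fixed(conn, current_user_id, invoice_id):
    return conn.execute(
        "SELECT owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    payload = "alice' --"   # closes the string literal, comments out the password check
    print("vulnerable login as", login_vulnerable(db, payload, "anything"))   # 1
    print("fixed login as    ", login_fixed(db, payload, "anything"))        # None
    print("bob's invoice as alice, vulnerable:", get_invoice_vulnerable(db, 1, 101))
    print("bob's invoice as alice, fixed:     ", get_invoice_fixed(db, 1, 101))
```

Note that the IDOR survives parameterisation: it is the business-logic flaw the paragraph warns scanners miss, because every request is syntactically valid and the server answers 200 either way. Only a test that logs in as one user and asks for another user's object finds it.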

Closing Thoughts

The point of a penetration test isn’t to show off obscure exploits; it’s to highlight where real attackers would succeed today. And the reality is that the most common gaps aren’t sophisticated. They’re simple, well-known problems that just haven’t been fixed.

The good news? Fixing the basics dramatically raises the bar. Patch consistently, lock down credentials, reduce exposure, and watch your logs. If penetration testers (and attackers) keep hitting the same weaknesses, it’s worth putting the effort there first.