How we chained three low-severity findings into domain admin

On a recent external engagement, our scanner flagged three issues every tool would rank as “low”. On their own, none would earn a ticket. Together, they handed us domain admin in under an hour. This is why Element validates exploitability instead of trusting severity scores.

The findings, individually

An exposed staging subdomain leaking a build path. A verbose error page disclosing an internal hostname. A self-service portal that accepted weak passwords. Three findings, three different owners, three “we’ll get to it” responses.

$ element chain --target acme-staging.example.com
[+] discovered build path   → /var/www/_next
[+] internal host leaked    → vault-01.corp.local
[+] weak credential reused  → portal → vault-01
[✓] chained 3 exposures     → DOMAIN ADMIN (00:47)

Chaining them together

The build path revealed the internal hostname. The error page confirmed it was reachable through the portal. The weak-password policy let us authenticate as a service account — which, predictably, had been over-permissioned. Each step was mundane. The chain was not.

“Attackers don’t exploit severity scores. They exploit the path of least resistance.”

Why exploitability beats severity

A CVSS score describes a finding in isolation. Real risk lives in the relationships between findings. Element’s exploit engine walks those relationships the way an attacker would — safely — so your team spends its time on the handful of chains that actually lead somewhere.