Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks
Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.
As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks.
“The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”
Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”
The technologies exploited by attackers are developed and sold by many repeat offenders. Some of the vendors on VulnCheck’s list of the most routinely targeted vulnerabilities enjoy large market shares.
Other vendors, especially those in network edge device space, have been inundated with malicious activity for years and remain the preferred intrusion point for all attacks.
Network edge devices were responsible for 191 of the 672 products impacted by new known exploited vulnerabilities last year, representing 28% of the top targeted technologies in 2025, according to VulnCheck.
“Anything that’s in that position of being at the network edge, guarding access to corporate networks, often in a privileged place for secure communication,” is naturally a large target, Condon said.
This problem is exacerbated by the fact many network devices are running on code bases that haven’t been radically changed in about a decade. Meanwhile, attackers have copies of that software and use fully automated analysis pipelines to quickly identify new vulnerabilities.
“Threat actors are much more organized presently than we all collectively are on defense,” Condon said. Defenders have to assume there’s going to be a new zero-day in any network edge device at any time, and patches will be reversed for exploit development in short order, she added.
Each of the top 50 vulnerabilities VulnCheck flagged in its report were exploited in the wild last year with at least 20 working public exploits, attacks originating from at least two state-sponsored or cybercrime threat groups. The top exploited vulnerabilities were also linked to least one ransomware variant and appeared in at least two instances of known botnet activity.
Four of the 10 most routinely targeted vulnerabilities last year — CVE-2025-53770 and CVE-2025-53771, which are variants of previously disclosed vulnerabilities CVE-2025-49706 and CVE-2025-49704 — were contained in Microsoft SharePoint. All four of the zero-day vulnerabilities were exploited en masse and initially compromised more than 400 organizations, including the Departments of Energy, Homeland Security and Health and Human Services.
VulnCheck confirmed a combined 69 known exploits for the quartet of SharePoint vulnerabilities. Researchers attributed the exploited vulnerabilities to a collective 29 threat groups and 18 ransomware variants, yet the attackers involved likely targeted more than one of the zero-days, resulting in some overlap.
Microsoft topped the list with nine of the 50 routinely targeted vulnerabilities appearing in its products last year. Ivanti was responsible for five, or 10% of the most targeted vulnerabilities last year. Fortinet ranked third on VulnCheck’s list with four vulnerabilities, followed by VMware with three, while SonicWall and Oracle each ranked high on the list with two exploited defects.
The most targeted vulnerability of 2025 belongs to React2Shell, a maximum-severity defect in React Server Components that racked up 236 valid public exploits before the end of the year, less than a month after it was publicly disclosed by Meta and React.
More than 200 of those public exploits were validated by VulnCheck by mid-December, as Palo Alto Networks Unit 42 confirmed more than 60 organizations were impacted by an initial wave of attacks.
VulnCheck’s research underscores that technology, ultimately in all of its forms, is the problem.
“We are at a point here where we’re not talking about a single vendor or technology. We are talking about writ large, we are getting creamed. We’ve got to start assessing ruthlessly and immediately how technology needs to evolve to be more resilient to these attacks over the long term,” Condon said.
“We need to start being much more realistic about the state of our tech and what that means for cybersecurity.”
