Top 10 CVEs of 2025: High-Impact Vulnerabilities & Exploitation Trends
Throughout 2025, vulnerability exploitation remained one of the most reliable paths into enterprise environments. Zero-days, incomplete patches, and insecure defaults were repeatedly leveraged to bypass authentication, deploy ransomware, and steal sensitive data – often before organizations had time to respond.
This list highlights 10 of the most impactful CVEs of 2025, not as a ranking, but as a curated snapshot of the vulnerabilities that dominated headlines and shaped real-world attack activity. Each entry in this top 10 CVEs list reflects a flaw that mattered in practice, whether because it was tied to real-world incidents or because it exposed systemic weaknesses in widely used technologies.
Understanding how these 2025 vulnerabilities were abused, and why some became operationally significant even without widespread exploitation, provides critical insight into how modern attack chains form and where defensive focus is most needed going forward.
1. React2Shell
- CVE Identifier: CVE-2025-55182, CVE-2025-66478
- Severity: Critical (CVSS 10.0)
- Vendor: Meta (React)
- CISA Alert: Added to KEV – December 2025; Deadline – December 26, 2025
CVE-2025-55182 (SOCRadar Vulnerability Intelligence)
React2Shell became one of the most talked-about vulnerabilities of 2025 largely because of how quietly dangerous it was. The issue affected React Server Components (RSC) in React 19 and popular frameworks like Next.js, opening the door to unauthenticated remote code execution with nothing more than a single crafted HTTP request.
The problem sat deep in the RSC “Flight” protocol. Certain malformed payloads were not handled safely during deserialization, allowing attackers to influence how the server processed component data and ultimately execute arbitrary JavaScript. What made this especially troubling was how easy it was for an application to be exposed. Many applications inherited the vulnerable code paths simply by using RSC-enabled frameworks, even if developers never intended to expose server-side functionality.
Once exploitation was confirmed in the wild, the situation escalated quickly. Automated scans, botnet-driven attempts, and targeted attacks began hitting public-facing services at scale.
2. FortiWeb Authentication Bypass via Path Traversal
- CVE Identifier: CVE-2025-64446
- Severity: Critical (CVSS 9.8)
- Vendor: Fortinet
- CISA Alert: Added to KEV – October 2025; Deadline – November 21, 2025
CVE-2025-64446 (SOCRadar Vulnerability Intelligence)
The second vulnerability in our top 10 CVEs list, CVE-2025-64446, surfaced in early October 2025 after researchers began observing suspicious traffic targeting Fortinet FortiWeb appliances. By October 6, honeypot data showed active exploitation attempts using crafted POST requests designed to bypass authentication and create new administrator accounts.
Fortinet later confirmed the issue as a path traversal and authentication bypass flaw in FortiWeb’s management interface, assigning it a CVSS score of 9.8.
The vulnerability allowed attackers to abuse encoded paths under /api/v2.0/ to reach an internal CGI handler that trusted client-supplied identity data. Once accessed, the handler processed administrative actions without validating credentials. In practice, this meant an unauthenticated attacker could add a persistent admin account in a single request.
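The detection angle on the flaw above is that the raw request path looks like a normal call under /api/v2.0/ while the path the server actually resolves, after percent-decoding, walks out of that prefix. The following script is an added example, not FortiWeb code and not the real exploit request: the log lines are constructed, the endpoint names are placeholders, and the log format and regular expression are assumptions. It decodes each request path a bounded number of times and reports dot-dot segments, encoded slashes or dots, and multiple encoding layers, while ignoring encoded slashes in query strings, which legitimate clients send all the time.

```python
"""Flag encoded path-traversal attempts against a management API prefix.

Added example, not FortiWeb code: the log lines are constructed, the
target path names are made up, and the real exploit request is not
reproduced. The point is that a naive check on the raw request path sees
only "/api/v2.0/..." while the server, after percent-decoding, walks out
of that prefix.
"""
import re
from urllib.parse import unquote

API_PREFIX = "/api/v2.0/"       # management API prefix named in the advisory
MAX_DECODE_ROUNDS = 3           # bound the loop: double encoding is a common evasion

# Common/combined log format, simplified (assumed layout, constructed lines)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(path):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def analyse_path(raw_path):
    """Return the reasons a request path looks like an encoded traversal (empty if clean)."""
    reasons = []
    path_only = raw_path.split("?", 1)[0]          # encoded slashes in the query string are normal
    decoded, rounds = fully_decode(path_only)
    decoded = decoded.replace("\\", "/")           # some stacks also treat backslash as a separator
    if ".." in decoded.split("/"):
        reasons.append("dot-dot segment after decoding")
    if "%2f" in path_only.lower() or "%2e" in path_only.lower():
        reasons.append("percent-encoded slash or dot")  # browsers and SDKs send these literally
    if rounds > 1:
        reasons.append("multiple encoding layers")
    return reasons


def scan_log(lines):
    """Return (ip, method, raw_path, reasons) for every request under API_PREFIX that looks hostile."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path = m.group("path")
        decoded, _ = fully_decode(raw_path.split("?", 1)[0])
        if not decoded.startswith(API_PREFIX):
            continue
        reasons = analyse_path(raw_path)
        if reasons:
            hits.append((m.group("ip"), m.group("method"), raw_path, reasons))
    return hits


# Constructed sample log lines; the endpoint names are placeholders, not real FortiWeb paths
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Oct/2025:10:14:02 +0000] "GET /api/v2.0/system/status HTTP/1.1" 200',
    '203.0.113.5 - - [06/Oct/2025:10:14:09 +0000] "POST /api/v2.0/%2e%2e/%2e%2e/placeholder-cgi HTTP/1.1" 200',
    '203.0.113.5 - - [06/Oct/2025:10:14:11 +0000] "POST /api/v2.0/%252e%252e/placeholder-cgi HTTP/1.1" 404',
    '192.0.2.9 - - [06/Oct/2025:10:15:00 +0000] "GET /login?next=%2Fapi%2Fv2.0%2Fdashboard HTTP/1.1" 302',
]

if __name__ == "__main__":
    for ip, method, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {', '.join(reasons)}")
```

Run against the constructed log, only the two POST requests from 203.0.113.5 are reported; the encoded slashes in the login redirect are left alone because they sit in the query string, not the path. In production the same logic belongs on a WAF or log pipeline in front of the appliance, where it catches attempts regardless of whether the appliance itself is patched.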
Scanning activity increased steadily throughout October, with researchers reporting repeated account-creation attempts and credential rotation across exposed devices. Shodan data identified more than 700 internet-facing FortiWeb instances during this period.
After Fortinet released patches on October 28 and CISA added the CVE to its Known Exploited Vulnerabilities catalog, CVE-2025-64446 was widely treated as an active initial-access risk.
3. Oracle EBS BI Publisher RCE
- CVE Identifier: CVE-2025-61882
- Severity: Critical (CVSS 9.8)
- Vendor: Oracle
- CISA Alert: Added to KEV – October 2025; Deadline – October 27, 2025
CVE-2025-61882 (SOCRadar Vulnerability Intelligence)
CVE-2025-61882 became the front door for one of 2025’s most aggressive extortion waves. The flaw hit Oracle E-Business Suite’s BI Publisher Integration inside the Concurrent Processing module and allowed pre-auth remote code execution over HTTP. In plain terms: if an EBS instance was exposed, an attacker could run code on it without logging in.
The timeline moved fast. The vulnerability was exploited as a zero-day, and on October 4, 2025, Oracle issued an emergency advisory with patch guidance and Indicators of Compromise. Around the same period, Cl0p-linked activity intensified, using compromised email accounts to send data-theft extortion messages.
On October 3, 2025, a separate group calling itself “Scattered Lapsus$ Hunters” leaked exploit materials on Telegram, which raised the risk of copycat abuse beyond the original campaign.
4. Oracle EBS UiServlet Authentication Bypass
- CVE Identifier: CVE-2025-61884
- Severity: High (CVSS 7.5)
- Vendor: Oracle
- CISA Alert: Added to KEV – October 2025; Deadline – November 10, 2025
CVE-2025-61884 (SOCRadar Vulnerability Intelligence)
CVE-2025-61884 played a supporting but still important role in the 2025 Oracle E-Business Suite attack wave. The vulnerability affected the Configurator Runtime UI component and allowed unauthenticated remote access to internal EBS functionality through the UiServlet endpoint.
While it did not provide direct RCE on its own, it enabled attackers to reach sensitive configuration data and trigger internal requests without credentials.
Oracle disclosed the issue on October 11, 2025, but evidence later showed that the flaw had already been abused in the wild. Investigations linked CVE-2025-61884 to exploit chains observed as early as July 2025, overlapping with Cl0p’s broader Oracle EBS extortion campaign. In these cases, the vulnerability was used as an initial access and reconnaissance path, helping attackers enumerate systems, access configuration details, and prepare follow-on actions.
5. GoAnywhere MFT Command Injection
- CVE Identifier: CVE-2025-10035
- Severity: Critical (CVSS 10.0)
- Vendor: Fortra
- CISA Alert: Added to KEV – September 2025; Deadline – October 20, 2025
CVE-2025-10035 (SOCRadar Vulnerability Intelligence)
CVE-2025-10035 stood out because it showed, once again, how secure file transfer platforms remained high-value targets. The vulnerability affected Fortra’s GoAnywhere MFT and stemmed from unsafe deserialization in the License Servlet. By forging a valid license response signature, an attacker could trick the system into loading a malicious object, leading to command injection and full system compromise.
Although Fortra disclosed the issue on September 18, 2025, later analysis revealed it had already been exploited as a zero-day.
Microsoft confirmed that the threat group Storm-1175, affiliated with Medusa ransomware, had been abusing the flaw since at least September 11. In observed attacks, CVE-2025-10035 was used for initial access, followed by deployment of remote management tools, lateral movement via RDP, data exfiltration with Rclone, and eventual ransomware encryption.
Researchers continued to observe hundreds of systems at risk. With active ransomware use and CISA adding the CVE to its KEV catalog, CVE-2025-10035 became another example of how quickly MFT vulnerabilities could translate into real-world breaches.
6. Sitecore ViewState RCE
- CVE Identifier: CVE-2025-53690
- Severity: Critical (CVSS 9.0)
- Vendor: Sitecore
- CISA Alert: Added to KEV – September 2025; Deadline – September 25, 2025
CVE-2025-53690 (SOCRadar Vulnerability Intelligence)
CVE-2025-53690 wasn’t caused by a newly introduced bug, but by legacy deployment practices that lingered for years. It was actively exploited in the wild against real Sitecore deployments and affected multiple major product lines.
The vulnerability affected Sitecore environments that reused a static ASP.NET machine key published in official documentation prior to 2017. When that sample key made its way into production, it quietly turned ViewState into a remote code execution vector.
Sitecore deployments using the exposed machine key – Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud – were vulnerable, putting many long-running enterprise installations at risk.
Researchers confirmed the flaw was exploited as a zero-day, with attackers moving quickly from initial access to post-exploitation. Observed campaigns deployed WEEPSTEEL malware for reconnaissance, followed by credential dumping, account creation, and long-term persistence using legitimate remote access tools.
7. MadeYouReset HTTP/2 DoS Technique
- CVE Identifier: CVE-2025-8671 (umbrella tracking ID)
- Severity: High (CVSS 7.5)
- Vendor: Multiple (Apache, Netty, Jetty, F5, IBM)
CVE-2025-8671 (SOCRadar Vulnerability Intelligence)
MadeYouReset was disclosed in 2025 as an evolution of the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487). While no large-scale exploitation was publicly confirmed at the time of disclosure, the technique drew immediate attention because it demonstrated how existing mitigations could be systematically bypassed.
Unlike Rapid Reset, which relied on client-issued RST_STREAM floods, MadeYouReset manipulated subtle protocol edge cases to coax servers into resetting their own streams. By sending superficially valid HTTP/2 frames – such as illegal WINDOW_UPDATE values, malformed PRIORITY frames, or data on half-closed streams – an attacker could force repeated resets or GOAWAY responses while backend resource consumption continued to rise.
Its importance lay in the implications rather than observed exploitation. By mid-2025, coordinated disclosures confirmed impact across multiple widely deployed stacks, including Apache Tomcat, Netty, Jetty, F5 BIG-IP, and IBM WebSphere Liberty, tracked under CVE-2025-8671 and related vendor CVEs.
MadeYouReset highlighted how protocol-level weaknesses, even without active exploitation, can quietly undermine defensive assumptions and leave critical infrastructure vulnerable to future Denial-of-Service (DoS) attacks if left unaddressed.
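The defensive lesson of MadeYouReset is about accounting: a Rapid Reset mitigation that only counts client RST_STREAM frames never fires, because the client sends none. The simulation below is an added illustration, not code from Tomcat, Netty, Jetty, BIG-IP or Liberty, and it does not parse HTTP/2 frames; it assumes a frame handler has already classified each stream outcome into one of three event kinds (names are assumed) and shows a per-connection reset budget that charges server-initiated resets to the same counter as client resets. The two traces are constructed.

```python
"""Per-connection reset budget that also counts server-initiated resets.

Added illustration, not code from any of the affected projects. Rapid
Reset defences typically count client RST_STREAM frames per connection.
MadeYouReset never sends RST_STREAM: it sends frames that look plausible
one at a time but violate the protocol, so the server resets the stream
itself while the backend keeps working. The budget below charges such
server-side resets to the same counter. Frame parsing is out of scope and
is represented by pre-classified events.
"""
from collections import deque

# Event kinds a frame handler would report to the budget (names are assumed)
REQUEST = "request"                 # a normal, completed stream
CLIENT_RST = "client_rst_stream"    # client sent RST_STREAM (the Rapid Reset signal)
SERVER_RST = "server_reset"         # server had to reset the stream: bad WINDOW_UPDATE,
                                    # malformed PRIORITY, DATA on a half-closed stream, ...


class ResetBudget:
    """Sliding-window counter; exceeding it tells the caller to send GOAWAY."""

    def __init__(self, max_resets, window_ms, count_server_resets=True):
        self.max_resets = max_resets
        self.window_ms = window_ms
        self.count_server_resets = count_server_resets
        self.stamps = deque()       # timestamps (ms) of resets charged to this connection

    def observe(self, now_ms, kind):
        """Record one stream event; return 'ok' or 'goaway'."""
        while self.stamps and now_ms - self.stamps[0] > self.window_ms:
            self.stamps.popleft()
        charged = kind == CLIENT_RST or (kind == SERVER_RST and self.count_server_resets)
        if charged:
            self.stamps.append(now_ms)
        return "goaway" if len(self.stamps) > self.max_resets else "ok"


def first_goaway(trace, count_server_resets, max_resets=5, window_ms=1000):
    """Replay (time_ms, kind) events; return the time the connection is closed, or None."""
    budget = ResetBudget(max_resets, window_ms, count_server_resets)
    for t, kind in trace:
        if budget.observe(t, kind) == "goaway":
            return t
    return None


# Constructed traces
# 1) MadeYouReset-style: 20 protocol violations in 200 ms, not a single client RST_STREAM
ATTACK_TRACE = [(i * 10, SERVER_RST) for i in range(20)]
# 2) A legitimate client that cancels a few requests over a couple of seconds
BENIGN_TRACE = [(0, REQUEST), (50, CLIENT_RST), (300, REQUEST),
                (900, CLIENT_RST), (1500, REQUEST), (1800, CLIENT_RST)]

if __name__ == "__main__":
    print("legacy budget (client RST only):", first_goaway(ATTACK_TRACE, count_server_resets=False))
    print("fixed budget (all resets):      ", first_goaway(ATTACK_TRACE, count_server_resets=True))
    print("benign client, fixed budget:    ", first_goaway(BENIGN_TRACE, count_server_resets=True))
```

With the legacy accounting the attack trace never trips the budget; with server resets counted, the connection is closed at the sixth violation, while the benign client with three cancellations spread over two seconds is never affected. The thresholds are illustrative; real servers also weight the cost of the work a reset stream already consumed.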
8. SharePoint ToolShell Zero-Day RCE
- CVE Identifier: CVE-2025-53770
- Severity: Critical (CVSS 9.8)
- Vendor: Microsoft
- CISA Alert: Added to KEV – July 2025; Deadline – July 21, 2025
CVE-2025-53770 (SOCRadar Vulnerability Intelligence)
The ToolShell zero-day (CVE-2025-53770) became one of the defining on-prem SharePoint crises of 2025 because it didn’t stop at RCE; it also enabled durable access. The vulnerability was rooted in insecure deserialization and allowed unauthenticated remote command execution on vulnerable SharePoint Server deployments.
Microsoft’s earlier July patching cycle addressed related issues, but real-world attacks exposed gaps, and CVE-2025-53770 was treated as a more severe variant that required a second, stronger fix.
Researchers tracked ToolShell activity in mid-July: the exploit chain was publicly discussed around July 18–19, 2025, and by July 23, Shadowserver still identified 424 servers vulnerable to CVE-2025-53770/53771. Shodan exposure data suggested a far larger internet-facing footprint – over 16,000 exposed SharePoint servers globally – with heavy concentration in the U.S. (3,960).
After initial access, attackers extracted ASP.NET MachineKeys (ValidationKey and DecryptionKey) and used them to sign forged __VIEWSTATE payloads. Stolen keys could keep malicious ViewState payloads “valid” unless organizations rotated them and restarted IIS.
Campaigns evolved quickly too. Reporting tied exploitation to multiple China-nexus groups (including Linen Typhoon, Violet Typhoon, and Storm-2603), and later updates connected ToolShell access to ransomware deployment (Warlock, and separate 4L4MD4R activity) and broader tooling like webshells and modular backdoors.
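Two entries in this list, Sitecore (CVE-2025-53690) and SharePoint ToolShell (CVE-2025-53770), hinge on the same ASP.NET configuration element: a static sample key copied from documentation in one case, keys stolen from a compromised server in the other, and in both the remediation is unique, privately generated, rotated machine keys followed by an IIS restart. The script below is an added example, not Sitecore's or Microsoft's tooling. It audits the `<machineKey>` element of a web.config, flags keys that match a fingerprint denylist of published sample keys, flags weak validation algorithms, and generates a replacement element. The published Sitecore key is not reproduced; the "known sample key" and the web.config fragments are constructed stand-ins.

```python
"""Audit an ASP.NET <machineKey> and generate replacement keys.

Added example, not Sitecore's or Microsoft's tooling. A static key copied
from documentation (Sitecore, CVE-2025-53690) and keys read off a
compromised server to sign forged __VIEWSTATE (SharePoint ToolShell,
CVE-2025-53770) call for the same fix: production keys must be unique,
privately generated and rotated after a compromise, then IIS restarted.
The real published Sitecore key is not reproduced here; the sample key
below is a constructed stand-in.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed key that stands in for a key published in documentation
CONSTRUCTED_SAMPLE_VALIDATION_KEY = "11" * 64


def fingerprint(key_hex):
    """Hash a key so the audit can carry a denylist without storing the keys themselves."""
    return hashlib.sha256(key_hex.strip().lower().encode()).hexdigest()


# Placeholder denylist: load it with fingerprints of keys you know were published
KNOWN_SAMPLE_KEY_FINGERPRINTS = {fingerprint(CONSTRUCTED_SAMPLE_VALIDATION_KEY)}


def audit_machine_key(web_config_xml):
    """Return a list of findings (an empty list means nothing to act on)."""
    root = ET.fromstring(web_config_xml)
    mk = root.find(".//machineKey")
    if mk is None:
        return ["no <machineKey>: keys are auto-generated per server (fine alone, breaks ViewState across a farm)"]
    findings = []
    for name in ("validationKey", "decryptionKey"):
        value = mk.get(name, "")
        if value.startswith("AutoGenerate"):
            continue
        if fingerprint(value) in KNOWN_SAMPLE_KEY_FINGERPRINTS:
            findings.append(f"{name} matches a published sample key: rotate immediately")
        else:
            findings.append(f"{name} is static: keep only if privately generated, rotate after any compromise")
    if mk.get("validation", "").upper() in ("MD5", "SHA1", "3DES"):
        findings.append("weak validation algorithm, use HMACSHA256 or stronger")
    return findings


def new_machine_key():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys):
    """Render the element to paste into <system.web> (then restart IIS)."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**keys)


def wrap(machine_key_xml):
    """Minimal web.config skeleton around a <machineKey> element (for testing)."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"


# Constructed web.config fragments
STATIC_CONFIG = wrap(
    f'<machineKey validationKey="{CONSTRUCTED_SAMPLE_VALIDATION_KEY}" '
    f'decryptionKey="{"22" * 32}" validation="SHA1" decryption="AES" />'
)
AUTOGEN_CONFIG = wrap(
    '<machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" decryption="AES" />'
)

if __name__ == "__main__":
    for finding in audit_machine_key(STATIC_CONFIG):
        print("-", finding)
    print(render_machine_key(new_machine_key()))
```

Point the audit at every web.config in a farm; the denylist is compared by hash so the script itself never has to carry the leaked key material. After the ToolShell incident the relevant check is not whether the key is a sample but whether it predates the compromise, which is why the "is static" finding tells you to rotate after any compromise regardless of origin.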
9. CitrixBleed 2
- CVE Identifier: CVE-2025-5777
- Severity: Critical (CVSS 9.3)
- Vendor: Citrix
- CISA Alert: Added to KEV – July 2025; Deadline – Immediate (24 hours)
CVE-2025-5777 (SOCRadar Vulnerability Intelligence)
CitrixBleed 2 (CVE-2025-5777) echoed the impact of the original CitrixBleed incident from 2023. It affected Citrix NetScaler ADC and Gateway devices and allowed unauthenticated attackers to read out-of-bounds memory from exposed systems. In practice, this meant session tokens could be leaked and replayed, enabling session hijacking and MFA bypass without stealing credentials.
Although Citrix initially stated there was no confirmed exploitation, evidence emerged soon after. GreyNoise honeypot data showed targeted probing as early as June 23, 2025, nearly two weeks before public proof-of-concept exploits appeared on July 4.
By early July, researchers demonstrated that malformed login requests could repeatedly leak memory chunks, making token harvesting feasible at scale. At the time, Shodan data showed over 56,000 internet-reachable NetScaler services, underscoring the potential blast radius.
The combination of exposed remote-access infrastructure, session replay potential, and early exploitation made CitrixBleed 2 a high-priority vulnerability.
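Because the attack replays a leaked token rather than a stolen password, the signal defenders have is behavioural: a session presented from an address that never authenticated, and, upstream of that, one address repeating the leaking login request many times. The detector below is an added example, not Citrix code; its log format (epoch, event, session id, client ip) and event names are constructed assumptions that you would map your own NetScaler or reverse-proxy fields onto. It reports sessions used from a second address, sessions with no login on record, and source addresses with a burst of failed logins.

```python
"""Detect replayed session tokens and login-probing bursts in gateway logs.

Added example, not Citrix code. A token read out of leaked memory is
presented from an address that never authenticated, so the detector
remembers which address performed each login and reports later use of the
same session from elsewhere, plus tokens that appear with no login on
record. It also counts authentication failures per source address, since
harvesting meant repeating the leaking request many times. The log format
(epoch, event, session id, client ip) is constructed.
"""
from collections import defaultdict, deque

FAIL_WINDOW_S = 60     # sliding window for failed-login counting
FAIL_THRESHOLD = 20    # failures per source address within the window


def parse(line):
    """Split one constructed log line into (timestamp, event, session id, client ip)."""
    ts, event, sid, ip = line.split()
    return int(ts), event, sid, ip


def analyse(lines):
    """Return {'replayed': {sid: {ip, ...}}, 'orphan_sessions': {sid, ...}, 'login_bursts': {ip, ...}}."""
    origin = {}                       # session id -> address that performed the login
    replayed = defaultdict(set)       # session id -> other addresses that used it
    orphans = set()                   # sessions used without any login on record
    failures = defaultdict(deque)     # ip -> timestamps of recent failed logins
    bursts = set()
    for ts, event, sid, ip in sorted(map(parse, lines)):
        if event == "LOGIN":
            origin[sid] = ip
        elif event == "REQUEST":
            if sid not in origin:
                orphans.add(sid)
            elif origin[sid] != ip:
                replayed[sid].add(ip)
        elif event == "LOGIN_FAIL":
            window = failures[ip]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW_S:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                bursts.add(ip)
    return {"replayed": dict(replayed), "orphan_sessions": orphans, "login_bursts": bursts}


# Constructed log: one user logs in, then the same session turns up from another address,
# a second token appears with no login at all, and one address hammers the login endpoint
SAMPLE_LOG = [
    "1720000000 LOGIN s1 198.51.100.10",
    "1720000005 REQUEST s1 198.51.100.10",
    "1720000040 REQUEST s1 203.0.113.77",      # replay from a different address
    "1720000050 REQUEST s9 203.0.113.77",      # session with no login on record
    "1720000100 LOGIN s2 192.0.2.4",
    "1720000101 REQUEST s2 192.0.2.4",
] + [f"{1720000060 + i} LOGIN_FAIL - 203.0.113.77" for i in range(30)]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log, session s1 is reported as replayed from 203.0.113.77, s9 as a session nobody logged into, and 203.0.113.77 as a login-failure burst. Corporate NAT and mobile clients will produce benign address changes, so in practice the replay finding is best combined with the burst finding or with a geographic or ASN jump before it pages anyone; the immediate response to a confirmed finding is to invalidate the affected sessions after patching, since patching alone does not revoke tokens already leaked.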
10. Ivanti Connect Secure Zero-Day
- CVE Identifier: CVE-2025-0282
- Severity: Critical (CVSS 9.0)
- Vendor: Ivanti
- CISA Alert: Added to KEV – January 2025; Deadline – January 15, 2025
CVE-2025-0282 (SOCRadar Vulnerability Intelligence)
CVE-2025-0282 drew early attention in 2025 after it was linked to a confirmed breach at Nominet, the organization responsible for managing the .UK domain registry. The incident was detected during the week of December 30, 2024, when Nominet identified suspicious activity tied to a zero-day vulnerability in Ivanti Connect Secure VPN software.
While no data exfiltration was confirmed, the intrusion demonstrated how quickly flaws in remote access infrastructure could expose even highly sensitive environments.
The vulnerability itself was a stack-based buffer overflow that allowed unauthenticated remote code execution. Attackers exploited it before Ivanti released a patch on January 8, 2025, making it a true zero-day. Researchers observed post-exploitation behavior that included reconnaissance via repeated HTTP requests, abuse of the Host Checker Launcher, disabling of security controls such as SELinux and syslog forwarding, and deployment of web shells like PHASEJAM.
A public proof-of-concept exploit appeared on January 17, lowering the barrier for wider abuse. The combination of confirmed exploitation, delayed patch availability for some Ivanti products, and its role in a real-world breach made CVE-2025-0282 one of the more consequential VPN vulnerabilities of the year.
Conclusion
Looking back, the top vulnerabilities of 2025 were not defined by severity scores alone. What set these CVEs apart was how quickly they were weaponized – or how broadly they applied – and how often they enabled follow-on activity such as credential theft, lateral movement, ransomware deployment, or long-term persistence. In many cases, attackers needed only a single exposed service, legacy configuration, or incomplete fix to gain a foothold.
The top 10 CVEs of 2025 reinforce a recurring lesson: exposure matters as much as severity. Internet-facing management interfaces, widely adopted enterprise platforms, and shared components across the software supply chain consistently amplified risk. Once exploitation began, these weaknesses moved from initial access to large-scale compromise with alarming efficiency.
For defenders, the takeaway is less about tools and more about visibility and timing. Tracking which CVEs are actively exploited, understanding how attackers chain weaknesses, and knowing which assets are exposed all shape effective response. Following exploitation trends and real-world exposure – through solutions like SOCRadar’s Cyber Threat Intelligence and Attack Surface Management (ASM) modules – helps teams move from reactive patching toward more informed, risk-driven decisions.
SOCRadar’s Cyber Threat Intelligence module, Vulnerability Intelligence
In an environment where attackers move faster than patch cycles, early context and visibility are often the difference between rapid remediation and becoming the next breach headline.