Critical Vulnerabilities and Exploitation Trends in 2025
Security researchers highlighted several high-impact vulnerabilities that shaped the threat landscape in 2025, including unauthenticated remote code execution flaws in widely used platforms such as React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), PAN-OS (CVE-2025-0108), Cisco IOS XE (CVE-2025-20188), and Erlang/OTP SSH (CVE-2025-32433). These vulnerabilities were notable for their rapid exploitation following public disclosure, with attackers leveraging unauthenticated access and broad software reach to maximize impact. The year saw a shift in attacker focus, with perimeter devices and enterprise software becoming primary entry points, and defenders were forced to respond quickly as the window between disclosure and exploitation narrowed.
In December 2025, Microsoft released one of its lightest Patch Tuesday updates, addressing 56 new CVEs. Despite the lower volume, security experts emphasized the importance of prioritizing vulnerabilities that were already exploited, publicly disclosed, or rated as critical with a high likelihood of exploitation. The analysis provided actionable intelligence for defenders, including technology-specific threat insights and resources for mitigating risk. The convergence of these trends underscored the need for rapid vulnerability management and highlighted recurring blind spots in enterprise defense strategies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses critical Office RCEs exploitable via Outlook preview pane
Microsoft's December 2025 security release included critical Office remote code execution flaws CVE-2025-62554 and CVE-2025-62557. The vulnerabilities could be exploited through the Outlook preview pane, raising client-side attack risk.
PowerShell RCE CVE-2025-54100 is publicly disclosed with PoC
CVE-2025-54100, a PowerShell remote code execution vulnerability, was publicly disclosed along with proof-of-concept exploit details by the time of Microsoft's December 2025 updates. Its publication increased the risk of near-term exploitation.
Public disclosure emerges for GitHub Copilot for JetBrains RCE
By the December 2025 Patch Tuesday release, CVE-2025-64671 affecting GitHub Copilot for JetBrains had been publicly disclosed. The flaw was described as a remote code execution vulnerability in a developer-focused tool.
Public disclosure highlights likely exploitation of CVE-2025-62454
The December 2025 Patch Tuesday also included CVE-2025-62454 in the same Windows Cloud Files Mini Filter Driver component, assessed as likely to be exploited. The repeated patching of this component over the prior year indicated sustained attacker interest.
Microsoft discloses exploited zero-day CVE-2025-62221
Microsoft's December 2025 updates identified CVE-2025-62221, a Windows Cloud Files Mini Filter Driver elevation-of-privilege flaw, as actively exploited in zero-day attacks. Successful exploitation can grant SYSTEM privileges.
Microsoft releases December 2025 Patch Tuesday updates
On 2025-12-09, Microsoft issued its December Patch Tuesday with 56 new CVEs. The release included several high-priority flaws affecting Windows, PowerShell, Microsoft Office, and GitHub Copilot for JetBrains.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Overview of High-Risk Vulnerabilities Exploited in 2025
The cybersecurity landscape in 2025 experienced a significant surge in critical vulnerabilities, with over 21,500 CVEs disclosed in the first half of the year, marking a notable increase from previous years. Among these, several vulnerabilities were actively exploited in the wild, including critical flaws in Langflow (CVE-2025-3248), Microsoft SharePoint Server (CVE-2025-53770, 53771), Sudo (CVE-2025-32463), and Docker Desktop (CVE-2025-9074), each enabling attackers to compromise enterprise infrastructure, escalate privileges, or gain unauthorized access to sensitive systems. These vulnerabilities were highlighted for their technical severity, ease of exploitation, and real-world impact on organizations across various sectors, including government and finance. In addition to these high-profile vulnerabilities, the WordPress ecosystem faced its own set of security challenges, with notable vulnerabilities in popular plugins such as Elementor Website Builder (CVE-2025-11220), WooCommerce (CVE-2025-15033), and All in One SEO (CVE-2025-64295). These flaws exposed millions of websites to risks such as cross-site scripting and sensitive data exposure, emphasizing the importance of timely patching and security updates. The overall trend in 2025 underscored the increasing sophistication and industrialization of cybercriminal operations, with attackers leveraging both newly discovered and well-known vulnerabilities to achieve widespread compromise and persistent access to targeted environments.
Mar 21, 2026
Critical Vulnerabilities and Security Updates in November–December 2025
Security researchers identified a significant drop in the number of critical vulnerabilities in November 2025, with only 10 high-impact CVEs requiring immediate attention, compared to 32 in October. Notable threats included two actively exploited FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034), a Samsung image processing flaw (CVE-2025-21042) weaponized for zero-click Android attacks, and several vulnerabilities with public proof-of-concept code available. The vulnerabilities spanned products from Microsoft, Google, Oracle, WatchGuard, and others, with exploitation campaigns favoring quality over quantity. In December 2025, Adobe and Microsoft released their final security updates of the year, addressing a large number of vulnerabilities across products such as Adobe Reader, ColdFusion, Experience Manager, and Creative Cloud Desktop. While Adobe patched 139 CVEs, most were cross-site scripting issues, and none were known to be under active attack at the time of release. Microsoft’s updates were also part of the regular Patch Tuesday cycle, emphasizing the ongoing need for organizations to remain vigilant and promptly apply security patches to mitigate risk from both newly disclosed and actively exploited vulnerabilities.
Mar 21, 2026
Record Surge in CVE Disclosures and Microsoft Vulnerabilities in 2025
In 2025, the cybersecurity landscape was marked by an unprecedented surge in vulnerability disclosures, with nearly 49,209 CVEs published—representing a 43% increase over the previous year. Microsoft alone issued mitigations for 1,246 CVEs, including 158 rated as critical, and faced 41 zero-day vulnerabilities. Security experts noted that while the volume of vulnerabilities reached new highs, the real risk stemmed from a small subset that were actively exploited, particularly those affecting Microsoft platforms and edge devices. Attackers increasingly leveraged AI and new tactics to exploit vulnerabilities faster, often timing attacks around Patch Tuesday cycles to maximize impact before organizations could apply updates. The overwhelming number of vulnerabilities forced security teams to rethink their prioritization strategies, as traditional severity ratings like CVSS proved insufficient for predicting exploitation. Instead, models such as the Exploit Prediction Scoring System (EPSS) and asset criticality became essential for identifying which vulnerabilities posed the greatest risk. State-sponsored actors and ransomware groups were responsible for a significant portion of exploitation activity, with remote code execution and privilege escalation flaws being the most targeted. Experts emphasized the need for rapid, risk-based patching and a shift away from patching solely based on severity scores, as attackers focused on speed, exposure, and critical assets rather than the sheer number of vulnerabilities disclosed.
Mar 21, 2026