Year in Review: The Vulnerabilities That Defined 2025
2025-12-18 21:29:1 Author: projectdiscovery.io

A Year of Real-World Exploitation

If you work in security, you probably remember React2Shell. Shortly after public disclosure, scanning activity increased, and exploitation attempts began to surface.

That sequence showed up repeatedly across several of 2025’s most impactful vulnerabilities. Advisories were still circulating while attackers were already testing and operationalizing exploits.

This wasn’t true for the thousands of CVEs published quietly throughout the year. But for a smaller set of high-impact issues, the ones that actually shaped risk for defenders, the window between disclosure and exploitation consistently narrowed.

In those cases, attackers favored flaws that offered unauthenticated access, reliable remote code execution, or broad reach across widely deployed software. The common thread wasn’t novelty so much as practicality.

This post isn’t a comprehensive list of every critical vulnerability from 2025. It focuses on the vulnerabilities that shaped exploitation behavior in practice: the ones that forced emergency response, exposed recurring blind spots, and reduced the margin for delay in meaningful ways.

The perspective here is grounded in real-world exploitation signals, exposure data, and community validation through open detection work. It reflects what attackers went after in practice, not what appeared most severe on paper.

The Five Vulnerabilities That Defined 2025

🥇 #1: CVE-2025-55182 — React Server Components RCE (“React2Shell”)

React2Shell didn’t introduce a new exploit class. What it changed was the amount of effort required.

A deserialization flaw in React Server Components enabled unauthenticated remote code execution across a large number of internet-facing applications. Public proof-of-concepts appeared quickly. Scanning activity followed soon after. Within days, exploitation ranged from broad opportunistic activity to more targeted campaigns.

The significance wasn’t the novelty of the vulnerability; it was the reach.

React is widely deployed across internal tools, staging environments, and production systems. A framework-level issue enabling unauthenticated code execution meant that many applications became viable targets at once, regardless of how they were intended to be exposed.

By the end of the year, it was increasingly difficult to argue that application frameworks could be treated as meaningfully separate from the external attack surface.

🥈 #2: CVE-2025-31324 — SAP NetWeaver Unauthenticated RCE

SAP NetWeaver’s Visual Composer Metadata Uploader lacked authentication entirely.

Attackers didn’t need chaining or bypass techniques for this CVE. They uploaded JSP web shells and executed code directly. Ransomware operators adopted the vulnerability quickly, largely because the value of a compromised SAP system is well understood.

The number of exposed systems was small compared to consumer-facing platforms, but that distinction didn’t matter for attackers. SAP deployments often sit at the center of enterprise operations. Successful exploitation provided high-privilege access and predictable paths to lateral movement.

This was not the first time enterprise software failed in a basic way. What stood out in 2025 was how quickly attackers recognized the opportunity and acted on it.

🥉 #3: CVE-2025-0108 — PAN-OS Authentication Bypass

February reinforced a pattern defenders had encountered before.

A request-parsing inconsistency between Nginx and Apache handlers in PAN-OS allowed authentication to be bypassed on firewall management interfaces. Double URL encoding was sufficient and no credentials were required.

This wasn’t a deep protocol flaw; it was a logic issue with a low barrier to exploitation.

Hundreds of thousands of firewalls were exposed. Once exploitation began, the implications were straightforward. If the management interface of a perimeter device is accessible without authentication, downstream systems become reachable by default.

CISA’s KEV inclusion followed quickly, reflecting observed exploitation rather than precaution.
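To make the parsing-inconsistency mechanism concrete, here is an added example (not ProjectDiscovery's or Palo Alto's code) that models two handlers disagreeing on how many times a request path is percent-decoded, shows why an authentication decision made on the wrong representation can be skipped, and pairs it with the hardened check and a log-triage helper. The `/mgmt` prefix is a constructed placeholder, not a real PAN-OS path.

```python
from urllib.parse import unquote

# Added example (not ProjectDiscovery's or Palo Alto's code): a model of the
# request-parsing mismatch described above. The handler that decides whether
# authentication is required percent-decodes the path once; the handler that
# finally serves it decodes again. PROTECTED_PREFIX is a constructed
# placeholder, not a real PAN-OS management path.
PROTECTED_PREFIX = "/mgmt"


def decode_once(path: str) -> str:
    return unquote(path)


def canonicalize(path: str, max_rounds: int = 5) -> str:
    """Decode until the path stops changing, as the serving layer does."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("path still changing after repeated decoding")


def vulnerable_requires_auth(raw_path: str) -> bool:
    """Vulnerable policy: looks at the once-decoded path only."""
    return decode_once(raw_path).startswith(PROTECTED_PREFIX)


def hardened_requires_auth(raw_path: str) -> bool:
    """Fix: decide on the same canonical path that will be served, and
    treat any residual percent-encoding after one decode as protected."""
    once = decode_once(raw_path)
    if "%" in once:
        return True
    return canonicalize(raw_path).startswith(PROTECTED_PREFIX)


def dispatch(raw_path: str, policy) -> tuple[str, bool]:
    """Returns (route actually served, whether the policy demanded auth)."""
    return canonicalize(raw_path), policy(raw_path)


def flag_double_encoded(paths: list[str]) -> list[str]:
    """Log triage: request paths that still change on a second decode."""
    return [p for p in paths if decode_once(p) != canonicalize(p)]
```

The triage helper is the defender-side use: run it over access-log request paths to surface the double-encoded requests that a single-decode policy would have misjudged.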

#4: CVE-2025-20188 — Cisco IOS XE Hardcoded JWT

Cisco shipped wireless controllers with the same embedded JWT secret across multiple firmware versions.

Once the token became public, exploitation required little effort. Attackers authenticated as administrators and gained full control. Because the secret was hardcoded, rotation wasn’t possible. Every affected device remained vulnerable until patched.

The vulnerability itself wasn’t complex, and that simplicity contributed to its impact.

Hardcoded credentials have continued to surface in enterprise products despite years of guidance to avoid them. In 2025, attackers again demonstrated how quickly these issues can be operationalized once exposed.

#5: CVE-2025-32433 — Erlang/OTP SSH Remote Code Execution

The Erlang/OTP SSH vulnerability highlighted a different class of exposure.

Millions of systems were affected, often indirectly. Erlang was frequently present as a dependency, embedded in platforms supporting telecom infrastructure, messaging systems, and backend services.

In many environments, teams only became aware of their Erlang footprint once exploitation activity prompted a closer review of dependencies.

After disclosure, scanning activity increased rapidly. The appeal was clear: a single flaw with broad runtime reach allowed attackers to operate at scale without precise targeting.

This vulnerability, along with others in 2025, made software supply chain visibility an operational concern rather than a theoretical one.

How Exploitation Played Out in 2025

Looking back, exploitation in 2025 didn’t follow a clean month-by-month progression. Instead, activity clustered into phases shaped by attacker incentives and software deployment realities.

Phase 1 (Jan - Mar): Perimeter Devices as Entry Points

The year opened with familiar targets: VPNs, firewalls, and edge appliances.

Ivanti, PAN-OS, and similar platforms experienced authentication bypasses and remote code execution vulnerabilities that attackers exploited quickly. These systems remained attractive because they were internet-facing, high-privilege, and consistently deployed.

In several cases, perimeter controls functioned less as barriers and more as entry points.

Phase 2 (Apr - Jun): Runtime and Enterprise Software Exposure

By spring, attention shifted inward.

SAP NetWeaver, Erlang/OTP, Craft CMS, and related components illustrated how much critical infrastructure depends on software that often receives limited routine scrutiny.

In many cases, the vulnerability itself was neither new nor technically sophisticated. The difficulty was visibility. Teams were required to identify and assess dependencies under active exploitation pressure, often across organizational boundaries.

Asset inventories consistently lagged behind attacker activity.

Phase 3 (Jul - Sep): Ubiquity as an Attack Multiplier

Mid-year exploitation favored software with broad deployment.

SharePoint, Fortinet appliances, Cisco infrastructure, and other widely deployed platforms became frequent targets. Attackers optimized for return on effort. A single working exploit against ubiquitous software produced disproportionate reach.

Vendor reputation mattered less than installation density.

Phase 4 (Oct - Dec): Developer and Update Infrastructure

In the final quarter, a shift became increasingly apparent.

Vulnerabilities in WSUS, React, Next.js, and related tooling showed that build pipelines, update mechanisms, and application runtimes are now part of the external attack surface.

When update servers or frameworks are compromised, exploitation inherits trust. Distribution occurs through legitimate channels, and downstream impact expands beyond the initial entry point.

By year’s end, the distinction between traditional exploitation and supply chain compromise had blurred in practical terms.

What Attackers Optimized For

Across these phases, consistent priorities emerged.

Attackers favored:

  • Unauthenticated access
  • Remote code execution
  • High-exposure software
  • Low-complexity exploitation paths

Deserialization flaws, authentication bypasses, path traversal issues, and hardcoded credentials accounted for a significant share of impactful exploitation. Memory corruption and complex exploit chains were less common.

This approach prioritized speed and reliability over technical sophistication.

In multiple cases, exploitation began while defenders were still validating advisories or assessing exposure.

How This Activity Was Tracked

Visibility into 2025’s exploitation activity came largely from open detection work, particularly through the Nuclei template ecosystem.

Nuclei templates are community-submitted, peer-reviewed, and continuously validated against real-world behavior. They are updated as exploitation techniques evolve, false positives are identified, and bypasses emerge.

Signals came from a combination of template usage, observed scanning behavior, public proof-of-concepts, and feedback from practitioners validating detection in live environments. In several instances, this provided early confirmation that vulnerabilities were being actively abused while official guidance was still forming.

This iterative process makes it possible to track how vulnerabilities move from disclosure into exploitation without relying solely on severity scores or vendor advisories.

What 2025 Highlighted for Defenders

The primary takeaway from 2025 isn’t that vulnerabilities suddenly became worse. It’s that response windows continued to shrink.

Disclosure no longer created much buffer time. In many cases, it simply marked the start of active exploitation.

Organizations that relied primarily on periodic scanning, advisory-driven workflows, or delayed validation often struggled to keep pace. The vulnerabilities that mattered most were frequently exploited before remediation plans were fully in place.

Visibility into exposure and exploitation behavior proved more useful than severity scoring alone.

Looking Ahead

The volatility of 2025 wasn’t driven by volume alone. It reflected how quickly exploitation could scale once vulnerabilities became public.

Attackers acted on accessible weaknesses rather than waiting for ideal conditions.

The vulnerabilities that defined the year were not theoretical risks. They were practical entry points, exploited openly and at scale.

That dynamic is unlikely to reverse. Going into 2026, the challenge for defenders will be maintaining visibility quickly enough to respond before compromise becomes routine.



Source: https://projectdiscovery.io/blog/year-in-review-the-vulnerabilities-that-defined-2025