2025 Routinely Targeted Vulnerabilities

VulnCheck data captures risk and threat indicators across the entire vulnerability lifecycle, drawing on 500+ data sources to track exploit code maturity and validity, evidence of use in the wild, and threat actor attribution and tooling. Based on a data-driven analysis, VulnCheck has identified 50 vulnerabilities disclosed in 2025 that had elevated, multi-dimensional risk profiles by the end of the 2025 calendar year. We are releasing this list of Routinely Targeted Vulnerabilities in conjunction with VulnCheck’s 2026 Exploit Intelligence Report, which includes in-depth analysis of threat and vulnerability trends from 2025.
We are also releasing VulnCheck proprietary data on public exploit code, CVE severity, and in-the-wild usage by a variety of threat actors for each Routinely Exploited Vulnerability. Counts below also include unattributed threat activity curated by our vulnerability intelligence team. All unattributed activity collectively, in any category, is counted as one (1) threat actor, ransomware, or botnet instance in our calculations. If multiple vulnerabilities had similar threat profiles across key areas, our team also considered the breadth of real-world exploitation sources, honeypot exploit attempt volume over time, and attack indicators from VulnCheck Canaries when compiling our analysis.
To qualify for inclusion, 2025 Routinely Targeted Vulnerabilities must have been disclosed and exploited in the wild in 2025. They also must meet one or more of the following criteria:
  • Top 0.1% of 2025 CVEs with exploits
    20+ public exploits
  • Top 5% of threat actor (TA) CVEs
    At least two state-sponsored or other named threat actor attributions
  • Top 60% of 2025 ransomware CVEs
    At least one named ransomware family attribution
  • Top 20% of botnet CVEs
    At least two instances of known botnet activity, including a named botnet
All data below is as of December 31, 2025.
CVE-2024-53704 | SonicWall SonicOS SSLVPN Improper Authentication | critical | 5120
CVE-2024-55591 | Fortinet FortiOS and FortiProxy Authentication Bypass | critical | 8270
CVE-2024-57727 | SimpleHelp Path Traversal | high | 5250
CVE-2025-0108 | Palo Alto Networks PAN-OS Authentication Bypass | high | 12201
CVE-2025-0282 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | critical | 12810
CVE-2025-0283 | Ivanti Connect Secure, Policy Secure, and Neurons Stack-Based Buffer Overflow | high | 0300
CVE-2025-0994 | Trimble Cityworks Deserialization | high | 0300
CVE-2025-3248 | Langflow Missing Authentication | critical | 35101
CVE-2025-3928 | Commvault Web Server Unspecified Vulnerability | high | 0300
CVE-2025-4427 | Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass | high | 8400
CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection | high | 9400
CVE-2025-5777 | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability | critical | 26410
CVE-2025-6218 | RARLAB WinRAR Path Traversal Vulnerability | high | 10500
CVE-2025-6264 | Rapid7 Velociraptor Incorrect Default Permissions | medium | 2120
CVE-2025-7771 | ThrottleStop.sys Driver Exposed IOCTL with Insufficient Access Control | high | 6140
CVE-2025-8088 | RARLAB WinRAR Path Traversal | high | 21811
CVE-2025-10035 | Fortra GoAnywhere MFT Deserialization of Untrusted Data | critical | 5220
CVE-2025-20363 | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Heap-Based Buffer Overflow | critical | 3200
CVE-2025-22224 | VMware ESXi and Workstation TOCTOU Race Condition | high | 0130
CVE-2025-22225 | VMware ESXi Arbitrary Write | high | 0120
CVE-2025-22226 | VMware ESXi, Workstation, and Fusion Information Disclosure | medium | 0120
CVE-2025-22457 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | critical | 10410
CVE-2025-23006 | SonicWall SMA1000 Appliances Deserialization | critical | 1110
CVE-2025-24016 | Wazuh Server Deserialization | critical | 13102
CVE-2025-24071 | Microsoft Windows Exposure of Sensitive Information | medium | 26100
CVE-2025-24472 | Fortinet FortiOS and FortiProxy Authentication Bypass | high | 0220
CVE-2025-24813 | Apache Tomcat Path Equivalence Vulnerability | critical | 47100
CVE-2025-24893 | XWiki Platform Eval Injection | critical | 48102
CVE-2025-25257 | Fortinet FortiWeb SQL Injection | critical | 18200
CVE-2025-26633 | Microsoft Windows Management Console (MMC) Improper Neutralization | high | 5220
CVE-2025-29824 | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free | high | 11230
CVE-2025-29927 | Vercel Next.js Improper Authorization | critical | 82100
CVE-2025-31161 | CrushFTP Authentication Bypass | critical | 23110
CVE-2025-31324 | SAP NetWeaver Unrestricted File Upload | critical | 22940
CVE-2025-32433 | Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function | critical | 39100
CVE-2025-32463 | Sudo Inclusion of Functionality from Untrusted Control Sphere | high | 67100
CVE-2025-33053 | Microsoft Windows External Control of File Name or Path | high | 10300
CVE-2025-34043 | Vacron Network Video Recorder (NVR) Remote Command Injection | critical | 2103
CVE-2025-48384 | Git Link Following Vulnerability | high | 27200
CVE-2025-49113 | Roundcube Webmail Deserialization | high | 24200
CVE-2025-49704 | Microsoft SharePoint Code Injection | high | 11640
CVE-2025-49706 | Microsoft SharePoint Improper Authentication | medium | 14640
CVE-2025-53770 | Microsoft SharePoint Deserialization | critical | 361060
CVE-2025-53771 | Microsoft SharePoint Improper Authentication | medium | 8740
CVE-2025-55182 | Meta React Server Components RCE (React2Shell) | critical | 2361124
CVE-2025-59287 | Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data | critical | 22310
CVE-2025-61882 | Oracle E-Business Suite Unspecified Vulnerability | critical | 12420
CVE-2025-61884 | Oracle E-Business Suite Server-Side Request Forgery | high | 4120
CVE-2025-61932 | Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel | critical | 1300
CVE-2025-64446 | Fortinet FortiWeb Path Traversal | critical | 24100
Because 2025 Routinely Targeted Vulnerabilities are based on several different types of exploit data, each of which can change a vulnerability’s ranking meaningfully when prioritized or filtered out, this collection of vulnerabilities isn’t intended to be a one-dimensional hierarchy of CVEs expressed as a top-to-bottom list. We invite members of the community to sort and analyze this data themselves and make their own determinations about vulnerability risk and threat profiles.
