The 10 Worst Vulnerabilities of 2025: Ranked by Real-World Impact
Beyond CVSS scores, these vulnerabilities caused the most damage in 2025—from nation-state exploitation to mass ransomware campaigns and breaches affecting millions.
CVSS scores tell part of the story, but they don't capture the chaos when a vulnerability is weaponized in the real world. A "9.0" that sits unpatched in a lab is far less dangerous than a "7.8" actively exploited by ransomware gangs. This list ranks 2025's most impactful vulnerabilities based on what actually happened: breaches confirmed, systems compromised, and damage inflicted.
TL;DR
- React2Shell (CVE-2025-55182): 30+ organizations breached, 77,000 vulnerable IPs, nation-state exploitation within hours
- SAP NetWeaver (CVE-2025-31324): 1,200+ exposed enterprise systems, ransomware-ready webshells deployed
- Erlang/OTP SSH (CVE-2025-32433): Affects WhatsApp, CouchDB, industrial control systems—exploited for root access
- Ivanti VPN flaws: Two critical zero-days (CVE-2025-0282, CVE-2025-22457) enabled China-nexus espionage campaigns
- Cisco ASA/FTD: State-sponsored attacks persisted across reboots via ROMMON manipulation
1. CVE-2025-55182: React2Shell
CVSS: 10.0 | Disclosed: December 3, 2025
React2Shell is the vulnerability that defined 2025. An unsafe deserialization flaw in React Server Components, it allowed unauthenticated remote code execution via a single malicious HTTP request. Default configurations of Next.js applications—created with create-next-app—were vulnerable out of the box.
Why It's #1
Within hours of Meta's December 3 disclosure, multiple threat actors—including China state-nexus groups Earth Lamia and Jackpot Panda—began active exploitation. Google Threat Intelligence observed campaigns deploying MINOCAT tunnelers, HISONIC backdoors, and XMRIG cryptocurrency miners.
The numbers are staggering: 77,000 vulnerable IP addresses identified, with researchers confirming 30+ organizations already breached across multiple sectors. Microsoft telemetry revealed several hundred machines across a diverse set of organizations compromised with common web application RCE tactics.
Iran-nexus actors joined the exploitation within days. CISA added it to the KEV catalog with a December 26 remediation deadline—one of the tightest windows of 2025.
Impact Factor
React powers a significant portion of modern web applications. The fact that default configurations were exploitable—requiring no code changes by developers—turned this into a mass-compromise scenario rather than a targeted attack.
2. CVE-2025-31324: SAP NetWeaver Visual Composer
CVSS: 10.0 | Disclosed: April 24, 2025
A missing authorization check in SAP NetWeaver's Metadata Uploader component allowed unauthenticated attackers to upload malicious files via crafted POST requests to /developmentserver/metadatauploader. The result: remote code execution and complete system compromise.
Why It's #2
"This is as bad as it can get," said Onapsis CTO JP Perez-Etchegoyen. SAP systems contain an organization's most sensitive business data—financial records, customer information, intellectual property.
Rapid7's MDR team confirmed exploitation dating back to March 27, 2025—nearly a month before disclosure. Attackers uploaded JSP webshells (commonly named helper.jsp or cache.jsp) for persistent access. By May, a second wave of opportunistic attackers was leveraging webshells planted during the initial zero-day campaign.
An estimated 50-70% of internet-facing SAP NetWeaver Java systems had the vulnerable Visual Composer component enabled. Over 1,200 instances were exposed. Threat actors used Brute Ratel and Heaven's Gate for post-exploitation evasion—tools typically associated with advanced persistent threats.
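The exploitation chain described above (an unauthenticated POST to the Metadata Uploader, followed by requests to a dropped helper.jsp or cache.jsp) is visible in ordinary web access logs. The following added example, not code from the original article or from SAP, walks constructed combined-format log lines and flags the two stages, treating a host that did both as the strongest signal; the directory /portal/ in the sample lines is an assumption, so matching is done on the file name only.

```python
import re

# Constructed access-log lines in combined log format (sample data, not from any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2025:02:14:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [27/Mar/2025:02:14:11 +0000] "GET /portal/helper.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [27/Mar/2025:08:01:30 +0000] "GET /portal/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2025:10:22:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.33 - - [29/Mar/2025:11:00:00 +0000] "POST /portal/cache.jsp HTTP/1.1" 200 64 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER_PATH = "/developmentserver/metadatauploader"   # endpoint named in the advisory coverage
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}            # file names reported for the dropped shells


def classify(line):
    """Return a label for a suspicious request, or None for an ordinary line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].lower()           # drop the query string before comparing
    if m["method"] == "POST" and path == UPLOADER_PATH:
        return "metadata-uploader-post"                  # stage 1: unauthenticated upload attempt
    if path.rsplit("/", 1)[-1] in WEBSHELL_NAMES and int(m["status"]) < 400:
        return "known-webshell-name"                     # stage 2: a shell-named JSP actually served
    return None


def triage(log_text):
    """Group findings by source IP so each host's sequence of actions is visible."""
    findings = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            findings.setdefault(LOG_RE.match(line)["ip"], set()).add(label)
    return {ip: sorted(labels) for ip, labels in findings.items()}


def high_confidence(findings):
    """Hosts that both POSTed to the uploader and then reached a webshell-named file."""
    both = {"metadata-uploader-post", "known-webshell-name"}
    return sorted(ip for ip, labels in findings.items() if both <= set(labels))
```

A GET to the uploader alone is left unflagged because a browser can reach it, which is why the combination per source IP, not either request by itself, drives the high-confidence list.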
Impact Factor
SAP is the backbone of enterprise operations for Fortune 500 companies. Compromise means access to ERP, CRM, and financial systems—prime targets for both espionage and ransomware.
3. CVE-2025-32433: Erlang/OTP SSH
CVSS: 10.0 | Disclosed: April 16, 2025
A flaw in Erlang/OTP's SSH daemon allowed attackers to send SSH connection-protocol messages (message numbers 80 and above, which are only valid after authentication) before authentication had completed. The server failed to disconnect as the SSH RFCs require, enabling unauthenticated arbitrary code execution.
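To make the RFC rule concrete, here is an added example (not code from Erlang/OTP or the article) of a server-side message gate: a small state machine that tracks key exchange and authentication and refuses any message number 80 or above until the peer has authenticated. The transitions are simplified, the message numbers are the standard RFC 4253/4252 values, and the `enforce_auth_gate` switch is an assumption used only to contrast the missing check with the correct behaviour.

```python
# Standard SSH message numbers (RFC 4253 transport layer, RFC 4252 authentication layer).
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
CONNECTION_PROTOCOL_MIN = 80      # 80-127: global requests and channel messages


class SshServerGate:
    """Simplified server-side state machine for one SSH session.

    handle() returns what the server should do with an incoming message. With
    enforce_auth_gate=True (the correct behaviour) any connection-protocol
    message received before authentication ends the session.
    """

    def __init__(self, verify_credentials, enforce_auth_gate=True):
        self.verify = verify_credentials        # callback: (user, secret) -> bool
        self.enforce_auth_gate = enforce_auth_gate
        self.keys_established = False
        self.authenticated = False

    def handle(self, msg_num, payload=None):
        if msg_num >= CONNECTION_PROTOCOL_MIN:
            if self.authenticated:
                return "DISPATCH_TO_CONNECTION_LAYER"   # channels/requests are legitimate now
            if self.enforce_auth_gate:
                return "DISCONNECT"                     # protocol error: auth not complete
            return "DISPATCH_TO_CONNECTION_LAYER"       # the missing check: pre-auth dispatch
        if msg_num == SSH_MSG_KEXINIT:
            return "CONTINUE"
        if msg_num == SSH_MSG_NEWKEYS:
            self.keys_established = True                # encryption is active from here on
            return "CONTINUE"
        if msg_num == SSH_MSG_SERVICE_REQUEST:
            return "CONTINUE" if self.keys_established else "DISCONNECT"
        if msg_num == SSH_MSG_USERAUTH_REQUEST:
            if not self.keys_established:
                return "DISCONNECT"                     # never authenticate over plaintext
            user, secret = payload or ("", "")
            if self.verify(user, secret):
                self.authenticated = True
                return "USERAUTH_SUCCESS"
            return "USERAUTH_FAILURE"
        return "IGNORE"                                 # other transport messages not modelled
```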
Why It's #3
Erlang/OTP isn't a household name, but it powers critical infrastructure: WhatsApp's messaging platform, distributed databases like CouchDB and Riak, and industrial control systems in OT and 5G environments. Many Erlang SSH daemons run as root, granting attackers absolute control.
Horizon3.ai reproduced the exploit within a day, calling it "surprisingly easy." CISA added it to the KEV catalog on June 9, 2025, after confirming active exploitation with reverse shell payloads.
The vulnerability affects telco infrastructure, IoT devices, and any system using Erlang's native SSH implementation—often chosen for its fault tolerance in high-availability environments where downtime isn't an option.
Impact Factor
The combination of root-level execution and deployment in critical infrastructure made this a nightmare scenario for operators who couldn't easily patch.
4. CVE-2025-22457: Ivanti Connect Secure (April Zero-Day)
CVSS: 9.0 | Disclosed: April 3, 2025
A stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways allowed remote, unauthenticated attackers to execute arbitrary code.
Why It's #4
Google Threat Intelligence observed exploitation by suspected China-nexus espionage group UNC5221 as early as mid-March 2025—weeks before public disclosure. The campaign targeted edge network devices specifically because they provide network access while often lacking endpoint detection capabilities.
Post-exploitation, attackers deployed newly identified malware families: TRAILBLAZE (in-memory dropper) and BRUSHFIRE (passive backdoor), alongside the previously documented SPAWN ecosystem. Later analysis revealed attacks between December 2024 and July 2025 using MDifyLoader to launch Cobalt Strike in memory.
Mandiant's recommendation was stark: "If your environment contains affected versions, assume compromise and perform a full investigation, including integrity checks and credential revocation."
Impact Factor
VPN appliances are designed to be the secure perimeter. When they're compromised, attackers get network access with minimal detection risk.
5. CVE-2025-0282: Ivanti Connect Secure (January Zero-Day)
CVSS: 9.0 | Disclosed: January 8, 2025
Another stack-based buffer overflow in Ivanti Connect Secure; this one had been exploited as a zero-day since December 2024.
Why It's #5
UK domain registry Nominet—managing over 11 million .UK domain names—became the first publicly confirmed victim. The organization detected suspicious activity in early January 2025, later confirming the attack exploited CVE-2025-0282 through their third-party Ivanti VPN.
Mandiant attributed the activity to UNC5221, the same China-nexus group behind CVE-2025-22457. Researchers found malware including the SPAWN ecosystem (SPAWNANT, SPAWNMOLE, SPAWNSNAIL), plus newly discovered tools: DRYHOOK (credential harvester) and PHASEJAM (dropper).
At disclosure, 2,048 internet-facing Ivanti instances were vulnerable. A proof-of-concept exploit was quickly released, accelerating the race between patching and exploitation.
Impact Factor
Nominet's breach highlighted the risk to critical internet infrastructure. Domain registries are foundational trust anchors—compromise could enable DNS hijacking, certificate fraud, or service disruption at scale.
6. CVE-2025-21298: Windows OLE (Zero-Click Outlook RCE)
CVSS: 9.8 | Disclosed: January 2025
A use-after-free vulnerability in Windows OLE (ole32.dll) allowed remote code execution when a user simply opened or previewed a malicious RTF document in Microsoft Outlook.
Why It's #6
Zero-click vulnerabilities represent the apex of offensive capability—no user interaction required beyond receiving an email. Attackers could send a crafted email, and if the victim previewed it, arbitrary code would execute with the potential for full system compromise.
The vulnerability affected Windows 10, 11, and every Windows Server version from 2008 through 2025. Proof-of-concept code appeared on GitHub shortly after Microsoft's January Patch Tuesday fix.
While widespread exploitation wasn't confirmed, the combination of zero-click delivery, universal Windows coverage, and public PoC availability made this one of the most dangerous vulnerabilities of the year for enterprises relying on Outlook.
Impact Factor
Email remains the primary attack vector for enterprises. A zero-click email RCE in the world's most deployed email client is a threat intelligence nightmare.
7. CVE-2025-20363, CVE-2025-20333, CVE-2025-20362: Cisco ASA/FTD Zero-Days
CVSS: 9.0 | Disclosed: September 25, 2025
Three critical vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, including a heap-based buffer overflow enabling unauthenticated RCE.
Why It's #7
This wasn't just exploitation—it was a siege by a sophisticated state-sponsored actor. Cisco confirmed the campaign, attributed to UAT4356 (China-aligned), had been active since May 2025. The same threat actor conducted the ArcaneDoor campaign in 2024.
What made this particularly alarming: attackers demonstrated ROMMON manipulation, persisting malware through device reboots and even software upgrades. Older Cisco ASA 5500-X appliances were specifically targeted.
CISA issued an emergency directive requiring immediate defensive actions. Cisco's advisory was blunt: "There are no workarounds or mitigations for these vulnerabilities."
Impact Factor
Firewalls and VPN appliances are security controls. Persistent compromise of these devices—surviving reboots—represents a near-total loss of network perimeter integrity.
8. CVE-2025-54309: CrushFTP Zero-Day
CVSS: 9.8 | Disclosed: July 18, 2025
An unprotected alternate channel vulnerability in CrushFTP's AS2 validation allowed unauthenticated attackers to gain administrative access through the web interface.
Why It's #8
CrushFTP learned of active exploitation the same day they disclosed: July 18, 2025, at 9 AM CST. Four days later, ReliaQuest discovered an exploit being sold on the cybercriminal forum "Exploit."
The exposure was massive: 295,534 CrushFTP instances visible on the internet, with approximately 1,040 remaining unpatched and vulnerable. CISA added it to the KEV catalog on July 22.
This was CrushFTP's third high-impact zero-day in 15 months, following the VFS sandbox escape (CVE-2024-4040) and the AWS4-HMAC race-condition bypass (CVE-2025-31161). Managed file transfer platforms have become prime targets after the MOVEit massacre of 2023.
Impact Factor
MFT platforms handle sensitive data transfers. Administrative takeover enables data theft, ransomware staging, and supply chain attacks affecting downstream partners.
9. CVE-2025-29824: Windows CLFS Zero-Day
CVSS: 7.8 | Disclosed: April 8, 2025
A use-after-free vulnerability in the Windows Common Log File System (CLFS) driver allowed privilege escalation to SYSTEM.
Why It's #9
The lower CVSS score belies the real-world impact: this vulnerability was actively exploited by ransomware operators before Microsoft's patch. Storm-2460 used PipeMagic malware to deliver exploits, while the Balloonfly group (Play ransomware) weaponized it in attacks.
Targets included IT and real estate firms in the U.S., financial sector organizations in Venezuela, a software company in Spain, and retailers in Saudi Arabia. Post-exploitation, attackers used procdump.exe to dump LSASS memory for credential theft before deploying ransomware.
This was the second CLFS zero-day delivered via PipeMagic, following CVE-2025-24983. The CLFS driver has become a reliable privilege escalation primitive for ransomware operators.
Impact Factor
Privilege escalation vulnerabilities are force multipliers. They transform limited access into full system control, enabling ransomware deployment at scale.
10. CVE-2025-24813: Apache Tomcat RCE
CVSS: Moderate (per Apache) | Disclosed: March 10, 2025
A path equivalence vulnerability in Apache Tomcat's partial PUT handling could allow remote code execution via deserialization attacks.
Why It's #10
Days after public proof-of-concept release, GreyNoise observed exploitation attempts from multiple malicious IPs targeting systems in the U.S., Japan, Mexico, South Korea, and Australia. Attackers sent Base64-encoded serialized Java payloads via PUT requests, then triggered deserialization with crafted session cookies.
Apache rated this as "moderate" because exploitation requires specific configurations (write permissions enabled, file-based session persistence with default storage). However, security researchers noted the "troubling trend of continuously shrinking time to exploitation"—the gap between PoC and in-the-wild attacks measured in days.
Affected versions spanned Tomcat 9.x through 11.x, covering a massive deployment footprint across enterprises worldwide.
Impact Factor
Tomcat powers countless Java applications. The speed of weaponization—PoC to exploitation in days—demonstrates how quickly vulnerability disclosure translates to active attacks.
The 2025 Vulnerability Landscape: Key Takeaways
Edge Devices Became Ground Zero
VPNs, firewalls, and network appliances dominated this list. Ivanti, Cisco, and CrushFTP vulnerabilities enabled initial access with minimal detection. Attackers increasingly target these devices because they sit outside traditional endpoint security controls.
Time-to-Exploitation Collapsed
The "patch within 30 days" standard is obsolete. React2Shell was exploited within hours of disclosure. SAP NetWeaver was compromised nearly a month before the patch existed. Organizations need near-real-time patching for internet-facing assets.
Nation-State and Criminal Lines Blurred
UNC5221 exploited Ivanti flaws for espionage. Storm-2460 exploited Windows CLFS for ransomware. React2Shell saw both China-nexus APTs and cryptocurrency miners. The same vulnerabilities serve different objectives depending on who gets there first.
Default Configurations Were Deadly
React2Shell and Apache Tomcat vulnerabilities affected default installations. Organizations can no longer assume that deploying unmodified software is safe—they must verify security configurations as part of deployment.
Looking Forward
The vulnerabilities on this list share a common thread: they targeted the infrastructure organizations trust most—VPN appliances, enterprise platforms, web frameworks, and file transfer systems. Attackers understand that compromising these foundational systems provides access to everything built on top of them.
For 2026, organizations should prioritize:
- Continuous vulnerability management for edge devices and internet-facing assets
- Assume-breach mentality when patching is delayed
- Network segmentation to limit blast radius when perimeter devices fail
- Vendor security track records as a factor in procurement decisions
The vulnerabilities will keep coming. The question is whether defenders can close the gap between disclosure and exploitation before attackers do.
This ranking reflects vulnerabilities disclosed in 2025 based on confirmed exploitation, scope of impact, and organizational damage. Some incidents remain under investigation.