
The Top Vulnerabilities of 2025

Eamon Carroll, Marketing Coordinator

Key Points

Businesses of all sizes are facing an intensifying threat environment. Attackers aren’t just targeting enterprises — they’re scanning the internet for any exposed service, misconfigured cloud asset or unpatched system they can exploit.

By analyzing over 3,000 customer environments, our security team identified the vulnerabilities that shaped the threat landscape in 2025. They selected these based on three factors:

  • Prevalence across environments
  • Likelihood of exploitation
  • Real world impact

Keep reading for our top six vulnerabilities of the year...

Top 6 Vulnerabilities of 2025

What started as a list of the five top vulnerabilities of 2025 quickly evolved into a list of six when React2Shell, one of 2025’s biggest CVEs, hit the headlines in early December…

6. Apache Tomcat RCE - CVE-2025-24813

A remote code execution flaw in Apache Tomcat, rated CVSS 9.8.

Why it matters:

Its high severity, combined with the broad prevalence of Tomcat, made it one of the top exposures of the year, affecting a wide range of organizations - a classic example of an impactful, widely distributed application vulnerability.

5. Fortinet Perimeter Vulnerabilities - CVE-2024-55591 & CVE-2025-32756

CVE-2024-55591: An authentication bypass in FortiOS.
CVE-2025-32756: Critical flaw in FortiVoice.

Both affect internet-facing Fortinet appliances.

Why they mattered:

Fortinet saw a series of critical vulnerabilities across multiple product lines over the last 18 months. Incidents like these highlight why edge appliances such as Fortinet's are high-value targets: they are internet-facing, widely deployed, and hold the keys to network access.

For most enterprises, changing vendors in response is not an effective solution - the cost and disruption is too high - leaving fast patching and compensating controls as the only viable defenses.

4. Apache mod_rewrite RCE - CVE-2024-38475

A vulnerability in Apache HTTP Server’s mod_rewrite module (versions 2.4.59 and earlier) caused by improper output escaping. It allows attackers to map URLs to filesystem locations that should not be directly accessible.

Why it mattered:

Despite being discovered in 2024, the number of vulnerable instances still present highlights the continued relevance of this vulnerability in 2025.

Its persistence shows how widely deployed web server modules remain attractive targets, and how quickly attackers incorporate reliable application-layer bugs into their exploitation toolkits.
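The version bound above (2.4.59 and earlier) is the one fact a defender can act on straight away. The following triage script is an added example, not Intruder's code or part of the original post: it parses Apache `Server` banners from a constructed host inventory and buckets each host as affected, unaffected, or unknown relative to that bound. Hostnames, headers, and the `triage_inventory` helper are all assumptions made for the example.

```python
import re

# Last affected Apache HTTP Server release named in the post for CVE-2024-38475.
LAST_AFFECTED = (2, 4, 59)

# Matches a full three-part httpd version in a Server header, e.g. "Apache/2.4.58 (Ubuntu)".
SERVER_HEADER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a Server header, or None when the
    banner is not an Apache httpd banner with a full version (e.g. just 'Apache'
    when ServerTokens is set to Prod, or a different server altogether)."""
    m = SERVER_HEADER_RE.search(server_header or "")
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version, last_affected=LAST_AFFECTED):
    """Compare as integer tuples, not strings, so 2.4.9 is correctly treated as
    older than 2.4.59 (a string compare would get this wrong)."""
    return version <= last_affected


def triage_inventory(inventory):
    """inventory: iterable of (host, server_header) pairs.
    Returns a dict with 'affected', 'unaffected' and 'unknown' host lists."""
    result = {"affected": [], "unaffected": [], "unknown": []}
    for host, header in inventory:
        version = parse_apache_version(header)
        if version is None:
            # Cannot decide from the banner alone; needs an authenticated check.
            result["unknown"].append(host)
        elif is_affected(version):
            result["affected"].append(host)
        else:
            result["unaffected"].append(host)
    return result


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    ("web-01.example.test", "Apache/2.4.58 (Ubuntu)"),
    ("web-02.example.test", "Apache/2.4.59 (Debian)"),
    ("web-03.example.test", "Apache/2.4.62 (Unix)"),
    ("web-04.example.test", "Apache"),          # version hidden by ServerTokens Prod
    ("web-05.example.test", "nginx/1.24.0"),    # not httpd at all
    ("web-06.example.test", "Apache/2.4.9 (Win64)"),
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Treat the "affected" and "unknown" buckets as a worklist rather than a verdict: Linux distributions routinely backport security fixes without changing the advertised httpd version, so a banner-based check should be confirmed against the installed package version or an authenticated scan before closing a finding.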

3. Palo Alto Auth Bypass - CVE-2025-0108

An authentication bypass in the web management interface of Palo Alto Networks PAN-OS firewall.

Why it mattered:

This vulnerability was actively exploited and highlights a recurring theme of incomplete fixes. Protections introduced after a prior authentication bypass (CVE-2024-0012) proved insufficient, and attackers found new ways to abuse how the different components in the management stack (Apache, Nginx, PHP) process the same request. When authentication controls on management interfaces fail, attackers gain an immediate foothold in security-critical devices.

2. ToolShell - CVE-2025-53770

A critical remote code execution flaw in Microsoft SharePoint, exploitable without authentication.

Why it mattered:

ToolShell was a perfect storm in 2025. It offered reliable, unauthenticated remote code execution on systems that are often perimeter-exposed and tightly integrated with Active Directory.

Because the exploit required very little skill — and Microsoft released the details on a Saturday — teams without an out-of-hours SOC were left at a severe disadvantage.

To make matters worse, there was a gap between disclosure and patch availability – a window attackers quickly took advantage of. For many organizations, failing to patch within days meant they were already in a post-exploitation scenario. Vulnerabilities this impactful, reliable, and easy to exploit don't come along often!

1. React2Shell - CVE-2025-55182

React2Shell is a critical remote code execution vulnerability affecting applications built with React Server Components, where attacker-controlled input could be executed on the server in certain configurations.

Why it mattered:

React2Shell stood out because of its scale. React is the most widely used web framework, and applications using React Server Components - including those built with frameworks like Next.js - were exposed by default in some configurations. Exploitation began within days of disclosure, and patching was the only effective fix. Intruder identified significantly more vulnerable hosts for React2Shell than for Log4Shell, reinforcing its unusually large real-world impact.

Get more threat landscape insights in our 2025 Exposure Management Index

CVEs alone don’t capture the full picture. Based on insights from over 3,000 organizations, our 2025 Exposure Management Index explores the factors driving an increasingly hostile threat environment and how defenders are keeping pace:

  • Attackers are weaponizing older CVEs at unprecedented speed - using AI-assisted exploit development to turn long forgotten vulnerabilities into today’s active threats.
  • The dangers posed by Shadow IT - tools and services that exist without the proper oversight.
  • Small companies fix issues nearly twice as fast as larger environments, but larger estates are catching up - highlighting how complexity, not intent, drives remediation performance.
  • European organizations are now finding 100 fewer critical vulnerabilities on average than North America - suggesting early regulatory frameworks may be improving cyber hygiene.

👉 Download the Exposure Management Index - See the vulnerabilities most likely to impact your business — and how to get ahead of them.
