Across industries, the year’s most damaging vulnerabilities shared the same defining trait: unauthenticated remote code execution (pre-auth RCE) on internet-facing systems.
VPNs, firewalls, web frameworks, and even core ERP platforms all fell victim to flaws that allowed attackers to run code before authentication, effectively collapsing the traditional security perimeter. In many cases, exploitation began within hours of public disclosure. VulnCheck found that “28.96% of the KEVs identified in 2025 were exploited on or before the day their CVE was published.” This is long before organizations could realistically patch, giving ransomware groups and nation-state actors a wide window to establish persistence.
Below are some of the worst vulnerabilities of 2025, why they were so effective, and what they reveal about a security model that still assumes the edge can be trusted.
1. React2Shell
Category: Web frameworks | Default-config RCE
React2Shell (CVE-2025-55182) quickly earned "worst vulnerability of 2025" status. The flaw is an unauthenticated RCE in React Server Components that is reachable in default configurations, Next.js App Router deployments included, and an estimated 77,000 internet-facing systems were exposed.
Exploitation began within hours of disclosure. At least 30 organizations were confirmed breached, with both criminal and nation-state actors moving fast.
Why it mattered: React2Shell showed that the perimeter is no longer just firewalls and VPNs. A web framework whose default configuration exposes a pre-authentication code path to the internet is the perimeter, and it gets patched on the application's release cycle, not the network team's.
2. CitrixBleed 2 and NetScaler Memory Vulnerabilities
Category: Edge infrastructure | Memory safety failure
In June 2025, Citrix disclosed two critical NetScaler ADC and Gateway vulnerabilities within roughly two weeks, both actively exploited in the wild. CitrixBleed 2 (CVE-2025-5777), a successor to the 2023 CitrixBleed flaw, is an out-of-bounds read caused by insufficient input validation on the authentication endpoint: each malformed request leaks a fragment of process memory, and repeated requests harvest session tokens and other authentication data without any credentials.
Imperva researchers observed more than 11.5 million attack attempts targeting thousands of organizations, with financial services hit especially hard. Soon after, Citrix confirmed a second issue: a critical buffer overflow (CVE-2025-6543, CVSS 9.2), also added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Why it mattered: NetScaler devices sit directly on the perimeter, and a pre-auth memory overread needs no exploit chain at all. It turned them into credential-harvesting systems at internet scale, proof that classic memory safety failures remain among the most dangerous weaknesses in modern software. Patching alone does not end the exposure either: tokens stolen before the patch stay valid until their sessions are terminated, which is why Citrix advised killing all active ICA and PCoIP sessions after upgrading.
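As an added illustration of the bug class (constructed example code, not NetScaler's code and not from the original article): a toy request parser in C whose scan for the end of a form value has no bound, so a client body that fills the request region exactly lets the parser read straight into the session token stored next to it. The hardened version bounds every read and refuses unterminated input. The region sizes, the token and the two request bodies are all made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX   32   /* bytes reserved for the request body (assumed size) */
#define TOKEN_MAX 48   /* bytes reserved for the session token after it (assumed size) */

/* Constructed sample data, not captured traffic. */
#define DEMO_TOKEN     "SESS-constructed-secret-token-0123456789"
#define BENIGN_BODY    "login=admin&passwd=x"
/* 26 filler bytes + "login=" is exactly REQ_MAX bytes: nothing terminates the value. */
#define MALICIOUS_BODY "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxx" "login="

/* One flat region, so the overread below is ordinary in-bounds C rather than
 * undefined behaviour: the request body occupies the first REQ_MAX bytes and
 * the session token sits immediately after it, as adjacent allocations do. */
struct page {
    unsigned char mem[REQ_MAX + TOKEN_MAX];
};

static char *req_of(struct page *pg)   { return (char *)pg->mem; }
static char *token_of(struct page *pg) { return (char *)pg->mem + REQ_MAX; }

/* Bounded strlen, so the hardened parser does not depend on strnlen being declared. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Place the token, then load the client body. The copy stops at REQ_MAX but
 * reserves no byte for a terminator when the body fills the region: the
 * classic mistake this example is built around. */
static void load_request(struct page *pg, const char *body)
{
    size_t blen = strlen(body);
    memset(pg->mem, 0, sizeof pg->mem);
    memcpy(token_of(pg), DEMO_TOKEN, sizeof DEMO_TOKEN - 1);   /* 40 bytes < TOKEN_MAX */
    memcpy(req_of(pg), body, blen < REQ_MAX ? blen : REQ_MAX);
}

/* VULNERABLE: the scan for the end of the value has no upper bound, so an
 * unterminated body lets it walk out of the request region and copy the
 * neighbouring token into the response. */
size_t vulnerable_login_value(struct page *pg, char *out, size_t outlen)
{
    const char *v = strstr(req_of(pg), "login=");   /* strstr is unbounded too */
    size_t n = 0;
    if (v == NULL) { out[0] = '\0'; return 0; }
    v += strlen("login=");
    while (v[n] != '\0' && v[n] != '&') n++;        /* no check against REQ_MAX */
    if (n >= outlen) n = outlen - 1;
    memcpy(out, v, n);
    out[n] = '\0';
    return n;
}

/* HARDENED: every read is bounded by REQ_MAX, and a body that is not
 * terminated inside the request region is rejected instead of parsed. */
size_t hardened_login_value(struct page *pg, char *out, size_t outlen)
{
    const char *req = req_of(pg);
    const char key[] = "login=";
    size_t klen = sizeof key - 1;
    size_t len = bounded_len(req, REQ_MAX);
    size_t start = 0, n = 0;
    int found = 0;

    out[0] = '\0';
    if (len == REQ_MAX) return 0;                   /* unterminated: refuse it */
    for (size_t i = 0; i + klen <= len; i++) {
        if (memcmp(req + i, key, klen) == 0) { start = i + klen; found = 1; break; }
    }
    if (!found) return 0;
    while (start + n < len && req[start + n] != '&') n++;   /* never past len */
    if (n >= outlen) n = outlen - 1;
    memcpy(out, req + start, n);
    out[n] = '\0';
    return n;
}

/* Run one extractor over a body and report whether it produced `expected`. */
int extract_matches(int hardened, const char *body, const char *expected)
{
    struct page pg;
    char out[64];
    load_request(&pg, body);
    if (hardened) hardened_login_value(&pg, out, sizeof out);
    else          vulnerable_login_value(&pg, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    const char *bodies[] = { BENIGN_BODY, MALICIOUS_BODY };
    struct page pg;
    char out[64];
    for (int i = 0; i < 2; i++) {
        load_request(&pg, bodies[i]);
        vulnerable_login_value(&pg, out, sizeof out);
        printf("vulnerable parser returned: \"%s\"\n", out);
        hardened_login_value(&pg, out, sizeof out);
        printf("hardened parser returned:   \"%s\"\n", out);
    }
    return 0;
}
```

Compile with `cc -Wall -o overread overread.c` and run it: the benign body yields "admin" from both parsers, the malicious one yields the whole token from the vulnerable parser and nothing from the hardened one. Note that the defect is the unbounded read itself, and the fix is to bound it; recognising the particular request that triggers the leak would only block one of many possible triggers.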
3. Ivanti Connect Secure VPN Zero-Days
Category: VPNs | Perimeter access
If one attack vector defined 2025, it was VPN exploitation. Ivanti Connect Secure and Policy Secure zero-days, notably the stack-based buffer overflows CVE-2025-0282 (January) and CVE-2025-22457 (April), gave attackers unauthenticated RCE on internet-facing VPN gateways and were weaponized in long-running espionage campaigns attributed to China-nexus threat actors, including the cluster Mandiant tracks as UNC5221 and the group Microsoft calls Silk Typhoon.
Once inside, attackers executed commands, harvested credentials, and moved laterally into internal networks. In many cases access persisted after the patch was applied, because the implants lived on the appliance itself: Ivanti's guidance was a factory reset before re-imaging, and the check to trust is Ivanti's external Integrity Checker Tool, since tooling that runs on a compromised box cannot be trusted to report on it.
Why it mattered: These flaws bypassed authentication and erased the perimeter entirely by compromising the systems meant to protect remote access.
4. Cisco Firewall Zero-Days with Persistent Access
Category: Firewalls | Trust collapse
In September 2025, Cisco disclosed ASA and Firepower Threat Defense zero-days that were chained for unauthenticated RCE on enterprise firewalls: an authorization bypass (CVE-2025-20362) that reaches restricted URL endpoints of the VPN web server, followed by a buffer overflow (CVE-2025-20333) in that same server. On ASA 5500-X models without Secure Boot and Trust Anchor, the attackers modified ROMMON, the device's boot firmware, so their implants survived reboots and software upgrades; CISA responded with Emergency Directive 25-03.
Why it mattered: When attackers persist inside firewalls, perimeter trust collapses and defensive controls become attacker infrastructure. A device that cannot attest its own boot chain also cannot be trusted to report on its own compromise, which is why the guidance for the affected models was to collect core dumps for analysis and retire the end-of-support hardware rather than try to clean it in place.
5. ERP and Enterprise Application RCEs (Oracle & SAP)
Category: Core business systems
ERP platforms were not spared in 2025. An unauthenticated Oracle E-Business Suite flaw (CVE-2025-61882) gave attackers direct access to core ERP functions and was used in a data-theft extortion campaign attributed to Cl0p, while SAP NetWeaver's CVE-2025-31324, a missing authorization check in the Visual Composer Metadata Uploader that allows unauthenticated file upload and therefore remote code execution, impacted more than 1,200 exposed systems, many of them the gateway into manufacturing and operations environments.
Why it mattered: These were not edge systems—they were the business itself. When ERP platforms fall, the blast radius includes financial data, supply chains, and operational continuity.
What 2025 Taught Us About Patch Management
The problem with patching is that defenders are always behind. It can take months for vendors to release fixes and even longer for organizations—especially in ICS and OT environments—to deploy them. Attackers know this, and 2025 showed how effectively they exploit that gap.
To reduce risk in 2026, organizations must focus on resilience, not just remediation:
- Create a vulnerability management plan: Continuously scan software, prioritize vulnerabilities by severity and by evidence of exploitation (a CISA KEV listing, EPSS, and whether the asset is internet-facing and pre-auth reachable) rather than by CVSS score alone, and track software supply chain risk with a Software Bill of Materials (SBOM).
- Use runtime security solutions: Runtime protections can block entire classes of exploits, such as memory-corruption attacks, before a patch exists; they are a compensating control for the exploitation window, not a replacement for patching.
- Invest in reachability analysis: Focus patching effort on vulnerable code that is actually reachable in your deployment, so the internet-exposed, pre-auth paths are fixed first.
2025 showed us that when pre-auth RCE becomes routine, the perimeter stops being a defense and starts being an attack surface. Organizations that adapt to that reality will be far better positioned for what comes next.
Stop attackers from exploiting your software, even before a patch is available. Learn more about RunSafe Security’s patented runtime exploit prevention. Or, get in touch with our team for more details.