What 2025 Taught Us About Zero-Day Exploitation

Zero-day exploits were among the defining cyber threats of 2025. High-severity flaws such as React2Shell, the Oracle E-Business Suite (EBS) zero-day, and CitrixBleed 2 highlighted how quickly zero-days can be weaponized and how damaging they can be.

To help organizations understand the zero-day threat landscape, Outpost24’s threat intelligence team has compiled a review of the vulnerabilities they encountered in the wild throughout 2025. This analysis covers the most significant cases observed in 2025 and the threat actors behind their exploitation.

Across these cases, four consistent patterns emerged that organizations should consider when preparing to defend against future zero-day exploitation:

1. Enterprise software as a prime target: Zero-days in widely deployed platforms such as security appliances, enterprise resource planning systems, file transfer tools, and web application frameworks were repeatedly exploited due to their central role and privileged access.

2. Financially motivated groups on the rise: Profit-driven actors accounted for a growing share of zero-day exploits in 2025, often moving quickly from initial access to data theft, ransomware, or extortion.

3. Patches don’t remove risk overnight: Even when fixes were released promptly, testing and operational constraints left many organizations exposed for weeks or months.

4. Rapid weaponization: Public disclosure of a zero-day was often followed by swift reuse and adaptation, allowing exploitation to spread beyond the original threat actors.

Five major vulnerabilities observed in 2025 

Improper Authentication in Oracle EBS

Name: CVE-2025-61882  

Severity: CVSS 3.x 9.8  

Products affected: Oracle Concurrent Processing (OCP) product of Oracle EBS (component: BI Publisher Integration).  

Impact: Unauthenticated remote compromise leading to OCP takeover  

Overview: CVE-2025-61882 is an improper authentication vulnerability that allows an unauthenticated attacker with network access over HTTP to compromise OCP. Successful exploitation can result in full takeover of the affected component.

Timeline of events 

  • First observed exploitation:  August 9, 2025  
  • Discovery date: Undisclosed  
  • Vendor disclosure and patch: October 4, 2025  

Analysis: In September 2025, the CL0P group launched a large-scale extortion campaign targeting organizations running Oracle EBS. Executives received high-volume emails claiming data theft, backed up with genuine file listings from compromised environments and demands to negotiate to avoid public disclosure.

In the weeks that followed, CL0P began naming victims and leaking data via its extortion site. CL0P later confirmed it had exploited a zero-day vulnerability in Oracle EBS to gain access and exfiltrate data, although a separate actor tracked as Scattered Lapsus$ Hunters claimed responsibility for developing the exploit on Telegram.

Oracle initially appeared to attribute the extortion activity to vulnerabilities patched in July. However, in early October, the company issued an emergency security update addressing a previously unknown vulnerability, CVE-2025-61882.

Analysis by Mandiant researchers indicates exploitation started as early as August 9, 2025, with additional suspicious activity dating back to July 10, 2025, several weeks before the patch was released.

Deserialization of Untrusted Data in React Server [React2Shell] 

Name: CVE-2025-55182  

Severity: CVSS 3.x 10  

Products affected: Meta React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0  

Impact: Unauthenticated remote code execution 

Overview: CVE-2025-55182, commonly referred to as React2Shell, is a critical deserialization vulnerability in React Server Components. The flaw allows unauthenticated attackers to execute arbitrary code by exploiting how React decodes payloads sent to React Server Function endpoints. 

Timeline of events  

  • First observed exploitation: Unknown  
  • Discovery date: November 29, 2025  
  • Public disclosure: December 3, 2025  
  • Patch released: December 3, 2025  

Analysis: A patch was released shortly after React2Shell was identified, but within hours of its public disclosure in early December, Amazon’s threat intelligence teams observed rapid exploitation activity targeting vulnerable React Server deployments. Multiple China-nexus threat groups, including Earth Lamia and Jackpot Panda, attempted to exploit the flaw, alongside several unattributed clusters using similar tactics and infrastructure.

React2Shell enabled unauthenticated remote code execution, which attackers used to deploy a range of payloads. Post-exploitation activity included cryptominers, Linux backdoors, reverse proxy tunnels, Go-based implants, and botnet variants, pointing to both opportunistic abuse and longer-term access. Given the widespread use of React Server Components across modern web frameworks, the incident highlighted how quickly high-impact flaws in development tooling can be weaponized and reused once details become public.

Unrestricted Upload of File with Dangerous Type in SAP NetWeaver 

Name: CVE-2025-31324

Severity: CVSS 3.x 10 

Products affected: SAP NetWeaver Visual Composer, specifically the Metadata Uploader component 

Overview: Allows an unauthenticated agent to upload potentially malicious executable binaries.

Timeline of events 

  • First observed exploitation: March 12, 2025 
  • Discovery date:  April 2025 
  • Public disclosure: April 22, 2025 
  • Patch released: April 24, 2025 

Analysis: In April 2025, ReliaQuest investigated multiple customer incidents involving unauthorized file uploads and execution of malicious files on SAP NetWeaver systems. In these cases, attackers uploaded JSP webshells to publicly accessible directories, allowing them to maintain ongoing access to affected environments.

Following the public disclosure of the vulnerability in April 2025, Onapsis researchers conducted retrospective analysis of their telemetry. This review identified reconnaissance activity targeting the vulnerability between January 20 and February 10, 2025, followed by exploitation activity beginning in March. Confirmed compromises involving webshell deployment were observed from March 12, 2025 onwards.

Certain aspects of the exploitation were tied to China-linked threat actors tracked as Chaya_004. Additional evidence suggested involvement from ransomware groups BianLian and RansomEXX.

Deserialization of Untrusted Data in Microsoft SharePoint [ToolShell] 

Name: CVE-2025-53770

Severity: CVSS 3.x 9.8 

Products affected: Microsoft SharePoint 

Overview: Allows an unauthorized attacker to execute code over a network. 

Timeline of events

  • First observed exploitation: Unknown 
  • Discovery date: July 14, 2025 
  • Public disclosure: July 19, 2025 
  • Patch released: July 20, 2025 

Analysis: During Pwn2Own Berlin in May 2025, researchers demonstrated a ToolShell attack by chaining two SharePoint vulnerabilities, CVE-2025-49706 and CVE-2025-49704, to achieve remote code execution. Microsoft addressed both flaws as part of its July Patch Tuesday release, but researchers soon demonstrated on X that the original fixes could be bypassed using modified techniques. These bypasses were later tracked as CVE-2025-53770 and CVE-2025-53771, restoring unauthenticated code execution.

Although early reports suggested exploitation on July 17 and 18, 2025, subsequent analysis linked this activity to the already patched issues. Microsoft confirmed active exploitation on July 19 and attributed the attacks to China-aligned actors, including Linen Typhoon, Violet Typhoon, and a third group tracked as Storm-2603, which used the vulnerabilities to deploy ransomware.

Out-of-Bounds Read in Citrix NetScaler ADC and Gateway [CitrixBleed 2] 

Name: CVE-2025-5777 

Severity: CVSS 3.x 9.3 

Products affected: Citrix NetScaler ADC and Gateway 

Overview: Can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. 

Timeline of events 

  • First observed exploitation: June 23, 2025 
  • Discovery date: Unknown 
  • Public disclosure: June 17, 2025 
  • Patch released: June 17, 2025 

Note: CitrixBleed 2 is included here due to credible reporting of possible early abuse, rather than confirmed zero-day exploitation. The Outpost24 threat intelligence team found no conclusive evidence that the vulnerability was actively exploited before the patch was released. As a result, it cannot be definitively classified as a zero-day.

Analysis: Cloud Software Group stated at disclosure that there was no evidence of active exploitation at that time. In the days that followed, exploitation attempts were observed, and CISA added CVE-2025-5777 to its Known Exploited Vulnerabilities catalogue. Proof-of-concept exploits were published by watchTowr and Horizon3 in early July to support defensive awareness.  

Based on honeypot telemetry, GreyNoise researchers tracked back exploitation attempts originating from malicious IP addresses geolocated in China, with activity dating back to June 23, 2025. Independent reporting by Kevin Beaumont also referenced exploitation activity potentially spanning back to mid-June.

Researchers from ReliaQuest observed indicators suggesting the vulnerability may have been used to gain initial access to targeted environments as early as June 26, 2025, placing exploitation before public proof-of-concept releases. 

While exploitation of CitrixBleed 2 has since been publicly confirmed and linked to ransomware activity, few threat actors have been definitively named. One publicly reported case linked INC Ransom to exploitation of CVE-2025-5777, which was most likely used to gain initial access to the Pennsylvania Attorney General’s Office in August 2025. 
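As an added illustration that is not part of the original article, the script below encodes the five timelines listed above exactly as the article gives them and computes, for each, how many days exploitation preceded the patch. It applies the same rule the CitrixBleed 2 note uses: exploitation observed only after the fix shipped does not make a zero-day, and an unknown first-observed date leaves the case unconfirmed. The dates are copied from the timeline bullets; the classification labels and the helper names are an editorial choice, not terminology from Outpost24.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Timelines as listed in the article's "Timeline of events" sections:
# (CVE, product, first observed exploitation, patch released).
# None stands for a first-observed date the article gives as "Unknown".
TIMELINES: List[Tuple[str, str, Optional[str], str]] = [
    ("CVE-2025-61882", "Oracle EBS", "2025-08-09", "2025-10-04"),
    ("CVE-2025-55182", "React Server Components (React2Shell)", None, "2025-12-03"),
    ("CVE-2025-31324", "SAP NetWeaver Visual Composer", "2025-03-12", "2025-04-24"),
    ("CVE-2025-53770", "Microsoft SharePoint (ToolShell)", None, "2025-07-20"),
    ("CVE-2025-5777", "Citrix NetScaler (CitrixBleed 2)", "2025-06-23", "2025-06-17"),
]


@dataclass
class Assessment:
    cve: str
    product: str
    window_days: Optional[int]  # days exploitation preceded the patch; None if unknown
    classification: str         # "zero-day", "unconfirmed" or "post-patch exploitation"


def _parse(iso: Optional[str]) -> Optional[date]:
    """Parse an ISO date string, passing None through for unknown dates."""
    return date.fromisoformat(iso) if iso else None


def assess(cve: str, product: str, first_seen: Optional[str], patched: str) -> Assessment:
    """Classify one vulnerability from its first-observed and patch dates.

    A positive window means the exploitation date precedes the patch date,
    which is what "zero-day" means here. A zero or negative window means the
    earliest confirmed exploitation came after the fix was available, so the
    case cannot be classified as a zero-day (the article's CitrixBleed 2 note).
    """
    first, fix = _parse(first_seen), _parse(patched)
    if first is None:
        return Assessment(cve, product, None, "unconfirmed")
    window = (fix - first).days
    if window > 0:
        return Assessment(cve, product, window, "zero-day")
    return Assessment(cve, product, window, "post-patch exploitation")


def assess_all(timelines=TIMELINES) -> List[Assessment]:
    """Assess every timeline in the order the article lists them."""
    return [assess(*entry) for entry in timelines]


def exposure_ranking(timelines=TIMELINES) -> List[str]:
    """CVEs ranked by confirmed pre-patch exposure, longest first.

    Unconfirmed and post-patch cases are excluded so the ranking only contains
    vulnerabilities the timelines actually support as zero-days.
    """
    confirmed = [a for a in assess_all(timelines) if a.classification == "zero-day"]
    confirmed.sort(key=lambda a: a.window_days, reverse=True)
    return [a.cve for a in confirmed]


if __name__ == "__main__":
    for a in assess_all():
        days = "n/a" if a.window_days is None else f"{a.window_days:+d}"
        print(f"{a.cve:<16} {days:>5} days  {a.classification:<24} {a.product}")
    print("longest confirmed pre-patch exposure:", exposure_ranking())
```

Run as a script it prints one line per CVE; the Oracle EBS case shows 56 days of pre-patch exploitation and SAP NetWeaver 43, while CitrixBleed 2 comes out at minus 6 days, matching the article's caveat that it is listed on the strength of credible reporting rather than confirmed pre-patch exploitation.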

Additional zero-day vulnerabilities observed in 2025

| CVE | CVSS 3.x | Products affected | Publication | Threat actors or malware involved |
|---|---|---|---|---|
| CVE-2025-0282 | 9 | Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways | January 8, 2025 | UNC5221 |
| CVE-2025-0994 | 8.8 | Trimble Cityworks | February 6, 2025 | UAT-6382 |
| CVE-2025-9491 | 7.8 | Microsoft Windows | March 3, 2025 | XDSpy, UNC6384 |
| CVE-2025-29824 | 7.8 | Windows Common Log File System Driver | April 8, 2025 | Play ransomware |
| CVE-2025-21042 | 8.8 | Samsung’s Android image processing library | May 7, 2025 | LANDFALL (spyware) |
| CVE-2025-54309 | 9.8 | CrushFTP | July 18, 2025 | Unidentified |
| CVE-2025-8088 | 8.8 | Windows version of WinRAR | August 8, 2025 | RomCom, Paper Werewolf |
| CVE-2025-55177 | | WhatsApp | August 29, 2025 | Unidentified |
| CVE-2025-10035 | 9.8 | GoAnywhere MFT | September 18, 2025 | Storm-1175 |
| CVE-2025-20333, CVE-2025-20362 | 9.9, 8.6 | Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) | September 25, 2025 | UAT4356 |
| CVE-2025-61932 | 9.3 | Motex LANSCOPE Endpoint Manager | October 20, 2025 | Bronze Butler |
| CVE-2025-20393 | 10 | Cisco AsyncOS | December 17, 2025 | UAT-9686 |

How Outpost24 addresses zero-day vulnerabilities

Defending against zero-day vulnerabilities starts with maintaining constant visibility across your attack surface. Solutions like Outpost24’s External Attack Surface Management (EASM) continuously identify internet-facing assets and map the relationships between them in an organization. If vulnerabilities are identified, this visibility means security teams can respond quickly and effectively.

Pen-testing extends this protection, with solutions like Outpost24’s CyberFlex combining the power of EASM with flexible human-led penetration-testing-as-a-service (PTaaS). Organizations benefit from continuous coverage of their entire application attack surface with the flexibility to test and prioritize the vulnerabilities that matter most.

If you’re interested in seeing how Outpost24 can help secure your organization against advanced threats in 2026, speak to one of our experts today.

About the Author

Lydia Atienza, Principal Threat Intelligence Researcher, Outpost24

Lydia is the Principal Threat Intelligence Researcher at Outpost24's KrakenLabs team. She focuses on researching threat actors and on identifying both existing and emerging trends in the cyber threat ecosystem to produce contextualized analysis that supports decision-making.