.webp?w=1920&resize=1920,0&ssl=1 "Top Zero-Day Vulnerabilities Exploited in the Wild in 2025")
The cybersecurity landscape in 2025 has been marked by an unprecedented surge in zero-day vulnerabilities actively exploited by threat actors.
According to recent data, more than 23,600 vulnerabilities were published in the first half of 2025 alone, representing a 16% increase over 2024.
This alarming trend has seen sophisticated threat actors, including nation-state groups and ransomware operators, weaponizing unknown vulnerabilities faster than ever before.
Nearly 30% of Known Exploited Vulnerabilities (KEVs) were weaponized within 24 hours of disclosure, with some high-profile edge devices experiencing zero-day exploitation before patches were even available.
Zero-Day Vulnerabilities Exploited by Vendor/Platform in 2025
The scope and sophistication of these attacks have evolved dramatically, targeting everything from widely-used web browsers to critical enterprise infrastructure.
This comprehensive analysis examines the most significant zero-day vulnerabilities that have been actively exploited throughout 2025, providing cybersecurity professionals with detailed technical insights, impact assessments, and mitigation strategies.
CVEProductTypeImpactAttack VectorPatch DateCVE-2025-10585Google ChromeType ConfusionArbitrary Code ExecutionMalicious JavaScript2025-09-17CVE-2025-6558Google ChromeANGLE GPU ExploitSandbox EscapeMalicious Graphics2025-07-15CVE-2025-7775Citrix NetScalerMemory OverflowRemote Code ExecutionNetwork, Unauthenticated2025-08-26CVE-2025-53770Microsoft SharePointUnsafe DeserializationRemote Code ExecutionHTTP Requests2025-07-18CVE-2025-53771Microsoft SharePointHeader SpoofingAuthentication BypassHTTP Headers2025-07-18CVE-2025-31324SAP NetWeaverArbitrary File UploadFull System CompromiseHTTP Requests2025-08-26CVE-2025-38352AndroidRace ConditionLocal Privilege EscalationLocal Access2025-09-03CVE-2025-48543AndroidUse-After-FreeChrome Sandbox Escape, Privilege EscalationLocal Access2025-09-03CVE-2025-21043Samsung AndroidOut-of-Bounds WriteRemote Code ExecutionMalicious Image Processing2025-09-11CVE-2025-43300Apple iOS/macOSOut-of-Bounds WriteArbitrary Code ExecutionMalicious Image Files2025-08-24CVE-2025-53779Microsoft WindowsKerberos Authentication BypassActive Directory CompromiseKerberos Protocol2025-08-13CVE-2025-29824Microsoft WindowsElevation of PrivilegeRansomware DeploymentPost-Compromise2025-05-07CVE-2025-33053Microsoft WindowsWebDAV VulnerabilityRemote Code ExecutionHTTP Requests2025-06-11CVE-2025-53690SitecoreViewState DeserializationRemote Code ExecutionHTTP Requests2025-09-02
Google Chrome: The Browser Under Siege
CVE-2025-10585: The Latest Chrome Zero-Day
The most recent addition to Chrome’s vulnerability roster, CVE-2025-10585, was discovered on September 16, 2025, and patched within 24 hours.
This type confusion vulnerability in Chrome’s V8 JavaScript and WebAssembly engine represents the sixth Chrome zero-day exploited in 2025.
Google’s Threat Analysis Group (TAG) confirmed active exploitation, suggesting sophisticated threat actors, likely nation-state groups, were leveraging this flaw in targeted campaigns.
Technical Details:
Vulnerability Type: Type confusion in V8 engine
Attack Vector: Malicious websites with crafted JavaScript
Impact: Arbitrary code execution, complete browser compromise
Affected Versions: Chrome prior to 140.0.7339.185/.186
CVE-2025-6558: ANGLE GPU Exploitation
Earlier in July 2025, CVE-2025-6558 emerged as another critical Chrome zero-day, exploiting the ANGLE (Almost Native Graphics Layer Engine) and GPU components.
This vulnerability enabled attackers to escape Chrome’s sandbox through specially crafted graphics calls, leading to out-of-bounds memory access and potential arbitrary code execution.
Technical Impact:
CVSS Score: Not disclosed
Exploitation Method: Malicious HTML pages with crafted graphics calls
Consequence: Browser sandbox escape, system-level access
Fixed Version: Chrome 138.0.7204.157/.158
Chrome’s 2025 Zero-Day Portfolio
Throughout 2025, Chrome has been targeted by multiple zero-day exploits, including CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558.
This sustained assault on Chrome underscores the browser’s critical role as an attack vector and the sophistication of modern threat actors targeting web-based technologies.
Citrix NetScaler: Critical Infrastructure Under Attack
CVE-2025-7775: The NetScaler RCE Zero-Day
On August 26, 2025, Citrix disclosed CVE-2025-7775, a critical memory overflow vulnerability in NetScaler ADC and NetScaler Gateway that had been actively exploited as a zero-day.
With a CVSS score of 9.2, this vulnerability represents one of the most severe threats to enterprise network infrastructure in 2025.
Vulnerability Analysis:
CVSS Score: 9.2 (Critical)
Attack Complexity: High (requires sophisticated exploitation techniques)
Authentication Required: None (unauthenticated exploitation)
Impact: Remote Code Execution and Denial of Service
The vulnerability affects NetScaler appliances configured as Gateway or AAA virtual servers, impacting versions 13.1, 14.1, 13.1-FIPS, and NDcPP.
According to Shadowserver data, over 28,200 instances remained exposed and vulnerable following the disclosure.
The exploitation has been linked to sophisticated threat actors capable of deploying web shells for persistent access.
Mitigation Requirements:
Organizations must immediately upgrade to fixed versions: 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, and 12.1-FIPS/NDcPP 12.1-55.330+.
Microsoft SharePoint: The ToolShell Campaign
CVE-2025-53770 And CVE-2025-53771: Chained Exploitation
In July 2025, Microsoft issued emergency out-of-band patches for two interconnected zero-day vulnerabilities affecting on-premises SharePoint servers.
These vulnerabilities, exploited in a campaign dubbed “ToolShell,” demonstrate the evolution of multi-stage attack chains.
CVE-2025-53770 Technical Profile:
CVSS Score: 9.8 (Critical)
Vulnerability Type: Unsafe deserialization of untrusted data
Impact: Remote Code Execution
Authentication: Bypassed through CVE-2025-53771
CVE-2025-53771 Technical Profile:
CVSS Score: 6.3 (Medium)
Vulnerability Type: Header spoofing vulnerability
Impact: Authentication bypass
Exploitation Method: Crafted Referer header
The attack chain operates by first exploiting CVE-2025-53771 to bypass authentication through header spoofing, then leveraging CVE-2025-53770 for code execution through malicious deserialization.
This sophisticated approach allows attackers to extract cryptographic machine keys, enabling long-term persistence even after the initial vulnerability is patched.
Attribution and Impact:
Unit 42 research identified overlapping activity with the Storm-2603 cluster, with exploitation attempts observed as early as July 17, 2025.
The campaign has evolved rapidly, with threat actors adjusting tactics to evade detection and shifting from .NET modules to web shell payloads.
SAP NetWeaver: Enterprise ERP Under Fire
CVE-2025-31324: The Perfect CVSS 10.0 Vulnerability
CVE-2025-31324 achieved the rare distinction of a perfect CVSS score of 10.0, representing maximum severity across all metrics.
This vulnerability in SAP NetWeaver Visual Composer allows unauthenticated attackers to upload arbitrary files, leading to immediate system compromise.
Critical Vulnerability Details:
CVSS Score: 10.0 (Critical)
Component: SAP NetWeaver Visual Composer
Attack Vector: HTTP/HTTPS over Internet
Authentication: None required
Exploitation: /developmentserver/metadatauploader endpoint
The vulnerability was first exploited as a zero-day nearly three weeks before public disclosure, with evidence linking exploitation to both sophisticated APT groups and the Qilin ransomware operation.
OP Innovate’s incident response revealed communication with known Cobalt Strike infrastructure, suggesting the vulnerability’s use in broader ransomware campaigns.
Secondary Exploitation Wave:
Following public disclosure, CVE-2025-31324 experienced secondary exploitation waves by opportunistic attackers leveraging previously established web shells.
This pattern demonstrates how zero-day vulnerabilities continue to pose threats even after initial remediation efforts.
CVE-2025-42999: The Root Cause Fix
On May 13, 2025, SAP released Security Note 3604119 addressing CVE-2025-42999 (CVSS 9.1), which corrected the underlying root cause of CVE-2025-31324.
This follow-up vulnerability emerged from forensic analysis conducted by Onapsis Research Labs, highlighting the complex nature of enterprise software vulnerabilities.
Android Ecosystem: Mobile Platform Targets
CVE-2025-38352 And CVE-2025-48543: Targeted Mobile Exploitation
Google’s September 2025 Android Security Bulletin addressed two actively exploited zero-day vulnerabilities affecting the Android ecosystem.
Both vulnerabilities enable local privilege escalation and have been confirmed under “limited, targeted exploitation,” suggesting spyware campaigns against high-value individuals.
CVE-2025-38352 Analysis:
Component: Linux kernel POSIX CPU timers
Vulnerability Type: Race condition
CVSS Score: 7.4
Impact: Local privilege escalation
Affected Versions: Android 10 and later
CVE-2025-48543 Analysis:
Component: Android Runtime (ART)
Vulnerability Type: Use-after-free
Impact: Chrome sandbox escape, privilege escalation
Target: Android system_server compromise
The targeting pattern and discovery by Google’s Threat Analysis Group strongly suggest these vulnerabilities were weaponized in mercenary spyware operations against specific high-risk users.
Samsung-Specific Android Vulnerability
CVE-2025-21043 represents a critical Android vulnerability specific to Samsung devices, discovered in the libimagecodec.quram.so library developed by Quramsoft.
This out-of-bounds write vulnerability enables remote code execution through malicious image processing.
Samsung Vulnerability Profile:
CVSS Score: 8.8 (High)
Component: libimagecodec.quram.so
Discovery Date: August 13, 2025 (privately disclosed)
Affected Versions: Android 13, 14, 15, 16
Attribution: Reported by Meta and WhatsApp security teams
Apple Ecosystem: The Persistent Target
CVE-2025-43300: ImageIO Framework Exploitation
Apple issued emergency security updates in August 2025 for CVE-2025-43300, the seventh zero-day vulnerability patched by Apple in 2025.
This out-of-bounds write vulnerability in Apple’s ImageIO framework has been confirmed as exploited in “extremely sophisticated attacks against specific targeted individuals.”
Apple Zero-Day Profile:
CVSS Score: 8.8 (High)
Component: ImageIO framework
Attack Vector: Malicious image files
Impact: Memory corruption, arbitrary code execution
Scope: iOS, iPadOS, macOS across multiple versions
The vulnerability demonstrates the evolution of attack techniques targeting Apple’s ecosystem, with simple image viewing potentially compromising entire device security.
Apple’s acknowledgment of sophisticated targeted attacks suggests nation-state involvement in the exploitation campaigns.
Apple’s 2025 Zero-Day Timeline:
Throughout 2025, Apple has patched seven zero-day vulnerabilities: CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.
This escalation indicates increasing attacker focus on Apple platforms and sophisticated threat research capabilities.
Microsoft Windows: Enterprise OS Under Siege
The May 2025 Zero-Day Cluster
Microsoft’s May 2025 Patch Tuesday addressed five actively exploited zero-day vulnerabilities, representing one of the most significant monthly zero-day disclosures in recent memory.
These vulnerabilities span multiple Windows components and enable various attack outcomes from privilege escalation to remote code execution.
Critical Windows Zero-Days:
CVE-2025-30397 – Scripting Engine Memory Corruption (CVSS 7.5)
CVE-2025-30400 – Desktop Window Manager Elevation of Privilege (CVSS 7.8)
CVE-2025-32701 – Common Log File System Driver EoP (CVSS 7.8)
CVE-2025-32706 – Windows CLFS Driver EoP (CVSS 7.8)
CVE-2025-32709 – Windows Ancillary Function Driver EoP (CVSS 7.8)
CVE-2025-53779: Kerberos Authentication Bypass
Microsoft’s August 2025 Patch Tuesday included CVE-2025-53779, a publicly disclosed zero-day affecting Windows Kerberos authentication.
This privilege escalation vulnerability, discovered by Akamai researcher Yuval Gordon, stems from relative path traversal and enables Active Directory domain compromise.
Kerberos Vulnerability Details:
CVSS Score: 7.2
Component: Windows Kerberos
Technique Name: BadSuccessor
Impact: Active Directory domain compromise through dMSA object abuse
CVE-2025-29824: CLFS Exploitation Leading To Ransomware
Microsoft Threat Intelligence discovered post-compromise exploitation of CVE-2025-29824, a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS).
The Storm-2460 threat group actively deployed this vulnerability in conjunction with PipeMagic malware for ransomware deployment.
CLFS Zero-Day Campaign:
Threat Actor: Storm-2460
Malware Family: PipeMagic backdoor
Attack Outcome: RansomEXX ransomware deployment
Target Sectors: IT, real estate, financial, software, retail
Sitecore: ViewState Deserialization Attack
CVE-2025-53690: ViewState Zero-Day Exploitation
Google’s Mandiant successfully disrupted an active ViewState deserialization attack targeting Sitecore products through CVE-2025-53690.
This zero-day vulnerability enabled remote code execution through improper handling of ViewState data, particularly affecting deployments using exposed sample keys from public documentation.
Sitecore Attack Chain:
Initial Access: ViewState deserialization vulnerability
Malware Deployed: WEEPSTEEL reconnaissance tool
Persistence Tools: EARTHWORM tunnel, DWAGENT remote access
Reconnaissance: SHARPHOUND Active Directory enumeration
The sophisticated attack progression from initial compromise to privilege escalation demonstrates the threat actor’s deep understanding of the exploited vulnerability and target environment.
The zero-day vulnerability landscape of 2025 represents an inflection point in cybersecurity, characterized by unprecedented exploitation velocity, sophisticated attack chains, and broad target diversity.
From Chrome browsers to enterprise SAP systems, no technology stack has proven immune to determined adversaries.
The consistent pattern of exploitation across major vendors, Apple, Google, Microsoft, Citrix, and others underscores the systematic nature of modern zero-day campaigns.
Organizations must recognize that zero-day exploitation is no longer an exceptional event but a routine component of the threat landscape.
Success in this environment requires moving beyond traditional patch-and-pray approaches to comprehensive defense-in-depth strategies that assume compromise and focus on detection, containment, and rapid response.
The lessons from 2025’s zero-day campaigns are clear: attackers are moving faster, targeting more diverse platforms, and demonstrating increasingly sophisticated techniques.
Defenders must match this evolution with equally sophisticated defensive capabilities, industry collaboration, and a fundamental shift toward proactive security architectures designed to withstand unknown threats.
As we advance through 2025, the cybersecurity community must continue adapting to this new reality where zero-day exploitation is not just possible but probable, requiring constant vigilance and continuous improvement of defensive capabilities across all technology platforms and organizational boundaries.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post Top Zero-Day Vulnerabilities Exploited in the Wild in 2025 appeared first on Cyber Security News.
