The 4 Worst Vulnerabilities of 2025 – And How To Boost Patch Management in 2026

What were the worst vulnerabilities of last year, according to experts?

2025 saw its fair share of dangerous security vulnerabilities, often exploited before firms were able to apply patches. Here are the four worst flaws of the year, according to experts – alongside some tips on how to deal with attackers increasingly taking advantage of holes in software.

React2Shell (CVE-2025-55182)

Arguably the worst – or at least the most infamous – flaw of 2025 was the remote code execution (RCE) issue dubbed React2Shell. Tracked as CVE-2025-55182, the 10.0 critical severity vulnerability allows attackers to compromise servers with a single malicious request in React and Next.js applications.

It was disclosed by security researcher Lachlan Davidson on 29 November 2025, but was quickly exploited in attacks.

The flaw was weaponised by “multiple threat actors within hours of disclosure”, says Matt Middleton-Leal, general manager EMEA at Qualys. “Attackers used a mix of techniques to find hosts that had vulnerable Node.js installed and available on the internet, including automated scanning and more manual approaches.”

Its “critical risk” rating reflects the ability to achieve unauthenticated, arbitrary code execution with server-level privileges via a single HTTP request, according to Casey Charrier, senior analyst, Google Threat Intelligence Group. “Exploitation occurred almost immediately after its disclosure, and was driven by the technical simplicity of exploitation, extent of impact, and widespread use of affected frameworks like Next.js.”

React2Shell (CVE-2025-55182) exposes “a structural failure in how modern web applications are built, shipped, and maintained,” says Jonathan Elkabas, security researcher, Semperis. “If you are running React and haven’t patched yet, consider yourself compromised by multiple actors.”

ToolShell (CVE-2025-53770)

In July, Microsoft patched an issue in SharePoint, dubbed ToolShell by researchers, which was already being used in attacks. Tracked as CVE-2025-53770 and given a CVSS score of 9.8, the flaw could, if successfully exploited, allow an unauthenticated attacker to execute arbitrary code on a vulnerable SharePoint server.

The flaw allowed unauthenticated attackers to exploit unsafe deserialization in on-premises Microsoft SharePoint servers, upload web shells and extract cryptographic machine keys. Once the keys were stolen, attackers could forge authentication tokens and retain access, demonstrating “how quickly a single exposed enterprise service can turn into a full environment compromise,” Flashpoint analysts told SC Media UK.

From an operational standpoint, ToolShell was especially painful because SharePoint often sits deep inside trusted networks. Exploitation activity shows that attackers were not stopping at web access and were using SharePoint as a foothold to “pivot laterally, escalate privileges, and establish persistence that survived patching alone,” the analysts warned.

Citrix NetScaler (CVE-2025-5777 and CVE-2025-7775)

In June 2025, it emerged that a critical vulnerability in Citrix NetScaler ADC and Gateway devices, tracked as CVE-2025-5777, was being exploited in attacks. Dubbed CitrixBleed 2 due to its similarities to the 2023 CitrixBleed flaw, the out-of-bounds read issue was given a CVSS score of 9.3.

If exploited, it could allow attackers to bypass authentication mechanisms, including multifactor authentication (MFA), and hijack user sessions.

In August, Citrix reported the exploitation of another NetScaler bug, a critical zero-day remote code execution (RCE) flaw, tracked as CVE-2025-7775.

The Citrix NetScaler “double threat,” consisting of CVE-2025-5777 (CitrixBleed 2) and CVE-2025-7775, was the worst security issue of the year, according to Tom Whittle, principal incident response analyst at NormCyber. “Incident response teams were already dealing with the fallout of CVE-2025-5777, especially with regards to the comprehensiveness of NetScaler logging readily available within the security stack, when a new vulnerability appeared shortly after. To complicate matters further, both vulnerabilities had been exploited in the wild, so this warranted heightened due diligence from detection and incident response.”

Fortinet (CVE-2025-59718 and CVE-2025-59719)

As 2025 drew to a close, it emerged that two Fortinet vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719 were being exploited in the wild.

The recent Fortinet SAML authentication bypasses are “particularly frustrating,” says Dr. Oliver Farnan, head of research at Reliance Cyber.

The issues provide unauthenticated administrator access to FortiCloud management portals across a large range of Fortinet products, by not verifying the cryptographic hash on SAML requests. “Once exploited, this vulnerability can be used to provide access to the internal network, allowing follow on attacks to any systems or applications within our networks,” he warns.

Fortinet claims the portal isn’t active by default, but basic configuration and enrolment of Fortinet support services (FortiCare) “enable the service invisibly,” says Farnan. “Many customers do not realise they have these services active and exposed. Public exploit code exists and we are seeing active scans for the vulnerability.”

Patch Management In 2026

Beyond these issues, 2025 saw its fair share of flaws – a trend that is set to continue in 2026. With this in mind, patching should be automated as much as possible, says Middleton-Leal. “You can still prioritise your patching so you dedicate more resources to the most important issues, but you can manage more of those secondary issues with automated patch deployment.”

It’s important to know your environment. Alongside this, tiering your IT assets can make it easier to roll out patches, he advises. “Some assets can be patched quickly, acting as ‘canary’ deployments that show up any problems before you commence your main rollout,” says Middleton-Leal.

Next will come the primary assets needing the most human support, such as business critical applications or endpoints that must be available. After this, you can roll out patches in a “phased manner,” according to Middleton-Leal.

In addition, ensure you look out for unmanned assets – the systems or assets not used by specific people every day. These still need to be updated, he advises. “For example, the PC in a meeting room: Who is responsible for checking that asset is up to date?”

Kate O'Flaherty
Kate O'Flaherty Cybersecurity and privacy journalist