Fast Facts
- Less than 1% of over 48,000 CVEs disclosed in 2025 were exploited in the wild, yet those few caused disproportionate operational damage, highlighting a focus on weaponized vulnerabilities quickly exploited by threat actors.
- Ransomware groups are increasingly leveraging zero-day exploits, with over 56% of ransomware-related CVEs first identified through active exploitation, signaling a shift to faster, more aggressive attack tactics.
- Despite many vulnerabilities having proof-of-concept or exploit code, only a small fraction (~1%) were actively exploited, with advanced ransomware campaigns often keeping attack chains private to avoid detection.
- Major ransomware groups like Cl0p and DragonForce continue to exploit zero-day flaws and vulnerabilities across diverse sectors, utilizing sophisticated tactics such as bring-your-own-vulnerable-driver methods and leveraging extensive exploit-focused campaigns to maintain operational advantage.
Key Challenge
In 2025, new VulnCheck research revealed that, of more than 48,000 new CVEs identified, less than 1% were exploited in real-world attacks. Nevertheless, these few exploits caused significant operational damage. The data showed that the most dangerous vulnerabilities were quickly weaponized and attracted ransomware groups, botnets, and state-linked hackers. Often, these threats outpaced patching efforts, making it difficult for defenders to respond effectively. Additionally, the report highlighted a rise in proof-of-concept exploits, fueled partly by low-quality AI-generated code, which distorted threat signals. Notably, more than half of the ransomware-related CVEs were first exploited as zero-days, indicating an increased reliance on undisclosed vulnerabilities by malicious actors. This shift toward faster, more aggressive operations underscores a widening gap between vulnerability data and actionable security measures.
The report further detailed that ransomware groups such as Cl0p and DragonForce extensively exploited high-risk vulnerabilities, with some still lacking public exploits. Cl0p, for example, maintained access through zero-days in file transfer software like MOVEit Transfer and GoAnywhere MFT, while DragonForce rebranded as a ‘cartel’ and used network edge vulnerabilities in sectors like healthcare and government. These groups often employed sophisticated tactics, including leveraging kernel driver vulnerabilities and bring-your-own-vulnerable-driver techniques, to evade detection. Meanwhile, botnets like RondoDox exploited numerous vulnerabilities indiscriminately, often waiting months after disclosure before launching attacks. Overall, VulnCheck’s findings emphasize that vulnerabilities remain vital tools for cybercriminals, necessitating proactive security practices to mitigate escalating threats driven by increasingly sophisticated exploitation techniques.
Security Implications
VulnCheck warns that ransomware groups are now increasingly using zero-day vulnerabilities to attack businesses. These are flaws in software that are unknown to the vendor and therefore unpatched, which makes them especially dangerous: when cybercriminals exploit a zero-day, existing security defenses that rely on known signatures or available patches can be bypassed easily. As a result, operational technology (OT) environments become particularly vulnerable. If your business faces such an attack, operational disruptions can occur, leading to costly downtime. Data loss or theft may follow, damaging your reputation and customer trust. Consequently, your business faces financial harm and legal risks. Understanding this threat is therefore crucial to protecting your operations from sophisticated ransomware campaigns.
Possible Next Steps
Timely remediation is crucial to prevent ransomware operators from exploiting zero-day vulnerabilities, especially in Operational Technology (OT) environments, where delays can lead to catastrophic operational failures and safety hazards.
Mitigation Strategies
Vulnerability Management
- Conduct continuous vulnerability scanning
- Prioritize and patch high-risk zero-day vulnerabilities promptly
- Maintain an up-to-date inventory of OT assets
Detection and Monitoring
- Deploy advanced threat detection systems tailored for OT networks
- Monitor network traffic for unusual activity indicative of zero-day exploitation
- Implement real-time alerts for suspicious behavior
Response Planning
- Develop and regularly update incident response plans specific to OT environments
- Train staff on recognizing early signs of ransomware attacks
- Establish clear procedures for rapid containment and eradication
Access and Control
- Enforce strict access controls and multi-factor authentication for OT systems
- Limit user privileges to the minimum necessary
- Segment OT networks from corporate IT networks to contain breaches
Preventive Measures
- Use network segmentation to isolate critical OT assets
- Disable unnecessary ports and services to reduce attack surface
- Regularly review and update security policies to address emerging threats
Recovery Readiness
- Maintain secure, offline backups of critical OT data and configurations
- Test backup restoration processes periodically
- Ensure rapid recovery protocols can be activated without delay
By proactively implementing these steps, organizations can significantly reduce the window of opportunity for ransomware operators exploiting zero-day vulnerabilities, thereby safeguarding their OT environments from potentially devastating consequences.
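As an added illustration of the prioritization the lists above call for (example code written for this summary, not VulnCheck's or the report's tooling), the following Python ranks a constructed vulnerability inventory by exploitation evidence rather than by CVSS alone, which is the practical consequence of the "less than 1% exploited" finding. The CVE identifiers, asset names and scoring weights are placeholders and assumptions, not values from the report.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Vuln:
    cve: str                 # placeholder identifier, not a real CVE
    asset: str               # constructed asset label
    exploited_in_wild: bool  # evidence of active exploitation (KEV-style)
    ransomware_linked: bool  # observed in ransomware operations
    public_poc: bool         # PoC or exploit code published
    internet_exposed: bool   # reachable from the internet (edge / file transfer)
    cvss: float              # base severity, used only as a tie-breaker

def exploitation_score(v: Vuln) -> float:
    """Assumed weights: in-the-wild exploitation dominates, then ransomware
    linkage and exposure; a public PoC alone moves a CVE only slightly."""
    score = 0.0
    if v.exploited_in_wild:
        score += 100.0
    if v.ransomware_linked:
        score += 50.0
    if v.internet_exposed:
        score += 20.0
    if v.public_poc:
        score += 10.0
    return score + v.cvss

def triage(vulns: List[Vuln], urgent_threshold: float = 100.0) -> Tuple[List[str], List[str]]:
    """Return (ranked CVE ids, CVE ids at or above the urgent threshold).
    Anything with in-the-wild exploitation lands in the urgent set."""
    ranked = sorted(vulns, key=exploitation_score, reverse=True)
    urgent = [v.cve for v in ranked if exploitation_score(v) >= urgent_threshold]
    return [v.cve for v in ranked], urgent

# Constructed sample inventory (placeholder ids, not real CVEs).
SAMPLE = [
    Vuln("CVE-XXXX-0001", "mft-gateway",    True,  True,  False, True,  9.8),
    Vuln("CVE-XXXX-0002", "hr-workstation", False, False, True,  False, 9.9),
    Vuln("CVE-XXXX-0003", "edge-vpn",       True,  False, True,  True,  7.5),
    Vuln("CVE-XXXX-0004", "ot-hmi",         False, False, False, False, 10.0),
    Vuln("CVE-XXXX-0005", "kernel-driver",  False, True,  True,  False, 7.8),
]

if __name__ == "__main__":
    ranked, urgent = triage(SAMPLE)
    print("patch order:", ranked)
    print("urgent now:", urgent)
```

Note that the two CVSS 9.9 and 10.0 entries fall to the bottom because nothing indicates they are being exploited, while the internet-exposed file transfer and edge flaws rise to the top.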
