The most exploited ransomware-linked vulnerabilities of 2025, according to CISA KEV data

These high-impact vulnerabilities across enterprise platforms appear in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog with remediation due dates in 2025 and are flagged in the catalog as known to be used in ransomware campaigns. The affected CVEs target widely deployed systems, including application servers, managed file transfer tools, collaboration platforms, VPN gateways, and business suites.

1/15/2026 · 4 min read

🧨 Critical Remote Code Execution & File Upload Vulnerabilities

CVE-2025-55182 – Meta React Server Components (CVSSv3: 10.0)

Unsafe deserialization in the React Server Components (Flight) protocol lets unauthenticated attackers execute arbitrary code on servers that expose a Server Components endpoint. Exploitation can lead to full compromise of the web application and the host it runs on.

Reference: https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce

CVE-2025-10035 – Fortra GoAnywhere MFT (CVSSv3: 10.0)

Deserialization of untrusted data in the License Servlet allows attackers to execute arbitrary commands on GoAnywhere MFT servers. Actively exploited by ransomware operators for initial access.

Reference: https://www.fortra.com/security/advisories/product-security/fi-2025-012

CVE-2025-31324 – SAP NetWeaver (CVSSv3: 10.0)

A missing authorization check in the Visual Composer Metadata Uploader lets unauthenticated attackers upload arbitrary files, typically JSP web shells, and execute commands as the SAP service account. SAP deployments are frequent ransomware targets.

Reference: https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild

CVE-2024-55956 – Cleo Multiple Products (CVSSv3: 9.8)

Unauthenticated file upload in Harmony, VLTrader and LexiCom lets remote attackers import and execute arbitrary Bash or PowerShell commands through the default settings of the Autorun directory. It bypassed the incomplete fix for CVE-2024-50623 and is commonly exploited in ransomware and extortion campaigns.

Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CVE-2024-50623 – Cleo Multiple Products (CVSSv3: 10.0)

Unrestricted file upload and download in the same Cleo products enables execution of malicious code without authentication. Often abused for initial access.

Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

🔐 Enterprise Applications & Collaboration Platforms

CVE-2025-49704 – Microsoft SharePoint (CVSSv3: 8.8)

A code injection flaw allows an attacker to execute code on SharePoint Server over the network; chained with the authentication bypass CVE-2025-49706 it forms the "ToolShell" exploit chain. Exploitation can result in lateral movement and data theft.

Reference: https://www.tenable.com/cve/CVE-2025-49704

CVE-2025-49706 – Microsoft SharePoint (CVSSv3: 8.0)

Improper authentication allows an unauthenticated attacker to reach SharePoint endpoints that should require sign-in. On its own it grants unauthorized access to SharePoint resources; chained with CVE-2025-49704 it yields unauthenticated remote code execution.

Reference: https://www.tenable.com/cve/CVE-2025-49706

CVE-2025-53770 – Microsoft SharePoint (CVSSv3: 9.8)

Deserialization of untrusted data, a variant of CVE-2025-49704 that bypassed the original fix, enables unauthenticated arbitrary code execution on on-premises SharePoint servers (SharePoint Online is not affected). Full server compromise is possible, and attackers used it to steal ASP.NET machine keys for persistent access, so rotating those keys is part of remediation.

Reference: https://www.tenable.com/cve/CVE-2025-53770

CVE-2025-61884 – Oracle E-Business Suite (CVSSv3: 7.5)

Server-side request forgery allows an unauthenticated attacker with HTTP access to make the E-Business Suite server issue internal or external requests on its behalf. Exploited for reconnaissance and access to internal resources and data.

Reference: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html

CVE-2025-61882 – Oracle E-Business Suite (CVSSv3: 9.8)

A flaw in the BI Publisher Integration component of Oracle Concurrent Processing allows an unauthenticated attacker with HTTP access to achieve remote code execution. Exploited as a zero-day in a large-scale data-theft extortion campaign against E-Business Suite customers.

Reference: https://www.tenable.com/blog/cve-2025-61882-faq-oracle-e-business-suite-zero-day

CVE-2023-48365 – Qlik Sense (CVSSv3: 9.1)

An HTTP tunneling vulnerability (a bypass of the fix for CVE-2023-41265) lets an unauthenticated remote attacker smuggle requests that the backend repository server executes, escalating privileges and reaching internal services. Often used for initial access and lateral movement.

Reference: https://community.qlik.com/t5/Official-Support-Articles/Security-Advisory-HTTP-Tunneling/ta-p/2116874

CVE-2024-57727 – SimpleHelp (CVSSv3: 8.6)

Unauthenticated path traversal allows download of arbitrary files from the SimpleHelp server, including the server configuration file that holds hashed account credentials and other sensitive settings.

Reference: https://www.simple-help.com/security/CVE-2024-57727

CVE-2024-55550 – Mitel MiCollab (CVSSv3: 8.8)

Path traversal that, with administrator authentication, allows attackers to read arbitrary files on the MiCollab server. On its own the impact is information disclosure; the real danger is chaining it behind CVE-2024-41713.

Reference: https://www.mitel.com/support/security-advisories

CVE-2024-41713 – Mitel MiCollab (CVSSv3: 8.8)

An unauthenticated path traversal in the NuPoint Unified Messaging (NPM) component that bypasses authentication. Chained with CVE-2024-55550 it gives arbitrary file read without credentials, and with other flaws it can lead to full compromise.

Reference: https://www.mitel.com/support/security-advisories

🌐 Network Gateway, VPN & Edge Infrastructure

CVE-2025-5777 – Citrix NetScaler ADC and Gateway (CVSSv3: 9.3)

Insufficient input validation leads to an out-of-bounds memory read ("CitrixBleed 2"): a malformed login request makes the appliance return uninitialized memory that can contain session tokens. Attackers use the leaked tokens to hijack authenticated sessions, bypassing MFA, and to stage further exploitation.

Reference: https://www.stormshield.com/news/security-alert-citrix-netscaler-cve-2025-5777-stormshield-products-response/

CVE-2025-22457 – Ivanti Connect Secure / Policy Secure / ZTA (CVSSv3: 9.8)

A stack-based buffer overflow allows unauthenticated remote code execution on Ivanti gateway products. It was first shipped as a low-risk fix before in-the-wild exploitation was discovered, so internet-facing appliances that lagged on updates are at high risk.

Reference: https://forums.ivanti.com/s/article/Security-Advisory-CVE-2025-22457

CVE-2025-0282 – Ivanti Connect Secure / Policy Secure / ZTA (CVSSv3: 9.8)

A second stack-based buffer overflow enabling unauthenticated remote code execution; exploited as a zero-day before its January 2025 patch and frequently targeted in mass exploitation campaigns.

Reference: https://forums.ivanti.com/s/article/Security-Advisory-CVE-2025-0282

CVE-2024-53704 – SonicWall SonicOS SSLVPN (CVSSv3: 9.8)

Improper authentication in the SSLVPN authentication mechanism lets a remote attacker hijack an active SSL VPN session with a crafted session cookie, bypassing credentials and MFA. Exploitation enables unauthorized network access and has been used by ransomware affiliates for initial entry.

Reference: https://censys.com/advisory/cve-2024-53704

CVE-2025-23006 – SonicWall SMA1000 Appliances (CVSSv3: 9.8)

Pre-authentication deserialization of untrusted data in the Appliance Management Console (AMC) and Central Management Console (CMC) allows remote attackers to execute arbitrary OS commands. Full device control is possible if exploited.

Reference: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0006

CVE-2025-24472 – Fortinet FortiOS and FortiProxy (CVSSv3: 9.6)

Authentication bypass via crafted CSF proxy requests grants super-admin privileges on exposed management interfaces. Actively exploited in ransomware operations to create rogue admin accounts, alter firewall and VPN configuration, and pivot into the internal network.

Reference: https://www.fortiguard.com/psirt/FG-IR-25-001

CVE-2024-55591 – Fortinet FortiOS and FortiProxy (CVSSv3: 9.6)

A closely related authentication bypass via crafted requests to the Node.js websocket module, likewise yielding super-admin access on exposed Fortinet devices. Commonly observed at the start of intrusion chains.

Reference: https://www.fortiguard.com/psirt/FG-IR-24-393

🖥️ Operating System & Privilege Escalation Vulnerabilities

CVE-2025-29824 – Microsoft Windows CLFS Driver (CVSSv3: 7.8)

A use-after-free in the Common Log File System (CLFS) driver allows local attackers to escalate privileges to SYSTEM. Exploited as a zero-day by ransomware operators after initial access to disable defenses and deploy payloads.

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824

CVE-2025-26633 – Microsoft Windows MMC (CVSSv3: 7.8)

An improper neutralization flaw in MMC lets a crafted .msc console file load attacker-controlled content when opened, bypassing security controls and executing malicious code. Commonly delivered via phishing or malicious documents.

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633

CVE-2018-8639 – Microsoft Windows Win32k (CVSSv3: 7.8)

Improper resource shutdown or release in the Win32k kernel driver allows a local attacker to run code in kernel mode and escalate privileges. Still exploited on unpatched legacy systems and in targeted attacks.

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-8639

CVE-2019-6693 – Fortinet FortiOS (CVSSv3: 9.8)

A hard-coded cryptographic key used by the CLI backup/restore feature lets anyone who obtains a FortiOS configuration backup decrypt the passwords and secrets stored in it. Still abused against legacy deployments to recover credentials from exfiltrated backups.

Reference: https://www.fortiguard.com/psirt/FG-IR-19-007

CVE-2025-31161 – CrushFTP (CVSSv3: 9.8)

An authentication bypass in the handling of S3-style (AWS4-HMAC) HTTP authorization headers lets attackers log in as any known user, including the administrator, without a password. Can result in data exfiltration or ransomware deployment.

Reference: https://www.crushftp.com/crushftp9/security.html

🔎 Summary

Ransomware operators continue to leverage remote code execution, deserialization, authentication bypass, SSRF, file upload, and privilege escalation vulnerabilities to gain initial access and move laterally. Their presence in the CISA KEV Catalog, with the ransomware-use flag set, confirms active use in real attacks and the need for immediate mitigation.

Key takeaways for security teams:

  • Reduce internet exposure of administrative interfaces (gateway, MFT, ERP and collaboration admin consoles should not be reachable from the public internet)

  • Implement layered defenses, including network segmentation and monitoring of the edge devices and servers listed above

  • Use KEV intelligence, including the ransomware-use flag and the due dates, together with your own telemetry to guide patch prioritization

  • Prioritize patching the most critical vulnerabilities and the exposed technologies present in your organization, and rotate credentials or keys where an advisory calls for it

CVE list in comma-separated format for Vulnerability Management Teams:

CVE-2025-55182, CVE-2025-10035, CVE-2025-31324, CVE-2024-55956, CVE-2024-50623, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-61884, CVE-2025-61882, CVE-2023-48365, CVE-2025-5777, CVE-2025-22457, CVE-2025-0282, CVE-2024-53704, CVE-2025-23006, CVE-2025-24472, CVE-2024-55591, CVE-2025-29824, CVE-2025-26633, CVE-2018-8639, CVE-2019-6693, CVE-2025-31161, CVE-2024-57727, CVE-2024-55550, CVE-2024-41713
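The selection above can be reproduced mechanically from CISA's KEV JSON feed, which carries a `knownRansomwareCampaignUse` field and a `dueDate` per entry. The script below is an added example, not code from the article or from CISA: it filters the feed for entries flagged "Known" with a due date in a chosen year, lists the ones already past their due date, and reconciles the result against the CVE list published here so a vulnerability management team can spot drift when the catalog changes. The embedded feed excerpt is constructed for offline use (real field names, illustrative dates); `fetch_kev()` pulls the live feed when run with network access.

```python
"""Reproduce the article's KEV selection and reconcile it against the page.

Added example (not the article's or CISA's code). The feed schema is the
real one; SAMPLE_KEV_JSON is a constructed five-entry excerpt so the script
runs offline.
"""
import json
from datetime import date
from urllib.request import urlopen

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# The 26 CVE IDs from the article's comma-separated list.
PAGE_CVES = [
    "CVE-2025-55182", "CVE-2025-10035", "CVE-2025-31324", "CVE-2024-55956",
    "CVE-2024-50623", "CVE-2025-49704", "CVE-2025-49706", "CVE-2025-53770",
    "CVE-2025-61884", "CVE-2025-61882", "CVE-2023-48365", "CVE-2025-5777",
    "CVE-2025-22457", "CVE-2025-0282", "CVE-2024-53704", "CVE-2025-23006",
    "CVE-2025-24472", "CVE-2024-55591", "CVE-2025-29824", "CVE-2025-26633",
    "CVE-2018-8639", "CVE-2019-6693", "CVE-2025-31161", "CVE-2024-57727",
    "CVE-2024-55550", "CVE-2024-41713",
]

# Constructed excerpt in the feed's schema (field names are the real ones;
# dates are illustrative and not copied from the live catalog).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2026-01-15T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2024-50623", "vendorProject": "Cleo",
         "product": "Multiple Products", "dateAdded": "2024-12-13",
         "dueDate": "2025-01-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-31324", "vendorProject": "SAP",
         "product": "NetWeaver", "dateAdded": "2025-04-29",
         "dueDate": "2025-05-20", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-55182", "vendorProject": "Meta",
         "product": "React Server Components", "dateAdded": "2025-12-05",
         "dueDate": "2025-12-12", "knownRansomwareCampaignUse": "Known"},
        # Ransomware-linked but due in 2021: outside the year filter.
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "dateAdded": "2021-12-10",
         "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
        # Due in 2025 but not flagged for ransomware use: excluded.
        {"cveID": "CVE-2025-24085", "vendorProject": "Apple",
         "product": "Multiple Products", "dateAdded": "2025-01-29",
         "dueDate": "2025-02-19", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text: str) -> list:
    """Parse feed JSON and return its 'vulnerabilities' array."""
    return json.loads(text)["vulnerabilities"]


def fetch_kev(url: str = KEV_URL) -> list:
    """Download and parse the live feed (network access required)."""
    with urlopen(url, timeout=30) as resp:
        return load_kev(resp.read().decode("utf-8"))


def ransomware_entries_due_in(entries: list, year: int) -> list:
    """Entries flagged Known for ransomware use with a due date in `year`,
    sorted by due date so the longest-overdue items come first."""
    prefix = f"{year}-"
    picked = [e for e in entries
              if e.get("knownRansomwareCampaignUse") == "Known"
              and e.get("dueDate", "").startswith(prefix)]
    return sorted(picked, key=lambda e: (e["dueDate"], e["cveID"]))


def cve_ids(entries: list) -> list:
    return [e["cveID"] for e in entries]


def overdue(entries: list, as_of: date) -> list:
    """CVE IDs whose KEV remediation due date has passed as of `as_of`."""
    return [e["cveID"] for e in entries
            if date.fromisoformat(e["dueDate"]) < as_of]


def reconcile(page_ids: list, selected: list) -> dict:
    """Compare a published list with the feed-derived selection:
    'not_in_selection' = on the page but not produced from this feed copy;
    'new_since_page'   = produced from the feed but absent from the page."""
    page, sel = set(page_ids), set(cve_ids(selected))
    return {"not_in_selection": sorted(page - sel),
            "new_since_page": sorted(sel - page)}


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)   # use fetch_kev() when online
    selected = ransomware_entries_due_in(entries, 2025)
    for e in selected:
        print(f"{e['cveID']:<15} {e['vendorProject']:<8} "
              f"{e['product']:<25} due {e['dueDate']}")
    print("overdue as of 2025-06-01:", overdue(selected, date(2025, 6, 1)))
    print("drift vs. article:", reconcile(PAGE_CVES, selected))
```

Run against the live feed, `new_since_page` is the list a team should add to its tracking after the article was written, and `overdue` is the immediate patch queue; against the constructed excerpt, `not_in_selection` is large simply because the sample holds only three of the page's entries.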

*Note: The selection covers KEV entries flagged as known to be used in ransomware campaigns whose remediation due date falls in 2025, not CVEs issued in 2025.

Image source: Michael Geiger / Unsplash