
Accelerated Exploitation of New Vulnerabilities in 2025

2 unique sources, 2 articles

Summary


In 2025, roughly 50 to 61 percent of newly disclosed vulnerabilities were weaponized within 48 hours, a pace driven by automated attack tooling. The time to exploit (TTE) fell from 745 days in 2020 to 44 days in 2025, and n-day exploits (attacks on vulnerabilities that are already public and for which a fix usually exists) account for over 80% of the CVEs listed in the VulnDB database. Attackers live in the gap between disclosure and patch deployment, a process that is still largely manual on the defending side. The traditional patching cadence is no longer sustainable: attackers use AI and automation to weaponize vulnerabilities in hours, while defenders struggle to keep up. The exploitation economy runs at machine speed, with threat actors combining automated scripts, AI tooling and dark web forums to develop and distribute exploits quickly. Defenders also carry constraints attackers do not: patches must be tested and staged so they do not break production, and a service interruption counts against them in a way it never does for the adversary. To close the gap, organizations need to move to automated, policy-driven remediation, where the response to a disclosure is decided in advance rather than negotiated case by case.
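To make the policy-driven remediation described above concrete, here is an added Python example (written for this page, not code from either source article) that assigns each open finding a deadline keyed on exploitation evidence and exposure, and closes a finding only when the version observed on the asset carries the fix, not when the change ticket says it was patched. The policy windows, CVE identifiers, asset names and version numbers are all constructed placeholders.

```python
"""Policy-driven remediation deadlines keyed on exploitation evidence.

Added illustration, not code from the reporting above. The policy table,
the findings and the observed versions are constructed; the CVE identifiers
are placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Policy: the clock starts at public disclosure, and the window shrinks as the
# exploitation evidence strengthens. These values are an assumed policy, not a standard.
DEADLINE_DAYS = {
    "exploited": 2,    # confirmed in-the-wild exploitation (e.g. a KEV listing)
    "poc_public": 7,   # public proof-of-concept; mass exploitation likely within days
    "none": 30,        # no known exploit yet
}
INTERNET_FACING_DIVISOR = 2  # halve the window for exposed assets (assumed)


@dataclass
class Finding:
    cve: str
    asset: str
    disclosed: date
    evidence: str            # "exploited", "poc_public" or "none"
    internet_facing: bool
    fixed_version: tuple     # first version that carries the fix
    running_version: tuple   # version observed on the asset, not the ticket state


def deadline(f: Finding) -> date:
    """Remediation deadline derived purely from policy, with no per-case negotiation."""
    days = DEADLINE_DAYS[f.evidence]
    if f.internet_facing:
        days = max(1, days // INTERNET_FACING_DIVISOR)
    return f.disclosed + timedelta(days=days)


def is_remediated(f: Finding) -> bool:
    # Close a finding only on observed state: a change record marked "patched"
    # that left the device on the old build fails this check.
    return f.running_version >= f.fixed_version


def triage(findings, today: date):
    """Return open findings ordered by deadline (earliest first), flagging overdue ones."""
    rows = []
    for f in findings:
        if is_remediated(f):
            continue
        d = deadline(f)
        rows.append({"cve": f.cve, "asset": f.asset, "deadline": d, "overdue": today > d})
    rows.sort(key=lambda r: r["deadline"])
    return rows


# Constructed sample inventory (placeholder CVE IDs, assets and versions).
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-edge-1", date(2025, 11, 10), "exploited", True, (9, 16, 4), (9, 16, 3)),
    Finding("CVE-0000-0001", "vpn-edge-2", date(2025, 11, 10), "exploited", True, (9, 16, 4), (9, 16, 4)),
    Finding("CVE-0000-0002", "cms-web", date(2025, 11, 12), "poc_public", True, (4, 2, 0), (4, 1, 9)),
    Finding("CVE-0000-0003", "build-agent", date(2025, 11, 12), "none", False, (2, 0, 0), (1, 9, 0)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, today=date(2025, 11, 14)):
        print(row)
```

With the sample data, the exploited internet-facing VPN edge gets a one-day window and is already overdue, the second edge device drops out because its running version carries the fix, and the internal build agent with no known exploit keeps the 30-day window. The verification check is the part worth keeping: it is what separates "a ticket was closed" from "the device is no longer vulnerable".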

Timeline

  1. 12.02.2026 11:30 · 1 article

    N-Day Exploits Dominate Vulnerability Landscape in 2025

    N-day exploits now represent over 80% of the CVEs listed in the VulnDB database. Adversaries rapidly weaponize researcher-published proof-of-concept (PoC) code, combining these ready-made exploits with internet-wide scanning tools to conduct mass exploitation across large segments of the internet in hours. Security and perimeter software is a growing target for n-day attacks, with 37 n-day attacks observed in 2025.

  2. 12.02.2026 11:30 · 1 article

    Visibility Issues Compound Security Challenges in 2025

    The challenges facing security teams are compounded by poor asset visibility: most large organizations have inventoried no more than a quarter of their total assets. On top of that, thousands of vulnerabilities disclosed every year never receive an official CVE ID, a 'CVE blind spot' that standard CVE-driven scanners cannot see at all.

  3. 13.11.2025 13:30 · 2 articles

    Accelerated Exploitation of New Vulnerabilities in 2025

    In 2025, roughly 50 to 61 percent of newly disclosed vulnerabilities were weaponized within 48 hours, a pace driven by automated attack tooling. The time to exploit (TTE) fell from 745 days in 2020 to 44 days in 2025, and n-day exploits (attacks on vulnerabilities that are already public and for which a fix usually exists) account for over 80% of the CVEs listed in the VulnDB database. Attackers live in the gap between disclosure and patch deployment, a process that is still largely manual on the defending side. The traditional patching cadence is no longer sustainable: attackers use AI and automation to weaponize vulnerabilities in hours, while defenders struggle to keep up.


Similar Happenings

Increase in Zero-Day and One-Day Exploits in 2025

In 2025, 28.96% of known exploited vulnerabilities (KEVs) were exploited before or on the day of public disclosure, up from 23.6% in 2024. VulnCheck identified 884 new vulnerabilities with evidence of exploitation, a 15% increase from 2024. Network edge devices, content management systems, and open-source software were the most targeted technologies. Time-to-exploitation patterns remained consistent with 2024, with operating systems being the most affected by zero-day and one-day exploits. Ransomware attribution continued to lag behind initial exploitation disclosure.
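As an added example (not VulnCheck's code or data), the following Python computes the kind of metrics quoted above from a constructed set of exploitation records: time-to-exploitation per CVE, the share exploited on or before the day of disclosure, the share exploited within 48 hours, the median TTE, and the most-targeted technology class. CVE identifiers and dates are placeholders, and the one-day bucket (exploited the day after disclosure) is an assumed definition, not VulnCheck's.

```python
"""Time-to-exploitation (TTE) measurement over a constructed exploitation feed.

Added example for this page; not code or data from VulnCheck or any vendor.
Records are (cve, public_disclosure_date, first_observed_exploitation_date, technology).
"""
from datetime import date
from statistics import median


def tte_days(disclosed: date, first_exploited: date) -> int:
    """Days from public disclosure to first observed exploitation (negative = pre-disclosure)."""
    return (first_exploited - disclosed).days


def classify(tte: int) -> str:
    # Assumed buckets: zero-day = exploited on or before disclosure,
    # one-day = exploited the following day, n-day = anything later.
    if tte <= 0:
        return "zero-day"
    if tte == 1:
        return "one-day"
    return "n-day"


def summarize(records):
    """Aggregate TTE statistics over an iterable of exploitation records."""
    ttes = []
    buckets = {"zero-day": 0, "one-day": 0, "n-day": 0}
    by_tech = {}
    for _cve, disclosed, exploited, tech in records:
        t = tte_days(disclosed, exploited)
        ttes.append(t)
        buckets[classify(t)] += 1
        by_tech[tech] = by_tech.get(tech, 0) + 1
    n = len(ttes)
    return {
        "count": n,
        "zero_day_share": buckets["zero-day"] / n,
        "within_48h_share": sum(1 for t in ttes if t <= 2) / n,
        "median_tte_days": median(ttes),
        "buckets": buckets,
        "most_targeted": max(by_tech, key=by_tech.get),
    }


# Constructed records with placeholder CVE IDs; the TTE in days is noted per row.
SAMPLE = [
    ("CVE-0000-0101", date(2025, 3, 4), date(2025, 3, 2), "network edge"),       # -2
    ("CVE-0000-0102", date(2025, 3, 4), date(2025, 3, 4), "network edge"),       #  0
    ("CVE-0000-0103", date(2025, 5, 1), date(2025, 5, 2), "cms"),                #  1
    ("CVE-0000-0104", date(2025, 5, 1), date(2025, 5, 3), "open source"),        #  2
    ("CVE-0000-0105", date(2025, 6, 10), date(2025, 7, 24), "network edge"),     # 44
    ("CVE-0000-0106", date(2025, 7, 1), date(2025, 9, 9), "cms"),                # 70
    ("CVE-0000-0107", date(2025, 8, 1), date(2025, 8, 11), "operating system"),  # 10
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would apply before trusting such numbers on real data: the disclosure date should be the first public mention (vendor advisory, blog post or mailing list), not the NVD publication date, which can lag by weeks; and "first observed exploitation" is only as early as your telemetry, so the zero-day share is a lower bound.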

Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws

Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days and three critical remote code execution flaws. One zero-day, CVE-2025-62221, is actively exploited and allows privilege escalation through the Windows Cloud Files Mini Filter Driver; the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) catalog and requires FCEB agencies to apply the patch by December 30, 2025. The other two zero-days, CVE-2025-64671 (GitHub Copilot for JetBrains) and CVE-2025-54100 (a remote code execution flaw in PowerShell), were publicly disclosed before the release and belong to the broader set of vulnerabilities collectively named IDEsaster, which affects multiple AI coding platforms. Microsoft also released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, which fixes the same vulnerabilities and moves Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. That update includes the CVE-2025-54100 fix and introduces a confirmation prompt, with a security warning about script execution risk, when Invoke-WebRequest is used in PowerShell 5.1. According to data compiled by Fortra, Microsoft patched 1,275 CVEs in total in 2025.

Increasing CVE Volume and Cyber Insurance Strategies

The number of Common Vulnerabilities and Exposures (CVEs) published has surged, with approximately 33,000 CVEs listed by mid-September 2025, nearly double the 18,400 published in 2020. This rapid increase poses significant challenges for cybersecurity teams and insurers. Cyber insurance carriers and brokers are adopting varied approaches to manage the growing risk, ranging from proactive assistance to penalizing policyholders for unpatched vulnerabilities. The industry is also focusing on holistic risk management strategies beyond just CVEs. The perception of cyber resilience among executives has risen, but the threat landscape remains fast-moving and unpredictable.

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' in their records but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, attributed to a state-sponsored actor active since at least July 2023, which has deployed malware such as **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA's **Emergency Directive 25-03**, issued in September 2025, mandates that federal agencies account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect evidence of compromise in ASA core dumps. Recent findings reveal that the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign's indiscriminate targeting and multi-platform exploitation underscore the adversary's broad capabilities and access to sophisticated tooling.

SecAlerts service launched for real-time vulnerability alerts

SecAlerts, a new service, has been launched to deliver real-time vulnerability alerts. It aims to streamline vulnerability management by providing immediate, actionable information directly to security teams. It aggregates data from over 100 sources, including vendors, researchers, forums, and blogs, to avoid the delays associated with traditional sources such as the National Vulnerability Database (NVD). Users can filter alerts by severity, exploitation status, and other criteria, reducing noise and focusing attention on critical vulnerabilities. SecAlerts supports various integration methods and customizable alert delivery, making it suitable for a wide range of businesses and industries. It is built on three core components, Stacks, Channels, and Alerts, to deliver vulnerability information. The service provides a Feed showing the vulnerabilities affecting a customer's software over any chosen period, alongside a bar graph of vulnerabilities for that period, color-coded by severity. SecAlerts also offers an API for programmatic access and automated integration into existing tooling. The service has already gained a global client base across five continents, including universities, intelligence agencies, startups, banks, government departments, aviation, and cyber insurers.