
The table below ranks the 20 most heavily exploited vulnerabilities disclosed in 2025, compiled from 2025 and early-2026 threat-intelligence reporting and ordered by CVSS base score. For each entry, the last column states the primary impact and the underlying mechanism, which is what determines patching urgency: unauthenticated, network-reachable code execution on edge devices and servers sits at the top, local privilege escalation and information leaks further down.
| Rank | CVE ID | Vulnerability Name | Affected Product | Severity (CVSS base score) | Primary Impact & Mechanism |
|---|---|---|---|---|---|
| 1 | CVE-2025-55182 | React2Shell | React Server Components | 10.0 (Critical) | Unauthenticated RCE: insecure deserialization of attacker-supplied payloads in the RSC "Flight" protocol lets an unauthenticated client execute code on the server; in-the-wild payloads included cryptocurrency miners and other malware. |
| 2 | CVE-2025-32433 | Erlang/OTP Zero-Day | Erlang/OTP SSH Daemon | 10.0 (Critical) | Pre-Auth RCE: the SSH server processed connection-protocol messages (such as channel requests) before authentication finished, so an unauthenticated client could run commands with the daemon's privileges (root where the daemon runs as root). Affects OT and telecom products that embed Erlang/OTP. |
| 3 | CVE-2025-20333 | ArcaneDoor (Buffer Overflow) | Cisco ASA / FTD | 9.9 (Critical) | RCE as root: buffer overflow in the VPN web server, chained with the authentication bypass CVE-2025-20362 to turn unauthenticated access into code execution. Exploited by a state-sponsored actor to implant persistent malware ("RayInitiator", a bootkit) on network edge devices. |
| 4 | CVE-2025-59287 | WSUS Deserialization | Microsoft WSUS | 9.8 (Critical) | SYSTEM RCE: unauthenticated attackers send crafted data to the WSUS service (TCP 8530/8531) that is unsafely deserialized, executing code with SYSTEM privileges on the update server. |
| 5 | CVE-2025-5777 | CitrixBleed 2 | Citrix NetScaler ADC / Gateway | 9.3 (Critical) | Session Hijacking: insufficient input validation causes an out-of-bounds memory read on appliances configured as a Gateway or AAA virtual server, leaking session tokens and other memory contents that let attackers take over authenticated sessions and bypass MFA. CISA added it to the KEV catalog with a 24-hour remediation deadline for federal agencies. |
| 6 | CVE-2025-9242 | Firebox Out-of-Bounds Write | WatchGuard Firebox (Fireware OS) | 9.3 (Critical) | Unauthenticated RCE: out-of-bounds write in the iked process handling IKEv2 VPN negotiations, reachable remotely without credentials. |
| 7 | CVE-2025-32463 | Sudo Chroot Escalation | Sudo Utility (Linux/Unix) | 9.3 (Critical) | Privilege Escalation: with the -R / --chroot option, sudo resolved /etc/nsswitch.conf inside the user-supplied chroot, so a local user could make sudo load an attacker-controlled NSS shared library as root. Fixed in sudo 1.9.17p1. |
| 8 | CVE-2025-12480 | Triofox Access Bypass | Gladinet Triofox | 9.1 (Critical) | Improper Access Control: lets attackers reach setup functionality, create administrator accounts and execute malicious files; exploited by the threat cluster tracked as UNC6485. |
| 9 | CVE-2025-5086 | Apriso Deserialization | Dassault Systèmes DELMIA Apriso | 9.0 (Critical) | Unauthenticated RCE: unsafe deserialization of attacker-controlled content in SOAP/HTTP requests to the manufacturing operations platform allows arbitrary code execution. |
| 10 | CVE-2025-53690 | Sitecore ViewState | Sitecore Experience Platform | 9.0 (Critical) | RCE: ASP.NET ViewState deserialization on deployments that used the sample machine key from Sitecore's documentation; because the key was public, attackers could forge validly signed ViewState payloads and execute code. Exploitation confirmed by Mandiant. |
| 11 | CVE-2025-4664 | Chrome Cross-Origin Leak | Google Chrome | 8.8 (High) | Data Leak: insufficient policy enforcement in the Loader component allowed a referrer-policy bypass that leaks full cross-origin URLs, including query parameters such as authentication tokens; exploited in the wild. |
| 12 | CVE-2025-10585 | V8 Type Confusion | Google Chrome | 8.8 (High) | RCE: type confusion in the V8 JavaScript engine leads to memory corruption and code execution in the renderer when a victim visits a malicious web page. |
| 13 | CVE-2025-48384 | Git File Write | Git (macOS/Linux) | 8.1 (High) | Arbitrary File Write: inconsistent carriage-return handling in config parsing (the reader strips a trailing CR, the writer did not quote it) lets a malicious repository redirect a submodule checkout during `git clone --recursive`, writing files outside the intended path and executing a submodule hook. |
| 14 | CVE-2025-62221 | Cloud Files Driver UAF | Windows Cloud Files Mini Filter Driver | 7.8 (High) | Privilege Escalation: use-after-free in the kernel-mode driver lets a local attacker gain SYSTEM privileges without user interaction. |
| 15 | CVE-2025-6218 | WinRAR Path Traversal | WinRAR | 7.8 (High) | RCE: path traversal during extraction lets a crafted archive write files outside the chosen directory (e.g., into the Startup folder, giving execution at next logon); exploited by APT groups such as Bitter. |
| 16 | CVE-2025-41244 | Aria Tools PrivEsc | VMware Aria Operations / VMware Tools | 7.8 (High) | Local PrivEsc: untrusted search path in the guest metrics collection, which executed binaries staged by an unprivileged user with root privileges inside the VM; used by the Chinese state-linked actor UNC5174. |
| 17 | CVE-2025-62215 | Kernel Race Condition | Windows Kernel | 7.0 (High) | Privilege Escalation: race condition leading to a double free and memory corruption; exploited in the wild as a zero-day to elevate to SYSTEM after initial access. |
| 18 | CVE-2025-20362 | ArcaneDoor (Auth Bypass) | Cisco ASA / FTD | 6.5 (Medium) | Auth Bypass: missing authorization in the VPN web server; chained with CVE-2025-20333 to give unauthenticated attackers access to restricted endpoints. Low score on its own, critical in the chain. |
| 19 | CVE-2025-48633 | Android Info Disclosure | Android Framework | High (no CVSS score listed) | Sandbox Bypass: allows a malicious app to read sensitive system memory; Google reported limited, targeted exploitation. |
| 20 | CVE-2025-48572 | Android Priv Escalation | Android Framework | High (no CVSS score listed) | Privilege Escalation: permissions bypass allowing background apps to launch activities they are not authorized to start; reported as chained with CVE-2025-48633. |
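The Git entry (rank 13) is the least obvious mechanism in the table, so here is an added example that models it. This is illustrative code, not Git's own source: it reproduces the writer/reader asymmetry described for CVE-2025-48384 in a small config round-trip, with a vulnerable writer that emits a value ending in a carriage return verbatim and a fixed writer that quotes and escapes it. The function names, and the `path = "sub\r"` line standing in for a malicious `.gitmodules`, are constructed for the example.

```python
# Added example, not Git's code: models the config writer/reader asymmetry
# behind CVE-2025-48384. The reader strips a trailing CR/LF from a value;
# the pre-fix writer did not quote a value that ends in CR, so the CR is
# silently lost on the next read and the value changes.


def _unescape(s: str) -> str:
    """Undo the backslash escapes used inside a double-quoted config value."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({"r": "\r", "n": "\n", "t": "\t"}.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def read_value(line: str) -> str:
    """Parse one `key = value` line the way a reader that strips a trailing
    CR/LF does. A quoted value keeps its escaped CR; a bare trailing CR is
    treated as line-ending noise and dropped."""
    _, _, raw = line.partition("=")
    raw = raw.rstrip("\r\n").strip(" \t")
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw


def write_value_vulnerable(key: str, value: str) -> str:
    """Pre-fix behaviour (illustrative): the value is written verbatim, so a
    trailing CR lands unquoted in front of the LF."""
    return f"{key} = {value}\n"


def write_value_fixed(key: str, value: str) -> str:
    """Fixed behaviour (illustrative): a value containing CR, LF, quotes or
    backslashes is double-quoted with the special characters escaped, so the
    reader recovers exactly what was written."""
    if any(c in value for c in '\r\n"\\'):
        escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                        .replace("\r", "\\r").replace("\n", "\\n"))
        return f'{key} = "{escaped}"\n'
    return f"{key} = {value}\n"


def round_trip(writer, key: str, value: str) -> str:
    """Write a value with the given writer, then read it back."""
    return read_value(writer(key, value))


def submodule_checkout_path(writer, gitmodules_line: str) -> str:
    """Model of the clone flow: the submodule path is read from the
    repository's .gitmodules (attacker-controlled, quoted so the CR survives),
    copied into the local config by `writer`, and read back from there to
    decide where the submodule is checked out."""
    path_from_gitmodules = read_value(gitmodules_line)
    local_config_line = writer("path", path_from_gitmodules)
    return read_value(local_config_line)


if __name__ == "__main__":
    # Constructed stand-in for a malicious .gitmodules entry: the path ends in CR.
    malicious = 'path = "sub\\r"\n'
    print(repr(submodule_checkout_path(write_value_vulnerable, malicious)))  # 'sub'
    print(repr(submodule_checkout_path(write_value_fixed, malicious)))       # 'sub\r'
```

With the vulnerable writer the submodule declared as `sub\r` is checked out under plain `sub`, a location the attacker can pre-create in the repository (the real exploit used a symlink there pointing into the hooks directory, so a `post-checkout` hook shipped in the submodule ran after clone). With the fixed writer the path survives the round trip unchanged and no redirection happens. The general lesson carries beyond Git: whenever a value is serialized by one routine and parsed by another, check that every character the writer accepts is one the reader returns intact.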
