An extensive investigation by VulnCheck has revealed that, despite the annual surge in reported security vulnerabilities, most remain unexploited in real-world scenarios. Of the staggering 48,000 security flaws documented in 2025, only 1% were actively targeted, signaling a concerning trend in which a limited set of vulnerabilities inflicts the majority of damage.
The findings, presented in the 2026 Exploit Intelligence Report, give insight into the behavior and tactics of cyber adversaries over the past year. Within this small fraction of actively exploited flaws, attackers have demonstrated rapid and aggressive strategies, often targeting vulnerabilities as soon as they surface.
Critical Vulnerabilities Under Continuous Attack
Exclusive data shared with Hackread.com highlights specific vulnerabilities that have garnered the attention of malicious actors. Leading this list is React2Shell (CVE-2025-55182), a flaw that enables attackers to circumvent security measures on widely used web platforms. Some threat groups attempted to exploit this vulnerability within mere hours of its discovery.
Similarly, business applications have become prime targets, with significant flaws identified in Microsoft SharePoint (CVE-2025-53770) and SAP NetWeaver (CVE-2025-31324). The latter is particularly notable, as hackers were observed probing this vulnerability as early as January 2025, three months prior to its official disclosure.
A substantial portion of these attacks involves zero-day exploits, where victims are compromised before any patches are released. For instance, 56.4% of the ransomware-related vulnerabilities were identified following such zero-day attacks, indicating a troubling pattern for affected organizations.
Jacob Baines, Chief Technology Officer at VulnCheck, emphasized the rapid transformation of these vulnerabilities into weaponizable threats, noting that, although the number of targeted flaws is relatively small, their exploitation is escalating at an alarming rate.
Shifts in Threat Actor Activity
This report also uncovers trends in threat actor behavior. Groups linked to China exhibited a striking 52% spike in activity last year, diverging from a broader trend where state-sponsored groups saw a 13% reduction in operations. In contrast, Iranian-affiliated groups have noticeably decreased their cyber activities. Notably, organized ransomware factions such as Cl0p, DragonForce, Earth Lamia, and RomCom remain exceptionally active, focusing on initial access points to effectively extract data.
Impact of AI on Cyber Threats
In 2025, VulnCheck documented over 14,400 exploits tied to approximately 10,480 unique flaws, highlighting a 16.5% increase compared to the previous year. This spike can largely be attributed to “AI-generated slop,” which consists of erroneous or ineffective code created by artificial intelligence. While this code often fails to serve malicious purposes, it complicates the landscape by inundating defenses with misleading signals, thereby obscuring genuine threats.
As the threat landscape evolves, urgency remains paramount: last year, 884 vulnerabilities entered the known exploited dataset, nearly half of which were newly discovered in 2025. Notably, approximately one-third of ransomware-related flaws lacked publicly available fixes as of early 2026.
Ultimately, while the rate of vulnerability discovery continues to outpace historical norms, the challenge lies in the cybersecurity community’s ability to remediate these flaws in a timely manner. This disparity emphasizes the pressing need for enhanced strategic defenses and prompt patching protocols to combat evolving cyber threats effectively.