VulnCheck finds ransomware operators increasingly relying on zero-days, raising risk in OT environments

New VulnCheck data shows that of the more than 48,000 CVEs newly disclosed in 2025, barely 1% were exploited in the wild, yet those few drove disproportionate operational damage. Drawing on more than 500 data sources and tracking hundreds of thousands of vulnerabilities, the analysis shows that the flaws that mattered were weaponized quickly, drew interest from ransomware groups, botnets, and state-linked hackers, and often outpaced patching cycles before defenders could respond.

In its ‘The 2026 VulnCheck: Exploit Intelligence Report,’ VulnCheck identified 50 routinely targeted vulnerabilities that carried elevated risk by year’s end, while proof-of-concept exploits for new CVEs rose 16.5%, much of it fueled by low-quality AI-generated code that distorted risk signals. China-nexus attributions climbed 52% year over year, and ransomware operators increasingly leaned on zero-day activity, with 56.4% of ransomware-linked CVEs first discovered through active exploitation, underscoring a shift toward faster, more aggressive operational models.

“Security teams are drowning in vulnerability data, yet still struggle to understand where real risk exists and what demands action now,” Jacob Baines, chief technology officer at VulnCheck, wrote in the report. “In 2025, the gap between signal and noise widened. CVE volume surged, proof-of-concept code was ubiquitous, and AI accelerated the production of low-quality signals, while real-world exploitation remained persistent and ruthless.”

The report found that more than a quarter (26%) of CVEs with 2025 identifiers had proof-of-concept code or exploit details available by the end of the calendar year. The existence of exploit code alone, however, isn’t a great predictor of in-the-wild exploitation; a minuscule 1% of 2025 CVEs have so far been used in attacks. Even fewer of those flaws had named threat actor (ransomware, APT, or botnet) activity.

The data found that ransomware and extortion operations made heavier use of hypervisor and file transfer vulnerabilities that gave them a direct path to encryption and/or data theft. Initial access vectors used by ransomware crews can also be harder to pin down, for instance when access brokers are involved or when TTPs rely heavily on shared tooling and techniques. The prevalence of driver vulnerabilities linked to ransomware attacks is also notable, if somewhat anomalous.

“When we arrange the top 40+ CVEs from 2025 in a Venn diagram, we can see that there’s a larger overlap between the most researched CVEs and threat actor-exploited CVEs than there is between ransomware and researcher-favored vulns,” VulnCheck reported. “It’s worth emphasizing that ⅓ of known 2025 ransomware CVEs have no known (functional) exploit code, meaning ransomware groups are succeeding in keeping attack chains private for proprietary use. The raw number of unresearched ransomware vulnerabilities from 2025 is similar to the raw number from 2024, but with a smaller batch of ransomware flaws overall this past year, the statistical impact is more noticeable.”

VulnCheck’s ransomware dataset covers both newly disclosed and previously known CVEs exploited by named ransomware families, with source links and dates tracked by its intelligence team. In 2025, 39 newly disclosed CVEs were tied to ransomware activity across at least 17 families, along with numerous unattributed incidents. That figure marks a 25% year-over-year decline, down by 13 vulnerabilities compared with 2024.

However, the broader picture is less reassuring. VulnCheck’s KEV list included more than 50 CVEs from any year linked to ransomware activity in 2025, while CISA added 24. More notably, 56.4% of ransomware-related CVEs disclosed in 2025 were first identified through zero-day exploitation by financially motivated actors, up from 33% in 2024. As of January 2026, one-third of known 2025 ransomware CVEs still had no public or commercial exploit available.

The report highlights several 2025 ransomware-linked CVEs that still lack usable public exploits. Among them is Fortra GoAnywhere MFT CVE-2025-10035, where proof-of-concept code exists but cannot be weaponized without an unknown private key, raising questions about how attackers obtained it. Three zero-day flaws in VMware ESXi disclosed in March 2025 were still being used in live intrusions as of January 2026.

Other cases include Oracle WebLogic Server CVE-2025-21535, a missing authentication vulnerability tied to initial access in activity attributed to Hunters International, and a Baidu Antivirus driver flaw in BdApiUtil that enabled a bring-your-own-vulnerable-driver attack to bypass endpoint detection and response, culminating in DeadLock ransomware deployment.

Fortinet FortiOS CVE-2024-55591, a zero-day authentication bypass vulnerability disclosed in January 2025, had the highest count of ransomware groups attached to it as the year closed, with six named ransomware families (DragonForce, Hunters International, NightSpire, Qilin, RansomHub, and SuperBlack) in addition to unattributed activity. Microsoft SharePoint CVE-2025-53770 took the second spot, with nearly half a dozen families linked to it, followed by three SimpleHelp CVEs (e.g., CVE-2024-57727) used for initial access in Play, Medusa, and other ransomware incidents.

Two other vulnerabilities with known ransomware use are also worth calling out: CVE-2025-7771, a ThrottleStop (rwdrv.sys) driver flaw that Akira affiliates abused in a BYOVD attack before using a second-stage driver vulnerability to disable security software; and CVE-2025-6264, an incorrect default permissions issue in Rapid7’s open-source Velociraptor DFIR tool that Cisco Talos said could have been used to establish persistence during ransomware intrusions. Several 2025 incidents saw Velociraptor otherwise abused for remote access and C2 communication.

VulnCheck detailed Cl0p, also tracked as TA505, FIN11 and Lace Tempest, which has operated since at least 2019. While now best known for large-scale data theft and extortion, the group previously deployed ransomware with encryption. It drew widespread attention in early 2021 after exploiting four zero-day flaws in Accellion FTA, a campaign that compromised dozens of high-profile organizations and affected more than nine million individuals.

Since then, Cl0p has repeatedly targeted file transfer and file sharing software with zero-day exploits, including flaws in SolarWinds Serv-U, MOVEit Transfer, GoAnywhere MFT, Cleo software and SysAid. The MOVEit and GoAnywhere campaigns were especially far-reaching, with estimates that the MOVEit attack alone impacted more than 2,700 organizations and over 95 million downstream victims. 

The group’s leak site activity tends to spike after major campaigns, as seen in early 2025 following exploitation of a Cleo vulnerability, but lower posting volume does not signal dormancy. Cl0p is known to quietly retain zero-day access and conduct reconnaissance before launching rapid data exfiltration waves, such as the September 2025 extortion emails sent to Oracle E-Business Suite customers claiming large-scale data theft. At the same time, attribution remains complex in the RaaS (ransomware-as-a-service) ecosystem, where reused code, shared tooling and copycat branding can blur the line between distinct operators.

“Cl0p has maintained its dominance operationally and as a criminal brand, using zero-day exploit chains to facilitate wide-ranging breaches of corporate networks and leveraging a legitimate security media outlet to claim credit,” VulnCheck reported. “There’s no indication the group is slowing down: As of January 2025, VulnCheck is aware of purported Cl0p extortion communications that claim to have used an as-yet-unclear vulnerability in Gladinet software to facilitate data exfiltration.”

The report also addressed how DragonForce emerged in late 2023 with a wave of high-profile intrusions following the launch of its leak site, quickly naming victims across the U.S., Europe, and Asia, including healthcare providers, Coca-Cola Singapore, Yakult Australia, and the Ohio Lottery. By mid-2024, the group was linked to attacks on government and public sector entities from Palau to California. Analysts disagree on its origins, with some pointing to activity as early as August 2023 and others speculating about possible Russian ties, though evidence remains inconclusive.

Operating under a ransomware-as-a-service model, DragonForce initially relied on leaked LockBit and modified Conti variants and offered affiliates up to 80 percent of ransom payments. In March 2025, it rebranded as a ‘cartel,’ allowing affiliates to use its infrastructure without deploying its ransomware, a move that complicated attribution and accelerated growth. 

The group has combined social engineering with the exploitation of network-edge and remote-management vulnerabilities, including flaws in SimpleHelp and Fortinet FortiOS, as well as earlier bugs such as Log4Shell and Ivanti Connect Secure. It has also adopted less common tactics, such as bring-your-own-vulnerable-driver techniques to disable security tools, with researchers observing shared ‘AVKiller’ utilities and newer malware variants leveraging vulnerable kernel drivers to evade endpoint defenses.

VulnCheck noted that the targeting appears opportunistic, with victims spanning multiple verticals. Healthcare and manufacturing organizations are common in DragonForce’s victimology, though retail and other sectors have also been targeted in recent months. DragonForce’s aggressive attack patterns, combined with an unusually lucrative and open-handed affiliate model, both explain the group’s quick rise and serve as a warning for the future: As new affiliates inevitably onboard and further evolve DragonForce’s techniques and tooling, already-high attack volumes are likely to increase as attribution confidence lags.

The report also mentioned that RondoDox, which surfaced in mid-2025 and gained notice for attempting to exploit an unusually broad set of vulnerabilities, earned the label ‘exploit shotgun’ from several security vendors. Instead of relying on a handful of proven access points, the botnet cast a wide net across platforms to scale infections, using compromised systems for distributed denial-of-service attacks, credential theft and cryptocurrency mining.

VulnCheck’s Canary Intelligence observed RondoDox exploiting 38 distinct CVEs ranging from 2013 through 2025. The mix of legacy and newly disclosed flaws used within the same campaigns suggests the botnet prioritized whatever exploit code was readily available, rather than focusing on newer or more technically advanced vulnerabilities.

Analysis of CVE-2025 activity shows RondoDox exploited six newly disclosed vulnerabilities affecting consumer routers, enterprise systems and widely used web frameworks. Despite its aggressive scanning, the botnet was typically not an early mover, often waiting months after public disclosure before attempting exploitation. Telemetry also indicates uneven persistence. Some vulnerabilities were probed briefly and then dropped, while others were exploited consistently over extended periods, suggesting a pragmatic approach that tested opportunities and doubled down where access proved reliable.

VulnCheck concluded that vulnerabilities remain an integral part of adversary toolkits, providing perennially useful vectors for initial access, privilege escalation, defense evasion, and more. “By examining vulnerability exploitation and research trends at scale, we can better understand where visibility and remediation gaps are preventing effective risk assessment, driving up the human and business costs of cyberattacks. VulnCheck data is designed to enable proactive security and emerging threat response at machine speed, empowering organizations with best-in-class intelligence across the entire vulnerability lifecycle.”
