Q4 2025 was one of the most intense quarters on record for critical vulnerability disclosures. CVE registrations continued to rise year-over-year, with critical flaws in Microsoft Office, WinRAR, React Server Components, Redis, Windows WSUS, and Linux kernel subsystems being actively exploited. Linux exploit attempts doubled in Q4 compared to Q3, driven by growing consumer device adoption. APT actors rapidly weaponized newly published CVEs, often within days of disclosure. Sliver remained the top C2 framework used in APT attacks, followed by Mythic and Havoc. Notable vulnerabilities include React2Shell (CVE-2025-55182), a critical RCE in React Server Components; RediShell (CVE-2025-49844) in Redis; and an insecure deserialization flaw in Windows WSUS (CVE-2025-59287). Fake PoC exploits generated by LLMs also emerged as a secondary threat following high-profile disclosures.
Table of contents
Statistics on registered vulnerabilities
Exploitation statistics
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
Conclusion and advice