
Top 5 Vulnerabilities Exploited in H1 2025

July 2, 2025

A practical breakdown of the most exploited vulnerabilities in the first half of 2025 and how security teams can prioritise patching and hardening.

Attackers have lost interest in noisy, complex exploits when there are easier paths available. In the first half of 2025, exploitation of a small set of software vulnerabilities once again accounted for a disproportionate number of incidents. ENISA’s latest threat landscape reporting notes that exploitation of software vulnerabilities remains a top initial access vector and that new flaws are weaponised within days of disclosure. CISA’s Known Exploited Vulnerabilities (KEV) catalog tells the same story, with dozens of new entries added in 2025 alone as field evidence of active exploitation accumulates.

For CISOs and security leaders, the lesson is clear: vulnerability management in 2025 is about focus. You cannot patch everything at once, but you can move fast on the weaknesses adversaries are actually using.

This article looks at five vulnerabilities widely exploited in H1 2025, what made them attractive to attackers, and the practical steps security teams can take to reduce exposure.

Why these vulnerabilities matter in 2025

Several trends amplified the impact of exploited vulnerabilities in early 2025:

Against this backdrop, the following five vulnerabilities became high-value tools in attacker playbooks.

1. Apache Tomcat RCE – CVE-2025-24813

Apache Tomcat remains a widely deployed Java application server in enterprise environments. When a remote code execution flaw such as CVE-2025-24813 appears, it immediately becomes attractive to attackers scanning for exposed instances. Recorded Future’s midyear analysis highlighted this Tomcat vulnerability as one of several newly exploited flaws added to CISA’s KEV list in H1 2025.

Why it is dangerous

  • Tomcat is often internet-facing and may host business-critical applications.
  • RCE allows attackers to deploy web shells, harvest credentials and pivot deeper into the network.
  • Patching can be delayed if Tomcat is embedded in third-party packages that are not centrally tracked.

What security teams should do

  • Inventory Tomcat usage, including embedded instances bundled into other products.
  • Prioritise patching to fixed versions recommended by Apache.
  • Implement WAF rules and virtual patching where immediate upgrades are not possible.
  • Hunt for suspicious JSP files, unusual outbound connections and abnormal Tomcat process activity.

DACTA Global often begins vulnerability assessments by correlating exposures like Tomcat RCE with business impact, rather than simply listing missing patches. A similar risk-based view can help internal teams make stronger cases for urgent remediation.

2. Erlang SSH library flaw – CVE-2025-32433

CVE-2025-32433 affects the Erlang SSH library, which underpins SSH capabilities for systems built on the Erlang runtime. Threat intelligence research identified it as another of the most notable vulnerabilities exploited and added to KEV in early 2025.

Why it is dangerous

  • Erlang powers several telecom, messaging and distributed systems platforms.
  • A flaw in its SSH implementation can lead to authentication bypass or code execution, depending on configuration.
  • Many organisations are unaware they are indirectly exposed because the library is embedded in higher-level products.

What security teams should do

  • Work with vendors to identify products that ship the affected Erlang SSH versions.
  • Apply vendor patches or updated container images where available.
  • Enforce network segmentation so that Erlang-based services are never directly exposed to the internet unless strictly necessary.
  • Increase monitoring of SSH access patterns and failed logins to detect exploitation attempts.

3. Cleo managed file transfer zero-day – CVE-2024-50623

Managed file transfer (MFT) platforms continue to be attractive targets for organised crime. Following high-profile exploitation of multiple MFT products in 2023–2024, a critical vulnerability in Cleo file transfer software, tracked as CVE-2024-50623, was widely abused in ransomware campaigns referenced in threat intelligence reporting for H1 2025.

Why it is dangerous

  • MFT systems handle high volumes of sensitive data, often for multiple business partners.
  • They are typically internet-facing, making them easy to discover and probe.
  • Successful exploitation can give attackers direct access to large data repositories and privileged service accounts.

What security teams should do

  • Treat all MFT infrastructure as Tier 0 assets, with strict access controls and continuous monitoring.
  • Ensure rapid application of vendor security updates and hotfixes, especially where CISA or vendors flag active exploitation.
  • Implement network-layer controls to restrict which IP ranges can reach MFT services.
  • Use DLP and file integrity monitoring to detect large or unusual transfers from MFT hosts.

4. Mitel MiCollab remote code execution – CVE-2024-41713 and CVE-2024-55550

Voice and collaboration appliances have quietly become high-value targets. Two Mitel MiCollab flaws, CVE-2024-41713 and CVE-2024-55550, were widely exploited and later added to KEV as confirmed active threats.

Why they are dangerous

  • These systems sit at the edge, with direct internet exposure and limited host-based security controls.
  • Appliances are often treated as “set and forget”, leading to long patching delays.
  • Compromised collaboration platforms are ideal footholds for lateral movement and voice or messaging interception.

What security teams should do

  • Place collaboration appliances behind VPNs or reverse proxies where possible, instead of exposing them directly.
  • Work with telecom and UC providers on patching SLAs and remote update procedures.
  • Harden administration interfaces with strong authentication, IP-based restrictions and logging.
  • Include voice and UC systems in regular vulnerability scanning and configuration reviews, not only classic servers and endpoints.

5. Craft CMS template injection – CVE-2024-56145

Many organisations rely on content management systems to power marketing sites, microsites and customer portals. CVE-2024-56145, a template injection flaw in Craft CMS, emerged as a widely exploited web application vulnerability in early 2025.

Why it is dangerous

  • Exploitation can allow attackers to run arbitrary code in the web server context.
  • CMS deployments are often poorly inventoried and may be managed by marketing or agencies rather than central IT.
  • Compromised CMS instances can be used to deliver malware, skim credentials or pivot into internal networks.

What security teams should do

  • Maintain an authoritative inventory of all CMS instances and plugins, including those hosted by external agencies.
  • Enforce patch windows for CMS platforms and test upgrades in staging environments.
  • Require modern authentication and SSO for CMS admin access, and limit login exposure to VPN or corporate networks.
  • Use web security testing (DAST) and security headers to harden public sites.

From CVE lists to risk-based action

Lists of exploited vulnerabilities are only useful if they translate into concrete action. Several practices can help teams move from awareness to execution:

  • Use KEV and threat intel as prioritisation inputs, not just CVSS. CISA’s KEV catalog, EPSS exploit probability scores and vendor threat reports can be combined to focus patching on real-world risks rather than theoretical severity alone.
  • Align vulnerability management with asset criticality. Exposed MFT servers, collaboration appliances and backup consoles should be classed as high-value assets, even if they do not host core applications directly.
  • Feed exploitation trends into architecture decisions. If every second incident involves an edge appliance, it may be time to reduce the number of internet-facing points and move more traffic through well-managed reverse proxies or SASE platforms.
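The prioritisation approach above, worked through as an added example (not DACTA Global's tooling): each finding is scored from KEV membership, EPSS, CVSS, asset tier and exposure, so that a KEV-listed flaw on a Tier 0 MFT host outranks an internal system with a high CVSS but no exploitation evidence. The CVE ids are those discussed in this article; host names, scores, weights and SLA thresholds are constructed placeholders, not real EPSS or CVSS values.

```python
"""Risk-based patch prioritisation combining CISA KEV membership, EPSS,
CVSS, asset criticality and exposure. Added example, not DACTA Global's
tooling; every score below is a constructed placeholder, not a real value."""
from dataclasses import dataclass

# Asset criticality weight: Tier 0 = crown-jewel systems such as MFT platforms.
TIER_WEIGHT = {0: 1.0, 1: 0.7, 2: 0.4}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float            # CVSS base score 0-10 (placeholder value)
    epss: float            # EPSS exploitation probability 0-1 (placeholder value)
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities
    tier: int              # asset criticality, 0 = most critical
    internet_facing: bool


def priority(f: Finding) -> float:
    """Score in [0, 100]. KEV acts as a floor on likelihood: confirmed field
    exploitation outranks a low EPSS estimate, and CVSS only scales impact."""
    likelihood = max(f.epss, 0.9 if f.in_kev else 0.0)
    impact = (f.cvss / 10.0) * TIER_WEIGHT.get(f.tier, 0.4)
    exposure = 1.0 if f.internet_facing else 0.5
    return round(100 * likelihood * impact * exposure, 1)


def sla_days(score: float) -> int:
    """Remediation window derived from the score (example thresholds)."""
    return 3 if score >= 60 else 14 if score >= 30 else 45


def triage(findings):
    """Return (cve, asset, score, sla_days) tuples, highest risk first."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.cve, f.asset, priority(f), sla_days(priority(f))) for f in ranked]


# Constructed sample findings: CVE ids come from the article, host names and
# all numeric fields are illustrative placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-2024-50623", "mft-gw-01", 9.8, 0.95, True, 0, True),
    Finding("CVE-2025-24813", "tomcat-app-07", 9.8, 0.60, True, 1, True),
    Finding("CVE-2024-56145", "www-marketing", 9.3, 0.85, False, 2, True),
    Finding("CVE-2025-32433", "erlang-node-03", 10.0, 0.80, True, 1, False),
    Finding("CVE-PLACEHOLDER-0001", "db-internal-02", 9.8, 0.02, False, 1, False),
]

if __name__ == "__main__":
    for cve, asset, score, sla in triage(SAMPLE_FINDINGS):
        print(f"{cve:22} {asset:15} score={score:5}  patch within {sla} days")
```

Note how the internal database host with a CVSS 9.8 flaw lands at the bottom of the queue: without KEV evidence or a meaningful EPSS score, severity alone does not earn it a three-day SLA.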

DACTA Global’s Vulnerability Monitoring and Risk Assessment services follow this approach by combining threat intelligence, asset context and exploitability to help clients prioritise controls that actually reduce attack surface.

Key takeaways for CISOs

  • A small number of exploited vulnerabilities can drive a large proportion of real incidents.
  • Edge infrastructure, SaaS platforms and internet-facing middleware continue to be prime targets.
  • Patching, segmentation and focused monitoring around these systems can significantly reduce risk.

If your organisation is still treating vulnerability management as a pure compliance exercise, H1 2025 should serve as a prompt to recalibrate. Start with the vulnerabilities attackers demonstrably care about, then build a risk-based framework that keeps your focus aligned with theirs.
