Top Exploited Vulnerabilities in 2025 and How to Defend Against Them

Ransomware successfully hit a high in May of 2025, targeting many victims. Email security and Security Awareness have failed to protect the organizations impacted in these incidents. To defend against exploits by bad actors, companies need to patch multiple Critical Zero-Day Common Vulnerabilities and Exposures (CVEs) ASAP, including: 

• Qualcomm Chipset Zero-Day 

• SAP Visual Composer Deserialization Zero-Day 

The SAP Zero-Day CVE needs to be singled out because of its great potential for causing destruction.  

Fortinet Stack Based Buffer Overflow earns an Honorable Mention as a CVE because, while the company is very good about sending notifications out right away, their customers don't always read the announcements in time to patch these vulnerabilities. 

Here’s an overview of the CVEs companies should be aware of in 2025 and ways ProActive Solutions can help organizations mitigate the risk. 

Who was Affected by CVEs? 

Multiple sectors were affected by CVEs in May of 2025. 

Critical infrastructure, telecom and unified communications (UC) industries that rely on Fortinet appliances were negatively impacted. 

Financial, healthcare, retail, manufacturing, and legal services organizations were impacted via Windows endpoint exploits and Chrome-driven compromises. 

Industrial Control Systems (ICS) and ICS providers fell victim to browser-based exploits that targeted critical interfaces. 

Managed Service Providers (MSPs) and cloud resellers had vulnerable golden images of Windows server and endpoint Virtual Machines (VMs). 

Bring Your Own Device (BYOD) shops and field teams were targeted by Android exploits that affected unmanaged or unpatched devices. Mobile workforce endpoints were impacted by Android kernel vulnerabilities. 

Ransomware-prone verticals, such as law, logistics, and manufacturing, were targeted heavily in Elevation of Privilege (EoP) chains. 

Top Exploited CVEs as of May 2025 

As of 2025, several CVEs have been identified as actively exploited. These vulnerabilities affect both software and critical infrastructure components. Below is a summary of the most significant CVEs and their negative impacts. 

Fortinet Stack Based Buffer Overflow (RCE)  

Summary:  

• Critical Remote Code Execution (RCE) affecting FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera 

• Buffer overflow via crafted HTTP requests with malicious cookies 

Exploitation:  

• Confirmed zero-day exploited before patch release 

• Attackers have achieved SYSTEM-level control and planted backdoors 

Patch:  

• Apply Fortinet’s May 2025 firmware/security patches immediately  

Remediation:  

• Implement Web Application Firewall (WAF) to strip unusual cookie payloads 

• Endpoint Detection and Response (EDR) to monitor process injection/backdoor behavior 

• Enforce network segmentation for appliance access  

Third-Party Impact:  

• MSPs and integrators deploying Fortinet at client sites are at risk  

• Ensure patch compliance across outsourced environments  

Windows Common Log File System (CLFS) Driver EoP  

Summary:  

• Two zero-days in Windows CLFS driver (use-after-free and input validation flaws) [Common Vulnerability Scoring System (CVSS) 7.8] 

Exploitation:  

• Exploited in-the-wild by malware/ransomware actors to gain SYSTEM privileges  

Patch:  

• Install Microsoft’s May 13, 2025 updates  

Remediation:  

• Harden local admin policies. Deploy EDR with CLFS monitoring  

• Validate patch installation via vulnerability management tools  

Third-Party Impact:  

• Cloud providers and partners with Windows VMs should update images  

• Hardware vendors bundling Windows should push firmware/driver updates  

Windows WinSock Ancillary Function Driver (AFD) on Driver EoP

Summary:  

• Use-after-free flaw in Windows AFD for WinSock (CVSS 7.8)   

Exploitation:  

• Actively exploited for local privilege elevation post user action 

Patch:  

• Apply May 2025 security updates immediately 

Remediation:  

• Educate users on avoiding untrusted attachments/links 

• Bolster EDR for monitoring WinSock driver anomalies 

Third-Party Impact:  

• Vendors bundling custom networking drivers must ensure compatibility and prompt updates 

Windows Desktop Window Manager (DWM) Core Library Priv. Escalation 

Summary:  

• Use-after-free in DWM core library (CVSS 7.8)   

Exploitation:  

• Improved post user-interaction scenarios, actively exploited 

• Allows privilege escalation 

Patch:  

• Install Microsoft’s May 2025 Patch Tuesday updates  

Remediation:  

• Follow EDR hunting playbooks targeting DWM anomalies 

• Audit workstations lacking patch implementation  

Third-Party Impact:  

• Original Equipment Manufacturers (OEMs) shipping custom desktop environments reliant on DWM must integrate patches in firmware updates 

Windows Scripting Engine RCE  

Summary:  

• Memory-corruption leading to RCE via malicious link (CVSS 7.5)   

Exploitation:  

• Actively exploited, typically via user opening email/website 

Patch:  

• Update scripting engine via May 2025 Windows cumulative  

Remediation:  

• Strengthen email/web filtering 

• Disable or sandbox outdated IE-mode in Edge, enforce attachment policies 

Third-Party Impact:  

• Email gateway and URL filter providers should update detection signatures and inform customers of blocked patterns 

SAP Visual Composer Deserialization (Critical Zero-Day)  

Summary:  

• Java deserialization flaw in SAP Visual Composer allowing webshell installation  

Exploitation:  

• Qilin ransomware group used it early in late May 2025 

• Direct exploitation observed by Onapsis labs 

Patch Recommendations:  

• Apply SAP Security Notes 3594142 (initial fix) and 3604119 (residual fix) immediately 

Remediation:  

• Audit SAP application logs for POST requests to Visual Composer endpoints  

• Restrict access via WAF and IP allowlists  

Third Party Impact:  

• Security Information Event Management (SIEM) providers should onboard relevant SAP telemetry  

• MSPs must prioritize patch workflows 

What Companies Need to Know About Current CVEs

Qualcomm Chipset Zero Days (June) 

Qualcomm released patches on June 3, 2025, for three zero-day chipset vulnerabilities exploited in limited targeted attacks. This information is relevant for mobile/IoT environments. 

Ransomware Surge in May 2025 

Notable breaches, such as Synnovis, Cobb County GA, TDSB via PowerSchool, Kettering Health, highlight the use of both CVE exploits and insider-assisted network breaches.  

Key Trend for Q1 

Q1 2025 saw approximately 159 CVEs exploited, with around 28% occurring within 24 hours, reinforcing the need for rapid patching and mitigation. 

How ProActive Solutions Can Help Clients Mitigate CVEs 

Proactive Solutions offers a comprehensive approach to managing and mitigating the risks associated with critical CVEs that were identified in May 2025. By leveraging advanced security tools, preventative monitoring, and timely patch management, Proactive Solutions can help organizations stay ahead of cyber threats and ensure the security of their systems. 

Key Mitigation Strategies 

Goal: Rapid identification and remediation of high-risk vulnerabilities  

What to do:  

• Deploy updates for Fortinet devices and Chrome immediately.  

• Ensure Windows cumulative updates are applied across all systems.  

• Patch Android endpoints via Mobile Device Management (MDM) or mobile fleet governance.  

How Proactive Helps:  

• Patch Service Level Agreement (SLA) dashboards and auto-escalation workflows 

• Vulnerability scanning integrated with asset inventory [Configuration Management Database (CMDB)-based]  

• Chrome patch enforcement and browser telemetry monitoring  
  

2.) Network Segmentation & Access Controls 

Goal: Limit blast radius and lateral movement opportunities  

What to do:  

• Isolate Fortinet appliances at the network level until patched.  

• Segment browser-based industrial access zones and mobile BYOD access from core systems.  

• Apply segmentation rules to remote or contractor devices.  

How Proactive Helps:  

• Network topology risk assessment and segmentation recommendations  

• Conditional access policy enforcement based on patch status or device health  

• Remote user access quarantine via Network Access Control (NAC) or Zero Trust Network Access (ZTNA) enforcement

Goal: Prevent exploitation of local/system-level access after initial compromise.  

What to do:  

• Remove unnecessary local admin rights.  

• Enforce Multi-Factor Authentication (MFA) for Remote Desktop Protocol (RDP), Virtual Private Network (VPN), and browser-based dashboards.  

• Implement Just-in-Time (JIT) privilege elevation.  

How Proactive Helps:  

• Privileged Access Management (PAM) integrations and privilege auditing tools  

• Behavioral MFA monitoring and credential misuse alerts  

• JIT access orchestration via IAM governance module  

Goal: Detect and stop exploit behavior at runtime  

What to do:  

• Tune EDR to look for heap corruption, svchost memory abuse, and abnormal Chrome process behavior.  

• Monitor for cookie manipulation and DWM.dll abuse in userland.  

How Proactive Helps:  

• Custom detection rules for CVE-specific chains 

• ThreatOps team deploys continuous behavioral monitoring for memory misuse and browser-based exploits  

• Integration with native EDR 

Goal: Ensure recovery after ransomware or destructive activity 

What to do:  

• Verify air-gapped and immutable backups of Fortinet configurations, domain controllers, and user data.  

• Validate restore time objectives for endpoints impacted by malware exploiting CVEs.  

How Proactive Helps:  

• Backup testing schedules with Recovery Point Objective/Recovery Point Objective (RPO/RTO) dashboards  

• Integration with backup vendors for snapshot verification and audit trails  

• Ransomware recovery playbooks aligned to your architecture 

Goal: Identify attacks early and trace back the exploitation path  

What to do:  

• Monitor Fortinet syslogs, Chrome crash logs, and Windows event logs.  

• Correlate abnormal login or script execution tied to exploitation.  

How Proactive Helps:  

• Log ingestion and correlation into SIEM/Extended Detection and Response (XDR)  

• Threat detection rules specific to RCE/EoP behaviors  

• ThreatLens: CVE threat intelligence correlated with your telemetry  

Goal: Reduce risk from inherited vulnerabilities via supply chain 

What to do:  

• Assess third-party products using Fortinet, Android platforms, or Chromium bases.  

• Verify vendors are patching underlying CVEs in OEM builds or integrations.  

How Proactive Helps:  

• Third-party software risk scoring  

• Vendor patch tracking dashboard and automated alerts  

• Procurement-side security checklists to validate supplier response to active exploits 

ProActive Solutions in Action 

Partnering with the right technology company for cybersecurity can make the difference between falling victim to an exploit and defending your company successfully. 

Here are 3 example scenarios showing how Proactive Solutions can help organizations mitigate the critical CVEs that were identified in May 2025. 

Scenario 1: Fortinet Stack-Based RCE  

Problem:  

A regional telecom provider has multiple branch offices that use FortiVoice and FortiMail. They haven’t patched the devices, so attackers exploit the cookie overflow to drop a reverse shell.  

How Proactive Solutions Helps  

• Discovery & Triage: Asset inventory flags these Fortinet devices; devices noted as unpatched.  

• Patch SLA Enforcement: Firmware updates are pushed through the orchestration engine under a 72-hour SLA.  

• EDR Integration: We deployed monitoring for shell-like process creation or unusual FortiOS events.  

• Hunting Playbook Execution: Analysts search logs for signs of RCE indicators within Fortinet logs.  

Outcome:  

• No compromise occurred. Patching was completed within 24 hours.  

• Shell activity detection alerts were triggered and triaged.  

• Documentation of patch and monitoring formalized for future compliance reports.  

Scenario 2: Windows EoP Chain

Problem:  

A financial services workplace uses golden VM images with the May patch pending. An incoming phishing email is opened, delivering a low-privileged payload. The incident quickly escalates via CLFS.sys and AFD.sys, reaching SYSTEM using DWM.dll.  

How Proactive Solutions Helps 

• EDR Rule Tuning: Behavioral signatures detect atypical DWM interactions and AFD.sys memory abuses, creating an alert cluster.  

• ThreatOps Triage: Incident analysts correlate the alert chain across multiple endpoints and quarantine the device.  

• Privilege Hardening: Review and revoke local admin privileges. Enforce JIT for admin needs in that department.  

• Remediation Support: Complete patch deployment across the VM farm, confirmed via compliance dashboard.  

Outcome:  

• Escalation chain was detected in early stages before data exfiltration.  

• Endpoint was quarantined in under 10 minutes.  

• Patch compliance increased from 68% to 99% within the business unit.  

Scenario 3: SAP Visual Composer Deserialization (Critical Zero-Day)  

Problem:  

A global manufacturing firm runs an internet-facing SAP NetWeaver Java instance that includes the Visual Composer “developmentserver” component (VCFRAMEWORK). Threat actors identify the /developmentserver/metadatauploader endpoint via automated scanning and send a crafted POST request, uploading a JSP webshell. Inside the shell, a deserialization payload executes, giving the attacker sidadm privileges. The attacker quickly gains access to SAP business data and drops ransomware.  

How Proactive Solutions Helps  

• Our SAP discovery module scans and identifies all NetWeaver systems with VCFRAMEWORK installed.  

• Systems lacking recent SAP patches are flagged as vulnerable.     

• Automatically enforce application of Emergency Fix and follow up within a 72-hour SLA.  

• For systems that can’t patch immediately, Proactive deploys rapid mitigation, disabling the metadata uploader endpoint or blocking it via WAF, per SAP Note.     

• ThreatOps tunes SIEM/XDR to alert on:  

• • Uploads to /irj/…/servlet_jsp/…/*.jsp  

• • Execution via GET requests to unknown JSPs  

• • Deserialization patterns and suspicious j2ee process activity  

• Deploys Onapsis/Mandiant IoC scanner to detect previously dropped webshells. 

• When an IOC triggers, the relevant SAP server is quarantined automatically.  

• Forensics team captures memory and filesystem snapshots to identify attack origin. 

• Confirm removal of malicious Jakarta Server Pages (JSPs) and patch installation across the SAP landscape.  

• Harden SAP deployment through secure design: remove unused VCFRAMEWORK, restrict WAF, enforce network segmentation from web-facing zones.  

• Use Proactive’s threat-hunting rules to detect chained attacks, such as webshell plus deserialization payloads, consistent with the observed exploitation waves.  

Outcome  

• Exploit blocked: WAF prevented uploads to the development server endpoint.  

• Malicious payload detected: Webshell triggers alerted within 15 minutes.  

• Cleanup & recovery: Malicious JSPs removed, server quarantined, patch application completed.  

• Resilience achieved: Defense-in-depth architecture, no business process disruption.  

• Reduced future risk: Hardening and endogenous scanning blocked other Visual Composer exploit attempts.  

ProActive’s thorough and successful approach to these CVE scenarios illustrates why we are a sought-after technology partner for companies that want to eliminate critical vulnerabilities. 

Learn how to keep your company from being targeted by exploits that take advantage of CVEs. Ask for a consultation from ProActive Solutions.