Part 2: Vulnerability Insights and Prioritization Report 2025 H1 Analysis
Part 2 of our series analyzes the vulnerabilities Flashpoint prioritized in the first half of 2025, revealing key trends in attacker behavior, vendor exposure, and the critical importance of real-time, contextual intelligence. If you missed Part 1 – Read it here.

Contextual Intelligence for Real-World Risk
This mid-year report equips security leaders and operators with the contextual intelligence required to act decisively and goes beyond routine CVSS scoring and patch availability. It considers real-world consequences: how vulnerabilities are weaponized, what adversaries are favoring, and which vendor ecosystems, beyond the usual enterprise players, are drawing increased attention from threat actors.
This report also surfaces high-risk vulnerabilities that lack official CVE IDs but present significant exploitation potential and business risk. These unofficial but significant flaws expose a fundamental gap in traditional vulnerability tracking systems and underscore the importance of continuously managed, intelligence-driven vulnerability coverage.
To learn how to approach vulnerability and exposure management with threat-informed vulnerability prioritization, check out the Flashpoint Method for Threat-Informed Vulnerability Prioritization.

Vulnerability Insights from 2025 H1
1. Exploitation Visibility is Non-Negotiable
- At the time of publishing, 54% of prioritized vulnerabilities had an exploit or were being exploited, possessed a high CVSS score, were remotely exploitable, affected a ‘major’ vendor, and had already been exploited in the wild.
- In today’s vulnerability disclosure landscape, by the time many serious flaws are made public, there’s a high chance they’ve already been used for attacks.
- Between January and June 2025, 60% of vulnerabilities published by Flashpoint had publicly available exploit code (e.g., on GitHub, Exploit-DB, or Telegram).
- Additionally, 97% of vulnerabilities with exploit information already had that information available when they were disclosed, further emphasizing the speed at which adversaries move.
- The elevated risk stems from the increased likelihood of these vulnerabilities being actively exploited by threat actors.
2. Rapid Weaponization is the Rule, Not the Exception
- On average, an exploit becomes available less than one day after public vulnerability disclosure.
- This statistic applies to vulnerabilities where both the disclosure date and the availability of an exploit are known. This rapid development cycle highlights the critical need for immediate action to mitigate risk effectively.
- Several high-profile vulnerabilities saw mass exploitation in under 24 hours.
Exploitation Consequence Distribution & Vendor Focus
Exploitation Consequences
In the first half of 2025 alone, our analysts identified and suggested prioritization for 96 vulnerabilities out of more than 21,100 vulnerabilities published to Flashpoint VulnDB and Ignite. These vulnerabilities could affect enterprises because many are found in widely used products, and all of them meet one or more of the following criteria:
- Are in widely used products and are potentially enterprise-affecting
- Have critical severity and high CVSS score
- Are exploited in the wild or have exploits available
- Allow full system compromise
- Can be exploited via the network alone or in combination with other vulnerabilities
- Have a solution to take action on
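As an added illustration (not Flashpoint's code or scoring method), the sketch below applies the six criteria above to vulnerability records keyed by an internal ID, so entries with no CVE stay in the queue, and computes time to exploit only when both dates are known, as the statistic in the previous section requires. The field names, the 7.0 CVSS cut-off, the ranking by number of matched criteria and the sample records are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIGH_CVSS = 7.0  # assumption: the page gives no numeric cut-off for "high"

@dataclass
class Vuln:
    vuln_id: str                # internal ID, so a record without a CVE still has a key
    cve: Optional[str]          # None when no CVE has been assigned
    cvss: float
    widely_used: bool
    exploit_known: bool         # exploited in the wild or exploit available
    full_compromise: bool
    remote: bool
    has_solution: bool
    disclosed: Optional[date] = None
    exploit_seen: Optional[date] = None

def matched_criteria(v: Vuln) -> list[str]:
    """Names of the six listed criteria that this record meets."""
    checks = {"widely_used": v.widely_used, "high_cvss": v.cvss >= HIGH_CVSS,
              "exploit_known": v.exploit_known, "full_compromise": v.full_compromise,
              "remote": v.remote, "has_solution": v.has_solution}
    return [name for name, ok in checks.items() if ok]

def days_to_exploit(v: Vuln) -> Optional[int]:
    """Disclosure-to-exploit gap in days; None unless both dates are known."""
    if v.disclosed is None or v.exploit_seen is None:
        return None
    return (v.exploit_seen - v.disclosed).days  # <= 0: exploit existed at disclosure

def triage(vulns: list[Vuln]) -> list[tuple[str, list[str]]]:
    """Rank records by matched-criteria count; the CVE field is never a filter."""
    hits = [(v.vuln_id, matched_criteria(v)) for v in vulns]
    return sorted((h for h in hits if h[1]), key=lambda h: (-len(h[1]), h[0]))

# Constructed sample records, not real data.
SAMPLE = [
    Vuln("EX-1", "CVE-PLACEHOLDER-1", 9.8, True, True, True, True, True,
         date(2025, 1, 10), date(2025, 1, 11)),
    Vuln("EX-2", None, 7.5, True, True, False, False, False,
         date(2025, 2, 13), date(2025, 2, 13)),
    Vuln("EX-3", "CVE-PLACEHOLDER-3", 4.3, False, False, False, False, False),
]
```

Calling `triage(SAMPLE)` keeps EX-2 even though its `cve` field is empty, which a pipeline that joins on CVE ID would drop.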
An analysis of their exploit consequences reveals the potential impact across systems, data, and operations. This figure details the severity of potential breaches and their distribution among various exploit outcomes.
Exploit Consequences | Vulnerability Count |
---|---|
RCE, including “Remote Command Execution” and “Remote Code Execution” | 31 |
Authentication Bypass | 8 |
Privilege Escalation | 7 |
Command Injection | 6 |
Information or Credential Disclosure | 4 |
Other (i.e. buffer overflow, denial of service, and default/hard-coded credentials) | 40 |
Vendor Concentration
(Remote, Exploit Available or Active, High CVSS Score)
The following dataset offers a compelling look at the vulnerability landscape from January to June 2025, specifically focusing on vulnerabilities that are remotely exploitable, have active exploits available, and possess a high CVSS score, rather than all vulnerabilities affecting the mentioned vendors during this period. This list highlights the continued dominance of tech giants like Amazon, Dell, and Microsoft at the top of the charts, underscoring the extensive and widespread usage of their technologies, demanding heightened attention.
Curiously, NASA’s three-time inclusion provides a unique data point, suggesting that even highly specialized and secure organizations are not immune to vulnerabilities. Furthermore, the significant presence of automation and ICS/IoT vendors such as Schneider, Siemens, Weidmüller, and Eaton points to a growing concern within critical infrastructure and industrial control systems.
Vendor | Prioritized, Threat-Informed Vulnerabilities |
---|---|
SUSE | 10 |
Dell | 9 |
Microsoft | 9 |
IBM | 8 |
Red Hat | 7 |
Amazon | 5 |
Canonical | 5 |
Software in the Public Interest | 5 |
Apache | 4 |
Cisco | 4 |
Apple | 4 |
4 | |
Nilson Lazarin | 3 |
Palo Alto | 3 |
Ivanti | 3 |
NASA | 3 |
Fedora | 3 |
Oracle | 3 |
VMware | 2 |
D-link | 2 |
Zyxel | 2 |
Fortinet | 2 |
Sonicwall | 2 |
Siemens | 2 |
Opera | 2 |
Philips | 2 |
Real-World Examples
Three additional vulnerabilities we wanted to highlight on top of the ones already prioritized in the Weekly Vulnerability Prioritization and Insights Report are:
Microsoft Windows RAR File Extraction File Concealment Weakness | |
---|---|
Vulnerability Description | Microsoft Windows contains a flaw that is triggered when extracting files from specially crafted compressed RAR archives. This may allow a context-dependent attacker to hide extracted files when viewing directories in the Windows Explorer GUI. |
Product(s) | Windows 10, 11 |
Classifications | Attack Type: Input Manipulation; Impact: Loss of Integrity; Solution: Solution Unknown; Disclosure: Discovered in the Wild |
Ransomware Likelihood | Medium |
Time to Exploit | Zero-day |
Disclosure Date | 2/13/2025 |
CVE Assignment | 133 days with no CVE assignment yet |
Google Chrome chrome_elf.dll DLL Side-loading Local Code Execution Weakness | |
---|---|
Vulnerability Description | Google Chrome contains a flaw that is triggered when loading DLL files. This may allow a local attacker to load an attacker-controlled chrome_elf.dll library and execute arbitrary code. |
Product(s) | Google Chrome |
Classifications | Attack Type: Other; Impact: Loss of Integrity; Solution: Solution Unknown; Disclosure: Discovered in the Wild; FP Classification: Concern, Authentication Required |
Time to Exploit | Zero-day |
Disclosure Date | 3/13/2025 |
CVE Assignment | 105 days with no CVE assignment yet |
Zoom Contact Center Remote Control Functionality Insecure Notification Handling Access Weakness | |
---|---|
Vulnerability | Zoom contains a flaw in the Contact Center component that is triggered as the remote control functionality allows the display of a changed username in notifications when a user requests control over a user’s screen. This may allow a context-dependent attacker to spoof a system notification and entice the user into unintentionally granting access to their system. |
Product(s) | Zoom Workplace desktop app for Windows, Linux and macOS; Zoom client for Linux, Chrome, macOS, Android, iOS, and ChromeOS |
Classifications | Attack Type: Input Manipulation; Impact: Loss of Integrity; Solution: Solution Unknown; Disclosure: Discovered in the Wild |
Time to Exploit | Zero-day |
Disclosure Date | 3/24/2025 |
CVE Assignment | 94 days without a CVE assignment |
These examples illustrate key trends and provide actionable insights into our ability to deliver early warning awareness for vulnerabilities that may pose significant risk to your organization. All three, which affect Microsoft Windows, Google Chrome and Zoom Workplace, have now gone more than 90 days without a CVE assignment.
For reference, we keep a running list of all vulnerabilities we have published as prioritizations in Flashpoint’s Weekly Vulnerability Prioritization and Insights Report.
Turning Signal Into Action
As we close the first half of 2025, one theme is unmistakably clear: most security teams are overwhelmed, not by a lack of data, but by an abundance of unusable, incomplete, and poor-quality data. With disparate sources offering inconsistent, delayed, or partial information, teams are forced to navigate a fragmented landscape that obscures more than it reveals. This not only drains resources and delays response but also leaves organizations dangerously exposed to threats that are already in the wild.
What’s needed is not just more vulnerability data, but better vulnerability intelligence that is curated, timely, and built with exploitation awareness at its core. Security operations require clarity, not noise; prioritization, not paralysis. The vulnerabilities outlined in this report illustrate how critical it is to have a continuously updated, independent view that goes beyond CVEs, CVSS scores, and patch availability alone.
Flashpoint delivers precisely this: a consolidated and actionable intelligence source that addresses the limitations of traditional repositories like the NVD and open-sourced databases that rely on it. By offering deeper enrichment, exploitation context, and extended coverage, including vulnerabilities with no official CVE, Flashpoint transforms vulnerability management from a reactive scramble into a strategic advantage.
To learn more, check out the Flashpoint Method for Threat-Informed Vulnerability Prioritization for an in-depth view into how Flashpoint helps organizations deliver an 85% reduction in vulnerability triage, including the strategy and prioritization criteria. Previously only available for customers, we showcase how curated intelligence, supported by weekly insights, can help security teams cut through the noise.