VulnCheck’s latest exploit intelligence report says ransomware operators are relying more heavily on zero-day vulnerabilities, a trend that increases risk for operational technology (OT) environments and critical infrastructure defenders. The analysis examined more than 48,000 newly disclosed CVEs in 2025 and found that only a small fraction were actually exploited in the wild, but those that were tended to drive the most operational impact.
According to the report, attackers moved quickly on the flaws that mattered, often before defenders could patch systems or fully understand the exposure. VulnCheck also found that proof-of-concept material became more common in 2025, while AI-generated low-quality code added noise to the vulnerability landscape and made it harder for security teams to separate real threats from less useful signals.
Only a small share of 2025 CVEs were exploited, but they carried outsized impact
VulnCheck said that out of more than 48,000 newly disclosed CVEs in 2025, barely 1% were exploited in the wild. Even so, the vulnerabilities that were weaponized were quickly taken up by ransomware groups, botnets, and state-linked threat actors, according to the company’s tracking across hundreds of thousands of vulnerabilities and more than 500 data sources.
The report identified 50 routinely targeted vulnerabilities that remained elevated-risk items by the end of the year. It also noted that more than a quarter of CVEs with 2025 identifiers had proof-of-concept code or exploit details available by year-end, though VulnCheck stressed that exploit code alone is not a strong predictor of real-world exploitation.
Ransomware crews increasingly favored zero-days and private attack chains
One of the report’s central findings is that ransomware operators increasingly leaned on zero-day activity. VulnCheck said 56.4% of ransomware-linked CVEs first disclosed in 2025 were initially identified through active exploitation, meaning the flaw was already being used against victims before a patch or advisory existed, up from 33% in 2024.
The company also said ransomware and extortion groups made especially heavy use of hypervisor and file transfer vulnerabilities because those paths can lead directly to encryption or data theft. Some initial access routes are difficult to trace precisely, particularly when access brokers are involved or when attackers use shared tooling and techniques.
VulnCheck highlighted that one-third of known 2025 ransomware CVEs had no known functional exploit code, suggesting that ransomware groups are keeping some attack chains private for exclusive use.
Notable 2025 vulnerabilities tied to ransomware activity
VulnCheck’s dataset covers both newly disclosed and previously known CVEs that were exploited by named ransomware families. In 2025, the company tied 39 newly disclosed CVEs to ransomware activity across at least 17 families, plus additional unattributed incidents. That marked a 25% year-over-year decline from 2024, but VulnCheck said the broader picture remains concerning because older vulnerabilities continued to appear in ransomware cases as well.
- Fortinet FortiOS CVE-2024-55591 — a zero-day authentication bypass disclosed in January 2025 and linked to six named ransomware families, plus unattributed activity.
- Microsoft SharePoint CVE-2025-53770 — tied to nearly half a dozen ransomware families.
- SimpleHelp CVEs — including CVE-2024-57727, used for initial access in Play, Medusa, and other incidents.
- Oracle WebLogic Server CVE-2025-21535 — a missing authentication flaw associated with initial access in activity attributed to Hunters International.
- Fortra GoAnywhere MFT CVE-2025-10035 — proof-of-concept code exists, but VulnCheck said it cannot be weaponized without an unknown private key.
- ThrottleStop rwdrv.sys CVE-2025-7771 — abused by Akira affiliates in a bring-your-own-vulnerable-driver (BYOVD) attack, in which a legitimately signed but flawed driver is loaded to gain kernel-level access.
- Rapid7 Velociraptor CVE-2025-6264 — an incorrect default permissions issue that Cisco Talos said could support persistence during ransomware intrusions.
VulnCheck also noted that three VMware ESXi zero-days disclosed in March 2025 were still being used in live intrusions as of January 2026. In another case, a Baidu Antivirus driver flaw in BdApiUtil was used in a BYOVD attack that bypassed endpoint detection and response (EDR) tooling and ended with DeadLock ransomware deployment.
What the report means for defenders
The report suggests that vulnerability management alone is not enough if teams cannot tell which flaws are being operationalized by attackers. VulnCheck said security teams are facing a widening gap between signal and noise, with a surge in CVE volume, more proof-of-concept code, and AI-driven low-quality content complicating prioritization.
For OT environments in particular, the concern is not just the number of vulnerabilities, but how quickly the small number of truly relevant ones are turned into ransomware access paths. VulnCheck’s data indicates that the most dangerous flaws are often the ones that are weaponized rapidly and reused across multiple intrusion campaigns.
As of January 2026, one-third of known 2025 ransomware CVEs still had no public or commercial exploit available. That leaves defenders with a moving target: some high-risk vulnerabilities are widely discussed, while others remain effectively private to threat actors.
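The prioritization argument above (confirmed exploitation outranks proof-of-concept availability, and PoC code that cannot actually run is noise) is the kind of thing that is easier to check in code than in prose. The following is an added example written for this page, not VulnCheck’s scoring model or any tooling the report describes. The tier rules, the `Finding` fields, the exposure flags and every `HYPOTHETICAL-*` record are assumptions constructed here; the only fact taken from the report is that CVE-2024-55591 was an exploited zero-day linked to ransomware, and its CVSS value in the sample is a placeholder rather than the published score.

```python
"""Exploitation-first triage over constructed findings (added example).

Not VulnCheck's model. Tiers follow the article's argument: confirmed
in-the-wild exploitation outranks public proof-of-concept code, and PoC code
that cannot actually be run (e.g. it needs a private key) is treated as noise.
Asset exposure comes from a constructed inventory, not from any real network.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # placeholder scores in the sample below
    exploited_in_wild: bool   # confirmed ITW exploitation from a KEV-style or vendor feed
    ransomware_linked: bool   # attributed to a named ransomware family
    poc_public: bool          # exploit details or PoC published
    poc_weaponizable: bool    # PoC runs without unknown secret material
    internet_exposed: bool    # from the asset inventory (constructed here)


TIER_RANK = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def tier(f: Finding) -> str:
    """Assign a patch tier from exploitation evidence, not from CVSS or PoC alone."""
    if f.exploited_in_wild and f.internet_exposed:
        return "P1"   # exploited and reachable: patch or isolate now
    if f.exploited_in_wild:
        return "P2"   # exploited but internal: still ahead of every PoC-only item
    if f.poc_public and f.poc_weaponizable and f.internet_exposed:
        return "P3"   # usable exploit code against an exposed asset: next in line
    return "P4"       # everything else, including high-CVSS items with no exploitation evidence


def triage(findings: Iterable[Finding]) -> List[Finding]:
    """Order by tier first; ransomware linkage and CVSS only break ties inside a tier."""
    return sorted(
        findings,
        key=lambda f: (TIER_RANK[tier(f)], not f.ransomware_linked, -f.cvss, f.cve),
    )


def tiers(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group CVE identifiers by tier, preserving triage order within each tier."""
    out: Dict[str, List[str]] = {"P1": [], "P2": [], "P3": [], "P4": []}
    for f in triage(findings):
        out[tier(f)].append(f.cve)
    return out


# Constructed input. Only the FortiOS exploitation/ransomware facts come from the
# report; the exposure flags, CVSS values and HYPOTHETICAL-* records are made up here.
SAMPLE = [
    Finding("CVE-2024-55591", 9.8, True, True, True, True, True),
    Finding("HYPOTHETICAL-1", 9.9, False, False, True, True, True),    # working public PoC, exposed
    Finding("HYPOTHETICAL-2", 10.0, False, False, True, False, True),  # PoC exists but needs a private key
    Finding("HYPOTHETICAL-3", 9.5, True, False, False, False, False),  # exploited ITW, internal only
    Finding("HYPOTHETICAL-4", 10.0, False, False, False, False, True), # top CVSS, no exploitation evidence
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(tier(f), f.cve, f.cvss)
```

Note what the ordering does with the two CVSS 10.0 records: the one whose PoC needs secret material and the one with no exploit at all both land in P4, below a CVSS 9.5 flaw that is merely exploited in the wild on an internal host. That is the signal-versus-noise separation the report is arguing for; in practice the `exploited_in_wild` and `poc_weaponizable` fields would be fed from an exploit-intelligence feed rather than hand-set.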
In short, VulnCheck’s findings point to a ransomware ecosystem that is becoming more selective, faster to exploit, and more willing to use zero-days when they offer a direct route into critical systems.