Zero-Day Threats of 2025: A Detailed CVE-by-CVE Analysis

Posted December 19, 2025

Every zero-day has a story. Some bring down major services; others quietly compromise data, and many remain invisible until the damage is done. So far in 2025, the volume of zero-day discoveries has reached unprecedented levels, with AppTrana identifying more than 6,000 such vulnerabilities across protected applications. Here is a close look at the most critical CVEs of the year.

CVE Analysis: What 2025’s Zero-Days Reveal

1. Apache Tika XXE Injection (CVE-2025-66516)

CVE-2025-66516 is an XML External Entity (XXE) vulnerability in Apache Tika caused by insufficient validation of external entity references during XML parsing. This vulnerability allows attackers to submit specially crafted files or XML payloads that force the parser to process malicious external entities, potentially leading to unauthorized file disclosure.

Because Apache Tika is widely used for document content extraction across web applications, APIs, and data processing pipelines, exploitation can expose sensitive server files or enable internal network interaction from otherwise public-facing services.

To remediate the vulnerability, organizations must upgrade to patched Apache Tika releases where external entity handling is properly restricted. Until updates are applied, applications using vulnerable Tika versions remain exposed and should implement temporary gateway-level protections, restrict XML processing where possible, and monitor for suspicious file upload or parsing activity to reduce exploitation risk.
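The two halves of that advice (a parser that does not resolve external entities, and a gateway check that refuses documents carrying a DTD at all) are easier to reason about with a runnable model. The example below is added here and is not Apache Tika code or Indusface code; it uses CPython's standard-library SAX parser as a stand-in for Tika's XML parsing, with a constructed secret file and payload. The feature_external_ges flag is the real CPython switch; everything else (file names, the reject_dtd helper) is assumed for illustration.

```python
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every text node the parser reports, including text that
    arrived through an expanded entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, allow_external_entities):
    """Parse XML and return its concatenated text content.

    allow_external_entities=True reproduces the XXE-prone configuration: a
    SYSTEM entity is resolved by reading the referenced local file and the
    file's contents come back as ordinary document text. False is the
    hardened setting (CPython's default since 3.7.1): the entity is skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(xml_bytes))
    return "".join(collector.parts)


def reject_dtd(xml_bytes):
    """Gateway-style pre-parse check (assumed helper, not a Tika API): refuse
    any document that declares a DOCTYPE or an entity. Content-extraction
    inputs do not need a DTD, and without one there is no external entity
    to resolve. True means the document may be passed on; False means block."""
    return b"<!DOCTYPE" not in xml_bytes and b"<!ENTITY" not in xml_bytes


def build_xxe_sample():
    """Constructed sample for this example: a 'secret' file on disk and an
    XML payload whose SYSTEM entity points at it by absolute path."""
    secret_path = os.path.join(tempfile.mkdtemp(prefix="xxe-demo-"), "db.properties")
    secret = "db.password=hunter2-constructed-sample"
    with open(secret_path, "w", encoding="utf-8") as fh:
        fh.write(secret + "\n")
    payload = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        "<doc><title>quarterly report</title><body>&xxe;</body></doc>\n"
    ) % secret_path
    return payload.encode("utf-8"), secret


if __name__ == "__main__":
    payload, secret = build_xxe_sample()
    print("vulnerable parser leaked secret:", secret in parse_text(payload, True))
    print("hardened parser leaked secret:  ", secret in parse_text(payload, False))
    print("gateway check passes payload:   ", reject_dtd(payload))
```

One caveat for Tika specifically: the XML is often buried inside a container format (a .docx is a zip of XML parts), so a gateway check that only looks at the outer upload will not see the DOCTYPE; the check has to run on the XML parts the parser will actually open, which is why the upgrade, not the gateway rule, is the real fix.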

2. React2Shell (CVE-2025-55182)

CVE-2025-55182, known as React2Shell, is a remote code execution vulnerability affecting React Server Components. The vulnerability stems from unsafe deserialization within the RSC Flight protocol, allowing unauthenticated attackers to send crafted HTTP requests that trigger arbitrary code execution on vulnerable servers. The vulnerability impacts applications using React 19 Server Components through packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, as well as frameworks like Next.js App Router built on RSC. Because exploitation requires no authentication or special configuration, exposed deployments face a high risk of full server compromise.

To remediate the vulnerability, organizations must upgrade affected React packages to patched versions (19.0.1, 19.1.2, 19.2.1, or later) and update related frameworks such as Next.js to their fixed releases. Until these updates are deployed, exposed RSC endpoints remain vulnerable and should be restricted or protected through temporary gateway-level mitigations to reduce exploitation risk.
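The practical first step is finding out whether a deployment actually ships a vulnerable transport package, which a lockfile audit answers faster than a scanner. The script below is an added example, not React or Indusface code; it encodes only the fixed versions the advisory names (19.0.1, 19.1.2, 19.2.1) and the three react-server-dom-* packages listed above. The sample lockfile is constructed, and the assumptions that only 19.x is in scope and that a 19.x minor newer than 19.2 postdates the fix are this example's, not the advisory's.

```python
import json

# Fixed releases per 19.x minor line: 19.0.1, 19.1.2, 19.2.1 (or later).
FIXED_PATCH_BY_MINOR = {0: 1, 1: 2, 2: 1}

# The RSC transport packages the advisory names. Assumption: these are the
# only names audited; extend the set if your bundler ships RSC differently.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}


def parse_version(version):
    """Split '19.1.2' or '19.2.0-canary-abc123' into (major, minor, patch, prerelease)."""
    core, _, prerelease = version.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch, prerelease or None


def is_vulnerable(version):
    """True if the version is below the fixed release of its 19.x minor line.
    Assumption: only React 19 is in scope, and a minor newer than those
    listed (19.3+) already contains the fix."""
    major, minor, patch, prerelease = parse_version(version)
    if major != 19:
        return False
    fixed_patch = FIXED_PATCH_BY_MINOR.get(minor)
    if fixed_patch is None:
        return False
    if patch < fixed_patch:
        return True
    # A prerelease of the fixed patch number (19.2.1-canary-...) predates the
    # final 19.2.1 build, so treat it as unpatched.
    return patch == fixed_patch and prerelease is not None


def _flag(findings, name, version):
    if name in AFFECTED_PACKAGES and version:
        try:
            if is_vulnerable(version):
                findings.add((name, version))
        except ValueError:
            findings.add((name, version))  # file:/git: links etc.: review manually


def audit_lockfile(lock_json):
    """Walk a package-lock.json (lockfileVersion 1, 2 or 3) and return the
    sorted (package, version) pairs that need upgrading."""
    lock = json.loads(lock_json)
    findings = set()

    # v2/v3: flat "packages" map keyed by install path, which may be nested
    # ("node_modules/next/node_modules/react-server-dom-turbopack").
    for path, meta in lock.get("packages", {}).items():
        _flag(findings, path.rsplit("node_modules/", 1)[-1], meta.get("version"))

    # v1 (and the compatibility copy inside v2): nested "dependencies" tree.
    def walk(deps):
        for name, meta in deps.items():
            _flag(findings, name, meta.get("version"))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(findings)


# Constructed sample lockfile; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.1"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.1"},
    },
})

if __name__ == "__main__":
    for name, version in audit_lockfile(SAMPLE_LOCK):
        print(f"UPGRADE {name}@{version}")
```

Nested copies matter: a framework can pin its own react-server-dom-* under its node_modules, so a top-level `npm ls` that shows the fixed version is not proof the vulnerable copy is gone.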

3. Apache SkyWalking Stored XSS (CVE-2025-54057)

CVE-2025-54057 is a stored cross-site scripting (XSS) vulnerability in Apache SkyWalking versions up to 10.2.0. The vulnerability arises from improper neutralization of script-related HTML tags in the web interface, allowing an attacker to inject malicious scripts into data rendered on dashboards or details pages. When administrators or users load those pages, the injected code runs automatically in their browser.

Because the injected payload persists in the backend and executes on page load, the risk extends beyond simple defacement. Exploitation can lead to theft of credentials or session cookies, unauthorized access, impersonation of privileged users, manipulation of monitoring data, and even exposure of sensitive infrastructure or application details.

To remediate this vulnerability, upgrade Apache SkyWalking to version 10.3.0 or later, the release that contains the fix. Until the upgrade is applied, all deployments running vulnerable versions should treat exposed SkyWalking dashboards as high-risk, restrict external access, and monitor for suspicious script injection or abnormal dashboard entries.

4. Django SQL Injection (CVE-2025-64459)

CVE-2025-64459 is a SQL injection vulnerability in Django's ORM. QuerySet.filter(), QuerySet.exclude(), QuerySet.get() and the Q() class accept a _connector keyword argument that selects how the supplied lookups are joined (AND or OR). Before the fix that value was not validated, so an application that expands a user-controlled dictionary into one of these calls (for example filter(**request.GET.dict())) lets an attacker supply a _connector key and splice arbitrary SQL into the generated WHERE clause.

Because the flaw sits in the ORM itself, every deployment of Django 4.2 before 4.2.26, 5.1 before 5.1.14, and 5.2 before 5.2.8 that passes untrusted keyword arguments to these methods is affected. A successful injection can read, modify, or destroy data, up to total database compromise.

To remediate the risk, upgrade to Django 4.2.26, 5.1.14, or 5.2.8 (or later); these releases validate the connector value. Independently of the upgrade, never expand a raw request dictionary into an ORM call; allowlist the field names you accept before the expansion.
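To make the mechanism concrete without a Django install, here is a small stand-in that mimics the shape of Q(*args, _connector=..., **kwargs): a named parameter that a dictionary expansion can hijack. This is an added example, not Django's code and not the actual vulnerable code path; the where_clause and safe_filters helpers, the users table and the attack dictionary are all constructed for illustration. SQLite is used so the effect of the injected connector is visible in returned rows.

```python
import sqlite3

ALLOWED_CONNECTORS = {"AND", "OR"}


def where_clause(validate, _connector="AND", **lookups):
    """Toy stand-in for Q(**kwargs): one 'column = ?' per lookup, joined by
    _connector. Because _connector is a named parameter, a caller that
    expands a user-controlled dict (filter(**request.GET.dict())) lets the
    user choose it. validate=False reproduces the pre-fix behaviour (the
    connector is spliced into SQL verbatim); validate=True models the fix."""
    if validate and _connector not in ALLOWED_CONNECTORS:
        raise ValueError(f"invalid connector {_connector!r}")
    fragments, params = [], []
    for column, value in lookups.items():
        if not column.isidentifier():
            raise ValueError(f"invalid column {column!r}")
        fragments.append(f"{column} = ?")      # values are always bound parameters
        params.append(value)
    return "(" + f" {_connector} ".join(fragments) + ")", params


def find_users(conn, filters, validate=True):
    """The application code path: expand a request dictionary into the query."""
    clause, params = where_clause(validate, **filters)
    rows = conn.execute("SELECT username FROM users WHERE " + clause, params)
    return sorted(row[0] for row in rows)


def safe_filters(user_dict, allowed_fields):
    """Application-level hardening that works on any Django version: keep only
    allowlisted field names, which drops _connector, _negated and anything
    else an attacker adds to the dictionary."""
    return {k: v for k, v in user_dict.items() if k in allowed_fields}


def demo_db():
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 1), ("carol", 0)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    honest = {"username": "alice", "is_active": 1}
    # Attacker adds a key that lands in the _connector parameter, not in lookups:
    # generated SQL becomes (username = ? OR 1=1 OR is_active = ?)
    attack = {"username": "alice", "is_active": 1, "_connector": "OR 1=1 OR"}
    print("honest query:", find_users(conn, honest))
    print("pre-fix ORM: ", find_users(conn, attack, validate=False))
    print("allowlisted: ", find_users(conn, safe_filters(attack, {"username", "is_active"})))
```

The values stay parameterized throughout; the injection works purely through the SQL keyword that joins the conditions, which is why parameter binding alone did not prevent it.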

5. Apache Tomcat Path Traversal (CVE-2025-55752)

CVE-2025-55752 is a path traversal vulnerability in Apache Tomcat. The Apache Tomcat advisory describes the root cause as a regression in which a rewritten URL was normalized before it was decoded; where rewrite rules rewrote query parameters into the URL, an attacker could manipulate the request URI to bypass security constraints, including the built-in protection of /WEB-INF/ and /META-INF/, and, if HTTP PUT was also enabled, extend that into a malicious file upload. Because Tomcat is among the most widely deployed application servers in web infrastructure, automated scanning and exploitation campaigns can identify and target exposed instances at scale.

Attackers exploit the vulnerability with encoded traversal sequences (for example an encoded separator after "..") that survive normalization and only become a real "../" when the path is decoded afterwards, tricking the server into serving content from outside the intended location and potentially exposing configuration files, credentials, or other sensitive resources.

To remediate, upgrade to a Tomcat release that contains the fix (the Apache Tomcat security pages list the fixed 9.0.x, 10.1.x, and 11.0.x versions), and review which rewrite rules are in use and whether PUT is enabled. As defense in depth, decode each inbound path exactly once and normalize it before any authorization check, and add gateway-level inspection for encoding abuse and path-manipulation patterns. Until patched, any Tomcat instance that uses rewrite rules and is exposed to untrusted networks remains at risk.
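The ordering bug class is easiest to see side by side. The example below is added here and is not Tomcat code; it models a guard that protects /WEB-INF/ and /META-INF/ in two ways: the broken order (normalize, then decode) and the hardened order (decode once, reject leftovers, canonicalize by hand, then guard). The helper names and the assumption that any segment equal to WEB-INF or META-INF is protected are this example's.

```python
import posixpath
from urllib.parse import unquote

# Directories the guard must never let a request reach.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def is_protected(path):
    return any(seg.lower() in PROTECTED_DIRS for seg in path.split("/"))


def served_path_wrong_order(raw_path):
    """The bug class: normalize first, decode afterwards. The guard inspects a
    normalized-but-still-encoded path, so '..%2f' does not look like a
    traversal; decoding then turns it into a real '../'. Returns the path the
    server would go on to serve, or None if the guard blocked it."""
    normalized = posixpath.normpath(raw_path)
    if is_protected(normalized):
        return None
    return unquote(normalized)


def served_path(raw_path):
    """Hardened order: decode exactly once, refuse anything that still looks
    encoded or non-canonical, canonicalize segment by segment (so climbing
    above the root is an error rather than silently clamped), then guard."""
    if not raw_path.startswith("/"):
        return None
    decoded = unquote(raw_path)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None                      # double encoding, backslash, NUL
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None              # attempted escape above the web root
            segments.pop()
        else:
            segments.append(seg)
    canonical = "/" + "/".join(segments)
    if is_protected(canonical):
        return None
    return canonical


if __name__ == "__main__":
    probe = "/app/..%2fWEB-INF/web.xml"   # constructed probe request
    print("wrong order serves:", served_path_wrong_order(probe))
    print("hardened serves:   ", served_path(probe))
```

Rejecting any residual "%" after one decode is deliberately strict: it refuses double-encoded traversal (..%252f) outright instead of guessing how many times a downstream component will decode.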

6. Microsoft WSUS Deserialization RCE (CVE-2025-59287)

CVE-2025-59287 is a critical remote code execution vulnerability in Windows Server Update Services (WSUS) caused by unsafe deserialization of untrusted data sent to WSUS web service endpoints. Because WSUS operates as a trusted update distribution system, compromise of this service can undermine endpoint integrity across an enterprise environment. Exploitation has involved sending specially crafted requests that trigger the vulnerable deserialization process, allowing unauthenticated attackers to execute arbitrary code on the WSUS server.

Microsoft addressed the vulnerability through an out-of-band security update, and organizations running WSUS must apply the provided patch immediately to remediate exposure. Until updates are fully deployed, restricting access to WSUS endpoints helps contain exposure and prevents attackers from reaching vulnerable services during the patching window.

7. Oracle E-Business Suite BI Publisher RCE (CVE-2025-61882)

CVE-2025-61882 is a critical unauthenticated remote code execution vulnerability in the BI Publisher integration component of Oracle E-Business Suite, where crafted HTTP requests can abuse vulnerable endpoints to execute arbitrary commands on the application server. The vulnerability has been associated with active exploitation, including ransomware campaigns targeting exposed EBS environments.

This vulnerability is particularly dangerous because Oracle EBS supports essential business functions such as payroll, finance, procurement, and HR operations, meaning successful exploitation can result in full system compromise, data exposure, and severe business disruption. Attacks involve sending specially crafted requests to BI Publisher integration endpoints that do not require authentication, leading directly to server-side command execution.

To remediate the risk, Oracle released an emergency patch for affected E-Business Suite versions (12.2.3 through 12.2.14), and organizations must apply this vendor update immediately to eliminate exposure. Any environment that has not yet applied the update continues to face immediate risk, especially given the active exploitation associated with this vulnerability.

8. Adobe Commerce (Magento) “SessionReaper” (CVE-2025-54236)

CVE-2025-54236, commonly referred to as SessionReaper, is an improper input validation vulnerability in Adobe Commerce and Magento Open Source affecting versions 2.4.9-alpha2 and earlier. It lies in session handling within the Commerce REST API and allows unauthenticated attackers to manipulate session data, leading to customer session hijacking and account takeover and, in some cases, to remote code execution on the backend.

Given Magento’s role in processing payments and managing customer and order data, exploitation presents a serious risk to both financial transactions and sensitive customer information.

Adobe addressed the vulnerability through an out-of-band security update (hotfix) issued under bulletin APSB25-88. Organizations that delay applying the fix leave their Commerce installations exposed during a period when attackers are actively probing for this weakness.

9. WinRAR Directory Traversal (CVE-2025-8088)

CVE-2025-8088 is a path traversal vulnerability in WinRAR's extraction routine: a crafted archive can carry entry names that cause files to be written outside the chosen extraction directory, letting an attacker drop an executable into a location such as a user's Startup folder. In-the-wild samples reportedly hid the traversal inside NTFS alternate data stream names, so the visible file list looked harmless. Given WinRAR's global user base, the lack of an automatic update mechanism, and the availability of public exploit tools, this vulnerability represents a large-scale exploitation opportunity.

Attackers exploit this by sending or distributing specially crafted .rar files; once a user extracts them, the payloads are silently placed outside the chosen extraction path, enabling unauthorized code deployment or execution the next time the dropped location is used.

To mitigate this risk, update WinRAR to version 7.13 or later (because WinRAR does not update itself, the new build has to be rolled out deliberately), enforce rigorous email attachment scanning, inspect archive entry names before extraction, and deploy endpoint behavior monitoring that watches for unexpected file writes or executable drops originating from archive extraction processes.
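"Inspect archive contents before extraction" in practice means checking every entry name for the ways it can escape the target directory on Windows. The example below is added here and is not WinRAR code or an Indusface tool; it uses the standard-library zip module as a stand-in container (a RAR reader would supply the same entry names), and the sample archive and its entry names are constructed for illustration, not taken from any real exploit.

```python
import io
import re
import zipfile

# Drive letter ("C:"), UNC ("\\server") or rooted ("/", "//") prefixes.
ABSOLUTE_PREFIX = re.compile(r"^(?:[A-Za-z]:|\\\\|//|/)")


def member_is_unsafe(name):
    """Return a reason if this archive entry name could write outside the
    extraction directory under Windows path semantics, else None."""
    if "\x00" in name:
        return "NUL byte in name"
    if ABSOLUTE_PREFIX.match(name):
        return "absolute path"
    # NTFS alternate data streams ('file.txt:stream'): the stream part is a
    # free-form string that may itself carry '..\\', so refuse ':' outright.
    if ":" in name:
        return "alternate data stream"
    depth = 0
    for segment in name.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return "traverses above extraction directory"
        elif segment not in ("", "."):
            depth += 1
    return None


def unsafe_members(archive_bytes):
    """Inspect every entry name before extracting anything; returns [(name, reason)]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            reason = member_is_unsafe(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


# Constructed entry names for the sample archive (assumed, not from a real sample).
STARTUP_NAME = "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe"
ADS_NAME = "notes.txt:..\\..\\Startup\\update.exe"
DRIVE_NAME = "C:\\Users\\Public\\update.exe"


def build_sample_archive():
    """Two benign entries and three that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"benign")
        zf.writestr("docs/readme.txt", b"benign")
        zf.writestr(STARTUP_NAME, b"MZ")
        zf.writestr(ADS_NAME, b"MZ")
        zf.writestr(DRIVE_NAME, b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_archive()):
        print(f"REFUSE {name!r}: {reason}")
```

The depth counter allows "reports/../summary.txt" (it never leaves the target) while refusing a leading "..", which keeps false positives low on archives produced by ordinary tools; a stricter policy that refuses any ".." at all is also defensible.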

10. Trend Micro Apex One Command Injection (CVE-2025-54948)

CVE-2025-54948 is a command injection vulnerability in the on-premises Apex One Management Console caused by improper input validation that allows remote attackers to execute operating system commands on the server. Because the console serves as the centralized control layer for endpoint security operations, successful exploitation exposes highly privileged administrative workflows across managed environments.

To remediate the vulnerability, Trend Micro released a temporary mitigation utility (FixTool_Aug2025) followed by a permanent critical patch that fully addresses the vulnerability. Organizations running affected on-prem versions remain exposed until these vendor updates are applied, while cloud-managed deployments were mitigated directly by Trend Micro.

11. Adobe AEM Forms OGNL Injection (CVE-2025-54253)

CVE-2025-54253 is a pre-authentication vulnerability affecting Adobe AEM Forms on JEE (versions 6.5.23.0 and earlier), where a misconfigured Struts2 dev mode leaves a debug servlet such as /adminui/debug exposed. This allows attackers to send crafted HTTP requests containing malicious OGNL expressions, which are evaluated without proper validation and result in arbitrary server-side code execution. Because AEM Forms commonly powers public-facing portals and document workflows, exploitation can lead to full compromise of exposed application servers and sensitive business or user data. Public proof-of-concept exploits have been released for this vulnerability.

To remediate the vulnerability, Adobe issued a security update under bulletin APSB25-82, requiring customers to upgrade AEM Forms on JEE to version 6.5.0-0108 or later. Until updates are deployed, organizations should ensure that vulnerable debug endpoints are not publicly accessible and restrict network access to affected servers to reduce exposure.

12. Microsoft SharePoint Deserialization RCE (CVE-2025-53770)

CVE-2025-53770 is an unauthenticated RCE vulnerability in Microsoft SharePoint caused by unsafe handling of serialized data. Because SharePoint hosts sensitive internal documents and collaboration workflows, exploitation enables attackers to gain server-level access and expose internal business data. Microsoft confirmed active exploitation involving malicious serialized payloads sent to vulnerable SharePoint endpoints.

To remediate the vulnerability, Microsoft released security updates for all affected SharePoint Server editions, including Subscription Edition, 2019, and 2016. Organizations must apply these patches immediately to eliminate exposure. Microsoft also recommends restricting unnecessary public access to SharePoint servers until updates are fully deployed. SharePoint deployments that have not yet applied the official security updates remain exposed to malicious payload delivery attempts until patched.

13. SAP NetWeaver Unrestricted File Upload (CVE-2025-31324)

CVE-2025-31324 is an unauthenticated file-upload vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer, caused by missing authorization checks on the /developmentserver/metadatauploader endpoint. This allows attackers to upload arbitrary files, including web shells or executable payloads, directly to the server. Because SAP NetWeaver supports core business systems, successful exploitation can lead to full application server compromise, exposure of sensitive business data, manipulation of workflows, and persistent attacker access.

Security researchers confirmed active exploitation in the wild, with attackers deploying web shells and achieving remote code execution on both Windows and Linux NetWeaver installations.

To remediate the vulnerability, SAP released an emergency security patch in April 2025, and organizations must apply the updated SAP build immediately. Servers that have not installed the updated SAP build continue to be exposed to unauthorized file uploads and potential server takeover until the fix is in place.

Best Practices to Prevent Zero-Day Attacks

Preventing zero-day attacks requires reducing exposure in real time and strengthening controls around every publicly accessible application and API.

  1. Maintain continuous visibility across all public-facing assets to ensure no endpoint or shadow component remains outside security controls.
  2. Detect exploit behavior in live traffic such as injection, traversal, unsafe deserialization, or malformed queries rather than relying solely on signatures or CVE data.
  3. Apply virtual patching to block exploit methods at the application layer and close the risk window before code-level fixes are deployed.
  4. Conduct continuous vulnerability testing to confirm which weaknesses are actually exploitable in production and to focus remediation on real business risk.
  5. Enforce strict access controls and least-privilege permissions to minimize the blast radius if a zero-day is exploited.
  6. Isolate critical services and segment networks so attacks cannot easily move laterally across systems.
  7. Use anomaly detection to flag unusual traffic patterns, request spikes, or behavior deviations that may indicate early-stage exploitation.
  8. Keep dependencies, libraries, and frameworks continuously updated to reduce the number of latent vulnerabilities attackers can target.
  9. Implement robust logging and centralized monitoring to ensure rapid visibility into suspicious activity and failed exploitation attempts.
  10. Establish an incident response playbook that outlines immediate containment steps for zero-day scenarios.

How AppTrana Protects Against CVEs and Zero-Day Threats

AppTrana WAAP uses an AI-driven detection engine that continuously analyzes live traffic to identify exploit behavior in real time. Instead of relying solely on CVE signatures, AI models evaluate patterns such as injection attempts, traversal manipulation, unsafe deserialization flows, malformed queries, and deviation-based signals that indicate emerging attacks. By focusing on how exploits behave, AppTrana can stop zero-day threats long before official disclosures or signatures become available.

Beyond request-level detection, AppTrana incorporates an AI-powered vulnerability intelligence platform that monitors the evolving threat landscape across diverse global feeds. The system automatically filters noise, prioritizes vulnerabilities relevant to application security, analyzes proof-of-concept exploit availability, and evaluates virality and likely impact. This allows the platform to flag high-risk zero-days early, enabling rapid defensive action without waiting for traditional advisories.

Virtual patching further strengthens this protection by shielding vulnerable components at the application edge, ensuring that exploit methods are blocked immediately while internal teams work on remediation safely and without operational pressure. This closes the exposure window created during patch testing and deployment cycles where most successful zero-day attacks occur.

AppTrana’s managed security operations team complements the AI engine by validating exploit attempts observed across the global customer base, analyzing attacker techniques, and creating and deploying custom rules that block exploitation paths rapidly, even for vulnerabilities that are new, evolving, or not yet widely understood. As a result, AppTrana WAAP maintains out-of-the-box coverage for almost all major CVEs, including newly disclosed ones and those already being actively exploited in the wild.

In essence, AppTrana provides a unified security layer that reinforces applications against both disclosed vulnerabilities and those still unknown. By combining behavior-based detection, virtual patching, continuous monitoring, and expert-managed threat response, AppTrana ensures that organizations remain resilient even when the next zero-day emerges without warning.

Want to keep up with the latest vulnerabilities, patches, and AppTrana’s protection updates? Our Security Bulletin Hub has you covered.

Vinugayathri Chinnasamy, Senior Content Writer

Vinugayathri is a dynamic marketing professional specializing in tech content creation and strategy. Her expertise spans cybersecurity, IoT, and AI, where she simplifies complex technical concepts for diverse audiences. At Indusface, she collaborates with cross-functional teams to produce high-quality marketing materials, ensuring clarity and consistency in every piece.
