The year stood out for the number of severe zero-day vulnerabilities, in which attackers compromised systems before the vulnerabilities were publicly disclosed and retained access even after patches were applied. Attackers also continued to exploit vulnerabilities known for years that remained unpatched. Increasingly, and with greater specificity, attention has focused on state-backed groups that search for and exploit vulnerabilities in critical infrastructure systems.
Vulnerability of the year: React2Shell
The most serious and wide-reaching vulnerability discovered in 2025 was the flaw disclosed in early December, which became known as React2Shell (CVE-2025-55182).
This remote code execution vulnerability affects React Server Components and allows an attacker to gain control of a vulnerable server with relative ease. Its impact is exceptionally broad because React is widely used on web servers, including web services, administrative panels and application programming interfaces (APIs). Several groups began targeting servers vulnerable to React2Shell within hours of its disclosure.
Network devices under fire in Estonia
Last year saw the discovery of zero-day vulnerabilities in several network devices, alongside attacks exploiting older, unpatched flaws. Users of FortiGate, Cisco and Ivanti devices all had cause for concern as a result.
At the beginning of the year, it emerged that VPN devices using Ivanti Connect Secure software at two Estonian state authorities had been compromised. The attackers most likely exploited zero-day vulnerabilities (CVE-2025-0282 and CVE-2025-0283), compromising the devices before security updates were released. Later in the year, a new zero-day vulnerability (CVE-2025-20393) affecting Cisco network devices was found in Estonia.
In spring, malware was distributed through the systems of an Estonian library. Analysis of the incident showed that attackers gained access because security vulnerabilities in both the email server and the web content management software had not been patched, and the products had long reached the end of their supported life.
Several websites using WordPress were compromised. At Laagri School, for example, the new school year began with the compromise of the school’s website: shortly after midnight, a script was launched via outdated WordPress software, blocking access to the site. The homepage displayed a login window requesting a username and password.
Ransomware attack exploiting an unpatched vulnerability
In autumn, an employee at an Estonian company discovered that a server had been encrypted, and a ransom demand was displayed on the screen. Analysis revealed that the attackers had gained access by exploiting a vulnerability that had been patched in August 2024. Unfortunately, the company had failed to install the relevant security update in time. As a result, attackers gained access to the system in spring 2025 and deployed ransomware in autumn.
How to protect yourself against the exploitation of vulnerabilities
- Keep the operating systems, firmware, applications and other software on all your systems up to date.
- Replace devices and software that have reached the end of their supported life and no longer receive security updates from the manufacturer.
- Protect your network and administrative interfaces. Use VPNs and restrict access to devices, especially system management interfaces, to specified IP addresses only.
- Configure and monitor system logs and deploy monitoring tools so that anomalies are detected and incidents can be addressed quickly.
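The third and fourth recommendations above can be combined into a simple check: restrict administrative interfaces to a fixed set of source addresses, then scan web-server logs for any request to those interfaces that did not come from that set. The script below is an added illustration and is not code from the report or from any of the products it mentions; the allowlist networks, the administrative path prefixes and the sample log lines are all constructed assumptions (addresses are taken from the reserved documentation ranges).

```python
"""Allowlist check for management-interface access, run over web-server logs.

Added example: the allowlist, admin paths, log format and sample lines are
constructed assumptions and are not taken from the report.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: only these networks may reach administrative interfaces
# (the report recommends restricting management access to specified IPs).
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("192.0.2.0/24"),     # constructed: office range
    ipaddress.ip_network("198.51.100.7/32"),  # constructed: VPN egress address
]

# Assumption: request paths that count as administrative interfaces here.
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php", "/admin", "/api/admin")

# Combined-log-style line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_admin_path(path):
    """True if the request path belongs to an administrative interface."""
    return any(path.startswith(prefix) for prefix in ADMIN_PREFIXES)


def ip_allowed(ip_str):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # an unparsable client address is never allowed
    return any(addr in net for net in ADMIN_ALLOWLIST)


def check_log(lines):
    """Return Findings for admin-interface requests from outside the allowlist.

    A 2xx/3xx status on such a request means the restriction is not actually
    enforced at the server or firewall, which is the more urgent finding.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]) or ip_allowed(rec["ip"]):
            continue
        status = int(rec["status"])
        reason = "admin request from outside allowlist"
        if status < 400:
            reason += " (succeeded: access control is not enforced)"
        findings.append(Finding(rec["ip"], rec["path"], status, reason))
    return findings


# Constructed sample log lines; all addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.15 - - [01/Sep/2025:00:03:11 +0300] "GET /wp-admin/ HTTP/1.1" 200 512',
    '203.0.113.44 - - [01/Sep/2025:00:04:02 +0300] "POST /wp-login.php HTTP/1.1" 200 1034',
    '203.0.113.44 - - [01/Sep/2025:00:04:05 +0300] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Sep/2025:00:05:40 +0300] "GET /admin/users HTTP/1.1" 200 870',
    '203.0.113.99 - - [01/Sep/2025:00:06:12 +0300] "GET /api/admin/config HTTP/1.1" 403 120',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"{f.ip} {f.path} {f.status}: {f.reason}")
```

Run against the constructed sample, the check reports two lines: a successful login-page request from an address outside the allowlist (the restriction is not enforced) and a rejected request to the API admin path (the restriction held, but the attempt is still worth recording). Requests from the office range and the VPN address, and requests to non-administrative paths, produce nothing.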
The European Union Vulnerability Database launched
On 25 May, the European Union Vulnerability Database (EUVD) was launched and made public. The database is managed by the European Union Agency for Cybersecurity (ENISA). It aims to consolidate information relevant from an EU perspective on vulnerabilities, their impact, exploitation and mitigation measures.
In 2025, questions arose over the funding and long-term continuity of the Common Vulnerabilities and Exposures (CVE) system’s vulnerability databases – cve.org and the National Vulnerability Database (NVD), managed by the US National Institute of Standards and Technology (NIST). As of year-end, the CVE system and its databases remained operational, but the EUVD can serve as an alternative if needed.
Last updated: 11.02.2026