While thousands of security flaws are reported every year, a new investigation has found that the vast majority are never actually used. Instead, a small group of “routinely targeted” flaws are doing almost all the damage.
The 2026 Exploit Intelligence Report, released today by the research firm VulnCheck, provides a detailed look at how attackers behaved over the past year. According to researchers, of the 48,000 security flaws (CVEs) reported in 2025, a mere 1% were actually used in real-world attacks. However, those few flaws were hit with incredible speed and force.
Key CVEs Under Fire: The Routinely Targeted List
The research, which was shared exclusively with Hackread.com, identifies the specific flaws that have become favourites for hackers. Topping the list is React2Shell (CVE-2025-55182), which allows attackers to bypass security on popular web platforms. Some groups attempted to use this flaw within hours of its discovery.
Business software is also under heavy fire. Flaws in Microsoft SharePoint (CVE-2025-53770) and SAP NetWeaver (CVE-2025-31324) were among the most abused. For the SAP flaw, the timeline is surprising because hackers were spotted poking at it in January 2025, three months before it was officially reported.
Many of these attacks are zero-days, which means the victims are hit before a fix is even available. In fact, 56.4% of ransomware-linked flaws were first identified through these surprise attacks.
Jacob Baines, Chief Technology Officer at VulnCheck, noted that while the number of targeted flaws is small, “those vulnerabilities are being weaponised faster and at greater scale.”
Global Rivals and Ransomware Gangs
The report also sheds light on who exactly is pulling the strings. China-linked threat actors saw a massive 52% increase in activity last year, even as overall activity from named state groups fell by 13%. Meanwhile, activity from Iranian groups declined. It isn’t just government groups making moves. Notorious ransomware families like Cl0p, DragonForce, Earth Lamia, and RomCom remain highly active. These groups now specifically target initial access points to steal data more effectively.
The Rise of AI Slop
In 2025, VulnCheck tracked over 14,400 exploits for roughly 10,480 unique flaws, a 16.5% increase from the previous year. Much of this surge is due to AI-generated slop, which refers to fake or broken code created by AI. While this code often doesn’t work, it floods the internet with false signals, making it harder for human defenders to spot real threats.
The danger remains immediate: last year, 884 vulnerabilities were added to the firm’s known exploited dataset, and nearly half of them were brand-new discoveries from 2025. About one-third of ransomware-linked flaws still had no public fix available by the start of 2026.
In the end, the report suggests that while we are discovering more flaws than ever, our ability to fix them isn’t keeping up with the speed of the criminals.



