Kaspersky’s latest report confirms that the first half of 2025 was marked by a significant rise in exploits targeting both Windows and Linux systems. The number of critical vulnerabilities recorded also reached historic highs, fueling increasingly sophisticated cyberattack campaigns.
Data published by Kaspersky in their report Exploits and Vulnerabilities in Q2 2025 reveals a concerning trend: both Linux and Windows users have become more exposed to attacks based on vulnerabilities compared to 2024.
According to cve.org, the official CVE registry, early 2024 saw about 2,600 new CVEs per month, whereas in 2025 the figure has already surpassed 4,000 per month, with a notable increase in those rated critical (CVSS base score 9.0 or higher).
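The monthly totals and the critical subset quoted above can be reproduced from the CVE JSON 5.x records that cve.org publishes. The following is an added example (not code from the Kaspersky report or the article): it reads the `cveMetadata.datePublished` date and the CVSS v3.x `baseScore` values from the `cna` and `adp` containers of each record, skips records that are not in the `PUBLISHED` state, and tallies per-month totals and critical counts. The records in `sample_records()` are constructed placeholders with non-real CVE IDs, used only to exercise the logic.

```python
"""Tally CVE records per month and count the 'critical' ones (CVSS v3.x >= 9.0).

Added example; the field layout follows the CVE JSON 5.x record format used by
cve.org (cveMetadata.datePublished, containers.cna.metrics[].cvssV3_1.baseScore,
containers.adp[].metrics[]...). The sample records are constructed, not real CVEs.
"""
from collections import defaultdict

CRITICAL_THRESHOLD = 9.0  # CVSS v3.x "Critical" band is 9.0 - 10.0


def max_cvss_v3_score(record):
    """Return the highest CVSS v3.0/3.1 base score found in a record, or None.

    A record may carry scores from the CNA and from one or more ADP entries
    (e.g. an enrichment party); the highest one is used for the severity band.
    """
    containers = record.get("containers", {})
    metric_lists = [containers.get("cna", {}).get("metrics", [])]
    for adp in containers.get("adp", []):
        metric_lists.append(adp.get("metrics", []))
    best = None
    for metrics in metric_lists:
        for metric in metrics:
            for key in ("cvssV3_1", "cvssV3_0"):
                score = metric.get(key, {}).get("baseScore")
                if score is not None and (best is None or float(score) > best):
                    best = float(score)
    return best


def monthly_counts(records):
    """Return {"YYYY-MM": (total_published, critical)} sorted by month.

    Only PUBLISHED records count; REJECTED records (withdrawn IDs) are skipped so
    they do not inflate the monthly totals.
    """
    totals = defaultdict(int)
    critical = defaultdict(int)
    for rec in records:
        meta = rec.get("cveMetadata", {})
        if meta.get("state") != "PUBLISHED":
            continue
        month = meta["datePublished"][:7]  # "2025-03-04T12:00:00.000Z" -> "2025-03"
        totals[month] += 1
        score = max_cvss_v3_score(rec)
        if score is not None and score >= CRITICAL_THRESHOLD:
            critical[month] += 1
    return {m: (totals[m], critical[m]) for m in sorted(totals)}


def _make_record(cve_id, published, state="PUBLISHED", cna_score=None, adp_score=None):
    """Build a minimal CVE JSON 5.x-shaped record (placeholder IDs, constructed data)."""
    cna = {"metrics": [{"cvssV3_1": {"baseScore": cna_score}}]} if cna_score is not None else {}
    adp = [{"metrics": [{"cvssV3_1": {"baseScore": adp_score}}]}] if adp_score is not None else []
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.1",
        "cveMetadata": {"cveId": cve_id, "state": state, "datePublished": published},
        "containers": {"cna": cna, "adp": adp},
    }


def sample_records():
    """Constructed sample: five placeholder records across two months (not real CVEs)."""
    return [
        _make_record("CVE-0000-0001", "2025-03-04T12:00:00.000Z", cna_score=9.8),
        _make_record("CVE-0000-0002", "2025-03-11T08:30:00.000Z", cna_score=7.5),
        _make_record("CVE-0000-0003", "2025-03-20T10:00:00.000Z", state="REJECTED", cna_score=9.9),
        # CNA gave no score; the ADP enrichment did, and it is critical.
        _make_record("CVE-0000-0004", "2025-04-02T09:15:00.000Z", adp_score=9.1),
        _make_record("CVE-0000-0005", "2025-04-24T16:45:00.000Z", cna_score=10.0),
    ]


if __name__ == "__main__":
    for month, (total, crit) in monthly_counts(sample_records()).items():
        print(f"{month}: {total} published, {crit} critical")
```

Pointed at a directory of real records (one JSON file per CVE, as in the public cvelistV5 repository), the same two functions give the per-month series the article cites; the REJECTED check and the ADP fallback matter in practice, since a sizeable share of records carry their only CVSS score in an ADP container.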
Windows and Linux in the crosshairs
Alexander Kolesnikov, a security expert at Kaspersky, states that exploits in 2025 are especially concentrated on operating systems:
- 64% of attacks targeted critical vulnerabilities in Windows and Linux.
- 29% targeted third-party applications.
- 7% targeted browsers.
In the case of Windows, old vulnerabilities in Microsoft Office components such as Equation Editor continue to be exploited, along with a flaw in WinRAR and NTLM credential (hash) leakage through File Explorer. Notable examples include:
- CVE-2018-0802 and CVE-2017-11882: remote code execution in Equation Editor.
- CVE-2023-38831: a flaw in WinRAR still widely exploited.
- CVE-2025-24071: a File Explorer flaw that leaks NTLM hashes, used to capture credentials.
For Linux, three vulnerabilities continue to be heavily exploited:
- CVE-2022-0847 (Dirty Pipe): allows privilege escalation.
- CVE-2019-13272: a privilege inheritance flaw.
- CVE-2021-22555: a heap buffer overflow in Netfilter (x_tables) that attackers turn into a use-after-free condition to escalate privileges.
Kolesnikov warns that in the second quarter of 2025, the number of Linux users affected by exploits was more than 50% higher than during the same period in 2024. Windows also saw notable increases: a 25% rise in Q1 and an 8% increase in Q2 compared to the previous year.
The evolution of APT attacks
The report also highlights that Advanced Persistent Threats (APTs) continue to exploit both zero-day vulnerabilities and known flaws, used for initial access and privilege escalation.
Among exploits linked to APT attacks in 2025, critical vulnerabilities are seen in remote access platforms, office applications, and low-code/no-code development tools, as well as a flaw in an AI-powered application framework, underscoring how attackers keep pace with emerging technological trends.
The role of C2 frameworks
Attacker groups use command and control (C2) frameworks such as Sliver, Metasploit, Havoc, and Brute Ratel C4, which automate post-exploitation tasks. These frameworks cover everything from command execution to persistence on compromised systems.
In this landscape, critical vulnerabilities such as:
- CVE-2025-31324 (SAP NetWeaver, CVSS 10.0)
- CVE-2024-1709 (ConnectWise ScreenConnect, CVSS 10.0)
- CVE-2025-33053 (Windows WebDAV, remote code execution)
have been combined with C2 frameworks to execute highly effective and hard-to-detect attacks.
More CVEs, more threats
The rapid growth in vulnerabilities poses a critical challenge for organizations. Thousands of security flaws emerge each month, and attackers quickly exploit those that remain unpatched or unmitigated.
Kaspersky’s conclusion is clear:
“The increase in critical vulnerabilities and the rising number of users impacted by exploits reinforce the need to apply patches quickly, implement advanced detection solutions, and strengthen endpoint and server security processes.”
Frequently Asked Questions about Exploits and Vulnerabilities in 2025
1. Why have exploits in Linux and Windows increased in 2025?
The growth in critical vulnerabilities and the continued exploitation of old, unpatched flaws explain the upward trend. Additionally, Linux has gained more presence in enterprise and user environments, making it a more attractive target.
2. What are the most exploited vulnerabilities in Windows?
Primarily old flaws in Microsoft Office (Equation Editor), the WinRAR vulnerability, and system flaws used to steal NTLM credentials.
3. And in Linux, what are the most common exploits?
Dirty Pipe (CVE-2022-0847), CVE-2019-13272, and CVE-2021-22555, all related to privilege escalation and highly popular among attackers.
4. What risks do APT attacks pose?
APT groups combine exploits with C2 frameworks to maintain persistence in compromised systems, enabling data theft, lateral movement, and complex espionage or sabotage operations.
5. What measures should companies and users adopt?
- Promptly install security patches.
- Use endpoint protection solutions with advanced detection (EDR/XDR).
- Monitor infrastructure in real-time.
- Educate employees on cybersecurity to reduce social engineering risks.
via: securelist