Report Finds Just 1% of Security Flaws Drive Most Cyberattacks in 2025

While thousands of security flaws are reported every year, a new investigation has found that the vast majority are never actually used. Instead, a small group of “routinely targeted” flaws are doing almost all the damage.

The 2026 Exploit Intelligence Report, released today by the research firm VulnCheck, provides a detailed look at how attackers behaved over the past year. According to researchers, of the 48,000 security flaws (CVEs) reported in 2025, a mere 1% were actually used in real-world attacks. However, those few flaws were hit with incredible speed and force.

Key CVEs Under Fire: The Routinely Targeted List

The research, which was shared exclusively with Hackread.com, identifies the specific flaws that have become favourites for hackers. Topping the list is React2Shell (CVE-2025-55182), which allows attackers to bypass security on popular web platforms. Some groups attempted to use this flaw within hours of its discovery.

Business software ...