Year in Review: Vulnerabilities old and new and something React2

The year was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of 2025.

Speed and age shouldn’t be allowed to pair up, but that is the theme of the  Talos 2025 Year in Review  vulnerability findings. Figure 1. React/React2Shell (2025) at the top, with PHPUnit (2017) and Log4j (2021) following up. The year was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e. g. , Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of 2025.

 Agentic AI's capacity for building and deploying new proofs-of-concepts and exploit kits lowered attacker time-to-exploit, and the landscape shifted for defenders.   “The speed at which these CVEs climbed into the top tier reflects a larger systemic challenge: Newly disclosed vulnerabilities in widely deployed software can generate significant, organization-wide impact long before typical patch cycles catch up, leaving defenders with small reaction windows and escalating consequences for even short-lived exposure.

” – 2025 Talos Year in Review Top-targeted infrastructure  Outdated infrastructure continues to expand the attack surface.  Components like PHPUnit, ColdFusion, and Log4j are often embedded within applications, tightly coupled to legacy applications.  Technologies age quickly, and companies are under pressure to adopt first, ask questions later. Low-use systems in a network can fossilize, unnoticed and unpatched. Others become mainstays that often cannot be swapped out or even patched without destabilizing an organization.