2025 had some brutal zero-days. Here's a post-mortem on the year's most impactful vulnerabilities and the lessons that should change how you build.
A zero-day is a vulnerability that:
The "zero" refers to the days the vendor has had to fix it: zero.
Buffer overflows, use-after-free, and heap corruption remain the bread and butter of zero-days. This is why Rust is being adopted for security-critical code.
Multiple enterprise VPN, firewall, and remote access products had auth bypass vulnerabilities that allowed unauthenticated attackers to gain admin access.
Chrome's V8 and Firefox's SpiderMonkey had multiple type confusion bugs that could achieve code execution through a malicious webpage.
Supply chain attacks through GitHub Actions, npm packages, and Docker images were a consistent theme throughout 2025.
# Run dependency audits regularly
npm audit
pip-audit
cargo audit
# Enable automated security PRs
# GitHub Dependabot, Snyk, or similar
# Pin your dependencies
package-lock.json / yarn.lock / Cargo.lockExploitation of public CVEs went from average 15 days (2021) to under 48 hours (2025). The time between "vulnerability published" and "actively exploited" is now basically nothing.
Lesson: Automate your patching. Manual updates are too slow.
Despite all the sophisticated zero-days, the majority of successful attacks in 2025 used:
Boring, unsexy, effective.