Keeping up with the latest vulnerabilities in popular software is crucial for maintaining cybersecurity. Here are some of the most significant and common vulnerabilities that people should be aware of, based on insights from Redditors:

Recent Significant Vulnerabilities

• BYO-Vulnerable Driver Attacks: Ransomware gangs are using Bring Your Own (BYO) Vulnerable Driver accounts for about 20% of attacks. "Ransomware gangs are using BYO-Vulnerable Driver account for about 20% of attacks, too, so if you aren't blocking all vulnerable drivers you have a giant hole in your security."

• Chrome Plug-ins: Malicious Chrome plug-ins are a significant threat, often downloaded from seemingly legitimate sources. "A user googles ‘I want a thing to do a thing’ and the first hit takes them to download a malicious YouTube converter."

• Fortinet/Ivanti Zero Days: Constant zero-day vulnerabilities in Fortinet and Ivanti products are a major concern. "What about the constant Fortinet/Ivanti zero days. Feels like it’s almost every month there's a new one to panic about."

• Microsoft Office Zero-Day: A security feature bypass vulnerability in Microsoft Office is being actively exploited. "Microsoft has released updates for all Office version starting with 2016 to fix a zero day vulnerability that is being exploited in the wild."

Common Vulnerabilities

• User Awareness: Poor user awareness and human error remain major security risks. "It’s always people. Shitty passwords, clicking on email links. Modern AI means voices can be simulated to get your CFO to move money."

• Misconfigurations: Default passwords and other misconfigurations are frequently exploited. "The most frequently encountered vuln in real life is misconfigurations... things like not changing the default passwords for example."

• Java Vulnerabilities: Java applications often have numerous vulnerabilities due to the complexity of updating frameworks. "If a company has anything remotely even close to dealing with Java in any way, there are usually so, so many Java vulnerabilities."

• Broken Object Level Authorization: This vulnerability is common in web applications and APIs. "Broken object level authorization. I find it on almost every web app/API test."

• Unpatched Systems: Legacy and unpatched systems are frequently targeted. "Unpatched systems, legacy systems, password reuse, weak passwords, sqli, xss, IDOR, not using 2FA, error handling, etc."

Resources for Tracking Vulnerabilities

• OpenCVE.io: Provides email notifications for CVEs related to specific products and vendors. "I use https://www.opencve.io/ and I'm happy with selecting the products and vendors I'm interested in."

• Exploit-DB.com: A database of exploits that can be used to test for vulnerabilities. "I'll search https://www.exploit-db.com/ for products in our inventory."

• Chinese National Vulnerability Database: Sometimes publishes vulnerabilities earlier than Western databases. "Organizations who operate in China are required by Chinese law to disclose Vulnerabilities to the Chinese government first."

Vendor Practices

• Pay-to-Patch: Some vendors charge for security patches, which can be a contentious issue. "Got this from a vendor today. I opened a ticket with them because of a security bulletin we got that disclosed an RCE vulnerability in their software."

• Contractual Language: Ensure your contracts include clear terms regarding security patches. "What is the contractual language surrounding security patches that you have with this vendor?"

Specific Software Vulnerabilities

• Android Devices: Nearly a billion active Android devices are security targets due to outdated software. "More than 30% of Android users out there are running on devices with Android 13 or older."

• Microsoft Products: Microsoft has the highest number of exploited vulnerabilities among Big Tech companies. "Microsoft reportedly has the highest number of exploited vulnerabilities than any other Big Tech company out there, accounting for 30% of all exploited vulnerabilities."

• Debian Linux: While often perceived as vulnerable, many reported vulnerabilities are due to transparent reporting and extensive package availability. "First of all, this refers to reported vulnerabilities. Second, this doesn't qualify the vulnerability, so there is no sorting by criticality."

Worst Bugs of 2025

• Cloudflare Global Outage: Took down many services like X, ChatGPT, Spotify, etc. "Cloudflare global outage: took down many services like X, ChatGPT, Spotify etc."

• React2Shell: A remote code execution vulnerability in React.js Server Components. "React2Shell (React.js remote code execution): vulnerability in React.js Server Components that exposed thousands/millions of servers."

• Microsoft SharePoint Zero-Day Exploit: Allowed attackers to steal authentication keys. "Microsoft SharePoint Zero-Day Exploit: allowed attackers to steal authentication keys, leading to attacks against government agencies and enterprises."

By staying informed about these vulnerabilities and utilizing available resources, individuals and organizations can better protect themselves from cyber threats.

Software Vulnerability Communities

<<rtjson>>{"c":[{"e":"ra:subreddit","id":"t5_2u559"},{"e":"ra:subreddit","id":"t5_2qrkp"},{"e":"ra:subreddit","id":"t5_2qhy7"},{"e":"ra:subreddit","id":"t5_2s869"},{"e":"ra:subreddit","id":"t5_c9kbd2"},{"e":"ra:subreddit","id":"t5_38tsu"}],"content_type":"subreddit","e":"ra:grid"}<</rtjson>>