Every year brings new software vulnerabilities, but some never seem to go away. Despite patches being available, and many of these flaws appearing in the CISA Known Exploited Vulnerabilities (KEV) catalog, NodeZero® continues to find and exploit them in production environments across industries.
This raises a hard question: if these vulnerabilities are known, published, and actively exploited, why are they still unpatched in 2025?
What makes this year’s findings even more concerning is that every one of the Top 10 CVEs NodeZero exploited so far in 2025 is included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and several were rapidly integrated into NodeZero through our Rapid Response process.
Methodology
Since its launch in 2019, NodeZero has conducted more than 170,000 pentests across industries, environments, and geographies. This scale provides a unique, attacker’s-eye dataset of what’s truly exploitable in the real world.
The vulnerabilities highlighted here represent the most frequently exploited CVEs identified by NodeZero during 2025 assessments. Unlike theoretical scan data, these results confirm real exploitability, which is clear evidence that attackers can, and often do, take advantage of the weaknesses below.
The Top 10 CVEs NodeZero Exploited in 2025
| Number | CVE | Description | KEV Status | KEV Add Date | Instances Exploited by NodeZero |
|---|---|---|---|---|---|
| 1 | CVE-2018-0171 | Cisco IOS/IOS XE Smart Install RCE | On KEV | Nov 3, 2021 | 9,526 |
| 2 | CVE-2023-20198 | Cisco IOS XE Web UI Privilege Escalation | On KEV | Oct 16, 2023 | 8,952 |
| 3 | CVE-2020-1938 | Apache Tomcat AJP Connector (Ghostcat) | On KEV | Mar 10, 2021 | 3,911 |
| 4 | CVE-2025-0108 | PAN-OS Authentication Bypass | On KEV | Feb 18, 2025 | 3,801 |
| 5 | CVE-2023-46604 | Apache ActiveMQ Deserialization / RCE | On KEV | Nov 2, 2023 | 3,656 |
| 6 | CVE-2017-0144 | Windows SMBv1 RCE (EternalBlue / WannaCry) | On KEV | Nov 3, 2021 | 3,585 |
| 7 | CVE-2021-34527 | Windows Print Spooler RCE (PrintNightmare) | On KEV | Jul 7, 2021 | 3,478 |
| 8 | CVE-2019-0708 | Remote Desktop Services RCE (BlueKeep) | On KEV | Nov 3, 2021 | 2,649 |
| 9 | CVE-2021-42013 | Apache HTTP Server Path Traversal / RCE | On KEV | Nov 17, 2021 | 1,021 |
| 10 | CVE-2021-42278 | Active Directory sAMAccountName Spoofing -> Priv Esc | On KEV | Nov 17, 2021 | 892 |
First-Run Findings Matter
Many of the vulnerabilities on this list are found exploitable when a new customer runs NodeZero for the very first time. The visibility often comes as a surprise, not because teams are unaware of patching requirements, but because exploitable weaknesses can hide in corners of the environment that aren’t routinely checked.
The encouraging news is that once these exposures are identified, the majority are remediated quickly by security teams. NodeZero’s value lies in surfacing them immediately and then verifying that fixes hold, closing the loop between awareness and action.
Not Every KEV Has a NodeZero Rapid Response Test
It’s important to note that while every CVE in this list is part of CISA’s Known Exploited Vulnerabilities (KEV) catalog, not all of them appear as individual Rapid Response tests in NodeZero. Officially announced in early 2024, Horizon3.ai’s Rapid Response service focuses on newly disclosed, high-impact vulnerabilities — the kind that see active exploitation within days or weeks of discovery.
Older KEVs, such as EternalBlue (CVE-2017-0144) or BlueKeep (CVE-2019-0708), are long understood and already integrated into the NodeZero platform.
In contrast, Rapid Response tests target emerging threats like CVE-2023-20198 (#2), CVE-2025-0108 (#4), and CVE-2023-46604 (#5), allowing customers to verify exposure, often before these vulnerabilities gain widespread attention.
In short, NodeZero identifies and exploits vulnerabilities across the entire lifecycle of exposure, from newly emerging Rapid Response threats to persistent KEVs that continue to reappear in production environments, often for years to come.
Why Rapid Response Matters
Horizon3.ai’s Rapid Response service isn’t just about reacting to CISA’s KEV catalog. It’s about staying ahead of it. When our research team spots a new vulnerability, they evaluate how easy it is to exploit, the overall impact, how widely the affected software is deployed, the types of organizations that rely on it, and the critical functions it supports.
When risk signals are high, we don’t wait for a CVE to show up on CISA’s KEV list. We develop an exploit and add it to NodeZero, often days or weeks before formal recognition by CISA. That can give our customers same-day visibility into whether they’re exposed to vulnerabilities that adversaries are most likely to target. Here are two examples:
- CVE-2025-32433 (Erlang/OTP SSH RCE): Our research team released a Rapid Response test on April 18, 2025. CISA didn’t add it to the KEV catalog until June 9, 2025, but by then, NodeZero had already identified it as exploitable across customer environments.
- CVE-2023-48788 (FortiClient EMS SQL Injection): Our research team released a Rapid Response test on March 15, 2024, just three days after disclosure. CISA didn’t add it to the KEV catalog until March 25, 2024. At that time, NodeZero had already uncovered it across customer environments.
Why Are These KEVs Still Being Exploited by NodeZero?
The Top 10 CVEs above aren’t theoretical flaws. They’re the ones attackers are already exploiting and defenders should have closed months or years ago. Some, like EternalBlue and BlueKeep, have been around for nearly a decade. Yet NodeZero continues to exploit them inside production environments.
Why does this keep happening?
- Overloaded teams: Security and IT staff struggle to keep up with the flood of patch advisories and constant updates while juggling competing priorities.
- Operational friction: Patching requires downtime or regression testing, so updates get delayed.
- Legacy systems: Unsupported applications that can’t always be patched stay online because replacing them is costly or disruptive.
- False sense of safety: Controls like firewalls, segmentation, or EDR can create an illusion of protection so patching gets deprioritized.
- Accountability gaps: Even when KEVs are known, patch SLAs often aren’t enforced.
The result? Attackers, and NodeZero, exploit the same weaknesses with ease.
The Takeaway for Security Leaders
The proof is undeniable: if NodeZero can exploit it, so can an adversary. KEVs are not hypothetical. They’re a living catalog of what attackers are actively using in the wild to gain footholds. The fact that these flaws are still exploitable in 2025 shows how wide the gap remains between knowing and doing.
Security leaders should consider:
- Verifying patching, not assuming it. Test for real exploitability, not just vulnerable versions.
- Treating KEVs as non-negotiable. Patch or mitigate the risk immediately.
- Measuring accountability. Track mean time to mitigate (MTTM) and mean time to remediate (MTTR) for KEVs.
- Closing the loop. Validate fixes through retesting.
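One way to put the last three points into practice is to join pentest findings against the KEV catalog so that open KEV findings, the age of each KEV entry at the time it was found, and KEV-specific MTTR fall out of the data. The script below is an added example, not code from the post or from NodeZero; the KEV excerpt is constructed from the add dates in the table above using the public feed's field names (`vulnerabilities`, `cveID`, `dateAdded`), and the findings, hostnames and the placeholder CVE-0000-0000 are constructed.

```python
import json
from datetime import date
from typing import Optional

# Constructed stand-in for the CISA KEV catalog feed, trimmed to the two
# fields this script reads; add dates come from the table above.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2017-0144",  "dateAdded": "2021-11-03"},
  {"cveID": "CVE-2021-34527", "dateAdded": "2021-07-07"},
  {"cveID": "CVE-2025-0108",  "dateAdded": "2025-02-18"}
]}"""

# Constructed pentest findings: (cve, host, first_seen, fixed_on or None).
FINDINGS = [
    ("CVE-2017-0144",  "host-a.example", date(2025, 3, 1), date(2025, 3, 10)),
    ("CVE-2021-34527", "host-b.example", date(2025, 3, 1), None),
    ("CVE-2025-0108",  "fw-1.example",   date(2025, 3, 1), date(2025, 3, 3)),
    ("CVE-0000-0000",  "host-c.example", date(2025, 3, 1), None),  # placeholder, not on KEV
]

def load_kev(text: str) -> dict:
    """Map cveID -> date the entry was added to the KEV catalog."""
    data = json.loads(text)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"]) for v in data["vulnerabilities"]}

def kev_report(findings, kev: dict) -> list:
    """Enrich each finding with KEV status, how many days it had already been a
    KEV when found (the 'known but unpatched' gap), and days to remediate."""
    rows = []
    for cve, host, first_seen, fixed_on in findings:
        added = kev.get(cve)
        rows.append({
            "cve": cve, "host": host, "on_kev": added is not None,
            "kev_age_when_found": (first_seen - added).days if added else None,
            "days_to_remediate": (fixed_on - first_seen).days if fixed_on else None,
        })
    # Oldest KEV exposures first: those are the ones attackers have had longest.
    return sorted(rows, key=lambda r: -1 if r["kev_age_when_found"] is None
                  else r["kev_age_when_found"], reverse=True)

def open_kev_findings(rows) -> list:
    """KEV findings with no fix date: the non-negotiable backlog."""
    return [r for r in rows if r["on_kev"] and r["days_to_remediate"] is None]

def kev_mttr(rows) -> Optional[float]:
    """Mean time to remediate, in days, over closed KEV findings only."""
    closed = [r["days_to_remediate"] for r in rows if r["on_kev"] and r["days_to_remediate"] is not None]
    return sum(closed) / len(closed) if closed else None

if __name__ == "__main__":
    rows = kev_report(FINDINGS, load_kev(KEV_JSON))
    for r in rows:
        print(r)
    print("open KEV findings:", len(open_kev_findings(rows)), "| KEV MTTR (days):", kev_mttr(rows))
```

Rerunning the report after each retest turns "closing the loop" into a number: the open-KEV count should go to zero and stay there.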
Final Word
The persistence of these vulnerabilities isn’t a failure of awareness. It’s a failure of understanding the real risk they pose. NodeZero exposes that gap with irrefutable proof. The organizations that win are those that don’t just know about vulnerabilities but actually verify they are no longer exploitable in their environments.
