🔓 Breach Brief · 🟠 High · 📋 Advisory

Legacy Vulnerabilities Still Top Targets: 32% of Exploited CVEs Over 10 Years Old

Cisco Talos reports that nearly one‑third of the most‑exploited vulnerabilities are ten years or older, with legacy components like Log4j and PHPUnit still driving active attacks. This persistent exposure heightens third‑party risk for organizations that depend on outdated third‑party software and hardware.

🛡️ LiveThreat™ Intelligence · 📅 March 24, 2026 · 📰 helpnetsecurity.com

Severity: 🟠 High
Type: 📋 Advisory
Confidence: 🎯 High
Affected: 🏢 3 sector(s)
Actions: 3 recommended
Source: 📰 helpnetsecurity.com


What Happened – Cisco Talos’ 2025 Year‑in‑Review shows that 32% of the most‑exploited vulnerabilities are at least a decade old, with legacy components such as Log4j, PHPUnit and ColdFusion still driving active attacks. New flaws are weaponized within weeks, while old weaknesses linger for years, especially in end‑of‑life devices and network infrastructure.

Why It Matters for TPRM

  • Persistent exploitation of outdated libraries creates hidden attack surfaces in third‑party software.
  • Vendor lifecycle mismatches mean many suppliers cannot patch quickly, increasing downstream risk.
  • Remote‑code‑execution flaws dominate, giving attackers direct system control without user interaction.

Who Is Affected – Enterprises across all sectors that rely on legacy frameworks, network appliances, and third‑party integrations (e.g., SaaS platforms, telecom gear, manufacturing control systems).

Recommended Actions

  • Inventory all third‑party components and identify any that embed known legacy CVEs.
  • Enforce strict patch‑management SLAs with vendors, especially for end‑of‑life hardware.
  • Prioritize remediation of RCE‑type vulnerabilities in critical supply‑chain software.
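The three actions above amount to one workflow: cross-reference the component inventory with a list of known-exploited CVEs, then rank what you find by exploit class and age. The script below is an added example, not code from the brief, from Cisco Talos or from Help Net Security. It assumes a simplified SBOM shape (the `components` / `name` / `version` / `cves` field names are an assumption modelled loosely on CycloneDX) and a constructed exploited-CVE list; only CVE‑2021‑44228 (Log4Shell, cited in the Technical Notes) is a real identifier, the others are labelled placeholders. The age of a CVE is derived from the year in its identifier, which is a reasonable proxy for disclosure year but not exact.

```python
"""Triage a software inventory against an exploited-CVE list.

Added example, not code from the original brief or from Cisco Talos: flags
every SBOM component that embeds a CVE on the exploited list, derives the
CVE's age from the year in its identifier, and ranks remote-code-execution
issues and decade-old CVEs first so remediation follows the brief's
recommended actions.
"""
from dataclasses import dataclass
import re

# CVE-YYYY-<sequence>; the sequence part is left loose so the obviously fake
# placeholder identifiers in the sample data below still parse.
CVE_ID = re.compile(r"^CVE-(\d{4})-[A-Za-z0-9]+$")

LEGACY_THRESHOLD_YEARS = 10  # the brief's "ten years or older" cut-off


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    cve: str
    age_years: int
    rce: bool

    @property
    def legacy(self) -> bool:
        """True when the CVE is at least a decade old."""
        return self.age_years >= LEGACY_THRESHOLD_YEARS


def cve_year(cve_id: str) -> int:
    """Return the year encoded in a CVE identifier (a proxy for disclosure year)."""
    match = CVE_ID.match(cve_id)
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1))


def triage(sbom: dict, exploited: dict, current_year: int) -> list:
    """Cross-reference SBOM components with the exploited-CVE list.

    `exploited` maps CVE id -> {"rce": bool}. Known CVEs that are not on the
    exploited list are skipped here (lower priority, handled elsewhere). The
    result is sorted RCE first, then oldest first, then by id for stability.
    """
    findings = []
    for comp in sbom.get("components", []):
        for cve in comp.get("cves", []):
            if cve not in exploited:
                continue
            findings.append(Finding(
                component=comp["name"],
                version=comp["version"],
                cve=cve,
                age_years=current_year - cve_year(cve),
                rce=bool(exploited[cve].get("rce", False)),
            ))
    findings.sort(key=lambda f: (not f.rce, -f.age_years, f.cve))
    return findings


def summarize(findings: list) -> dict:
    """Counts of the kind the brief reports: total, RCE share, decade-old share."""
    return {
        "total": len(findings),
        "rce": sum(1 for f in findings if f.rce),
        "legacy": sum(1 for f in findings if f.legacy),
    }


# Constructed sample inventory. Only CVE-2021-44228 (Log4Shell, cited in the
# brief) is a real identifier; the PLACEHOLDER ids are made up for this example.
SAMPLE_SBOM = {
    "components": [
        {"name": "log4j-core", "version": "2.14.1", "cves": ["CVE-2021-44228"]},
        {"name": "legacy-template-engine", "version": "1.0.3",
         "cves": ["CVE-2013-PLACEHOLDER1"]},
        {"name": "vpn-appliance-firmware", "version": "9.2",
         "cves": ["CVE-2019-PLACEHOLDER2"]},
        {"name": "fresh-parser", "version": "4.1.0",
         "cves": ["CVE-2025-PLACEHOLDER3"]},  # known CVE, not on the exploited list
    ]
}

# Constructed exploited-CVE list (shape only; a real feed would be loaded from disk).
SAMPLE_EXPLOITED = {
    "CVE-2021-44228": {"rce": True},
    "CVE-2013-PLACEHOLDER1": {"rce": True},
    "CVE-2019-PLACEHOLDER2": {"rce": False},
}


if __name__ == "__main__":
    results = triage(SAMPLE_SBOM, SAMPLE_EXPLOITED, current_year=2026)
    for f in results:
        tags = ("RCE" if f.rce else "non-RCE", "LEGACY" if f.legacy else "recent")
        print(f"{f.component} {f.version}: {f.cve} ({f.age_years}y) {' '.join(tags)}")
    print(summarize(results))
```

Run as a script it prints the ranked findings; with the sample data the decade-old RCE placeholder lands at the top, Log4Shell second, and the non-RCE VPN firmware issue last, which is the order the brief's "prioritize RCE, watch end-of-life gear" advice implies. Swap `SAMPLE_SBOM` and `SAMPLE_EXPLOITED` for a parsed SBOM and a real exploited-vulnerability feed to use it on an actual inventory.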

Technical Notes – Attackers rapidly weaponize newly disclosed flaws (e.g., React2Shell) while continuing to exploit long‑standing issues such as Log4Shell (CVE‑2021‑44228). 80% of the top‑100 exploited CVEs are remote‑code‑execution bugs; 23% affect VPN appliances and firewalls, and 25% target widely used frameworks/libraries. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/03/24/enterprise-vulnerability-exploitation-cybersecurity-threats/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
