Publish date: May 28, 2026

Welcome to vulnerability management's big bang.

If it feels like your security team is running a marathon on a treadmill set to a permanent incline of 12.0 with 50 lb sandbags tied around each ankle, you're in good company. We have officially entered the era of the Great Vulnerability Acceleration.

To put this recent synthetic bloom into perspective, consider this: in the last five years, the cybersecurity community has identified and recorded over 150,000 new vulnerabilities. That is the same number of flaws recorded in the first twenty years of the National Vulnerability Database combined.

Now, I'm not generally a fan of “doom and gloom” security reporting. In my opinion, the industry already has enough fear and uncertainty to last a lifetime. However, ignoring the recent explosion of security vulnerabilities (nearly 50,000 new vulns were published in 2025 alone) is a risk in itself. When the smoke detector goes off, you should at least check if your house is on fire.

The way I see it, vulnerabilities are no longer a game of finding a needle in a haystack; it's more like Hungry Hungry Hippos with threat actors competing to see who can swallow the most marbles before IT teams even hear the plastic clicking. In fact, many vulnerabilities are now being found and exploited faster than they can be documented. Data from 2025 shows that 28.96% of KEVs (Known Exploited Vulnerabilities) were exploited on or before the day their CVE was published. And in April 2026, NIST officially acknowledged the reality we’ve all been feeling: it’s now impossible for humans to catalog every digital flaw manually.

The fact is, we are living through a period where code is being shipped faster than it can be secured (and with significantly fewer guardrails). The average organization's attack surface is no longer confined to the server room; it has jumped to the cloud, into the home offices of thousands of employees, and recently, into the very neural networks of the AI models used every day (often outside the purview of official AI policy).

Of course, within this Great Vulnerability Acceleration, there are levels to the madness. All vulnerabilities are not created equal, nor were all 50,000 found in 2025 catastrophic. Some bugs are just minor annoyances, but others are changing the rules of the game forever.

As we navigate 2026 and beyond, looking back at the carnage of the last five years might just be the way we find a solution, or at least prepare ourselves for the onslaught. Or, it might just be like that car accident you gawked at on the way to work. You knew you shouldn't have looked, but you just couldn't help it.

For security teams, the influx of critical vulnerabilities in the 2020s has turned threat detection into a blur of constant triage.
This article originally appeared in the May 2026 issue of The UpGuardian, a monthly newsletter dedicated to cybersecurity storytelling. If you like this story, subscribe to receive future issues of the newsletter directly in your inbox.

1. Log4Shell (CVE-2021-44228)

  • Date Published: December 2021
  • 2026 Status: While major SaaS providers patched years ago, it remains a top entry point for ransomware in 2026, hiding within legacy shadow IT servers, unmanaged third-party appliances, and nested dependencies that haven't seen an update in half a decade.

If we were to compare this recent onslaught of vulnerabilities to an asteroid field, Log4Shell would be the 1 Ceres of vulnerabilities. Log4j is a ubiquitous Java logging library used in everything from Minecraft servers to high-end enterprise software. The flaw allowed attackers to execute code by simply sending a malicious string to a server. Because the library was often nested deep inside other software, many organizations spent 2022 and 2023 just trying to find where it was hiding. It fundamentally proved that you can't secure what you can't see.
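The "find where it is hiding" problem is an inventory problem. As an added example (not code from the original article), here is a small Python scanner that walks a directory tree and looks inside JARs and WARs, including archives nested inside other archives, for the log4j-core JndiLookup class that Apache told users to delete as a stop-gap. The fixture it scans is constructed in a temporary directory; the 2.14.1 jar name and the placeholder class bytes are made up for the demo, and a hit only flags the jar for a version check rather than proving it is exploitable.

```python
import io
import os
import tempfile
import zipfile

# Apache's stop-gap for log4j-core 2.10-2.14.1 was to delete this class; a hit means "check the version".
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, path: str, depth: int = 0, max_depth: int = 5) -> list:
    """Return 'outer!inner' paths of every (nested) archive that contains JndiLookup.class."""
    hits = []
    if depth > max_depth:  # bound recursion on pathological jar-in-jar nesting
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # suffix says archive, content says otherwise
        return hits
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            hits.append(path)
        for name in names:  # descend into jars bundled inside wars, ears and fat jars
            if name.lower().endswith(ARCHIVES):
                hits.extend(scan_archive(zf.read(name), f"{path}!{name}", depth + 1, max_depth))
    return hits


def scan_tree(root: str) -> list:
    """Walk a directory tree and scan every archive found in it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    hits.extend(scan_archive(f.read(), full))
    return hits


def demo() -> list:
    """Constructed fixture: app.war embedding a log4j-core jar with JndiLookup.class, plus a clean jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
            z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        return [h.replace(root, "<root>") for h in scan_tree(root)]
```

Point `scan_tree` at an application directory to get the same `outer!inner` report for real deployments; the nested path is what tells you which vendor bundle to chase.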

2. SolarWinds SUNBURST (CVE-2020-10148)

  • Date Published: December 2020
  • 2026 Status: In 2026, the effects of SolarWinds have fundamentally altered executive accountability; while the SEC’s landmark fraud case against the company’s CISO was largely dismissed in late 2025, it permanently signaled that security leaders are now personally in the crosshairs for how they disclose risk.

The supply chain attack that changed the world. State-sponsored actors compromised SolarWinds’ build system, inserting a backdoor into official software updates. Because the malware was signed by the vendor, it bypassed almost every standard security defense. It proved that even your most trusted tools could be turned into a Trojan horse, leading to the birth of the modern Software Bill of Materials movement and a global shift toward verifying the build rather than just trusting the signature.

The SolarWinds exploit marked the dawn of a highly sophisticated era of supply chain vulnerabilities, catching the cybersecurity world by surprise.

3. MOVEit Transfer (CVE-2023-34362)

  • Date Published: June 2023
  • 2026 Status: Effectively mitigated at the source, but its playbook is now the industry standard for ransomware groups. In 2026, MOVEit serves as the primary case study for why Managed File Transfer tools require isolated, zero-trust network segments.

A zero-day SQL injection flaw that allowed the CL0P ransomware group to bypass authentication and steal data from thousands of organizations simultaneously. Unlike previous attacks that focused on encrypting files, MOVEit was a pure data-theft play. It proved that a single vulnerability in a boring back-office tool could trigger a global hostage crisis, exposing the personal data of over 60 million people.

4. XZ Utils Backdoor (CVE-2024-3094)

  • Date Published: March 2024
  • 2026 Status: Fully patched in all modern Linux distributions, but it remains a haunting warning.

A terrifyingly patient attack. A malicious actor spent years building trust in the open-source community to plant a backdoor in a core Linux compression utility. It was caught by a developer who noticed a tiny delay in SSH logins, a near miss that could have given attackers a master key to almost every Linux server on the planet. It exposed the fragile human element of the open-source software we all rely on.

5. Zerologon (CVE-2020-1472)

  • Date Published: August 2020
  • 2026 Status: Definitively solved for any organization with modern patching hygiene. In 2026, it is frequently used by red teams to identify completely abandoned segments of an enterprise network that have been out of sync with Active Directory for years.

Zerologon allowed an attacker to instantly become a domain admin by exploiting a flaw in the Netlogon cryptographic authentication process. It was essentially a skeleton key for Windows networks. The speed at which it could move from a single compromised laptop to owning the whole company made it one of the most dangerous internal threats of the early 2020s.

With Zerologon, an attacker with a single laptop and network access could bypass authentication completely, compromising Active Directory domain controllers in seconds.

6. Citrix Bleed (CVE-2023-4966)

  • Date Published: October 2023
  • 2026 Status: While the Bleed was patched, it birthed a new era of session hijacking tools. In 2026, security teams have largely moved away from long-lived session tokens in favor of continuous authentication, as attackers have become experts at bleeding tokens from memory.

This flaw allowed attackers to bypass MFA entirely by stealing active session tokens from the memory of Citrix NetScaler devices. It was a hijacker’s dream, proving that even if your front door has five locks, an attacker can still get in if they find the key you left under the mat.

7. ProxyLogon (CVE-2021-26855)

  • Date Published: March 2021
  • 2026 Status: This vulnerability effectively ended the era of on-premises Exchange for most mid-market companies. In 2026, the few remaining on-prem Exchange servers are considered high-risk by default, often necessitating isolated network zones to prevent total lateral compromise.

A critical hit to Microsoft Exchange that allowed attackers to bypass authentication and impersonate any user. When chained with other flaws, it allowed for full remote code execution. Because email was the source of truth for identity and password resets, this flaw gave attackers a direct path to total corporate takeover within minutes.

8. Ivanti Connect Secure (CVE-2023-46805)

  • Date Published: January 2024
  • 2026 Status: This incident led to a massive exodus from Ivanti products. In 2026, the Ivanti fallout pushed the industry toward zero-trust network access solutions, as organizations realized their traditional VPN safety net was actually their biggest liability.

An authentication bypass targeting the very VPNs used to secure remote workforces. By exploiting a flaw in the web component, attackers could gain access to restricted resources without a password. The Ivanti vulnerabilities highlighted a recurring 2020s theme: the security tools we use to defend the perimeter are often the most vulnerable points of entry.

9. Okta Support System Breach

  • Date Published: October 2023
  • 2026 Status: Forced a vendor-on-vendor security shift. SaaS providers now undergo much more rigorous audits regarding their internal support and access levels, as security teams realized that their identity provider's support desk was a valid attack vector.

While not a single code-level CVE, this incident involved attackers using stolen credentials to access Okta’s internal support system to steal session tokens for Okta’s customers. This meta-vulnerability showed that a service provider's internal support tools are just as critical to your security posture as your own firewall.

10. ScreenConnect Auth Bypass (CVE-2024-1709)

  • Date Published: February 2024
  • 2026 Status: Now a primary focus for automated external attack surface management (EASM). In 2026, a single unpatched ScreenConnect instance is usually viewed as a red alert that triggers immediate automated isolation of the affected host.

This vulnerability in ConnectWise ScreenConnect allowed attackers to bypass the setup wizard and create a new administrative user on the fly. With a CVSS score of 10.0, it was as dangerous as it gets. Because ScreenConnect is used for remote management, attackers used this instant admin access to deploy ransomware across entire client bases of managed service providers.

Now that we've covered the ten most disruptive threats, the landscape disperses into a wider array of specialized and lingering exploits defining the decade.

11. OMIGOD (CVE-2021-38647)

  • Date Published: September 2021
  • 2026 Status: Auto-patching has cleared most of the cloud.

12. Spring4Shell (CVE-2022-22965)

  • Date Published: March 2022
  • 2026 Status: Currently categorized as a legacy critical.

13. Ni8mare (CVE-2026-21858)

  • Date Published: January 2026
  • 2026 Status: Mandatory weight-signing is now standard for AI.

14. GitLab RCE (CVE-2021-22205)

  • Date Published: April 2021
  • 2026 Status: Still a favorite for hijacking pipelines.

15. Kube-proxy Bypasses (CVE-2020-8554)

  • Date Published: December 2020
  • 2026 Status: Unpatchable; requires strict internal network policies.

16. PrintNightmare (CVE-2021-34527)

  • Date Published: July 2021
  • 2026 Status: Spoolers are now disabled by default worldwide.

17. Outlook Zero-Click (CVE-2023-23397)

  • Date Published: March 2023
  • 2026 Status: Forced the permanent retirement of NTLM.

18. PwnKit (CVE-2021-4034)

  • Date Published: January 2022
  • 2026 Status: Standard checkbox item in hardening scripts.

19. Follina (CVE-2022-30190)

  • Date Published: May 2022
  • 2026 Status: Protocol permanently disabled by Microsoft.

20. Chrome Zero-Day Surge (2024-2025)

  • Date Published: Ongoing (Multiple CVEs)
  • 2026 Status: Drove mass adoption of browser isolation.

21. HTTP/2 Rapid Reset (CVE-2023-44487)

  • Date Published: October 2023
  • 2026 Status: Still requires aggressive rate limiting.

22. Snowflake Credential Wave (2024)

  • Date Published: May 2024 (Incident Disclosure)
  • 2026 Status: Mandated MFA for all service accounts.

23. Palo Alto PAN-OS (CVE-2024-3400)

  • Date Published: April 2024
  • 2026 Status: Actively hunted on unpatched N-1 firewalls.

24. Confluence Auth Bypass (CVE-2023-22515)

  • Date Published: October 2023
  • 2026 Status: Most instances are now hidden behind ZTNA.

25. Terrapin Attack (CVE-2023-48795)

  • Date Published: December 2023
  • 2026 Status: Older SSH clients are being phased out.
