360 2025年度网络安全漏洞分析报告

1360数字安全集团●漏洞情报服务2025年度网络安全漏洞分析报告 2目录 01引言（ExecutiveSummary）.................................................................4 02态势综述（Overview）............................................................................6 1.漏洞总量与趋势.....................................................................................................................................................7 2.全量漏洞严重程度分析......................................................................................................................................8 3.漏洞类型分析..........................................................................................................................................................9 4.行业漏洞数据分析.............................................................................................................................................10 03月度全景(MonthlyTimeline)..............................................................11 一月｜AI时代的“斯普特尼克时刻”：大模型基建化与边界防御的初步坍塌..........................12 二月｜“零点击”间谍阴云：雇佣兵式网络武器与高价值目标的精准“狩猎”............................14 三月｜算力夺权与框架之殇：当AI工具链沦为攻陷全球巨头的“数字特洛伊”...................15 四月｜攻防演进的“点杀”时代：国家级黑客的底层渗透与开发环境的“灯下黑”..................16 五月｜零售业的“散布之影”：医疗与商业关键基础设施的韧性大考..........................................18 六月｜邮件即入侵，协议即跳板：老旧IoT设备与科研机构的“全网大沦陷”......................20 七月｜信任链的“静默污染”：Slopsquatting幻觉投毒与软件供应链的信用破产................22 八月｜勒索引擎的“AI智能化”：PromptLock现身与身份准入核心的门禁失守...................24 九月｜具身智能的物理冲击：从s1ngularity自动化扩散到朝日啤酒生产线停摆..............26 十月｜“影遁”提示词注入：AIAgent逻辑资产泄露与电商生态的支付劫持..........................27 十一月｜闪电贷逻辑坍塌与BADCANDY逆袭：金融合约与基础设施的极速渗透............29 十二月｜满分漏洞与架构重塑：Web框架底层协议级坍塌与AI语音诈骗的终极进化..31 04重点漏洞(KeyVulnerabilities)...........................................................33 1.Langflow未授权代码注入漏洞(CVE-2025-3248).............................................................................34 2.MicrosoftSharePointServer远程代码执行利用链(CVE-2025-53770、CVE-2025- 53771)............................................................................................................................................................................3433.Sudo外部资源引用不当漏洞(CVE-2025-32463).............................................................................35 4.DockerDesktop访问控制不当漏洞(CVE-2025-9074)...................................................................36 5.WhatsApp授权校验漏洞与苹果ImageI/O越界写漏洞组合利用(CVE-2025-55177、 CVE-2025-43300)....................................................................................................................................................36 6.SGLang大模型推理框架远程代码执行漏洞(CVE-2025-10164)...............................................37 7.宇树机器人BLE漏洞（CVE-2025-35027、CVE-2025-60017、CVE-2025-60250、 CVE-2025-60251）................................................................................................................................................38 8.FortiWeb远程代码执行漏洞(CVE-2025-64446、CVE-2025-58034)......................................39 9.三星移动设备Quram图像解析库远程代码执行漏洞(CVE-2025-21042)............................40 10.ReactServerComponents代码注入漏洞(CVE-2025-55182)..................................................41 05关键趋势(KeyTrends)...........................................................................42 1.AI武器化与反制(AIWeaponization&Defense)...............................................................................43 2.边缘设备与物联网失陷(Edge&IoTCompromise)..........................................................................43 3.供应链信任危机(SupplyChainFragility)................................................................................................43 4.漏洞利用“零日化”与高速化(RapidExploitation)................................................................................44 5.关键基础设施勒索常态化(CriticalInfrastructureRansomware).................................................44 06CISO指南(CISOInsights)......................................................................45 1.从“AI应用”转向“AI治理”，构建模型级防御体系..............................................................................46 2.重塑身份边界，应对“零点击”与机器身