2025年度网络安全漏洞分析报告

1360 数字安全集团 ● 漏洞情报服务2025 年度网络安全漏洞分析报告2目 录01 引言（Executive Summary）.................................................................402 态势综述（Overview ）............................................................................61. 漏洞总量与趋势.....................................................................................................................................................72. 全量漏洞严重程度分析......................................................................................................................................83. 漏洞类型分析..........................................................................................................................................................94. 行业漏洞数据分析............................................................................................................................................. 1003 月度全景 (Monthly Timeline)..............................................................11一月｜ AI 时代的“斯普特尼克时刻”：大模型基建化与边界防御的初步坍塌..........................12二月｜ “零点击”间谍阴云：雇佣兵式网络武器与高价值目标的精准“狩猎”............................14三月｜ 算力夺权与框架之殇：当 AI 工具链沦为攻陷全球巨头的“数字特洛伊”................... 15四月｜ 攻防演进的“点杀”时代：国家级黑客的底层渗透与开发环境的“灯下黑”..................16五月｜ 零售业的“散布之影”：医疗与商业关键基础设施的韧性大考..........................................18六月｜ 邮件即入侵，协议即跳板：老旧 IoT 设备与科研机构的“全网大沦陷”......................20七月｜ 信任链的“静默污染”：Slopsquatting 幻觉投毒与软件供应链的信用破产................22八月｜ 勒索引擎的“AI 智能化”：PromptLock 现身与身份准入核心的门禁失守...................24九月｜ 具身智能的物理冲击：从 s1ngularity 自动化扩散到朝日啤酒生产线停摆..............26十月｜ “影遁”提示词注入：AI Agent 逻辑资产泄露与电商生态的支付劫持.......................... 27十一月｜ 闪电贷逻辑坍塌与 BADCANDY 逆袭：金融合约与基础设施的极速渗透............29十二月｜ 满分漏洞与架构重塑：Web 框架底层协议级坍塌与 AI 语音诈骗的终极进化..3104 重点漏洞 (Key Vulnerabilities)........................................................... 331. Langflow 未授权代码注入漏洞 (CVE-2025-3248).............................................................................342. Microsoft SharePoint Server 远程代码执行利用链 (CVE-2025-53770、CVE-2025-53771)............................................................................................................................................................................3433. Sudo 外部资源引用不当漏洞 (CVE-2025-32463)............................................................................. 354. Docker Desktop 访问控制不当漏洞 (CVE-2025-9074)...................................................................365. WhatsApp 授权校验漏洞与苹果 Image I/O 越界写漏洞组合利用 (CVE-2025-55177、CVE-2025-43300)....................................................................................................................................................366. SGLang 大模型推理框架远程代码执行漏洞 (CVE-2025-10164)...............................................377. 宇树机器人 BLE 漏洞（CVE-2025-35027、CVE-2025-60017、CVE-2025-60250、CVE-2025-60251）................................................................................................................................................388. FortiWeb 远程代码执行漏洞(CVE-2025-64446、CVE-2025-58034)......................................399. 三星移动设备 Qura