
With 2026 officially underway, it’s a good moment to pause and look back at the year we just left behind. 2025 was another reminder that even the most advanced software systems remain fragile: between outages, exploits, and bugs that escaped straight into production, software is never quite as finished as we’d like to believe. So before we fully move on, let’s take a quick retrospective tour of the 10 worst software bugs of 2025 - the ones that broke things, surprised everyone, and definitely earned a place in the hall of fame of “how did this ship?”
Overview
| # | Bug | Security vulnerability | Misconfiguration | Outage | Cyberattack |
|---|---|---|---|---|---|
| 1 | Barclays Banking System Glitch | ✓ | |||
| 2 | GitHub Supply Chain Breach | ✓ | ✓ | ||
| 3 | Microsoft SharePoint Flaws | ✓ | ✓ | ||
| 4 | Vulnerability in Oracle E-Business Suite | ✓ | ✓ | ||
| 5 | AWS Outage | ✓ | ✓ | ||
| 6 | 7-Zip Vulnerabilities | ✓ | |||
| 7 | Cloudflare Bug | ✓ | ✓ | ||
| 8 | React2Shell | ✓ | ✓ | ||
| 9 | Rainbow Six Siege Backend Hack (MongoBleed Exploitation) | ✓ | ✓ | ✓ | |
| 10 | AI Glitches of 2025 |
1) Barclays Banking System Glitch Locks Customers Out on Payday
In February, an internal IT bug at Barclays locked thousands of customers out of their accounts on payday, causing missed payments and forcing the bank to pay millions in compensation - a reminder that non-security bugs can have very real financial consequences.
2) GitHub Supply Chain Breach Compromised Thousands of Repositories
In March, a leaked token and CI/CD misconfiguration caused a massive software supply chain compromise, affecting over 23,000 repositories and prompting urgent credential rotations and dependency audits - a stark example of how tooling bugs can cascade widely.
3) Microsoft SharePoint Flaws Put Thousands of Enterprise Servers at Risk
In July, a critical vulnerability in on-premises Microsoft SharePoint allowed attackers to steal authentication keys, leading to attacks against government agencies and enterprises. The flaw highlighted how deeply integrated enterprise software bugs can ripple into national infrastructure.
4) Zero-Day Vulnerability in Oracle E-Business Suite Enabled Data Exfiltration by Ransomware Group
From August to October, a zero-day bug in Oracle EBS (CVE-2025-61882) was weaponized by attackers such as the Cl0p ransomware group, leading to data theft and breaches across multiple organizations. This flaw was among the most actively exploited enterprise software bugs of the year.
5) AWS Outage Cripples Hundreds of Services Worldwide
In October, one of the internet’s most disruptive outages occurred when Amazon Web Services (AWS) experienced a major failure originating from a DNS resolution error in its critical US‑EAST‑1 cloud region, causing cascading breakdowns across core infrastructure like DynamoDB, EC2, and Lambda that many platforms depend on. The outage lasted for many hours and left thousands of popular apps and services - including social networks, gaming platforms, financial apps, and streaming sites - temporarily inaccessible to users around the globe, highlighting the fragility of modern cloud‑dependent digital ecosystems.
6) 7-Zip Vulnerabilities Opened the Door to Effortless Remote Code Execution
In October, significant 7-Zip bugs (CVE-2025-11001 & CVE-2025-11002) enabled remote code execution simply by opening malicious ZIP files. Because 7-Zip is widely used and doesn’t always auto-update, many systems remained exposed.
7) Cloudflare Bug Caused Two Major Outages, Disrupting Thousands of Websites
In November, and again in December, Cloudflare suffered multiple configuration-related software failures that briefly took down critical parts of the internet, knocking services like X, ChatGPT, Spotify, and others offline. The outages stemmed from bugs in core traffic-routing and firewall systems and underscored how dependent the web is on a few key providers.
8) React2Shell Exposed Millions of Web Servers to Remote Code Execution
In late November, React2Shell was disclosed. This critical remote code execution vulnerability in React.js Server Components (CVE-2025-55182) exposed sites using the popular UI library to potential unauthorized takeover. The bug showed that even mature frontend frameworks can harbor severe risks.
9) Rainbow Six Siege Backend Hack (MongoBleed Exploitation) Caused Massive In-game Currency Injections
In late December, attackers exploited a severe MongoDB flaw (nicknamed MongoBleed, CVE-2025-14847) to leak secrets and gain internal access to Ubisoft’s backend, causing massive in-game currency injections and forcing Rainbow Six Siege offline while Ubisoft remediated the breach.
10) The AI Glitches of 2025: From Deleted Databases to Dangerous Misfires
Finally, no roundup of 2025’s worst tech bugs would be complete without mentioning AI, whose failures sparked real‑world chaos and grabbed global attention. AI systems repeatedly stumbled in ways that went far beyond simple errors - from autonomous agents deleting entire production databases and fabricating fake data to an AI security system misidentifying a packet of Doritos as a gun, leading to an armed police response. These incidents weren’t isolated bugs but reflected deeper challenges in governance, safety, and alignment, underscoring that as AI becomes more integral across sectors, its risks and failures - often with serious social or security consequences - demand much more robust oversight.
Was 2025 the Year Software Had a Better Sense of Humor Than Us?
2025 reminded us that software has a sense of humor - and it’s not always the kind we enjoy. From banks locking out customers on payday to AI mistaking Doritos for guns, last year proved that even the fanciest tech can throw a tantrum at the worst possible moment. If there’s a lesson here, it’s that no amount of testing or governance can fully tame the chaos lurking in code. As we stumble into 2026, we can only hope the servers stay stable and secure... but let’s be honest, misconfigurations and vulnerabilities will probably have other plans.