32% of top-exploited vulnerabilities are over a decade old

Exploitation timelines continued to compress in enterprise environments, with newly disclosed flaws reaching active use almost immediately and older weaknesses remaining active years after disclosure.

[Chart: enterprise vulnerability exploitation (Source: Cisco Talos)]

Findings from Cisco Talos’ 2025 Year in Review show how attackers combined rapid weaponization with long-term exposure spanning infrastructure, identity systems, and user workflows.

Top-targeted vulnerabilities show speed and persistence

Newly disclosed vulnerabilities moved into active exploitation with little delay. React2Shell became the most targeted vulnerability of 2025 even though it was only disclosed in December, illustrating how quickly attackers operationalize new flaws.

At the same time, older vulnerabilities remained active. Log4Shell CVEs remained among the top 10 most targeted vulnerabilities, highlighting continued exploitation since 2021 as Log4j remains embedded in enterprise applications, third-party integrations, legacy systems, and internet-facing services.

“Components like PHPUnit, ColdFusion, and Log4j often end up buried inside applications where defenders may not even realize they exist and/or be tightly coupled to legacy applications, making updates disruptive and resource intensive,” researchers warn.
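A practical way to find the buried Log4j copies the researchers describe is to open every jar, war and ear on a host and keep descending into the archives nested inside them, since the vulnerable log4j-core jar usually sits under WEB-INF/lib or inside a fat jar rather than on the classpath in plain sight. The script below does that, as an added example rather than anything from the Talos report: it looks for JndiLookup.class, reads the log4j-core version from the bundled Maven pom.properties, and judges it against the Log4Shell fix versions. The sample WAR it scans by default is constructed in memory, so it runs offline; point it at a directory to scan real artifacts.

```python
"""Find Log4j 2 copies buried inside application archives.

Walks jar/war/ear files, descends into archives nested inside them, and reports
every archive that bundles JndiLookup.class together with the log4j-core version
read from its Maven pom.properties. Added example, not Cisco Talos code; the
sample WAR below is constructed in memory so the script runs offline.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def is_vulnerable(version: str) -> bool:
    """True when a log4j-core 2.x version predates the Log4Shell fix series:
    2.17.1 on the main line, 2.12.4 on the Java 7 branch, 2.3.2 on the Java 6 branch."""
    try:
        v = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        return True  # unparseable (snapshot, vendor build): treat as suspect
    if v[:2] == (2, 12):
        return v < (2, 12, 4)
    if v[:2] == (2, 3):
        return v < (2, 3, 2)
    return v < (2, 17, 1)


def _version_from(zf: zipfile.ZipFile, names: list) -> str:
    """Read version=... from log4j-core's pom.properties, if it is present."""
    for name in names:
        if name.endswith(POM_SUFFIX):
            m = re.search(rb"^version=(.+)$", zf.read(name), re.M)
            if m:
                return m.group(1).decode("ascii", "replace").strip()
    return "unknown"


def scan_archive_bytes(data: bytes, label: str, findings=None) -> list:
    """Scan one archive held in memory, recursing into any archive nested in it.
    Labels use container!inner/path so a finding can be traced to its container."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: skip quietly
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = _version_from(zf, names)
            findings.append({"archive": label, "version": version,
                             "vulnerable": is_vulnerable(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive_bytes(zf.read(name), f"{label}!{name}", findings)
    return findings


def scan_path(root) -> list:
    """Scan a single file or every archive under a directory tree."""
    root = Path(root)
    candidates = [root] if root.is_file() else root.rglob("*")
    findings = []
    for path in candidates:
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive_bytes(path.read_bytes(), str(path), findings)
    return findings


def build_sample_war() -> bytes:
    """Constructed sample: a WAR whose WEB-INF/lib carries an old log4j-core jar.
    Only the two files the scanner inspects are included; class bytes are placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr("META-INF/maven/" + POM_SUFFIX,
                   b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = scan_path(sys.argv[1]) if len(sys.argv) > 1 else scan_archive_bytes(build_sample_war(), "app.war")
    for f in results:
        print(f"{'VULNERABLE' if f['vulnerable'] else 'ok'}  log4j-core {f['version']}  {f['archive']}")
```

The version check is deliberately branch-aware: a 2.12.4 or 2.3.2 build is patched for its Java level even though it is numerically older than 2.17.1, and an unparseable vendor version string is reported as suspect rather than silently passed.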

Long-term exposure also appeared in broader vulnerability trends. Nearly 40% of the top-targeted vulnerabilities affected end-of-life devices, and 32% of vulnerabilities were at least 10 years old. These figures point to persistent gaps between vendor lifecycle timelines and enterprise patching practices.

Attackers continued to focus on scalable weaknesses. About 25% of vulnerabilities impacted widely used frameworks and libraries, and 23% directly affected network devices such as VPN appliances and firewalls.

The type of vulnerability also mattered. Remote code execution accounted for 80% of the top 100 vulnerabilities, reflecting a preference for flaws that allow direct access without relying on user interaction.

Talos looked at where vulnerabilities sit in the stack to understand how far their impact can spread. Most of the top 50 network infrastructure vulnerabilities, about 66%, affect device firmware and tend to stay limited to specific hardware models.

A smaller share hits shared platforms, embedded services, or management systems, and these carry broader impact. Platform software accounts for only 14% of those CVEs, but a single flaw there can expose routers, switches, and controllers at the same time.

Ransomware activity centers on identity and consistency

Ransomware activity remained steady, with attackers maintaining consistent targeting patterns and operational methods. Manufacturing remained the most targeted sector, due to low downtime tolerance and broad attack surfaces.

Qilin emerged as the most active ransomware group in 2025, accounting for 17% of posts to data leak sites, followed by Akira at 10% and Play at 6%.

January recorded the lowest volume of ransomware activity in both 2024 and 2025, with increases later in the year.

“It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents,” Cisco Talos wrote.

Identity played a central role in ransomware operations. Common techniques relied on valid accounts at multiple stages of the attack lifecycle, supported by tools such as RDP, PsExec, and PowerShell, which run under legitimate user credentials and so blend in with routine administration.
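Because each of those tools is legitimate on its own, detection has to key on the combination rather than on any single event. The script below is an added example, not something from the Talos report: it runs over constructed records shaped like Windows Security event 4624 (logon, type 10 is RDP), System event 7045 (service installed, which PsExec generates when it drops PSEXESVC) and Security event 4688 (process creation with command-line auditing on), and raises an alert only when one account shows two or more of those behaviours within a short window. The `Account` field is an assumption that normalises TargetUserName (4624), SubjectUserName (4688) and the installing account's SID (7045) into one key.

```python
"""Heuristics for the valid-account tradecraft described above, run over
constructed Windows event records. Added example, not Cisco Talos code.
The `Account` field is an assumption that normalises TargetUserName (4624),
SubjectUserName (4688) and the installing account's SID (7045)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# PowerShell switches that rarely appear in interactive admin use but are common in tooling
POWERSHELL_FLAGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "-noni")

SAMPLE_EVENTS = [  # constructed
    # one account RDPs to a file server, drops PsExec's service, runs encoded PowerShell
    {"Time": "2025-03-14T02:05:00", "EventID": 4624, "LogonType": 10, "Account": "CORP\\jsmith",
     "Host": "FS01", "SourceHost": "WKS-TEMP"},
    {"Time": "2025-03-14T02:09:00", "EventID": 7045, "Account": "CORP\\jsmith", "Host": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"Time": "2025-03-14T02:12:00", "EventID": 4688, "Account": "CORP\\jsmith", "Host": "FS01",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    # routine admin RDP from the jump host plus an ordinary PowerShell run: must not alert
    {"Time": "2025-03-14T09:00:00", "EventID": 4624, "LogonType": 10, "Account": "CORP\\ops-admin",
     "Host": "DC01", "SourceHost": "JUMP01"},
    {"Time": "2025-03-14T09:02:00", "EventID": 4688, "Account": "CORP\\ops-admin", "Host": "DC01",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Get-Service -Name Spooler"},
]


def classify(event: dict) -> Optional[str]:
    """Map one event to a behaviour tag, or None when it is not of interest."""
    eid = event["EventID"]
    if eid == 4624 and event.get("LogonType") == 10:      # RemoteInteractive = RDP
        return "rdp_logon"
    if eid == 7045:
        blob = (event.get("ServiceName", "") + event.get("ImagePath", "")).lower()
        if "psexesvc" in blob:                             # PsExec's default service name
            return "psexec_service"
    if eid == 4688:
        image = event.get("NewProcessName", "").lower()
        cmd = event.get("CommandLine", "").lower()
        if image.endswith("powershell.exe") and any(f in cmd for f in POWERSHELL_FLAGS):
            return "suspicious_powershell"
    return None


def correlate(events, window=timedelta(minutes=30)) -> list:
    """Alert when one account shows two or more distinct behaviours inside `window`.
    Any single tag is normal administration; the combination is the signal."""
    per_account = defaultdict(list)
    for e in events:
        tag = classify(e)
        if tag:
            per_account[e["Account"].lower()].append((datetime.fromisoformat(e["Time"]), tag, e["Host"]))
    alerts = []
    for account, hits in per_account.items():
        hits.sort()
        best = None
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            tags = {h[1] for h in in_window}
            if len(tags) >= 2 and (best is None or len(tags) > len(best["tags"])):
                best = {"account": account, "start": start.isoformat(), "tags": sorted(tags),
                        "hosts": sorted({h[2] for h in in_window})}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Renaming PSEXESVC (PsExec's -r switch) defeats the 7045 check, so in production the service-name match is best paired with the named pipe or the image hash; the account-level correlation still holds regardless of the service name.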

Attacks against MFA concentrate on identity systems

MFA became a primary target, with attackers focusing on both large-scale and targeted techniques.

MFA spray attacks concentrated on identity systems. In 2025, 30% of these attacks targeted identity and access management applications, up from 24% in 2024. Technology companies accounted for 36% of MFA spray activity due to predictable login patterns and standardized environments.

More targeted methods also increased. Fraudulent device registration events rose by 178% from 2024 to 2025. These attacks let adversaries register a device they control as a trusted second factor, giving them persistent access that a password reset alone does not revoke.

Administrator-managed registration accounted for 77% of device compromise cases, compared to 12% for user-managed registration and 5% for link-initiated registration.
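The spray figures and the device-registration figures above point at two checks an identity team can run over its own MFA logs. The script below is an added example, not Talos or Duo code, over constructed records whose field names (`mfa_push`, `device_registered`, a `method` of admin, user or link) are assumptions rather than any vendor's schema. The spray detector looks for one source address prompting many distinct accounts in a short window. The registration scorer uses three signals: a run of denied or timed-out prompts for the user shortly before the registration, a registering actor other than the user (the admin-managed path that dominates the compromise cases), and a first use of the new device from an address the user has never authenticated from. Since admin-managed registration is routine helpdesk work in many environments, that signal only escalates in combination with another.

```python
"""Identity-log heuristics for the two MFA abuse patterns described above: a
spray (one source pushing prompts at many users) and a device registration that
looks like an attacker adding a factor they control. Added example over
constructed records; not Cisco Talos or Duo code. Field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def _push(ts, user, ip, result, device=None):
    return {"ts": ts, "type": "mfa_push", "user": user, "ip": ip, "result": result, "device": device}


def _reg(ts, user, actor, method, device):
    return {"ts": ts, "type": "device_registered", "user": user, "actor": actor,
            "method": method, "device": device}


SAMPLE_EVENTS = [  # constructed
    _push("2025-06-02T08:00:00", "alice", "198.51.100.20", "approved", "dev-1"),
    _push("2025-06-02T08:05:00", "carol", "198.51.100.31", "approved", "dev-3"),
    # one source address prompting six accounts in a few minutes: a spray
    _push("2025-06-02T09:00:00", "alice", "203.0.113.9", "timeout"),
    _push("2025-06-02T09:01:00", "bob",   "203.0.113.9", "denied"),
    _push("2025-06-02T09:02:00", "carol", "203.0.113.9", "timeout"),
    _push("2025-06-02T09:03:00", "dave",  "203.0.113.9", "timeout"),
    _push("2025-06-02T09:04:00", "erin",  "203.0.113.9", "denied"),
    _push("2025-06-02T09:05:00", "frank", "203.0.113.9", "timeout"),
    _push("2025-06-02T09:06:00", "carol", "203.0.113.9", "timeout"),
    _push("2025-06-02T09:08:00", "carol", "203.0.113.9", "timeout"),
    # an admin then registers a new device for carol; its first use comes from the spray address
    _reg("2025-06-02T09:30:00", "carol", "helpdesk-admin", "admin", "dev-77"),
    _push("2025-06-02T09:33:00", "carol", "203.0.113.9", "approved", "dev-77"),
    # alice enrols her own replacement phone and uses it from her usual address
    _reg("2025-06-02T10:00:00", "alice", "alice", "user", "dev-9"),
    _push("2025-06-02T10:02:00", "alice", "198.51.100.20", "approved", "dev-9"),
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_mfa_spray(events, window=timedelta(minutes=10), min_users=5) -> list:
    """Flag any source IP that prompts at least min_users distinct accounts within window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_push":
            by_ip[e["ip"]].append((_ts(e), e["user"]))
    alerts = []
    for ip, pushes in by_ip.items():
        pushes.sort()
        best, best_start = 0, None
        for i, (start, _) in enumerate(pushes):          # sliding window over this IP's prompts
            users = {u for t, u in pushes[i:] if t - start <= window}
            if len(users) > best:
                best, best_start = len(users), start
        if best >= min_users:
            alerts.append({"ip": ip, "users": best, "start": best_start.isoformat()})
    return alerts


def assess_registrations(events, lookback=timedelta(hours=24), min_failures=3) -> list:
    """Score each device registration on three signals and decide whether to escalate."""
    evs = sorted(events, key=_ts)
    pushes = [e for e in evs if e["type"] == "mfa_push"]
    out = []
    for reg in (e for e in evs if e["type"] == "device_registered"):
        t, user = _ts(reg), reg["user"]
        mine = [p for p in pushes if p["user"] == user]
        reasons = []
        failures = [p for p in mine if p["result"] in ("denied", "timeout")
                    and timedelta(0) <= t - _ts(p) <= lookback]
        if len(failures) >= min_failures:               # push fatigue or spray just before enrolment
            reasons.append("preceded_by_mfa_failures")
        if reg["actor"].lower() != user.lower():        # admin- or link-initiated, not the user
            reasons.append("registered_by_other_actor")
        known_ips = {p["ip"] for p in mine if p["result"] == "approved" and _ts(p) < t}
        first_use = next((p for p in mine if p["device"] == reg["device"]
                          and p["result"] == "approved" and _ts(p) >= t), None)
        if first_use and first_use["ip"] not in known_ips:
            reasons.append("first_use_from_new_ip")
        out.append({"user": user, "device": reg["device"], "actor": reg["actor"],
                    "method": reg["method"], "reasons": reasons,
                    # one strong signal, or two weaker ones, is enough to escalate
                    "flagged": "preceded_by_mfa_failures" in reasons or len(reasons) >= 2})
    return out


if __name__ == "__main__":
    print(detect_mfa_spray(SAMPLE_EVENTS))
    for r in assess_registrations(SAMPLE_EVENTS):
        print(r)
```

The thresholds (five users in ten minutes, three failures in a day) are starting points to tune against a baseline; technology companies' standardised login patterns, which the report singles out, make a spray stand out more sharply than in an environment with noisy authentication traffic.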

Industry targeting varied by attack type. Higher education ranked first for device compromise attacks, driven by diverse and unmanaged device environments, while spray attacks concentrated in sectors with consistent identity practices.

Email threats align with business workflows

Email remained a primary access vector, with phishing used in 40% of incident response cases. Attackers also reused phishing after initial access, with 35% of phishing cases involving internal email activity from compromised accounts.

In one quarter, 75% of phishing-based intrusions originated from trusted accounts, increasing the likelihood of user interaction.

Lure themes remained stable at the core. About 60% of the top phishing subject terms matched those seen in 2024, including invoice, payment, and meeting-related language.

Travel-related terms such as “airport,” “itinerary,” and “boarding” increased in frequency, reflecting targeting of corporate travel workflows. Technical language also grew more common, including terms like “error,” “domain,” and “configuration,” which align with IT operations messaging.

A separate trend involved infrastructure abuse. Attackers abused Microsoft 365 Direct Send, a feature that lets on-premises devices and applications submit mail to a tenant's MX endpoint without authenticating, to deliver messages carrying internal sender addresses without compromising any account. Because such messages appear to originate inside the organization, they bypassed checks that would normally stop spoofed external mail.
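Delivered Direct Send messages do leave a recognisable shape in the headers: an internal sender domain on a message that Exchange Online accepted anonymously, usually with an SPF or DMARC failure and a connecting IP that is not one of the organisation's own relays. The script below checks for that shape, as an added example rather than anything from Talos or Microsoft. The tenant domain `contoso.com` and the relay allow-list are assumptions; the `Authentication-Results` and `X-MS-Exchange-Organization-AuthAs` headers it reads are the ones Exchange Online stamps on inbound mail. The three messages are constructed samples.

```python
"""Spot mail that arrived through Direct Send with an internal sender address.
Added example; not Cisco Talos or Microsoft code. The tenant domain and relay
allow-list are assumptions; the two headers inspected are the ones Exchange
Online stamps on inbound mail."""
import email
import email.utils
import re

TENANT_DOMAINS = {"contoso.com"}          # assumption: the organisation's accepted domains
RELAY_ALLOWLIST = {"198.51.100.5"}        # assumption: on-prem devices permitted to Direct Send

# constructed sample 1: spoofed internal sender via Direct Send from an unknown address
SPOOFED_DIRECT_SEND = """\
From: IT Helpdesk <helpdesk@contoso.com>
To: alice@contoso.com
Subject: Action required: mailbox configuration error
Authentication-Results: spf=fail (sender IP is 203.0.113.77) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
Message-ID: <c1@contoso.com>

A configuration error was detected on your mailbox. Sign in to resolve it.
"""

# constructed sample 2: the multifunction printer the allow-list exists for
RELAY_OK = """\
From: Scanner <scanner@contoso.com>
To: alice@contoso.com
Subject: Scanned document
Authentication-Results: spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous
Message-ID: <c2@contoso.com>

See attached.
"""

# constructed sample 3: ordinary external mail, out of scope for this check
EXTERNAL_OK = """\
From: Billing <billing@example.org>
To: alice@contoso.com
Subject: Invoice 4411
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass action=none header.from=example.org; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous
Message-ID: <c3@example.org>

Invoice attached.
"""


def _auth_results(msg):
    """Pull the spf and dmarc verdicts and the connecting IP out of Authentication-Results."""
    ar = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))

    def field(name):
        m = re.search(rf"\b{name}=(\w+)", ar)
        return m.group(1).lower() if m else "none"

    ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", ar)
    return field("spf"), field("dmarc"), (ip.group(1) if ip else None)


def assess_message(raw: str) -> dict:
    """Flag an internal-looking sender that was accepted anonymously and also
    failed SPF/DMARC or came from an address not on the relay allow-list."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    spf, dmarc, ip = _auth_results(msg)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    reasons = []
    if from_domain in TENANT_DOMAINS and auth_as == "anonymous":
        reasons.append("internal_sender_unauthenticated")   # the Direct Send shape
        if spf != "pass":
            reasons.append(f"spf_{spf}")
        if dmarc != "pass":
            reasons.append(f"dmarc_{dmarc}")
        if ip not in RELAY_ALLOWLIST:
            reasons.append("source_ip_not_allowlisted")
    return {"from_domain": from_domain, "source_ip": ip, "auth_as": auth_as,
            "reasons": reasons, "flagged": len(reasons) > 1}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_DIRECT_SEND), ("relay", RELAY_OK), ("external", EXTERNAL_OK)):
        print(name, assess_message(raw))
```

The allow-listed printer is reported but not flagged, which is the point of keeping the allow-list explicit: every legitimate Direct Send source should be enumerable. Where nothing on-premises needs the feature, Exchange Online's tenant-level `Set-OrganizationConfig -RejectDirectSend $true` closes the channel outright and makes this detection unnecessary.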

AI expands attacker capabilities

AI continued to influence attacker behavior without replacing existing methods. AI lowered barriers for social engineering and enabled more convincing impersonation through deepfake technology.

Organizations faced new categories of risk tied to AI usage, including prompt injection and context manipulation. At the same time, defenders applied AI to triage alerts and correlate activity across environments.
