Talos, Cisco’s cyber intelligence division, has detected a significant increase in cybercriminal attacks during 2025, especially identity-based attacks.
The latest Cisco Talos Year in Review report identifies three primary attack vectors: widespread exploitation of vulnerabilities across the entire lifecycle (from newly disclosed flaws to decades-old legacy issues); attacks targeting the ‘trust architecture’ (identity and authentication); and the exploitation of centralized and widely used frameworks to maximize impact.
“Adversaries move at breakneck speed to exploit vulnerabilities, often in a matter of hours, leaving security teams with virtually no time to react between detection and infiltration,” says Ángel Ortiz, Director of Cybersecurity at Cisco Spain. “In this dangerous race against time, we see a heavy reliance on legacy and obsolete infrastructures, which provide an ‘open door’ for attackers. Add to this the skyrocketing increase in identity-based attacks, and organizations must replace the old reactive patching model with a proactive, identity-centric security strategy.”
Cisco Talos Key Takeaways
- Identity is the primary target. Device compromise techniques targeting multi-factor authentication (MFA) and identity infrastructure increased by 178% during 2025. Once credentials are compromised, attackers stealthily extend their reach through internal phishing and abuse of identity controls, effectively gaining control of the entire environment and enabling persistent lateral movement.
- Exploitation across the entire spectrum of vulnerabilities. Although attackers are rapidly exploiting new, high-profile vulnerabilities (such as React2Shell, which became the most attacked vulnerability of the year just three weeks after its disclosure), they continue to systematically exploit old vulnerabilities.
- The risk of legacy systems remains. 32% of the 100 most attacked vulnerabilities were more than a decade old.
- Exposure to outdated systems. Nearly 40% of the most attacked vulnerabilities affect systems that can no longer receive security patches.
- Risk of shared frameworks. Approximately 25% of the 100 most attacked vulnerabilities affected widely used frameworks and libraries, allowing attackers to exploit a single vulnerability across multiple sectors.
- Industrialized ransomware. Qilin was the most prevalent ransomware variant in 2025, with around 40 victims per month. The manufacturing sector has continued to be the most attacked.
Cisco recommends security teams go beyond reactive measures and focus on the pillars that actually stop attackers. As Ortiz concludes, “to build a strong defense, organizations must prioritize three key actions: quickly patch new vulnerabilities to stay ahead of the shrinking scope for exploitation, strengthen identity infrastructure with phishing-resistant MFA authentication, and dismantle outdated systems that act as permanent backdoors for attackers.”
The complete Cisco Talos 2025 Year in Review report is available for consultation.
