Thursday, April 2, 2026

A dialogue on what the data means for defenders


Every year, the Cisco Talos Year in Review captures the trends shaping the threat landscape. The 2025 report paints a clear picture: attackers are moving faster than ever, and identity-related attacks have become the primary battleground.

To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security.

Here are the highlights of their conversation. For the full discussion, head over to the Cisco Talos blog, where you can also download the Year in Review report.

Marshall:
One of the clearest trends in this year's data is the contrast in how vulnerabilities are being exploited. We saw React2Shell disclosed in December, and within weeks it became the most targeted vulnerability we tracked.

At the same time, a 12-year-old vulnerability still appeared in the top 10 most exploited list. So we're seeing very rapid weaponization (likely fuelled by AI, given the compressed timeline from initial proof of concept to large-scale exploitation, across multiple languages and platforms) alongside continued success with legacy flaws.

Bailey:
There's always a lot of focus on the latest zero-day, and rightly so. The industrialization of vulnerability exploitation is extremely concerning. But at the same time, many attacks are still leveraging vulnerabilities that have been around for years.

Organizations are dealing with complexity. Large environments. Long device lifecycles. Change management processes that take time. But attackers don't care about those constraints. They actually rely on them.

This is where we need to repeat that the fundamentals still matter. Patch management, asset visibility, lifecycle discipline... We still have work to do there as an industry.

Marshall:
And then you have 40% of the top 100 exploited vulnerabilities being effective because organizations were running end-of-life devices. That's a measurable problem. When infrastructure is no longer supported, attackers know it. They scan for it, and then they target it. Technical debt becomes operational risk.

Bailey:
Absolutely. In most cases it's not that customers don't want to patch. It's that their critical networking infrastructure has been stable for years, and taking it offline can disrupt the business.

As an industry, we have to reduce that friction. Cisco is a big part of that, with built-in protections in our networking gear that can be applied without downtime, and options to shield systems when patching can't happen immediately.

Marshall:
If there's one area where attackers are consistently investing their time and energy, it's identity. In 2025, identity-based attack techniques were central to major phases of operations, like lateral movement, privilege escalation, and persistence. Controlling identity effectively means controlling access across the environment.

One of the most striking data points in the report is that fraudulent device registration increased 178 percent year over year. In many cases, attackers convinced administrators to register devices on their behalf through vishing (voice phishing). They targeted administrator-managed registration flows at three times the rate of user-driven ones. There's a clear preference for high-value victims.

Bailey:
And unfortunately those stolen credentials are widely available. Logging in is often easier than breaking in. Once attackers obtain legitimate access, they can blend in.

For defenders, identity controls need to go beyond authentication. You need continuous monitoring. You need risk-based adjustments to access. You have to detect abnormal behavior quickly.

Marshall:
We're also seeing a rise in internal phishing. More than a third of the phishing incidents we observed involved attackers sending messages from already compromised accounts.

Once inside, they create mailbox rules to hide replies and suppress visibility. They explore shared drives and collaboration platforms. They look for sensitive information that can help them expand access. All of this means defenders need strong visibility into normal user behavior. If accounts suddenly start sending far more messages than normal, or accessing files they never touched before, that should stand out.

Bailey:
Identity is no longer just an authentication problem. It's a monitoring and governance problem as well.
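The two internal-phishing signals Marshall describes (mailbox rules that bury replies, and an account that suddenly sends far more mail than it normally does) can be turned into simple detections. The sketch below is an added example written for this summary; it is not code from the original post, from Cisco Talos or from the Year in Review. The event schema, the folder list and the sample log lines are all constructed for the example and do not reproduce any real mail platform's audit-log format.

```python
"""Added detection sketch: flag (1) new mailbox rules that hide incoming
mail and (2) an account whose daily outbound volume jumps far above its own
baseline. The event schema and sample data below are constructed for this
example; they are not a real Exchange/Microsoft 365 audit-log format."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Folders attackers commonly route replies into so the mailbox owner never
# sees them (assumed list for this example; tune to your mail platform).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


def suspicious_inbox_rules(events):
    """Return (user, rule_name, reason) for rule-creation events whose
    actions suppress visibility of incoming mail."""
    findings = []
    for ev in events:
        if ev.get("op") != "New-InboxRule":
            continue
        p = ev["params"]
        reasons = []
        if p.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        if p.get("MarkAsRead"):
            reasons.append("marks matching mail read")
        folder = p.get("MoveToFolder") or ""
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to '{folder}'")
        if reasons:
            findings.append((ev["user"], p.get("Name", "<unnamed>"),
                             "; ".join(reasons)))
    return findings


def outbound_volume_anomalies(events, sigma=3.0, min_count=20):
    """Per user, compare the most recent day's sent-message count with
    mean + sigma * stdev of that user's earlier days. min_count keeps
    low-volume noise (3 messages vs 1) from alerting."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("op") != "MessageSent":
            continue
        day = datetime.fromisoformat(ev["ts"]).date()
        per_day[ev["user"]][day] += 1
    findings = []
    for user, days in per_day.items():
        if len(days) < 3:          # not enough history for a baseline
            continue
        ordered = sorted(days)
        latest, history = ordered[-1], [days[d] for d in ordered[:-1]]
        threshold = mean(history) + sigma * pstdev(history)
        if days[latest] >= min_count and days[latest] > threshold:
            findings.append((user, latest.isoformat(), days[latest],
                             round(threshold, 1)))
    return findings


def sample_events():
    """Constructed log: alice sends 4-6 messages a day for five days, then
    60 on the sixth, and creates a rule that buries replies; bob is steady
    and only files newsletters."""
    ev = []
    for i, n in enumerate([4, 6, 5, 4, 6, 60]):
        for k in range(n):
            ev.append({"op": "MessageSent", "user": "alice@example.test",
                       "ts": f"2025-03-{10 + i:02d}T09:{k:02d}:00"})
    for i in range(6):
        for k in range(5):
            ev.append({"op": "MessageSent", "user": "bob@example.test",
                       "ts": f"2025-03-{10 + i:02d}T10:{k:02d}:00"})
    ev.append({"op": "New-InboxRule", "user": "alice@example.test",
               "params": {"Name": "Cleanup",
                          "SubjectContainsWords": ["re:", "invoice"],
                          "MoveToFolder": "RSS Feeds", "MarkAsRead": True}})
    ev.append({"op": "New-InboxRule", "user": "bob@example.test",
               "params": {"Name": "Sort newsletters",
                          "MoveToFolder": "Newsletters"}})
    return ev


if __name__ == "__main__":
    events = sample_events()
    for f in suspicious_inbox_rules(events):
        print("RULE   ", f)
    for f in outbound_volume_anomalies(events):
        print("VOLUME ", f)
```

Against the constructed log, only alice's rule and alice's sixth day are flagged; bob's newsletter rule and steady volume stay quiet. The volume check deliberately compares each account with its own history rather than with a fleet-wide number, since a sales mailbox and an engineer's mailbox have very different "normal" levels, and the absolute floor stops a quiet account going from one message to three from paging anyone.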

Read the full post on the Cisco Talos blog

