2025 Talos Year in Review: Speed, Scale, and Staying Power

Summary: In 2025, adversaries rapidly exploited both new and long-standing vulnerabilities, targeting systems that manage authentication and trust as well as centralized infrastructure for broader impact.

The pace and scale of cyber adversaries' activities in 2025 placed significant pressure on security teams. According to Cisco Talos, three key themes emerged: the rapid exploitation of new vulnerabilities, attacks on systems managing authentication and trust, and the targeting of centralized infrastructure for greater impact.

Firstly, adversaries exploited both newly disclosed vulnerabilities and those that had been known for years. The React2Shell vulnerability, which was publicly disclosed in December 2025, became the seventh-most-exploited CVE just three weeks after its disclosure. This underscores the increasing sophistication of automated exploit development and the rapid spread of public proof-of-concept code.

Secondly, attackers focused on systems that manage authentication, authorization, and device trust. Compromised credentials were often used to extend access through phishing attacks or abuse of identity controls within network infrastructure. Control over these identity systems frequently meant control over the broader environment.

Thirdly, threat actors targeted centralized infrastructure such as management platforms and shared frameworks. Approximately 25% of the Top 100 vulnerabilities affected widely used frameworks and libraries embedded deep in software stacks, underscoring their mass exploitation potential across various vendors and applications.

Key facts

  • Rapid exploitation of both new and long-standing vulnerabilities
  • Focus on systems managing authentication, authorization, and device trust
  • Targeting centralized infrastructure for broader impact

Why it matters

Understanding these trends is crucial for security teams to prioritize actions that reduce exposure and strengthen defenses against increasingly complex and widespread attacks.