What Cisco Talos’ 2025 Year in Review tells us about modern cyber risk and what organisations should do next
The Cisco Talos 2025 Year in Review makes one thing abundantly clear: cyber attackers are no longer winning because they are more sophisticated; they are winning because they are faster.
Across vulnerabilities, ransomware, identity attacks and phishing, 2025 was defined by rapid weaponisation, long‑lived exposure, and a relentless focus on identity and access. For UK organisations, this has important implications for how we prioritise security investment and operational effort in 2026.
Speed now matters more than severity
One of the most striking findings is how quickly new vulnerabilities are exploited. React2Shell, disclosed in December 2025, became the most targeted vulnerability of the entire year within weeks. Similarly, the Microsoft SharePoint ToolShell flaws surged into the top five almost immediately after disclosure.
At the same time, decade‑old vulnerabilities such as Log4j, PHPUnit and Adobe ColdFusion continue to be heavily exploited, not because they are new but because they remain deeply embedded in applications, third‑party software and legacy systems.
The takeaway:
Attackers prioritise exposure and reach, not age. Organisations can no longer rely on traditional patch cycles alone; visibility and speed of response are critical.
Identity is the new perimeter
Throughout 2025, attackers consistently targeted systems that validate trust and broker access. Rather than attacking individual endpoints, threat actors focused on:
- VPN gateways
- Application Delivery Controllers (ADCs)
- Firewalls and identity‑aware network devices
- Network and security management platforms
Compromising these systems allows attackers to bypass MFA, steal session tokens, impersonate users and move laterally at scale. In many cases, a single exploited device provided access to entire environments.
The takeaway:
Network infrastructure is now part of your identity layer. Devices such as firewalls, VPNs and ADCs must be protected and monitored with the same rigour as identity platforms.
MFA is under sustained attack
Multi‑factor authentication remains essential, but attackers are increasingly finding ways around it.
In 2025, Talos observed:
- A rise in MFA spray attacks targeting cloud IAM platforms
- A 178% increase in MFA device compromise incidents
- Heavy use of voice phishing (vishing) to trick IT administrators into registering attacker‑controlled devices
Once an attacker controls a registered MFA device, they gain persistent, high‑trust access that bypasses future authentication challenges.
The takeaway:
MFA alone is not enough. Strong MFA enrolment controls, phishing‑resistant MFA, and device governance are now essential.
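The two MFA patterns above, prompt spraying and a device registered after a helpdesk reset, are both visible in ordinary identity-provider logs if you look for them. The following is an added illustration written for this post, not code from Cisco Talos or from any product; the event field names (`type`, `user`, `ip`, `device_id`) and the sample events are constructed for the example, and the thresholds are starting points rather than recommendations.

```python
"""Toy identity-log checks for two MFA abuse patterns: prompt/spray flooding
against a user, and an MFA device registered from an unfamiliar IP shortly
after a helpdesk-initiated MFA reset (the vishing pattern)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry). The field names are an
# assumption made for this example; map them onto the fields your IdP emits.
EVENTS = [
    {"ts": "2025-09-03T08:01:00Z", "user": "alice", "type": "signin_success", "ip": "203.0.113.10"},
    {"ts": "2025-09-03T08:02:10Z", "user": "bob", "type": "mfa_challenge", "ip": "198.51.100.7"},
    {"ts": "2025-09-03T08:02:40Z", "user": "bob", "type": "mfa_challenge", "ip": "198.51.100.7"},
    {"ts": "2025-09-03T08:03:15Z", "user": "bob", "type": "mfa_challenge", "ip": "198.51.100.7"},
    {"ts": "2025-09-03T08:04:00Z", "user": "bob", "type": "mfa_challenge", "ip": "198.51.100.7"},
    {"ts": "2025-09-03T08:05:30Z", "user": "bob", "type": "mfa_challenge", "ip": "198.51.100.7"},
    {"ts": "2025-09-03T08:06:05Z", "user": "bob", "type": "mfa_challenge", "ip": "198.51.100.7"},
    {"ts": "2025-09-03T08:30:00Z", "user": "alice", "type": "mfa_challenge", "ip": "203.0.113.10"},
    {"ts": "2025-09-03T09:15:00Z", "user": "carol", "type": "mfa_reset", "ip": "10.0.0.5", "actor": "helpdesk"},
    {"ts": "2025-09-03T09:20:00Z", "user": "carol", "type": "mfa_device_registered", "ip": "198.51.100.9", "device_id": "dev-42"},
    {"ts": "2025-09-03T10:00:00Z", "user": "alice", "type": "mfa_device_registered", "ip": "203.0.113.10", "device_id": "dev-7"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_spray(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, ip) pairs that receive >= threshold MFA challenges inside a
    sliding time window. Returns a list of (user, ip, peak_count) tuples."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "mfa_challenge":
            by_key[(ev["user"], ev["ip"])].append(parse_ts(ev["ts"]))

    findings = []
    for (user, ip), times in by_key.items():
        start = 0
        peak = 0
        # Two-pointer sliding window over the time-ordered challenge list.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append((user, ip, peak))
    return findings


def detect_suspicious_registration(events, grace=timedelta(hours=1)):
    """Flag MFA device registrations that follow a helpdesk MFA reset within
    `grace` and come from an IP the user has never successfully signed in from."""
    last_reset = {}               # user -> time of most recent mfa_reset
    known_ips = defaultdict(set)  # user -> IPs seen in successful sign-ins so far
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = parse_ts(ev["ts"])
        user = ev["user"]
        if ev["type"] == "signin_success":
            known_ips[user].add(ev["ip"])
        elif ev["type"] == "mfa_reset":
            last_reset[user] = t
        elif ev["type"] == "mfa_device_registered":
            recent_reset = user in last_reset and t - last_reset[user] <= grace
            new_ip = ev["ip"] not in known_ips[user]
            if recent_reset and new_ip:
                findings.append({"user": user, "device_id": ev.get("device_id"),
                                 "ip": ev["ip"], "reset_at": last_reset[user].isoformat()})
    return findings


if __name__ == "__main__":
    for user, ip, n in detect_mfa_spray(EVENTS):
        print(f"MFA spray: {user} from {ip}, {n} challenges within 10 minutes")
    for finding in detect_suspicious_registration(EVENTS):
        print(f"Suspicious MFA enrolment: {finding}")
```

On the sample data the first check flags bob (six challenges in under four minutes) and the second flags carol's new device, registered five minutes after a helpdesk reset from an address she had never signed in from; alice's registration from her usual address is left alone. The point of the second rule is that enrolment, not just authentication, is the event worth alerting on.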
Ransomware continues to evolve but patterns remain
Ransomware remained one of the most disruptive threats in 2025, with manufacturing once again the most targeted sector due to low tolerance for downtime and complex hybrid environments.
While new ransomware groups appear frequently, a small number of operators (including Qilin, Akira and Play) demonstrated unusual longevity and operational maturity. Most ransomware attacks relied on:
- Stolen or valid credentials
- Built‑in administrative tools
- Identity‑based lateral movement
Interestingly, ransomware activity consistently dipped in January, likely because of regional holidays; that lull offers defenders a valuable window for testing their defences.
The takeaway:
Ransomware is still fundamentally an identity‑driven attack. Backups, segmentation and detection are vital but preventing credential abuse remains key.
Phishing looks more like everyday business
Email threats became more convincing in 2025. Rather than generic spam, attackers increasingly mimicked normal business workflows, including:
- IT alerts and system notifications
- Travel itineraries and booking confirmations
- Financial approvals and compensation messages
A particularly notable trend was the abuse of Microsoft 365 Direct Send, which allowed attackers to spoof internal emails without compromising any accounts, bypassing traditional email authentication controls.
The takeaway:
“Internal‑looking” emails cannot be trusted by default. Email security controls must treat internal and external messages with equal scrutiny.
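One practical form of "equal scrutiny" is to stop trusting the From: address and instead ask whether a message that claims to be internal actually authenticated as your domain. The check below is an added example written for this post, not code from Cisco Talos or Microsoft, and it is deliberately generic rather than specific to Direct Send: it assumes your inbound gateway stamps an RFC 8601 Authentication-Results header, that `ORG_DOMAINS` holds your accepted domains, and the three sample messages are constructed.

```python
"""Classify inbound mail: external, internal and authenticated, or internal-looking
but unauthenticated (From: claims our domain, yet no aligned DKIM or DMARC pass)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example; replace with the domains your tenant accepts mail for.
ORG_DOMAINS = {"example.com"}

# Constructed sample messages (not real mail). Only the headers matter here.
LEGIT_INTERNAL = """From: IT Service Desk <it-alerts@example.com>
To: alice@example.com
Subject: Scheduled maintenance on Saturday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Reminder: the file server will be offline 08:00-10:00.
"""

SPOOFED_INTERNAL = """From: IT Service Desk <it-alerts@example.com>
To: alice@example.com
Subject: Action required: re-register your MFA device
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please call the number below to complete your device registration.
"""

EXTERNAL_PARTNER = """From: Jo Partner <jo@partner.example.net>
To: alice@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example.net; dkim=pass header.d=partner.example.net; dmarc=pass header.from=partner.example.net

Attached as discussed.
"""


def parse_auth_results(header):
    """Return {method: (result, {property: value})} from an Authentication-Results
    header. Handles the common 'authserv-id; method=result prop=value ...' shape."""
    results = {}
    if not header:
        return results
    for clause in header.split(";")[1:]:  # [0] is the authserv-id, e.g. mx.example.com
        parts = clause.strip().split()
        if not parts or "=" not in parts[0]:
            continue
        method, result = parts[0].split("=", 1)
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        results[method.lower()] = (result.lower(), props)
    return results


def from_domain(msg):
    """Domain part of the RFC 5322 From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(raw_message):
    """Return 'external', 'internal-authenticated' or 'internal-unauthenticated'."""
    msg = message_from_string(raw_message)
    if from_domain(msg) not in ORG_DOMAINS:
        return "external"
    auth = parse_auth_results(msg.get("Authentication-Results"))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    dmarc_result, _ = auth.get("dmarc", ("none", {}))
    # Internal mail is trusted only if DKIM passed for one of our own domains
    # (alignment), or DMARC evaluated to pass.
    dkim_aligned = dkim_result == "pass" and dkim_props.get("header.d", "").lower() in ORG_DOMAINS
    if dkim_aligned or dmarc_result == "pass":
        return "internal-authenticated"
    return "internal-unauthenticated"


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_INTERNAL), ("spoofed", SPOOFED_INTERNAL), ("partner", EXTERNAL_PARTNER)]:
        print(f"{name}: {classify(raw)}")
```

The spoofed message carries the same display name and From: address as the genuine IT alert, which is exactly why a rule keyed on sender address or "internal" routing cannot separate them; the only difference a gateway can act on is that the genuine one authenticated as example.com and the spoofed one did not. Messages that land in the third bucket are the ones to quarantine or tag, regardless of how internal they look.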
AI is accelerating both attack and defence
AI did not fully automate attacks in 2025, but it dramatically lowered the barrier to social engineering and increased the scale and realism of phishing, impersonation and fake identities.
Threat actors also began experimenting with AI‑enabled malware and autonomous tooling, while defenders increasingly relied on AI for alert triage and correlation.
The takeaway:
AI is now a permanent feature of the threat landscape. Organisations must prepare for faster, more scalable attacks while responsibly adopting AI in their own security operations.
What this means for organisations in 2026
The core lesson from the Cisco Talos report is simple but challenging:
Modern security is no longer just about patching systems; it is about protecting identity, access and control planes at speed.
Organisations should prioritise:
- Faster vulnerability response for internet‑facing systems
- Treating network devices as identity infrastructure
- Strong MFA enrolment and device governance
- Identity‑centric detection and monitoring
- Regular testing of ransomware and incident response readiness
At Advania, we see these trends reflected daily across customer environments. The organisations that fare best are those that combine strong identity foundations, clear visibility, and operational discipline, not just more tools.
If you would like to discuss how these findings apply to your environment, or how to strengthen identity‑centric security in practice, the Advania team would be happy to help.