Cisco Talos Reports Exploitation of Public-Facing Apps as Leading Initial Access Vector
Cisco Talos Incident Response reported that exploitation of public-facing applications remained the top initial access method for a second consecutive quarter, appearing in nearly 40% of Q4 2025 engagements (down from 60%+ in Q3, when ToolShell activity surged). Talos highlighted rapid attacker uptake of newly disclosed vulnerabilities, including Oracle E-Business Suite CVE-2025-61882 and React2Shell CVE-2025-55182 (impacting React Server Components/Next.js and related frameworks), with exploitation observed around the time the issues became public—reinforcing the operational risk of internet-facing enterprise apps and default framework deployments.
The same Talos reporting noted phishing as the second most common initial access vector, including a credential-harvesting campaign targeting Native American tribal organizations that used compromised legitimate accounts to propagate additional internal phishing. Ransomware represented roughly 13% of engagements (down from ~20% the prior quarter and far below early-2025 levels), with Qilin continuing to feature prominently and no previously unseen ransomware variants observed. Separate coverage amplified Talos’ findings as a call for faster patching, citing examples where proof-of-concept code and exploitation activity emerged within hours to ~30 hours of disclosure for high-profile bugs like React2Shell and Oracle EBS.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Cisco Talos publishes Q4 2025 incident response trends report
On January 29, 2026, Cisco Talos published its Q4 2025 IR trends report, highlighting exploitation as the top initial access vector for the second consecutive quarter and warning that attackers are weaponizing vulnerabilities within hours. The report also emphasized recurring defensive gaps in patching, MFA, and centralized logging.
Ransomware incidents fall in Q4 2025 as Qilin remains dominant
Cisco Talos found ransomware and pre-ransomware incidents declined to about 13% of engagements in Q4 2025, down from 20% in Q3 and roughly 50% in Q1 and Q2. Qilin remained the dominant ransomware family in Talos IR cases, while DragonForce reappeared after about a year.
Phishing campaign targets Native American tribal organizations
Talos observed a credential-harvesting phishing campaign aimed at Native American tribal organizations during Q4 2025. Compromised accounts were then reused for internal and external follow-on phishing, with MFA weaknesses contributing to access.
Talos observes suspected Cisco appliance compromises using BadCandy and AquaShell
In Q4 2025 incident response work, Talos saw implants previously associated with APT-linked operations, including BadCandy on Cisco IOS XE and AquaShell in a suspected Cisco Secure Management Appliance compromise. Talos said neither case showed follow-on interactive activity.
React2Shell proof-of-concept circulates within about 30 hours
A functional proof-of-concept for the React2Shell vulnerability was reported to be circulating roughly 30 hours after public release. The rapid availability of exploit code underscored how quickly newly disclosed flaws were being operationalized.
Attackers rapidly exploit Oracle EBS and React2Shell flaws in Q4 2025
During Q4 2025, Talos observed threat actors exploiting Oracle E-Business Suite CVE-2025-61882 and React Server Components/Next.js-related CVE-2025-55182 ('React2Shell') shortly after public disclosure. In one case, exploitation led to deployment of the XMRig Monero cryptominer.
ToolShell exploitation drives most intrusions in Q3 2025
Cisco Talos reported that exploitation of public-facing applications accounted for about 62% of incident response engagements in Q3 2025, largely driven by ToolShell activity. This established exploitation as the leading initial access vector heading into the next quarter.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Exploited vulnerabilities drive the most cyber intrusions | SC Media
scworld.com
Open sourceI'm locked in!
blog.talosintelligence.com
Open sourceVulnerability exploits now dominate intrusions • The Register
go.theregister.com
Open sourceIR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations
blog.talosintelligence.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Rising exploitation pressure from zero-days and known exploited vulnerabilities
Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both **zero-day** activity and the growing backlog of **known exploited vulnerabilities (KEVs)**. A Talos retrospective counted **48,196 CVEs in 2025** and **241 KEVs** (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting **network edge infrastructure** (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems. Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said **Latin America** is seeing substantially higher weekly attack volume than the US (including higher proportions of **ransomware** and **infostealer** activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the *Coruna* **iOS exploit kit** rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.
Mar 21, 2026
Cybersecurity Predictions and Trend Roundups for 2026
Multiple outlets published early-2026 **trend and prediction** pieces describing how the threat landscape may evolve, emphasizing increased attacker scale and compressed exploit timelines. Cisco Talos forecast continued use of **infostealers**, phishing, and proxy actors conducting destructive/extortion activity amid geopolitical tension, and warned that more autonomous **AI agents** with broad internal access could drive breaches through poor governance and excessive permissions. runZero similarly predicted that 2026 will be shaped less by novel attacker capability and more by expanding exposure—especially as **OT/edge environments** become more internet-reachable through IT/cloud management—while AI accelerates the volume of low-quality exploit attempts and operational “noise.” Dark Reading also highlighted ecosystem-level shifts that complicate risk prioritization, reporting that **2025 CVE volume hit a record 48,177** and that changes in CVE issuance (e.g., increased reporting from WordPress-focused CNAs) are a major driver of the surge rather than a clear indicator of increased underlying risk. Separately, several items in the set are not predictions but point-in-time reporting on specific threats and vulnerabilities. Cisco Talos reported **UAT-8837**, assessed with medium confidence as a **China-nexus** actor, targeting North American **critical infrastructure** since at least 2025, using exploitation of vulnerable servers or compromised credentials for initial access and then deploying tools such as *Earthworm*, *SharpHound*, *DWAgent*, and *Certipy* for credential/AD discovery and persistence; Talos linked the actor’s infrastructure/TTPs to exploitation of **Sitecore ViewState deserialization zero-day `CVE-2025-53690`**. The Hacker News bulletin included a disclosure of **Redis `CVE-2025-62507` (CVSS 8.8)**, described as a stack-based buffer overflow in the `XACKDEL` command path that could enable **unauthenticated RCE** in default configurations, and noted thousands of exposed servers. Darktrace described rapid in-the-wild exploitation of **React/Next.js “React2Shell” `CVE-2025-55812`**, observing opportunistic scanning and follow-on activity (including payload delivery and cryptomining) shortly after public PoC release, with notable impact observed in cloud-hosted environments and the finance sector; Dark Reading also cited Cyble data indicating increased targeting and sales of compromised access affecting **retail and services** organizations in Australia and New Zealand.
Mar 21, 2026
Rapid Post-Disclosure Exploitation of Critical RCE Vulnerabilities
Security teams reported rapid, opportunistic exploitation of newly disclosed **unauthenticated remote code execution (RCE)** flaws, with attackers moving quickly from scanning to compromise. JPCERT/CC documented active compromise following disclosure of **React2Shell** in React Server Components (**CVE-2025-55182**), where multiple threat actors exploited the same exposed environment within days—initially dropping coin miners (e.g., `xmrig`), then deploying additional payloads including the **HISONIC** backdoor, **SNOWLIGHT** downloader, and **CrossC2**, and culminating in actions like cron-based persistence and website defacement. Separately, GreyNoise telemetry cited by BleepingComputer indicated that exploitation of two critical Ivanti Endpoint Manager Mobile (EPMM) RCEs (**CVE-2026-21962**, **CVE-2026-24061**) was heavily concentrated, with a single bulletproof-hosted source IP (193[.]24[.]123[.]42, PROSPERO OOO/AS200593) responsible for **83%** of observed activity and widespread use of OAST-style DNS callbacks consistent with initial-access validation. Several other items in the set were not tied to a single, specific exploitation event. A Help Net Security “week in review” roundup mixed interviews and assorted security items (including mention of an exploited BeyondTrust RCE) without providing a cohesive, single-incident account, while an NCSC-themed weekly highlights post primarily summarized guidance and calls for participation rather than detailing a discrete compromise. A CloudATG “insights” page contained unrelated, older recap and generic security content, and a Risky Business bulletin focused on law-enforcement developments around **IcedID** operators (including an alleged developer faking his death) rather than vulnerability exploitation activity.
Mar 21, 2026