Cisco Talos Reports Exploitation of Public-Facing Apps as Leading Initial Access Vector
Cisco Talos Incident Response reported that exploitation of public-facing applications remained the top initial access method for a second consecutive quarter, appearing in nearly 40% of Q4 2025 engagements (down from 60%+ in Q3, when ToolShell activity surged). Talos highlighted rapid attacker uptake of newly disclosed vulnerabilities, including Oracle E-Business Suite CVE-2025-61882 and React2Shell CVE-2025-55182 (impacting React Server Components/Next.js and related frameworks), with exploitation observed around the time the issues became public—reinforcing the operational risk of internet-facing enterprise apps and default framework deployments.
The same Talos reporting noted phishing as the second most common initial access vector, including a credential-harvesting campaign targeting Native American tribal organizations that used compromised legitimate accounts to propagate additional internal phishing. Ransomware represented roughly 13% of engagements (down from ~20% the prior quarter and far below early-2025 levels), with Qilin continuing to feature prominently and no previously unseen ransomware variants observed. Separate coverage amplified Talos’ findings as a call for faster patching, citing examples where proof-of-concept code and exploitation activity emerged within hours to ~30 hours of disclosure for high-profile bugs like React2Shell and Oracle EBS.
Related Entities
Vulnerabilities
Affected Products
Sources
Related Stories
Rising exploitation pressure from zero-days and known exploited vulnerabilities
Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both **zero-day** activity and the growing backlog of **known exploited vulnerabilities (KEVs)**. A Talos retrospective counted **48,196 CVEs in 2025** and **241 KEVs** (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting **network edge infrastructure** (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems. Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said **Latin America** is seeing substantially higher weekly attack volume than the US (including higher proportions of **ransomware** and **infostealer** activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the *Coruna* **iOS exploit kit** rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.
1 weeks ago
Cybersecurity Predictions and Trend Roundups for 2026
Multiple outlets published early-2026 **trend and prediction** pieces describing how the threat landscape may evolve, emphasizing increased attacker scale and compressed exploit timelines. Cisco Talos forecast continued use of **infostealers**, phishing, and proxy actors conducting destructive/extortion activity amid geopolitical tension, and warned that more autonomous **AI agents** with broad internal access could drive breaches through poor governance and excessive permissions. runZero similarly predicted that 2026 will be shaped less by novel attacker capability and more by expanding exposure—especially as **OT/edge environments** become more internet-reachable through IT/cloud management—while AI accelerates the volume of low-quality exploit attempts and operational “noise.” Dark Reading also highlighted ecosystem-level shifts that complicate risk prioritization, reporting that **2025 CVE volume hit a record 48,177** and that changes in CVE issuance (e.g., increased reporting from WordPress-focused CNAs) are a major driver of the surge rather than a clear indicator of increased underlying risk. Separately, several items in the set are not predictions but point-in-time reporting on specific threats and vulnerabilities. Cisco Talos reported **UAT-8837**, assessed with medium confidence as a **China-nexus** actor, targeting North American **critical infrastructure** since at least 2025, using exploitation of vulnerable servers or compromised credentials for initial access and then deploying tools such as *Earthworm*, *SharpHound*, *DWAgent*, and *Certipy* for credential/AD discovery and persistence; Talos linked the actor’s infrastructure/TTPs to exploitation of **Sitecore ViewState deserialization zero-day `CVE-2025-53690`**. The Hacker News bulletin included a disclosure of **Redis `CVE-2025-62507` (CVSS 8.8)**, described as a stack-based buffer overflow in the `XACKDEL` command path that could enable **unauthenticated RCE** in default configurations, and noted thousands of exposed servers. Darktrace described rapid in-the-wild exploitation of **React/Next.js “React2Shell” `CVE-2025-55812`**, observing opportunistic scanning and follow-on activity (including payload delivery and cryptomining) shortly after public PoC release, with notable impact observed in cloud-hosted environments and the finance sector; Dark Reading also cited Cyble data indicating increased targeting and sales of compromised access affecting **retail and services** organizations in Australia and New Zealand.
2 months ago
Rapid Post-Disclosure Exploitation of Critical RCE Vulnerabilities
Security teams reported rapid, opportunistic exploitation of newly disclosed **unauthenticated remote code execution (RCE)** flaws, with attackers moving quickly from scanning to compromise. JPCERT/CC documented active compromise following disclosure of **React2Shell** in React Server Components (**CVE-2025-55182**), where multiple threat actors exploited the same exposed environment within days—initially dropping coin miners (e.g., `xmrig`), then deploying additional payloads including the **HISONIC** backdoor, **SNOWLIGHT** downloader, and **CrossC2**, and culminating in actions like cron-based persistence and website defacement. Separately, GreyNoise telemetry cited by BleepingComputer indicated that exploitation of two critical Ivanti Endpoint Manager Mobile (EPMM) RCEs (**CVE-2026-21962**, **CVE-2026-24061**) was heavily concentrated, with a single bulletproof-hosted source IP (193[.]24[.]123[.]42, PROSPERO OOO/AS200593) responsible for **83%** of observed activity and widespread use of OAST-style DNS callbacks consistent with initial-access validation. Several other items in the set were not tied to a single, specific exploitation event. A Help Net Security “week in review” roundup mixed interviews and assorted security items (including mention of an exploited BeyondTrust RCE) without providing a cohesive, single-incident account, while an NCSC-themed weekly highlights post primarily summarized guidance and calls for participation rather than detailing a discrete compromise. A CloudATG “insights” page contained unrelated, older recap and generic security content, and a Risky Business bulletin focused on law-enforcement developments around **IcedID** operators (including an alleged developer faking his death) rather than vulnerability exploitation activity.
1 months ago