Rising exploitation pressure from zero-days and known exploited vulnerabilities
Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both zero-day activity and the growing backlog of known exploited vulnerabilities (KEVs). A Talos retrospective counted 48,196 CVEs in 2025 and 241 KEVs (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting network edge infrastructure (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems.
Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said Latin America is seeing substantially higher weekly attack volume than the US (including higher proportions of ransomware and infostealer activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the Coruna iOS exploit kit rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.
Related Entities
Malware
Organizations
Sources
Related Stories
Cybersecurity Predictions and Trend Roundups for 2026
Multiple outlets published early-2026 **trend and prediction** pieces describing how the threat landscape may evolve, emphasizing increased attacker scale and compressed exploit timelines. Cisco Talos forecast continued use of **infostealers**, phishing, and proxy actors conducting destructive/extortion activity amid geopolitical tension, and warned that more autonomous **AI agents** with broad internal access could drive breaches through poor governance and excessive permissions. runZero similarly predicted that 2026 will be shaped less by novel attacker capability and more by expanding exposure—especially as **OT/edge environments** become more internet-reachable through IT/cloud management—while AI accelerates the volume of low-quality exploit attempts and operational “noise.” Dark Reading also highlighted ecosystem-level shifts that complicate risk prioritization, reporting that **2025 CVE volume hit a record 48,177** and that changes in CVE issuance (e.g., increased reporting from WordPress-focused CNAs) are a major driver of the surge rather than a clear indicator of increased underlying risk. Separately, several items in the set are not predictions but point-in-time reporting on specific threats and vulnerabilities. Cisco Talos reported **UAT-8837**, assessed with medium confidence as a **China-nexus** actor, targeting North American **critical infrastructure** since at least 2025, using exploitation of vulnerable servers or compromised credentials for initial access and then deploying tools such as *Earthworm*, *SharpHound*, *DWAgent*, and *Certipy* for credential/AD discovery and persistence; Talos linked the actor’s infrastructure/TTPs to exploitation of **Sitecore ViewState deserialization zero-day `CVE-2025-53690`**. The Hacker News bulletin included a disclosure of **Redis `CVE-2025-62507` (CVSS 8.8)**, described as a stack-based buffer overflow in the `XACKDEL` command path that could enable **unauthenticated RCE** in default configurations, and noted thousands of exposed servers. Darktrace described rapid in-the-wild exploitation of **React/Next.js “React2Shell” `CVE-2025-55812`**, observing opportunistic scanning and follow-on activity (including payload delivery and cryptomining) shortly after public PoC release, with notable impact observed in cloud-hosted environments and the finance sector; Dark Reading also cited Cyble data indicating increased targeting and sales of compromised access affecting **retail and services** organizations in Australia and New Zealand.
2 months ago
Cisco Talos Reports Exploitation of Public-Facing Apps as Leading Initial Access Vector
Cisco Talos Incident Response reported that **exploitation of public-facing applications** remained the top initial access method for a second consecutive quarter, appearing in **nearly 40%** of Q4 2025 engagements (down from **60%+** in Q3, when **ToolShell** activity surged). Talos highlighted rapid attacker uptake of newly disclosed vulnerabilities, including **Oracle E-Business Suite** `CVE-2025-61882` and **React2Shell** `CVE-2025-55182` (impacting React Server Components/Next.js and related frameworks), with exploitation observed around the time the issues became public—reinforcing the operational risk of internet-facing enterprise apps and default framework deployments. The same Talos reporting noted **phishing** as the second most common initial access vector, including a credential-harvesting campaign targeting **Native American tribal organizations** that used compromised legitimate accounts to propagate additional internal phishing. **Ransomware** represented roughly **13%** of engagements (down from ~20% the prior quarter and far below early-2025 levels), with **Qilin** continuing to feature prominently and no previously unseen ransomware variants observed. Separate coverage amplified Talos’ findings as a call for **faster patching**, citing examples where proof-of-concept code and exploitation activity emerged within hours to ~30 hours of disclosure for high-profile bugs like React2Shell and Oracle EBS.
1 months ago
Vulnerability Prioritization Shifts Toward Known-Exploited Risk and Centralized Scanning
Security teams are increasingly de-emphasizing *CVSS-only* approaches in favor of prioritizing **known exploited vulnerabilities (KEV)**, driven by evidence that only a small fraction of disclosed CVEs are exploited in the wild. Reporting citing VulnCheck research highlighted that roughly **1% of 40,000+** vulnerabilities disclosed in the prior year saw in-the-wild exploitation, with **network edge devices** disproportionately targeted (reported as **28%** of KEV-impacted products) and recurring exposure across major enterprise stacks including **Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet**. The same research pointed to high-profile exploitation waves such as **SharePoint zero-days** impacting **400+ organizations** and rapid weaponization dynamics like **React2Shell**, which reportedly accumulated **236 public exploits** within a month. In the UK public sector, the Department for Science, Innovation and Technology (DSIT) reported operational improvements from a centralized **Vulnerability Monitoring Service** that continuously scans internet-facing systems across roughly **6,000 organizations** and drives remediation of about **400 confirmed vulnerabilities per month**. DSIT said median remediation time for critical domain-related weaknesses fell to **eight days** (from ~50), other vulnerabilities to **32 days** (from 53), and the backlog of unresolved critical flaws dropped by about **three-quarters**—positioning automated discovery and faster patch cycles as a practical response to long-standing government security shortfalls, even as officials did not quantify exploitation rates or overall compromise trends.
2 weeks ago