Rising exploitation pressure from zero-days and known exploited vulnerabilities
Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both zero-day activity and the growing backlog of known exploited vulnerabilities (KEVs). A Talos retrospective counted 48,196 CVEs in 2025 and 241 KEVs (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting network edge infrastructure (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems.
Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said Latin America is seeing substantially higher weekly attack volume than the US (including higher proportions of ransomware and infostealer activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the Coruna iOS exploit kit rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Cisco issues emergency patches for critical firewall flaws
CSO Online reported that Cisco released emergency patches for critical firewall vulnerabilities. The reference does not specify the affected products or CVE identifiers.
LeakBase marketplace taken offline in 14-country law enforcement operation
CSO Online reported that the LeakBase marketplace was disrupted and taken offline through a law enforcement operation involving 14 countries. No further operational details or exact takedown date were provided in the reference.
Coruna iOS exploit kit shifts to mass criminal use
CSO Online reported that the Coruna iOS exploit kit moved from a spy tool to a mass criminal campaign in under a year. The reference does not provide a more specific date for when the transition occurred.
Check Point reports Latin America averaging 3,100 weekly cyber threats
An unpublished March 2026 Check Point update shared with Dark Reading said organizations in Latin America were facing about 3,100 cyber threats per week on average, compared with just under 1,500 in the United States. The report also highlighted higher regional shares of ransomware, infostealers, banking malware, and botnet activity, with email serving as the dominant initial access vector in Latin America.
AI-related CVE count rises year over year in 2025
Talos said its keyword-based tracking found AI-related CVEs increased from 168 to 330 year over year in 2025. The company cautioned that CVE counts do not capture broader AI security risks such as jailbreaking or model inversion.
CISA KEV catalog grows to 241 entries during 2025
Cisco Talos reported that CISA's Known Exploited Vulnerabilities catalog reached 241 entries in 2025, up from 186 in 2024. Talos said many of the added exploited flaws were older CVEs, including some dating back to 2007.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Zero-day exploits hit enterprises faster and harder | CSO Online
csoonline.com
Open sourceLatAm Now Faces 2x More Cyberattacks Than US
darkreading.com
Open sourceCoruna iOS exploit kit moved from spy tool to mass criminal campaign in under a year | CSO Online
csoonline.com
Open sourcePatch, track, repeat: The 2025 CVE retrospective
blog.talosintelligence.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cybersecurity Predictions and Trend Roundups for 2026
Multiple outlets published early-2026 **trend and prediction** pieces describing how the threat landscape may evolve, emphasizing increased attacker scale and compressed exploit timelines. Cisco Talos forecast continued use of **infostealers**, phishing, and proxy actors conducting destructive/extortion activity amid geopolitical tension, and warned that more autonomous **AI agents** with broad internal access could drive breaches through poor governance and excessive permissions. runZero similarly predicted that 2026 will be shaped less by novel attacker capability and more by expanding exposure—especially as **OT/edge environments** become more internet-reachable through IT/cloud management—while AI accelerates the volume of low-quality exploit attempts and operational “noise.” Dark Reading also highlighted ecosystem-level shifts that complicate risk prioritization, reporting that **2025 CVE volume hit a record 48,177** and that changes in CVE issuance (e.g., increased reporting from WordPress-focused CNAs) are a major driver of the surge rather than a clear indicator of increased underlying risk. Separately, several items in the set are not predictions but point-in-time reporting on specific threats and vulnerabilities. Cisco Talos reported **UAT-8837**, assessed with medium confidence as a **China-nexus** actor, targeting North American **critical infrastructure** since at least 2025, using exploitation of vulnerable servers or compromised credentials for initial access and then deploying tools such as *Earthworm*, *SharpHound*, *DWAgent*, and *Certipy* for credential/AD discovery and persistence; Talos linked the actor’s infrastructure/TTPs to exploitation of **Sitecore ViewState deserialization zero-day `CVE-2025-53690`**. The Hacker News bulletin included a disclosure of **Redis `CVE-2025-62507` (CVSS 8.8)**, described as a stack-based buffer overflow in the `XACKDEL` command path that could enable **unauthenticated RCE** in default configurations, and noted thousands of exposed servers. Darktrace described rapid in-the-wild exploitation of **React/Next.js “React2Shell” `CVE-2025-55812`**, observing opportunistic scanning and follow-on activity (including payload delivery and cryptomining) shortly after public PoC release, with notable impact observed in cloud-hosted environments and the finance sector; Dark Reading also cited Cyble data indicating increased targeting and sales of compromised access affecting **retail and services** organizations in Australia and New Zealand.
Mar 21, 2026
Cisco Talos Reports Exploitation of Public-Facing Apps as Leading Initial Access Vector
Cisco Talos Incident Response reported that **exploitation of public-facing applications** remained the top initial access method for a second consecutive quarter, appearing in **nearly 40%** of Q4 2025 engagements (down from **60%+** in Q3, when **ToolShell** activity surged). Talos highlighted rapid attacker uptake of newly disclosed vulnerabilities, including **Oracle E-Business Suite** `CVE-2025-61882` and **React2Shell** `CVE-2025-55182` (impacting React Server Components/Next.js and related frameworks), with exploitation observed around the time the issues became public—reinforcing the operational risk of internet-facing enterprise apps and default framework deployments. The same Talos reporting noted **phishing** as the second most common initial access vector, including a credential-harvesting campaign targeting **Native American tribal organizations** that used compromised legitimate accounts to propagate additional internal phishing. **Ransomware** represented roughly **13%** of engagements (down from ~20% the prior quarter and far below early-2025 levels), with **Qilin** continuing to feature prominently and no previously unseen ransomware variants observed. Separate coverage amplified Talos’ findings as a call for **faster patching**, citing examples where proof-of-concept code and exploitation activity emerged within hours to ~30 hours of disclosure for high-profile bugs like React2Shell and Oracle EBS.
Mar 21, 2026
Vulnerability Prioritization Shifts Toward Known-Exploited Risk and Centralized Scanning
Security teams are increasingly de-emphasizing *CVSS-only* approaches in favor of prioritizing **known exploited vulnerabilities (KEV)**, driven by evidence that only a small fraction of disclosed CVEs are exploited in the wild. Reporting citing VulnCheck research highlighted that roughly **1% of 40,000+** vulnerabilities disclosed in the prior year saw in-the-wild exploitation, with **network edge devices** disproportionately targeted (reported as **28%** of KEV-impacted products) and recurring exposure across major enterprise stacks including **Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet**. The same research pointed to high-profile exploitation waves such as **SharePoint zero-days** impacting **400+ organizations** and rapid weaponization dynamics like **React2Shell**, which reportedly accumulated **236 public exploits** within a month. In the UK public sector, the Department for Science, Innovation and Technology (DSIT) reported operational improvements from a centralized **Vulnerability Monitoring Service** that continuously scans internet-facing systems across roughly **6,000 organizations** and drives remediation of about **400 confirmed vulnerabilities per month**. DSIT said median remediation time for critical domain-related weaknesses fell to **eight days** (from ~50), other vulnerabilities to **32 days** (from 53), and the backlog of unresolved critical flaws dropped by about **three-quarters**—positioning automated discovery and faster patch cycles as a practical response to long-standing government security shortfalls, even as officials did not quantify exploitation rates or overall compromise trends.
Mar 26, 2026