Beers with Talos: 2025 Year in Review - Speed, Scale, and Staying Power

  • Mar 23
  • 2 min read

Key Findings


  • Exploitation velocity doubled in 2025: newly disclosed vulnerabilities were weaponized within days, while decade-old CVEs remained reliably exploited

  • Identity systems became the primary attack surface, with compromised credentials enabling stealthy lateral movement and environment-wide control

  • Approximately 25% of top exploited vulnerabilities targeted shared frameworks and libraries, amplifying blast radius across industries

  • APT investigations and ransomware operations increased significantly throughout the year

  • Three core themes dominated adversary operations: rapid exploitation at both extremes, abuse of trust architecture, and targeting centralized infrastructure


Background


The Talos intelligence team released their comprehensive 2025 Year in Review, analyzing threat trends across their research, telemetry data, and incident response engagements. The Beers with Talos podcast team—Hazel, Bill, Joe, and Dave—broke down these findings for the security community, providing actionable context for what shaped adversary operations throughout the year.


Exploitation at Both Extremes


Adversaries demonstrated remarkable speed in weaponizing newly disclosed vulnerabilities. React2Shell, disclosed in December, became the most exploited vulnerability of the year within three weeks of disclosure. At the same time, attackers continued hammering away at vulnerabilities disclosed more than a decade earlier, several of which still ranked in the top ten.


This dual approach reflects a maturation in the adversary toolkit. Automated exploit development tools, publicly available proof-of-concept code, and well-coordinated threat actor groups enable both immediate exploitation of fresh vulnerabilities and sustained campaigns against unpatched legacy systems. Organizations carrying technical debt from years of deferred patching remain exposed.


The Architecture of Trust


Identity became the battleground in 2025. Attackers who gained initial access through compromised credentials didn't stop there—they systematically abused identity controls to extend their foothold. Internal phishing campaigns targeting privileged users and exploitation of authentication and authorization systems allowed adversaries to move laterally with minimal detection.


Control of identity systems often meant control of the entire environment. This shift reflects a strategic pivot away from brute-force network compromise toward the more subtle and persistent path of credential abuse and trust exploitation.


Targeting Centralized Infrastructure


Threat actors identified and exploited vulnerabilities in widely used frameworks and libraries embedded throughout the software supply chain. A quarter of the year's top 100 exploited vulnerabilities affected these shared components.


This strategy multiplied impact. A single CVE in a foundational framework could compromise applications and network appliances across dozens of vendors and thousands of organizations simultaneously. Compromising these shared foundations gave adversaries an efficient pathway into, and across, entire industry ecosystems.


Ransomware and APT Evolution


Ransomware operations continued their evolution, with threat groups demonstrating increasingly sophisticated targeting and operational security. APT investigations spiked notably, which points to more aggressive nation-state activity, improved detection capabilities, or, most likely, both.


What Defenders Should Prioritize


Organizations should focus on reducing their attack surface through prioritized patching of widely used components and frameworks. Identity systems require heightened monitoring and segmentation. Establishing robust credential hygiene and detecting lateral movement through identity abuse are no longer optional—they're essential.
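The identity-abuse pattern described above (one compromised credential reused to reach many hosts in quick succession, and an account touching systems it never touched before) is visible in ordinary logon telemetry if someone looks for it. The following is an added example, not code from Talos or the podcast, showing two simple detections over constructed authentication events: a "fan-out" check that flags an account reaching an unusual number of distinct hosts inside a sliding window, and a baseline check that flags first-time (user, destination) pairs. The log format, the host names, the account names, the baseline set and the thresholds are all assumptions made for the illustration.

```python
"""Identity-abuse lateral-movement detection over authentication logs.

Added example, not code from Talos or the Beers with Talos podcast.
The log format, hosts, accounts and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp user src_host dst_host result".
# svc-backup sweeping five hosts in ~15 seconds is the pattern to catch.
SAMPLE_LOG = """\
2025-06-03T09:00:02Z alice ws-alice fs-01 success
2025-06-03T09:04:11Z alice ws-alice fs-01 success
2025-06-03T13:15:00Z svc-backup ws-117 fs-01 success
2025-06-03T13:15:04Z svc-backup ws-117 fs-02 success
2025-06-03T13:15:09Z svc-backup ws-117 dc-01 success
2025-06-03T13:15:13Z svc-backup ws-117 hr-app success
2025-06-03T13:15:20Z svc-backup ws-117 sql-03 success
2025-06-03T13:15:25Z svc-backup ws-117 sql-04 failure
2025-06-03T13:16:01Z svc-backup ws-117 sql-04 success
2025-06-03T14:00:00Z bob ws-bob fs-02 success
"""

# Constructed historical baseline of known-good (user, destination) pairs.
BASELINE = {("alice", "fs-01"), ("bob", "fs-02"),
            ("svc-backup", "fs-01"), ("svc-backup", "fs-02")}


def parse_log(text):
    """Parse the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "dst": dst, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Alert on a (user, src_host) pair that reaches >= threshold distinct
    destination hosts inside any sliding window of the given length.

    Only successful logons count: a sweep that fails everywhere is a
    different, noisier signal (password spraying) and is handled elsewhere.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_actor.items():
        left = 0
        for right in range(len(evs)):
            # Shrink the window from the left until it fits in `window`.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            hosts = {x["dst"] for x in evs[left:right + 1]}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "src": src,
                               "first": evs[left]["ts"],
                               "last": evs[right]["ts"],
                               "hosts": sorted(hosts)})
                break  # one alert per actor is enough to trigger triage
    return alerts


def detect_new_destinations(events, baseline):
    """Flag successful logons to (user, dst) pairs absent from the baseline.

    Complements fan-out: a single first-time logon from a privileged or
    service account to a domain controller can matter on its own.
    """
    seen = set(baseline)
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        key = (e["user"], e["dst"])
        if key not in seen:
            hits.append((e["ts"], e["user"], e["dst"]))
            seen.add(key)  # report each new pair once
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_fanout(evs):
        print(f"FAN-OUT {a['user']}@{a['src']} -> {a['hosts']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for ts, user, dst in detect_new_destinations(evs, BASELINE):
        print(f"NEW-DEST {ts:%H:%M:%S} {user} -> {dst}")
```

In real telemetry the baseline would be built from weeks of logon history per account, and the fan-out threshold tuned per account class (a backup service account legitimately touches many hosts nightly, an HR user does not), which is why both detections key on the account rather than on the source host alone.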


The security community faces sustained pressure from adversary operations that have become faster, larger in scale, and increasingly difficult to contain once established. The 2025 report provides detailed guidance on disrupting adversary playbooks and strengthening defenses against these evolving threats.


Sources


  • https://blog.talosintelligence.com/beers-with-talos-breaks-down-the-2025-talos-year-in-review/

  • https://blog.talosintelligence.com/2025-talos-year-in-review-speed-scale-and-staying-power/

  • https://talosintelligence.com/podcasts/shows/beers_with_talos


© 2025 by Explain IT Again. Powered and secured by Wix