The most striking trend of 2025 is the near-instant weaponisation of new vulnerabilities. Cisco's Talos threat intelligence team published its year-in-review report this week, painting a sobering picture: attackers have fundamentally reshaped their playbook, and defenders are struggling to keep pace.
Talos was shocked by how quickly criminals have been moving to exploit newly discovered vulnerabilities, pointing to December's React2Shell as the perfect example. Even though it was disclosed only in December, it quickly became the most-targeted vulnerability of the year. The vulnerability's immediate exploitation reflects near-instant weaponisation, driven by automated tooling and widespread internet exposure, leaving defenders little to no time between disclosure and active abuse.
The React2Shell case is instructive. Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. Within 30 hours of the patch, a publicly available proof of concept emerged that could be used to exploit any vulnerable server. This timeline reveals a cruel reality: the window for patching has collapsed from weeks to hours.
What makes this acceleration so dangerous is where attackers are directing their fire. Attackers have moved beyond simple endpoint compromise, shifting their focus to the identity, supply chain, and management planes that govern the modern enterprise. Attackers settled on identity control points as primary targets in 2025, with the vast majority of top-targeted network infrastructure vulnerabilities falling into this category. Compromising identity control technology such as VPNs or application delivery controllers (ADCs) means attackers can easily move laterally, grant themselves enhanced access, bypass MFA, achieve persistence, and the like.
The practical effect of controlling identity systems is devastating. Attackers who gained access through compromised credentials stealthily extended that access through internal phishing and abuse of identity controls within network infrastructure. Control of identity often meant control of the environment.
Phishing remains the foundation of this attack sequence. Forty percent of the intrusion response cases Talos investigated in 2025 began with a successful phish. What has changed is the sophistication of the lure. Gone are the misspellings, poor grammar, and other obvious errors, as AI helps attackers overcome language barriers and imitate real communications. Phishing messages increasingly came from spoofed or compromised accounts, making detection even harder.
Multi-factor authentication, once viewed as the silver bullet of identity security, has become a liability in many organisations. The report highlights a staggering 178% surge in device compromise attacks, where attackers register their own hardware as a trusted factor in a victim's MFA account. Beyond this, voice phishing (vishing) aimed at IT administrators was three times more common than user-managed registration fraud.
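The device-compromise pattern above leaves a trace in identity-provider audit logs: a new MFA factor appears on an account shortly after a sign-in from a source the account has never used, or is enrolled by someone other than the account holder (the outcome a vishing call to the help desk is trying to obtain). The following is an added detection example, not code from the Talos report or this article; the event schema, field names (`ts`, `user`, `actor`, `event`, `ip`, `factor`), the baseline of known addresses and every sample record are constructed for illustration and do not match any particular vendor's log format.

```python
"""Added detection example (not code from the Talos report or this article).

Two review signals for the MFA device-compromise pattern:
  1. a new MFA factor is enrolled within a short window after the account's
     first-ever sign-in from that source address;
  2. a factor is enrolled by someone other than the account holder (for
     example a help-desk reset, the outcome vishing of IT staff aims for).
The event schema, field names and all sample records are constructed for this
example and do not correspond to any particular identity provider's log format.
"""
from datetime import datetime, timedelta

# Constructed baseline: source addresses each account has historically used.
SAMPLE_BASELINE = {
    "alice": {"203.0.113.10"},
    "bob": {"10.0.0.5"},
    "carol": {"203.0.113.40"},
}

# Constructed audit events, deliberately out of order to show the sort step.
SAMPLE_EVENTS = [
    {"ts": "2025-12-04T09:00:00Z", "user": "alice", "actor": "alice",
     "event": "login.success", "ip": "203.0.113.10"},
    # alice enrols a phone from her usual address, with no novel sign-in: benign
    {"ts": "2025-12-04T09:05:00Z", "user": "alice", "actor": "alice",
     "event": "mfa.factor.enrolled", "ip": "203.0.113.10", "factor": "totp"},
    # bob: first-ever sign-in from 198.51.100.77, push factor enrolled 3.5 min later
    {"ts": "2025-12-05T02:10:30Z", "user": "bob", "actor": "bob",
     "event": "login.success", "ip": "198.51.100.77"},
    {"ts": "2025-12-05T02:10:00Z", "user": "bob", "actor": "bob",
     "event": "login.success", "ip": "10.0.0.5"},
    {"ts": "2025-12-05T02:14:00Z", "user": "bob", "actor": "bob",
     "event": "mfa.factor.enrolled", "ip": "198.51.100.77", "factor": "push"},
    # carol: an SMS factor enrolled on her account by a help-desk administrator
    {"ts": "2025-12-05T15:20:00Z", "user": "carol", "actor": "helpdesk.admin",
     "event": "mfa.factor.enrolled", "ip": "203.0.113.40", "factor": "sms"},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, baseline, window_minutes=30):
    """Return alert dicts, in time order, for factor enrolments matching either
    signal. `baseline` maps user -> set of previously seen source IPs; it is
    copied and then extended as new sign-ins are observed."""
    window = timedelta(minutes=window_minutes)
    known_ips = {user: set(ips) for user, ips in baseline.items()}
    last_novel_login = {}  # user -> (timestamp, ip) of latest never-seen-before sign-in
    alerts = []

    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        user, ip, ts = ev["user"], ev["ip"], _parse_ts(ev["ts"])
        seen = known_ips.setdefault(user, set())

        if ev["event"] == "login.success":
            if ip not in seen:
                last_novel_login[user] = (ts, ip)
                seen.add(ip)  # later sign-ins from this address count as known
            continue

        if ev["event"] != "mfa.factor.enrolled":
            continue

        # Signal 2: enrolment performed by someone other than the account holder.
        if ev.get("actor", user) != user:
            alerts.append({"user": user, "ts": ev["ts"], "factor": ev["factor"],
                           "reason": "enrolled_by_other_actor", "actor": ev["actor"]})
            continue

        # Signal 1: enrolment shortly after the first sign-in from a new address.
        novel = last_novel_login.get(user)
        if novel is not None and timedelta(0) <= ts - novel[0] <= window:
            alerts.append({"user": user, "ts": ev["ts"], "factor": ev["factor"],
                           "reason": "enrolled_after_novel_login", "novel_ip": novel[1],
                           "minutes_after_login": (ts - novel[0]).total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(alert)
```

On the constructed input this flags bob's push factor (enrolled 3.5 minutes after his first sign-in from 198.51.100.77) and carol's administrator-enrolled SMS factor, while alice's enrolment from her usual address passes. Both alerts are review triggers rather than verdicts: the time window and the baseline of known addresses are the tunable parts, and an administrator-performed enrolment is worth a callback to the user regardless of timing.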
Cisco's recommendations do not break new theoretical ground, yet they cut against conventional security spending. The firm stresses three core areas. First, patch identity and access control systems with religious discipline: security pros should prioritise network software and appliance patches for systems dealing with access management wherever possible. Second, strengthen MFA deployment by moving toward phishing-resistant authentication (such as FIDO2) wherever possible and adding strong lockout policies. Third, improve user discipline through anti-phishing training that acknowledges how sophisticated modern lures have become.
The broader message is disquieting: In 2025, baddies primarily used AI to improve on elements of existing attacks, but Talos predicts that AI will soon become a fundamental back-end part of cybercrime software, much like what's already happening in the commercial world. For organisations, this means the tools attackers use will become faster, smarter, and more difficult to distinguish from legitimate activity.
For budget-conscious security teams, the implications are clear but uncomfortable. The traditional perimeter-first model, with money spent on firewalls and intrusion detection, is losing relevance. Modern security is no longer just about the lock; it's about the systems that validate who holds the key. The goal for 2026 must be to secure the identity and management planes with the same intensity that our adversaries are using to attack them.