In 2025, Attackers Shift Focus to Public-Facing Apps Over Ransomware

Attackers most commonly gained initial access through public-facing applications in late 2025, even as reported ransomware activity declined.

Enterprise leaders overseeing digital transformation are confronting a fading boundary between internal networks and the public internet. As organisations publish APIs and web services to drive revenue, they broaden their external attack surface. Data from Q4 2025 shows threat actors concentrating on these exposed digital assets more than other entry methods.

Exploitation of public-facing applications represented nearly 40 percent of Cisco Talos Incident Response (Talos IR) engagements in the fourth quarter. That is down from more than 60 percent the previous quarter—when the ToolShell campaign pushed exploitation rates higher—but still highlights a persistent emphasis on perimeter vulnerabilities rather than primarily user-focused techniques like phishing.

This trend makes the upkeep of internet-facing enterprise applications a top risk. Attackers rapidly weaponise disclosed vulnerabilities. In Q4 2025, Talos IR observed exploitation attempts against Oracle E-Business Suite (EBS) and React Server Components, including activity linked to a vulnerability tracked as React2Shell (CVE-2025-55182). In several cases, exploitation began around the time the vulnerability became public.

For executives at wholesale carriers and operators—businesses where uptime and service availability are critical—this rapid exploitation leaves little margin for delayed patching. In one engagement, Talos IR responded to an organisation with a vulnerable internet-facing server that was attacked shortly after disclosure; the threat actors deployed web shells tied to the SAGE infection chain to maintain access.

Identity risks in connected environments

Although ransomware declined and technical exploitation led the statistics, identity compromise remained a significant secondary threat. Phishing was the second most common initial access vector in Q4, rising to 32 percent of engagements from 23 percent the previous quarter.

A campaign against Native American tribal organisations illustrated the operational hazards of credential compromise. Adversaries used breached email accounts and legitimate but compromised web domains to distribute phishing lures. After gaining control of a legitimate account, attackers used it to send additional internal phishing messages, bypassing perimeter email filters because the traffic originated from trusted internal sources.

This “trusted insider” problem complicates defence for large enterprises. In one case, attackers used a compromised account to launch a flood of subsequent phishing emails. Even after the organisation disabled the compromised account, the campaign continued by spoofing the disabled address from external domains. The absence or misconfiguration of multi-factor authentication (MFA) contributed to these breaches, enabling adversaries to establish footholds.
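As an added illustration (not code from the Talos report or any mail product), the spoofing pattern described above can be caught at the gateway by comparing the claimed sender domain with how the message actually arrived: a From address in the organisation's own domain that was not sent from an authenticated mailbox and carries no aligned SPF/DKIM pass is a spoof, and one that names an account already disabled deserves the highest priority. The domain, disabled-account list, message fields and Authentication-Results strings are constructed assumptions.

```python
# Added illustration, not code from the report or any mail gateway: flag inbound
# mail whose From header claims our domain but did not come from an authenticated
# mailbox and has no DMARC pass. Domain, accounts and messages are constructed.
import re
from dataclasses import dataclass
from typing import Optional

ORG_DOMAIN = "example.org"                    # assumed organisation domain
DISABLED_ACCOUNTS = {"j.doe@example.org"}     # constructed: accounts already disabled
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

@dataclass
class Finding:
    msg_id: str
    severity: str
    reason: str

def parse_auth_results(header: str) -> dict:
    """Return {'spf': 'fail', 'dmarc': 'fail', ...} from an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RESULT_RE.findall(header)}

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def check_message(msg: dict) -> Optional[Finding]:
    sender = msg["from"].lower()
    if sender_domain(sender) != ORG_DOMAIN:
        return None  # external senders are covered by other controls
    if msg["authenticated_submission"]:
        return None  # sent from a logged-in mailbox: a compromise, not a spoof
    auth = parse_auth_results(msg.get("authentication_results", ""))
    if auth.get("dmarc") == "pass":
        return None  # aligned SPF/DKIM pass: a sanctioned relay such as a mailing service
    if sender in DISABLED_ACCOUNTS:
        return Finding(msg["id"], "high", f"disabled account {sender} spoofed from an external source")
    return Finding(msg["id"], "medium", f"internal address {sender} spoofed from an external source "
                                        f"(spf={auth.get('spf', 'none')}, dkim={auth.get('dkim', 'none')})")

def scan(messages) -> list:
    return [f for f in (check_message(m) for m in messages) if f]

SAMPLE = [  # constructed message metadata as a gateway or SIEM might export it
    {"id": "m1", "from": "j.doe@example.org", "authenticated_submission": True, "authentication_results": "spf=pass dkim=pass dmarc=pass"},
    {"id": "m2", "from": "j.doe@example.org", "authenticated_submission": False, "authentication_results": "spf=fail dkim=none dmarc=fail"},
    {"id": "m3", "from": "a.smith@example.org", "authenticated_submission": False, "authentication_results": "spf=softfail dkim=none dmarc=fail"},
    {"id": "m4", "from": "vendor@partner.test", "authenticated_submission": False, "authentication_results": "spf=pass"},
    {"id": "m5", "from": "news@example.org", "authenticated_submission": False, "authentication_results": "spf=pass dkim=pass dmarc=pass"},
]
```

Message m1 is the compromised-mailbox case the article describes first (legitimate submission, so this check stays silent), while m2 is the later spoof of the disabled address.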

IT leaders should enforce MFA consistently. Talos IR identified MFA weaknesses—misconfiguration, bypass, or outright absence—as a top security deficiency alongside vulnerable infrastructure.

Public administration remained the most targeted vertical in Q4, retaining its position from the prior quarter. These organisations are attractive to attackers because they often operate with limited budgets and rely on legacy systems.

The sector’s struggles underscore a broader problem for private operators: ageing infrastructure is a liability. Many public administration entities demand high availability, hold sensitive data, and therefore are prime targets for espionage and financially motivated groups.

Dependence on legacy technology also often means weak or incomplete logging, which Talos IR repeatedly identified as hampering investigations. Without centralised logging—such as a Security Information and Event Management (SIEM) system—organisations cannot reliably reconstruct events after a breach.

Ransomware volume decreases

Ransomware and pre-ransomware incidents made up only 13 percent of Talos IR engagements in Q4, down from 20 percent in Q3 and about 50 percent in the first half of the year.

Despite lower volume, active ransomware groups such as Qilin remain dangerous. Attackers are increasingly “living off the land” by abusing legitimate remote monitoring and management (RMM) tools.

In one ransomware case, adversaries used multiple RMM tools—including ScreenConnect for persistence and SoftPerfect Network Scanner for reconnaissance. Because IT teams commonly use these utilities, their misuse by attackers makes detection more difficult. Employing several tools gives attackers redundancy: if one tool is blocked by security controls, another may succeed.

Operational priorities

The pace at which threat actors weaponise vulnerabilities in frameworks like Next.js and Oracle EBS requires organisations to adopt agile patch management for public-facing assets. The window between disclosure and exploitation is increasingly measured in hours or days.

The frequency of valid account abuse shows that identity governance must be a priority. Incidents involving tribal organisations demonstrated that an attacker with legitimate credentials can move through internal networks with relative ease. Detecting such intrusions requires careful monitoring of MFA and authentication logs to spot abuse—examples include bypass code manipulation or unexpected device registrations.
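An added example of the authentication-log monitoring described here, not code from Talos or any identity provider: it reads constructed key=value sign-in events and flags logins completed with an MFA bypass code, plus bypass-code issuance or device registration followed within minutes by a login from an address never seen for that user. The log format, corporate address ranges, time window and sample lines are assumptions.

```python
# Added illustration (not Talos or vendor code): flag MFA bypass-code logins and
# registrations or bypass codes followed by logins from new external IPs. Constructed format.
import ipaddress
from datetime import datetime, timedelta

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges
WINDOW = timedelta(minutes=15)  # registration/bypass followed by login this soon is suspect

def parse_line(line: str) -> dict:
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def analyse(lines) -> list:
    """Return (user, timestamp, reason) alerts in log order."""
    known_ips = {}   # user -> IPs seen on earlier successful logins
    pending = {}     # user -> (event, ts, ip) of the latest bypass_code_generated / device_registered
    alerts = []
    for ev in map(parse_line, lines):
        user, kind, ip = ev["user"], ev["event"], ev["ip"]
        if kind in ("bypass_code_generated", "device_registered"):
            pending[user] = (kind, ev["ts"], ip)
            continue
        if kind != "login" or ev.get("result") != "success":
            continue
        new_ip = ip not in known_ips.get(user, set()) and not is_internal(ip)
        if ev.get("mfa") == "bypass_code":
            alerts.append((user, ev["ts"], "login completed with MFA bypass code"
                           + (f" from never-seen external IP {ip}" if new_ip else "")))
        prior = pending.pop(user, None)
        if prior and ev["ts"] - prior[1] <= WINDOW and new_ip:
            alerts.append((user, ev["ts"], f"{prior[0]} at {prior[1]:%H:%M} then login "
                                           f"from new external IP {ip} within {WINDOW}"))
        known_ips.setdefault(user, set()).add(ip)
    return alerts

SAMPLE_LOG = [  # constructed events; carol's internal registration is the benign case
    "2025-11-03T08:12:44Z user=alice event=login result=success mfa=push device=laptop-1 ip=10.0.4.12",
    "2025-11-03T08:20:10Z user=alice event=bypass_code_generated actor=helpdesk ip=203.0.113.9",
    "2025-11-03T08:21:02Z user=alice event=login result=success mfa=bypass_code device=unknown ip=203.0.113.9",
    "2025-11-03T09:00:00Z user=bob event=device_registered device=phone-2 ip=198.51.100.7",
    "2025-11-03T09:00:30Z user=bob event=login result=success mfa=push device=phone-2 ip=198.51.100.7",
    "2025-11-03T09:30:00Z user=carol event=device_registered device=phone-3 ip=10.0.9.3",
    "2025-11-03T09:31:00Z user=carol event=login result=success mfa=push device=phone-3 ip=10.0.9.3",
]
```

Calling `analyse(SAMPLE_LOG)` yields two alerts for alice (bypass-code login, and issuance followed by that login from a new external address) and one for bob (registration then immediate login from a new external address); carol produces none.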

The drop in ransomware suggests that the threat landscape has shifted toward access and data theft. With vulnerable infrastructure and MFA weaknesses accounting for many security gaps, organisations should focus on fundamental controls: promptly patch exposed servers and enforce strong authentication for every user account.
