Attackers target public-facing applications over ransomware in 2025

Exploitation of public-facing applications was the primary entry point for attackers in late 2025 amid a decrease in ransomware volume.

Enterprise leaders managing digital transformation face a disappearing boundary between internal networks and the public internet. As organisations deploy new APIs and web services to generate revenue, they expand the attack surface. Data from the final quarter of 2025 shows threat actors prioritising these exposed digital assets over other ingress methods.

The exploitation of public-facing applications accounted for nearly 40 percent of all Cisco Talos Incident Response (Talos IR) engagements in the fourth quarter. This figure dropped from over 60 percent the previous quarter, when the ToolShell campaign drove exploitation rates up, but it indicates a sustained focus on perimeter vulnerabilities rather than user-centric attacks like phishing.

This trend makes maintaining internet-facing enterprise applications a primary risk. Attackers capitalise on disclosed vulnerabilities quickly. In Q4 2025, Talos IR observed activity targeting Oracle E-Business Suite (EBS) and React Server Components, specifically a vulnerability known as React2Shell (CVE-2025-55182). In multiple instances, exploitation occurred around the time the vulnerability became public.

For executives at wholesale carriers and operators, where uptime and service availability define the business model, this speed leaves little room for delays in patch management. In one engagement, Talos IR responded to an organisation with a vulnerable internet-facing server where exploitation began shortly after public disclosure. The attackers deployed web shells related to the SAGE infection chain to maintain access.

Identity risks in connected environments

With the decline in ransomware, technical exploitation leads the statistics. However, valid identity manipulation remains a secondary threat. Phishing was the second most common tactic for initial access in Q4, rising to 32 percent of engagements from 23 percent the previous quarter.

A campaign targeting Native American tribal organisations illustrated the operational risks of identity compromise. Adversaries used compromised email accounts and legitimate but compromised web domains to distribute phishing lures. Once adversaries compromised a legitimate account, they leveraged it to send further internal phishes, bypassing perimeter email filters by originating traffic from a trusted internal source.

This “trusted insider” problem complicates defence for large enterprises. In one incident, attackers used a compromised account to issue a flood of follow-on phishing emails. Even after the victim organisation removed the compromised account, the campaign persisted by spoofing the disabled account via an external email address. The lack of multi-factor authentication (MFA) contributed to these breaches, allowing attackers to gain a foothold.

IT directors must enforce MFA policies strictly. Talos IR noted that MFA weaknesses – including misconfiguration, bypass, or simple absence – were a top security weakness alongside vulnerable infrastructure.

Public administration was the most targeted industry vertical in Q4, maintaining its position from the previous quarter. These organisations are attractive targets because they often operate with limited funding and rely on legacy equipment.

This sector’s struggle highlights a broader issue for private operators: legacy infrastructure is a liability. Entities in this sector have a low tolerance for downtime and possess sensitive data, making them prime targets for both espionage and financially motivated groups.

Reliance on older technology often correlates with insufficient logging capabilities, which Talos IR identified as a recurring hindrance to investigations. Without centralised logging, such as a Security Information and Event Management (SIEM) solution, organisations cannot reconstruct the chain of events after a breach.

Ransomware volume decreases

Ransomware and pre-ransomware incidents constituted only 13 percent of engagements in Q4, a drop from 20 percent in Q3 and nearly 50 percent in the first half of the year.

Despite reduced volume, the actors remaining in the space – such as the dominant Qilin group – continue to pose a threat. Attackers increasingly “live off the land” by utilising legitimate remote monitoring and management (RMM) tools.

In one ransomware incident, adversaries deployed multiple RMM tools, including ScreenConnect for persistence and SoftPerfect Network Scanner for reconnaissance. This technique complicates detection because IT administrators often use these tools legitimately. Relying on multiple tools provides redundancy for the attacker; if security controls block one tool, another may succeed.
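The paragraph above explains why RMM abuse is hard to spot: the binaries are legitimate, so a match on the tool alone is noisy. The added example below, which is not code from the article or from Talos, shows one defensive approach over constructed process-creation events: compare each RMM family seen on a host against a per-host-group allowlist of sanctioned tools, and raise the severity when two or more distinct families appear on the same host inside a short window, which is the redundancy pattern the paragraph describes. The process names, host groups and sample events are assumptions made for illustration, not a vetted signature set.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of RMM / scanner tool families to process image names.
# These names are illustrative assumptions, not a curated detection signature set.
RMM_SIGNATURES = {
    "screenconnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "anydesk": {"anydesk.exe"},
    "softperfect_netscan": {"netscan.exe"},
}

# Per-environment allowlist (assumed): which families IT is sanctioned to run, by host group.
SANCTIONED = {"workstation": {"anydesk"}, "server": set()}

# Constructed process-creation events, not taken from the Talos report.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:12:00", "host": "WS-0142", "host_group": "workstation",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
    {"ts": "2025-11-03T22:41:10", "host": "SRV-FILE01", "host_group": "server",
     "image": "C:\\Windows\\Temp\\ScreenConnect.ClientService.exe"},
    {"ts": "2025-11-03T22:58:33", "host": "SRV-FILE01", "host_group": "server",
     "image": "C:\\Users\\Public\\netscan.exe"},
    {"ts": "2025-11-04T08:00:00", "host": "SRV-FILE01", "host_group": "server",
     "image": "C:\\Windows\\System32\\svchost.exe"},
]


def classify(image_path):
    """Return the RMM family for a process image path, or None if it is not an RMM tool."""
    name = image_path.lower().rsplit("\\", 1)[-1]
    for family, names in RMM_SIGNATURES.items():
        if name in names:
            return family
    return None


def detect_rmm_abuse(events, window=timedelta(hours=24)):
    """Return alerts for unsanctioned RMM tools and for multi-tool redundancy on one host.

    events: dicts with keys ts (ISO 8601), host, host_group, image.
    """
    per_host = defaultdict(list)
    for e in events:
        family = classify(e["image"])
        if family is None:
            continue
        per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), family, e["host_group"]))

    alerts = []
    for host, seen in per_host.items():
        seen.sort()
        group = seen[0][2]
        # Rule 1: any RMM family that this host group is not sanctioned to run.
        for ts, family, _ in seen:
            if family not in SANCTIONED.get(group, set()):
                alerts.append({"host": host, "severity": "medium", "ts": ts.isoformat(),
                               "reason": f"unsanctioned RMM tool: {family}"})
        # Rule 2: two or more distinct families on the same host inside the window
        # (the attacker redundancy pattern); one high-severity alert per host.
        for i, (ts, family, _) in enumerate(seen):
            families = {family}
            for ts2, fam2, _ in seen[i + 1:]:
                if ts2 - ts > window:
                    break
                families.add(fam2)
            if len(families) >= 2:
                alerts.append({"host": host, "severity": "high", "ts": ts.isoformat(),
                               "reason": "multiple RMM tool families: " + ", ".join(sorted(families))})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_EVENTS):
        print(alert)
```

With the constructed sample, the workstation running the sanctioned tool produces nothing, while the server produces two medium alerts (one per unsanctioned tool) and one high alert because two families ran within the same day. In production the allowlist would be driven from the asset inventory, and the window tuned to how long a legitimate rollout of a second tool normally takes.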

Operational priorities

The speed at which attackers weaponise new vulnerabilities in software such as the Next.js framework and Oracle EBS necessitates agile patch management for public-facing assets. The delay between disclosure and exploitation is now measured in hours or days.

The prevalence of valid account abuse indicates identity governance is vital. The incidents involving tribal organisations demonstrated that an attacker holding a valid credential can navigate internal networks easily. Detecting these intrusions requires rigorous monitoring of MFA logs for abuse, such as bypass code manipulation or the registration of new devices.

The decline in ransomware implies the threat shifted toward access and data theft. With vulnerable infrastructure and MFA weaknesses accounting for the majority of security gaps, the path forward involves hardening the basics: patching exposed servers immediately and ensuring every user account uses robust authentication.
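The two MFA signals named above, bypass code manipulation and new device registration, are concrete enough to turn into detection logic. The added example below is not code from the article or from Talos; it runs over constructed identity-provider audit events and raises an alert when a new MFA device is registered from an IP address that has no established history for that user, and when a bypass code is redeemed from such an address within minutes of being issued. The event schema, field names, the seven-day baseline and the sample events are all assumptions chosen for illustration and would need mapping onto a real IdP's audit log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP audit events, not from the Talos report. The schema is an assumption:
# ts, event type, the account acted on (user), who performed it (actor), source ip, factor.
SAMPLE_MFA_EVENTS = [
    {"ts": "2025-11-01T08:05:00", "event": "auth.login.success", "user": "alice",
     "actor": "alice", "ip": "203.0.113.5", "factor": "push"},
    {"ts": "2025-11-02T08:10:00", "event": "auth.login.success", "user": "alice",
     "actor": "alice", "ip": "203.0.113.5", "factor": "push"},
    {"ts": "2025-11-01T09:00:00", "event": "auth.login.success", "user": "dave",
     "actor": "dave", "ip": "203.0.113.9", "factor": "push"},
    # alice: login from a never-seen IP, then a new MFA device registered minutes later
    {"ts": "2025-11-10T10:02:00", "event": "auth.login.success", "user": "alice",
     "actor": "alice", "ip": "198.51.100.77", "factor": "push"},
    {"ts": "2025-11-10T10:05:00", "event": "mfa.device.registered", "user": "alice",
     "actor": "alice", "ip": "198.51.100.77"},
    # carol: help desk issues a bypass code; it is redeemed from an unfamiliar IP
    {"ts": "2025-11-10T11:00:00", "event": "mfa.bypass_code.generated", "user": "carol",
     "actor": "helpdesk-bob", "ip": "203.0.113.40"},
    {"ts": "2025-11-10T11:03:00", "event": "auth.login.success", "user": "carol",
     "actor": "carol", "ip": "192.0.2.200", "factor": "bypass_code"},
    # dave: registers a device from his long-established IP, treated as benign here
    {"ts": "2025-11-10T12:00:00", "event": "mfa.device.registered", "user": "dave",
     "actor": "dave", "ip": "203.0.113.9"},
]


def analyse_mfa_events(events, window=timedelta(minutes=30), baseline_age=timedelta(days=7)):
    """Return alerts for new-device registration and bypass-code redemption from
    IP addresses that have no established (older than baseline_age) history for the user."""
    first_seen = defaultdict(dict)   # user -> ip -> first timestamp the pair was seen
    pending_bypass = {}              # user -> (ts, actor) of the latest bypass code issued
    alerts = []

    def established(user, ip, now):
        seen = first_seen[user].get(ip)
        return seen is not None and now - seen >= baseline_age

    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, ip, kind = e["user"], e.get("ip"), e["event"]
        if kind == "auth.login.success":
            if e.get("factor") == "bypass_code":
                issued = pending_bypass.pop(user, None)
                if issued and ts - issued[0] <= window and not established(user, ip, ts):
                    alerts.append({"rule": "bypass_code_redeemed_from_new_ip", "user": user,
                                   "ip": ip, "issued_by": issued[1], "ts": e["ts"]})
            first_seen[user].setdefault(ip, ts)
        elif kind == "mfa.device.registered":
            if not established(user, ip, ts):
                alerts.append({"rule": "device_registered_from_new_ip", "user": user,
                               "ip": ip, "ts": e["ts"]})
        elif kind == "mfa.bypass_code.generated":
            pending_bypass[user] = (ts, e["actor"])
    return alerts


if __name__ == "__main__":
    for alert in analyse_mfa_events(SAMPLE_MFA_EVENTS):
        print(alert)
```

On the constructed sample this yields two alerts: alice's device registration from the new address, and carol's bypass code redeemed from an address with no history, attributed to the help-desk account that issued it. Dave's registration from an address seen more than a week earlier is not flagged. The age-based baseline matters: if the first login from an address immediately made it "known", the registration that follows a login from an attacker-controlled address would never fire.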
