Cisco Talos
Cybersecurity reports and statistics published by Cisco Talos
8 categories, 1 report
Recent Statistics & Reports
Nearly 40% of the top-targeted vulnerabilities impacted end-of-life (EOL) devices.
5/27/2026
Vulnerabilities, EOL Devices
23% of CVEs directly impact network devices like VPN appliances, next-generation firewalls (NGFWs), load balancers, routers, and others.
5/27/2026
CVEs, Network Devices
25% of the top-targeted vulnerabilities impact widely used frameworks and libraries.
5/27/2026
Vulnerabilities, Frameworks, Libraries
32% of the top-targeted vulnerabilities are at least a decade old.
5/27/2026
Vulnerabilities
The number of device registration events reported by users as fraud increased 178% from 2024 to 2025.
5/27/2026
Fraud, Fraudulent Device Registrations
Technology is the top-targeted industry at 36% for MFA spray attacks.
5/27/2026
MFA Spray Attacks, Technology
In 2025, attackers compromised victims via phishing emails in 40% of Talos IR cases.
5/27/2026
Phishing
Device compromise attacks, where attackers register their own hardware as a trusted factor, increased by 178%.
5/27/2026
Device Compromise Attacks
In 2025, 35% of Talos IR phishing cases involved internal phishing.
5/27/2026
Internal Phishing
Application delivery controllers (ADCs) accounted for 22% of the top 50 targeted network devices.
5/27/2026
Network Devices, Application Delivery Controllers
Qilin was the most seen ransomware variant in 2025.
5/27/2026
Ransomware, Qilin
60% of the top 20 terms appearing in phishing subject lines were the same in 2024 and 2025, such as “request,” “invoice,” “payment,” “email,” “fwd,” “message,” “report,” and “meeting.”
5/27/2026
Phishing, Phishing Subject Lines
The majority of the 50 most-targeted network infrastructure vulnerabilities (66%) affect device-specific firmware.
5/27/2026
Network Infrastructure Vulnerabilities, Device-Specific Firmware
According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January.
5/27/2026
Ransomware, Qilin
Akira and Play ranked as the second and third most prolific ransomware groups, respectively.
5/27/2026
Ransomware, Akira, Play
The popularity of the other groups in last year’s top five fell significantly this year, with LockBit 3.0 moving from first to 35th, RansomHub from second to eighth, and Hunters International from fifth to 28th.
5/27/2026
Ransomware, LockBit 3.0, RansomHub
January remains the least active month for ransomware activity.
5/27/2026
Ransomware, January
Qilin affiliates take home a significant portion of their ransom payments (up to 80-85%), higher than typical RaaS payout structures.
5/27/2026
Ransomware, Qilin, RaaS
In 2025, nearly a third of MFA spray attacks targeted identity and access management (IAM) applications.
5/27/2026
MFA Spray Attacks, IAM
The number of investigations Talos conducted into China-nexus campaigns increased nearly 75% this year compared to 2024.
5/27/2026
China-nexus Campaigns