Germany Urges Attack Surface Management Adoption as Routinely as Antivirus Protection
2025-11-14 09:31:15, Author: cyble.com

Germany’s Threat Landscape is growing at an unprecedented pace with attack surfaces expanding, APT actors dominating, and SMEs bearing the brunt of this offense. Here’s what you need to know.

The Federal Office for Information Security (BSI) released its 2025 report on the state of IT security in Germany, and the verdict is unequivocal: there is no all-clear. Despite notable law enforcement successes against major cybercrime groups, Germany’s IT security situation remains “tense.” The culprit? Inadequately protected attack surfaces that continue to provide easy entry points for threat actors, BSI noted. 

The BSI’s findings point to a shift: threats have somewhat stabilized, but poorly managed attack surfaces keep risk levels dangerously high. Most concerning, about 80% of reported attacks now target small and medium-sized enterprises (SMEs), organizations that often lack the resources and expertise to defend themselves effectively. 

Statistical Snapshot 

Threats 

  • Positive developments: International law enforcement operations disrupted major cybercrime groups such as LockBit and ALPHV, greatly reducing their activity. 
  • Botnets: BadBox and Vo1d were the most active globally. The BSI participated in takedown operations through sinkholing measures. 
  • Phishing and malware: Over 800 malicious websites per day were detected, though their average lifespan decreased to under two hours, showing faster countermeasures. 

Attack Surface 

  • Vulnerability disclosure accelerated: 119 new software vulnerabilities were identified daily (+24% year-over-year), and web attack surfaces in particular remained in a worrying state. 
  • Many public-facing systems remained unpatched, posing risk. 
  • Germany had 13.2 million reachable [.]de domains, with 47 million vulnerable server services detected. 
  • The report urges organizations to adopt attack surface management as routinely as antivirus protection. 

Attacks 

  • Cyber espionage: Government institutions were the main target of APTs. 
  • Ransomware: Around 950 reported cases, with 72% involving data leaks. 
  • Exploitation attacks increased 38% from the prior year. 
  • 80% of reported cyberattacks targeted small and medium-sized enterprises (SMEs) due to limited resources and cybersecurity know-how. 
  • Critical infrastructure (energy, transport, healthcare, finance) reported dozens of cyber incidents. 

Impact 

  • Data leaks surged to 461 incidents involving German institutions. Leaked data included: 
      • birth dates (92% of leaks) 
      • physical addresses (72%) 
      • email addresses (63%) 
      • passwords, financial and health information 
  • Ransom payments decreased in frequency, but the average ransom amount reached an all-time high. 
  • IoT devices (such as Android-based smart gadgets) became a growing infection source; many shipped already compromised. 
  • 30,000 BadBox-infected and 10,000 Vo1d-infected devices were mitigated via BSI coordination. 

Resilience 

The BSI enhanced its monitoring and certification: 

  • 413 Common Criteria certificates issued (105 new in 2025). 
  • 8,622 organizations joined the Alliance for Cyber Security

Incident management maturity (KRITIS operators): 

  • ISMS maturity is mostly at levels 3–4. 
  • BCMS maturity is improving. 

Public awareness remains mixed: 

  • Citizens know on average 6.1 protection measures, but use only 3.8. 
  • Many find measures “too complicated”. 
  • Common protections: strong passwords, 2FA, password managers. 
  • The BSI’s service center handled ~10,500 citizen inquiries on cybersecurity in 2025. 

The Numbers Tell a Sobering Story 

Germany’s web attack surface in Q2 2025 comprised approximately 13.2 million [.]de domains accessible from the internet. Of these, 8.1 million domains were reachable via both IPv4 and IPv6, while 5.1 million were accessible only through IPv4. This massive digital footprint represents an enormous challenge for security teams trying to maintain visibility and control. 

The vulnerability landscape has intensified significantly. An average of 119 new vulnerabilities in IT systems were discovered daily during the reporting period—a 24% increase compared to the previous year. This relentless pace of vulnerability disclosure, driven partly by changed reporting policies but also by the growing complexity of software systems, means that organizations face an ever-expanding list of potential weaknesses to address. 

Meanwhile, exploitation attempts have surged. The BSI’s MADCAT honeypot measurements showed a 38% increase in exploitation attacks compared to the previous reporting period. Attackers aren’t just probing systems—they’re actively exploiting weaknesses at an accelerating rate. 

The Cybercrime Landscape in Germany: Stabilization Without Relief 

The threat landscape showed some positive developments during the reporting period. International law enforcement actions against major ransomware operations led to a degree of stabilization. LockBit and AlphV, two previously dominant ransomware groups, were substantially disrupted. This represents a significant victory for coordinated international cybercrime enforcement. 

However, stabilization doesn’t mean elimination. Germany ranked third globally as a target of cybercrime groups: 64% of the groups tracked had German victims, behind only the United States (94%) and the United Kingdom (71%). The cybercrime ecosystem has proven remarkably resilient, with new groups emerging to fill the void left by disrupted operations. RansomHub, Clop, Akira, Qilin, and Play were among the most active groups during the reporting period, continuing the Ransomware-as-a-Service trend that makes sophisticated attacks accessible to less skilled criminals. 

The data leak situation has reached alarming levels. During the reporting period, 461 data leaks affected German institutions and consumers. The most commonly compromised information included birth dates (92% of leaks), physical addresses (72%), and email addresses (63%). More sensitive data, such as passwords (36%), payment information (22%), and health data (18%) were also frequently exposed. 

The IoT Botnet Threat 

Perhaps one of the most disturbing revelations in the BSI report concerns IoT botnets, particularly BadBox and Vo1d. BadBox became the largest active botnet in Germany, with up to 58% of infected systems in the country attributed to this single operation. What makes BadBox especially concerning is that devices were infected during the production phase—before they ever reached consumers. 

This represents a fundamental shift in the threat model. Traditional security advice assumes that devices are secure when purchased and become compromised through user behavior or software vulnerabilities. BadBox demonstrates that supply chain compromises can deliver pre-compromised devices directly to consumers and businesses, who have little practical way to detect the infection on the device itself; the remaining signal is the device’s network traffic to its command-and-control infrastructure, which is exactly what sinkholing intercepts. 

The BSI responded through sinkholing operations, redirecting communication attempts from infected devices to BSI-controlled servers to prevent further malicious activity. Approximately 30,000 BadBox-infected IoT systems had their communications blocked, and device owners were notified. An additional 10,000 Vo1d-infected device owners received similar notifications. While these remediation efforts represent important defensive actions, they’re reactive measures addressing infections that have already occurred. 
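Detecting a pre-compromised device from its network behaviour, as an added example that is not the BSI’s tooling and not code from the original article: the script scans resolver log lines for queries to known command-and-control domains and reports which LAN clients made them, using suffix matching so that per-device subdomains are caught. The C2 names use the reserved .invalid TLD and the log lines are constructed; in practice the indicators would come from a threat feed or from a sinkhole notification such as the ones the BSI sent.

```python
"""Flag LAN clients that resolve known botnet C2 domains.

Added example (not the BSI's tooling). Indicators and log lines are
constructed; real indicators come from a threat feed or a sinkhole notice.
"""
from collections import defaultdict

# Constructed indicators; the .invalid TLD guarantees these are not real names.
C2_DOMAINS = {"update-sync.invalid", "ota-cdn.invalid"}

# Constructed resolver log in the form "<epoch> <client-ip> <queried-name>".
# 192.168.1.37 plays the pre-infected smart-TV box; .20 and .52 are clean.
RESOLVER_LOG = """\
1731570001 192.168.1.20 time.example.net
1731570002 192.168.1.37 a1b2c3.update-sync.invalid
1731570003 192.168.1.37 ota-cdn.invalid
1731570004 192.168.1.52 www.example.org
1731570005 192.168.1.37 a1b2c3.update-sync.invalid
1731570006 192.168.1.20 notupdate-sync.invalid
"""


def matches_indicator(name, indicators):
    """True if name equals an indicator or is a subdomain of one.

    Matching is done label-wise, so 'notupdate-sync.invalid' does not match
    'update-sync.invalid' while 'a1b2c3.update-sync.invalid' does.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def flag_clients(log_text, indicators, min_hits=1):
    """Return {client_ip: {queried_name: count}} for clients with >= min_hits
    lookups of an indicator. Malformed lines are skipped rather than fatal,
    since resolver logs are frequently truncated or rotated mid-line."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, name = parts
        if matches_indicator(name, indicators):
            hits[client][name] += 1
    return {client: dict(names) for client, names in hits.items()
            if sum(names.values()) >= min_hits}


if __name__ == "__main__":
    for client, names in flag_clients(RESOLVER_LOG, C2_DOMAINS).items():
        print(f"{client}: {sum(names.values())} C2 lookups -> {sorted(names)}")
```

The same suffix-matching loop works on DHCP-correlated DNS logs from a home router, a corporate resolver, or a Zeek dns.log; what changes is only the parser. Raising `min_hits` suppresses a single stray lookup but delays the alert, so it is a tuning decision rather than a default.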

The SME Vulnerability Gap 

The statistic that should alarm every business leader in Germany: approximately 80% of reported attacks targeted SMEs. Part of that share reflects base rates, since SMEs make up the large majority of German businesses, but the pattern also follows attacker economics: softer targets get hit more. 

The dynamics are straightforward. Large enterprises have dedicated security teams, substantial budgets, and often sophisticated detection and response capabilities. Attacking them requires significant resources and expertise, with no guarantee of success. SMEs, conversely, often operate with limited IT staff, minimal security budgets, and gaps in both technical controls and security awareness. For cybercriminals conducting cost-benefit analyses, SMEs represent the optimal target: easier to compromise, less likely to detect attacks quickly, and numerous enough to provide a steady stream of victims. 

The attack pattern reflects this calculation. Rather than pursuing complex, targeted attacks against well-defended enterprises, threat actors increasingly favor volume-based approaches, hitting many SMEs with relatively simple techniques. Ransomware attacks have become particularly effective against this segment, with 72% of the 950 reported ransomware incidents involving data leaks used to pressure victims into paying. 

Interestingly, while ransom payment rates continued their multi-year decline—dropping to just 26% in Q2 2025 compared to 85% in Q1 2019—the average ransom payment reached all-time highs. This suggests that while fewer victims are paying, those who do pay are facing substantially larger demands, particularly when data leakage is involved. 

Attack Surface Management: The Missing Link 

The BSI’s conclusion is direct and unambiguous: “Protection of attack surfaces is the decisive lever for improving cybersecurity in 2026.” This isn’t merely one recommendation among many—it’s identified as the critical factor that will determine whether Germany’s cybersecurity situation improves or continues to deteriorate. 

The data support this assessment. Of the accessible IP addresses in Q2 2025, approximately 791,722 exposed metadata (for example, service banners that reveal product and version), potential indicators of security weaknesses. Far too often, known vulnerabilities in perimeter systems are patched late or not at all. Web attack surfaces in particular show a “worrying state” that calls for more professional attention through effective attack surface management. 

The federal administration provides a microcosm of the challenge. An average of 684,000 active email addresses existed in federal networks daily, along with approximately 1,480 active social media accounts (with high numbers of unreported cases due to private employee accounts). Daily accessible IP addresses of the federal administration with suspected vulnerabilities ranged from zero to over 300 depending on severity level. Even well-resourced government agencies struggle to maintain complete visibility and control over their attack surfaces. 

The BSI argues that attack surface management must become as routine as antivirus software for email. This represents a fundamental shift in thinking—from treating attack surface visibility as an occasional audit activity to recognizing it as a continuous operational necessity. 

The Resilience Gap 

Germany has made substantial investments in cybersecurity awareness and capability building. The Alliance for Cyber Security has grown to include 8,622 companies and institutions. The BSI issued 41 cybersecurity warnings during the reporting period and provided 3,871 reports through its Warning and Information Service. Critical infrastructure operators continue to make progress in implementing Information Security Management Systems (ISMS) and Business Continuity Management Systems (BCMS), with maturity levels steadily improving. 

Yet awareness hasn’t translated to sufficient action, particularly among vulnerable groups. Consumer surveys revealed a troubling gap: respondents knew an average of 6.1 protection measures but actually used only 3.8. Both awareness and usage of protection measures declined in 2025. Many respondents cited finding the measures too complicated, suggesting that even when people know what to do, friction in implementation prevents effective security practices. 

The federal administration saw some positive trends, with daily malware attacks via email declining slightly from 772 to 753. However, blocked access attempts to malicious websites increased by 23%, from 9,212 to 11,330 daily attempts. The threat isn’t decreasing—it’s shifting to channels where defenses may be less mature. 

From Awareness to Protection 

The BSI report makes clear that incremental improvements won’t suffice. Every organization—regardless of size—must treat attack surface analysis and management as indispensable components of effective risk management. This requires several shifts in thinking and practice: 

First, organizations must move from periodic security assessments to continuous monitoring. Attack surfaces change too rapidly for annual or quarterly reviews to provide meaningful protection. What was secure yesterday may be vulnerable today. 

Second, vulnerability management must evolve from attempting comprehensive patching to intelligent prioritization. With 119 new vulnerabilities discovered daily, teams must focus on vulnerabilities that pose actual risk to their specific environments—those being actively exploited, affecting internet-facing systems, or for which exploit code exists in underground markets. 

Third, SMEs must receive targeted support. Expecting resource-constrained small businesses to independently develop sophisticated security programs isn’t realistic. Industry associations, government agencies, and technology providers must collaborate on solutions that are accessible, affordable, and appropriately scaled for SME needs. 

Fourth, supply chain security must extend beyond vendor questionnaires to continuous monitoring of partner security postures. The question isn’t whether a vendor had good security six months ago—it’s whether they’re secure right now. 
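The first two shifts above (continuous monitoring instead of periodic review, and prioritization by actual risk instead of blanket patching) can be expressed as one small triage loop. The following is an added example, not code from the BSI report or from Cyble: it diffs two scan snapshots of exposed services, matches the current snapshot against a vulnerability feed, and orders the findings by exploitation evidence and internet exposure before CVSS. All hosts, products, versions and advisory identifiers (ADV-nnn) are constructed for illustration, and the tier rules are an assumption that a team would tune to its own environment.

```python
"""Attack-surface snapshot diffing and exploit-aware prioritisation.

Added example; not code from the BSI report or from Cyble. Hosts, products,
versions and advisory IDs (ADV-nnn) are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One observed service, as an attack-surface scan would record it."""
    host: str
    port: int
    product: str
    version: str
    internet_facing: bool = True


@dataclass(frozen=True)
class Vuln:
    """A vulnerability record as a feed would deliver it (IDs hypothetical)."""
    vuln_id: str
    product: str
    affected_versions: frozenset
    cvss: float
    known_exploited: bool = False   # exploitation observed in the wild (KEV-style flag)
    public_exploit: bool = False    # working exploit code is publicly available


def diff_surface(previous, current):
    """Compare two snapshots keyed by (host, port).

    Returns (new, removed, changed): services that appeared, disappeared, or
    changed product/version/exposure between scans. Continuous monitoring is
    this diff run after every scan, not an annual inventory.
    """
    prev = {(s.host, s.port): s for s in previous}
    curr = {(s.host, s.port): s for s in current}
    by_addr = lambda s: (s.host, s.port)
    new = sorted((curr[k] for k in curr.keys() - prev.keys()), key=by_addr)
    removed = sorted((prev[k] for k in prev.keys() - curr.keys()), key=by_addr)
    changed = sorted(((prev[k], curr[k]) for k in prev.keys() & curr.keys()
                      if prev[k] != curr[k]), key=lambda pair: by_addr(pair[0]))
    return new, removed, changed


def match_vulns(services, vulns):
    """Pair each service with every feed entry whose product and version match."""
    return [(svc, v) for svc in services for v in vulns
            if v.product == svc.product and svc.version in v.affected_versions]


def priority(svc, vuln):
    """Lower is more urgent. Exploitation evidence outranks CVSS alone, and a
    finding on a host that is not reachable from the internet drops two tiers
    regardless of its score (assumed weighting; tune per environment)."""
    if vuln.known_exploited:
        tier = 1
    elif vuln.public_exploit:
        tier = 2
    else:
        tier = 3
    return tier if svc.internet_facing else tier + 2


def prioritize(findings):
    """Order (service, vuln) pairs: tier, then CVSS descending, then host/port."""
    return sorted(findings, key=lambda f: (priority(*f), -f[1].cvss, f[0].host, f[0].port))


# Constructed snapshots: last week's scan and today's scan.
SCAN_LAST_WEEK = [
    Service("web1.example.com", 443, "nginx", "1.24.0"),
    Service("mail1.example.com", 25, "postfix", "3.8.1"),
    Service("vpn1.example.com", 443, "acmevpn", "9.0"),
    Service("wiki.intranet.example", 80, "acmewiki", "2.0", internet_facing=False),
]
SCAN_TODAY = [
    Service("web1.example.com", 443, "nginx", "1.24.0"),
    Service("web1.example.com", 8080, "acmemgr", "1.0"),      # new: admin UI exposed
    Service("mail1.example.com", 25, "postfix", "3.8.1"),
    Service("vpn1.example.com", 443, "acmevpn", "9.1"),       # changed: version bump
    Service("db1.example.com", 5432, "postgresql", "15.2"),   # new: database on the internet
    Service("wiki.intranet.example", 80, "acmewiki", "2.0", internet_facing=False),
]

# Constructed vulnerability feed with hypothetical advisory IDs.
FEED = [
    Vuln("ADV-001", "acmevpn", frozenset({"9.0", "9.1"}), 9.8, known_exploited=True),
    Vuln("ADV-002", "postgresql", frozenset({"15.2"}), 8.8, public_exploit=True),
    Vuln("ADV-003", "nginx", frozenset({"1.24.0"}), 5.3),
    Vuln("ADV-004", "acmewiki", frozenset({"2.0"}), 9.9, known_exploited=True),
]


def triage(previous, current, feed):
    """One cycle: diff the surface, then build today's ordered work list."""
    new, removed, changed = diff_surface(previous, current)
    return new, removed, changed, prioritize(match_vulns(current, feed))


if __name__ == "__main__":
    new, removed, changed, ranked = triage(SCAN_LAST_WEEK, SCAN_TODAY, FEED)
    for s in new:
        print(f"NEW     {s.host}:{s.port} {s.product}/{s.version}")
    for before, after in changed:
        print(f"CHANGED {after.host}:{after.port} {before.version} -> {after.version}")
    for svc, v in ranked:
        print(f"P{priority(svc, v)} {v.vuln_id} {svc.host}:{svc.port} cvss={v.cvss} "
              f"exploited={v.known_exploited} public_exploit={v.public_exploit}")
```

Two things the ranking makes visible that a CVSS-sorted list hides: the newly exposed admin interface on web1:8080 has no feed entry at all and still appears in the diff as a change that needs an owner, and the highest-CVSS finding (the internal wiki) lands below an internet-facing database with a public exploit because reachability, not severity, decides which one an attacker scanning the 13.2 million .de domains will actually find.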

Building Proactive Defenses in a Tense Environment 

The BSI characterizes Germany’s IT security situation as “tense,” and the data justifies this assessment. Threats have stabilized at high levels rather than diminishing. Attack surfaces continue expanding faster than organizations can secure them. Risks remain elevated because too many vulnerabilities go unaddressed. Damage effects, measured in data leaks and financial costs, show no signs of declining. 

Yet the report also demonstrates that focused efforts produce measurable results. Law enforcement actions disrupted major cybercrime groups. Sinkholing operations neutralized tens of thousands of botnet infections. Critical infrastructure operators improved their security management maturity. These successes prove that the situation, while tense, isn’t hopeless. 

What’s needed is a fundamental reorientation toward proactive attack surface management. Organizations that understand what attackers see, prioritize vulnerabilities that matter, and maintain continuous visibility over their digital footprint will significantly reduce their risk exposure. Those that don’t will remain attractive targets in an increasingly hostile threat landscape. 

The BSI’s message is clear. Protect attack surfaces now, or accept increasing risk. For Germany’s businesses—particularly the SMEs absorbing 80% of attacks—this isn’t a theoretical concern. It’s an operational imperative that will determine which organizations thrive and which become the next breach statistics in next year’s report. 

Taking Action on Attack Surface Management 

The challenges identified in Germany’s BSI report aren’t unique to German organizations—they’re indicative of global trends affecting businesses worldwide. Expanding attack surfaces, persistent threats, and vulnerability management at scale are universal challenges requiring comprehensive visibility and continuous monitoring. 

Cyble’s threat intelligence platform addresses these core challenges through integrated attack surface management, real-time vulnerability intelligence, and dark web monitoring. Organizations gain visibility into their exposed assets, prioritize vulnerabilities based on active exploitation, and receive early warnings about threats emerging in underground forums—the same capabilities the BSI report identifies as critical for improving cybersecurity posture.  

For organizations looking to move from reactive security to proactive AI-driven attack surface protection, request a demo to explore how comprehensive threat intelligence can strengthen your defenses. 

Reference: 

Article source: https://cyble.com/blog/germany-expanding-threat-landscape-sme-cyber-risks/