2025 Talos Year in Review: Speed, scale, and staying power
2026-3-23 12:3:20 Author: blog.talosintelligence.com

The 2025 Talos Year in Review is now available to view online.

The pace and scale of adversary activity in 2025 placed sustained pressure on security teams across industries. As with each annual report, our goal at Talos is to provide the security community with a clear analysis of the tactics, techniques, and procedures that shaped adversary operations, and to help organizations prioritize the actions that reduce exposure and strengthen defenses.

What defined 2025

Three themes emerged consistently across Talos’ threat research, telemetry, and incident response engagements:

1. Exploitation at both extremes

New large-scale vulnerabilities were operationalized almost immediately, but adversaries also continued to exploit CVEs that have been exposed for years. This rapid operationalization of new vulnerabilities reflects a rise in automated exploit development, public proof-of-concept code, and mature adversary coordination.

React2Shell, released in December, ranked first by year’s end only three weeks after disclosure, while a vulnerability disclosed 12 years ago ranked seventh. That range tells a story about organizational technical debt: Long-standing exposure continues to be reliably and successfully exploited.

2. The architecture of trust

In 2025, adversaries focused on the systems that manage authentication, authorization, and device trust.

Attackers who gained access through compromised credentials stealthily extended that access through internal phishing and abuse of identity controls within network infrastructure. Control of identity often meant control of the environment.

3. Targeting centralized systems for more leverage

Threat actors targeted centralized infrastructure, management platforms, and shared frameworks to expand the impact of a single compromise.

Approximately 25% of the vulnerabilities in the Top 100 targeted list affected widely used frameworks and libraries that are embedded deep within the software stack. Because these components underpin applications and network appliances across vendors, a single CVE can create mass exploitation potential across industries. Compromising these shared foundations enabled lateral movement across environments. 

Read the full report

View the full report online (it’s not gated and never will be) to see where attackers are gaining ground, and how to disrupt their playbook. 


Source: https://blog.talosintelligence.com/2025-talos-year-in-review-speed-scale-and-staying-power/