Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders
2026-4-2 10:3:30 Author: blog.talosintelligence.com

Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape. The 2025 report paints a clear picture: Attackers are moving faster than ever, while using identity-related attacks as the primary battleground.  

To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security. 

Here’s their conversation. 

Old vulnerabilities, new speed 

Marshall:
One of the clearest trends in this year’s data is the contrast in how vulnerabilities are being exploited. We saw React2Shell disclosed in December and within weeks it became the most targeted vulnerability we tracked.

At the same time, a 12-year-old vulnerability still appeared in the top 10 most exploited list. So we’re seeing very rapid weaponization (likely fuelled by AI given the compressed timeline from initial proof of concept to large-scale exploitation, across multiple languages and platforms) alongside continued success with legacy flaws.  

Bailey:
There’s always a lot of focus on the latest zero-day, and rightly so. The industrialization of vulnerability exploitation is extremely concerning. But at the same time, many attacks are still leveraging vulnerabilities that have been around for years.

Organizations are dealing with complexity. Large environments. Long device lifecycles. Change management processes that take time. But attackers don’t care about those constraints. They actually count on them. 

This is where we need to repeat that the fundamentals still matter. Patch management, asset visibility, lifecycle discipline... We still have work to do there as an industry.  

Marshall:
And then you have 40% of the top 100 exploited vulnerabilities being effective because organizations were running end-of-life devices. That’s a measurable problem. When infrastructure is no longer supported, attackers know it. They scan for it, and then they target it. Technical debt becomes operational risk.

Bailey:
Absolutely. In most cases, it’s not that customers don’t want to patch. It’s that their critical networking infrastructure has been stable for years, and taking it offline can disrupt the business.

As an industry, we need to reduce that friction. Cisco is a big part of that, with built-in protections in our networking equipment that can be applied without downtime, and options to shield systems when patching can't happen immediately.

Identity as the primary target 

Marshall:
If there’s one area where attackers are consistently investing their time and energy, it’s identity. In 2025, identity-based attack techniques were central to major phases of operations, like lateral movement, privilege escalation, and persistence. Controlling identity effectively means controlling access across the environment.

One of the most striking data points in the report is that fraudulent device registration increased 178 percent year over year. In many cases, attackers convinced administrators to register devices on their behalf through vishing (or voice phishing). They targeted administrator-managed registration flows at three times the rate of user-driven ones. There’s a clear preference for high-value victims. 

Bailey:
And unfortunately these stolen credentials are widely available. Logging in is often easier than breaking in. Once attackers obtain legitimate access, they can blend in.

For defenders, identity controls need to go beyond authentication. You need continuous monitoring. You need risk-based adjustments to access. You need to detect abnormal behavior quickly. 

Marshall:
We’re also seeing a rise in internal phishing. More than a third of phishing incidents we observed involved attackers sending messages from already compromised accounts.

Once inside, they create mailbox rules to hide replies and suppress visibility. They explore shared drives and collaboration platforms. They look for sensitive information that can help them expand access. This all means defenders need strong visibility into normal user behavior. If accounts suddenly start sending far more messages than usual or accessing data they never touched before, that should stand out. 

Bailey:
Identity is no longer just an authentication problem. It’s a monitoring and governance problem, as well.

Marshall:
We observed continued evolution in state-sponsored activity throughout the year. Talos investigations into China-nexus campaigns increased nearly 75 percent in 2025. These actors are exploiting both zero-day and n-day vulnerabilities while also engaging in financially motivated activity to support their broader goals.

Russian-linked activity continues to correlate closely with geopolitical developments. We consistently see these actors exploiting unpatched networking equipment to establish long-term access. 

North Korean affiliated actors refined their “Contagious Interview” campaigns. They compromised developers through fake job opportunities and expanded IT worker schemes using AI-generated personas. 

Iranian-linked actors increased hacktivist-style operations by roughly 60 percent last year, and we’ve seen that type of activity rise again during the ongoing conflict in the Middle East. At the same time, actors such as ShroudedSnooper are deploying highly evasive and stealthy backdoors to maintain long-term access to critical telecommunications infrastructure. 

Bailey:
These groups are adaptive and pragmatic. From a defender’s perspective, the distinction between state-sponsored and criminal actors is less useful than it used to be. Techniques overlap, tools are shared, and infrastructure gets reused.

What matters is speed. These actors move quickly and often target the edge of the network through unpatched devices and legacy infrastructure.   

That’s where intelligence becomes critical. At Cisco, when Talos identifies a campaign or toolset, that intelligence feeds directly into protections for customers. Speed of detection and response must match the pace of the threat.  

AI and the acceleration of attacks 

Marshall:
In 2025, AI was most commonly used to automate and scale parts of traditional attacks, especially social engineering. It lowered the barrier to creating convincing phishing lures and fraudulent sites.

The Year in Review is based on trends throughout 2025, but we also want to call attention to the fact that the AI threat landscape is changing fast, even in the first few months of 2026. Research into threats like VoidLink shows how AI can accelerate malware development. The tasks that previously required extended development cycles are now being completed quicker than ever.

We’re also seeing early examples of AI-enabled malware in mobile environments. Agentic capabilities can analyze screen content and determine next actions. It’s still early, but the pace of change is notable. 

Bailey:
Organizations also need to think about how they deploy AI internally.

We saw rapid adoption of consumer AI tools, followed by a realization that guardrails were necessary. Prompt injection, data exposure, unauthorized model access... These are real concerns.  

Now we’re seeing companies implement controls such as semantic inspection of prompts, model scanning, and discovery of shadow AI deployments. Secure AI deployment will quickly become standard practice. It has to. 

Marshall:
We designed the Talos Year in Review to help defenders prioritize. And in terms of those priorities, I’d like to leave people with a few that stand out.

The data shows that attackers consistently pursue access for scale and leverage. They want the keys to the kingdom, so they target identity systems, administrators, and end-of-life infrastructure because it gives them broad access. 

Strengthening your identity controls, understanding your environment, and safeguarding and removing EOL infrastructure are three of the most important actions organizations can take. 

Bailey:
I agree. Patching is still crucial, but just as important is ensuring you have visibility across devices, strong segmentation, and continuous monitoring for abnormal behavior.

We’re also seeing attacks happening faster, increasingly amplified by automation and AI. Agentic AI is opening the door to a catalogue of features that will automate manual work and allow adversaries to greatly expand their capabilities. Now more than ever, defenders need architectures that are resilient and observable in the face of these developments.

I encourage everyone to read the full Talos report. It’s filled with data and practical guidance.   

Marshall:
Thank you, Peter. This report represents a tremendous amount of effort across Talos and it's built with our customers in mind. I'd like to extend a sincere appreciation to my team and all of our partners who contributed to its life and launch.

Our goal with the Year in Review, much like our general mission at Talos, is simple: Show where adversaries are succeeding, and provide clear guidance on how to reduce that success rate.  

In addition, I would ask all of our customers to use this report to challenge us, challenge Cisco. We strive to give you the greatest protection, products, and services possible. Let us know how we can be better. 


Source: https://blog.talosintelligence.com/inside-the-talos-2025-year-in-review-a-discussion-on-what-the-data-means-for-defenders/