Vulnerability exploits now dominate intrusions
Briefly

"Cisco Talos said exploited flaws were behind nearly 40 percent of all intrusions in Q4 2025, and the speed at which attackers were harnessing those weaknesses should serve as a wake-up call for defenders. This marks the second quarter in a row that exploits led the charge for initial access, but represented a drop from Q3's rate of 62 percent, which was driven largely by widespread ToolShell attacks."
"More recently, the team pointed to the Oracle EBS and React2Shell vulnerabilities as examples of two high-profile vectors that continued to fuel the trend, both of which were taken up by attackers within hours of disclosure. Talos stated in its report: 'In both cases, exploitation activity occurred around the time the vulnerability became public, demonstrating actors' speed in capitalizing on these opportunities as well as the inherent risks of internet-facing enterprise applications and default deployments embedded in widely used frameworks.'"
"The Register reported at the time that a functional proof-of-concept exploit for React2Shell began circulating online within 30 hours of disclosure, for example. Likewise, AWS said Chinese state-backed attackers were exploiting the maximum-severity bug 'within hours or days of disclosure.' Whether organizations heed this warning is another matter, however. Patching systems, especially in large organizations, can be a painful process, but according to a BitSight analysis in 2024, private sector admins are taking months, not hours, to patch the most serious flaws."
Exploited vulnerabilities accounted for nearly 40% of intrusions in Q4 2025, marking the second consecutive quarter where exploits led initial access. Q3 had a higher rate of 62% largely due to ToolShell activity. High-profile vectors such as Oracle EBS and React2Shell were adopted by attackers within hours of disclosure. Proof-of-concept code for React2Shell circulated within about 30 hours, and state-backed actors exploited a maximum-severity bug within hours or days. Phishing remained the second-most common access vector at 32% of cases. Many organizations still take months to patch critical flaws, increasing exposure risk.
Read at The Register