Patch or perish: Vulnerability exploits now dominate intrusions

What good is a fix if you don't use it? Experts are urging security teams to patch promptly as vulnerability exploits now account for the majority of intrusions, according to the latest figures. Cisco Talos said exploited flaws were behind nearly 40 percent of all intrusions in Q4 2025, and the speed at which attackers were harnessing those weaknesses should serve as a wake-up call for defenders. This marks the second quarter in a row that exploits led the charge for initial access, but represented a drop from Q3's rate of 62 percent, which was driven largely by widespread ToolShell attacks. More recently, the team pointed to the Oracle EBS and React2Shell vulnerabilities as examples of two high-profile vectors that continued to fuel the trend, both of which were taken up by attackers within hours of disclosure. Talos stated in its report: "In both cases, exploitation activity occurred around the time the vulnerability became public, demonstrating actors' speed in capitalizing on these opportunities as well as the inherent risks of internet-facing enterprise applications and default deployments embedded in widely used frameworks." The Register reported at the time that a functional proof-of-concept exploit for React2Shell began circulating online within 30 hours of disclosure, for example. Likewise, AWS said Chinese state-backed attackers were exploiting the maximum-severity bug "within hours or days of disclosure." Cyberattack on Poland's power grid could have turned deadly in winter cold Ransomware crims forced to take off-RAMP as FBI seizes forum Everybody is WinRAR phishing, dropping RATs as fast as lightning Fortinet unearths another critical bug as SSO accounts borked post-patch Whether organizations heed this warning is another matter, however. Patching systems, especially in large organizations, can be a painful process, but according to a BitSight analysis in 2024, private sector admins are taking months, not hours, to patch the most serious flaws. Unsurprisingly, phishing was also among the most common ways in which attackers gained access to a victim's network, coming in second place just behind bug exploits with 32 percent of access cases. Some notable phishing examples included two possibly-related campaigns targeting Native American tribal organizations. Talos was involved with both of those, and the team saw successful phishes lead to email account compromises and attackers using their newfound access to launch internal and external follow-on phishing emails. The going advice is relatively unchanged from the usual stuff: patch systems quickly; implement MFA and – crucially – methods of detecting MFA abuse; and ensure systems are gathering the required logs so that responders have something to work with when they arrive on the scene. Also, when you can't patch expeditiously, limit public exposure of these vulnerable endpoints until a time when they can be protected. Finally, for some good news, ransomware is down to 13 percent of cases from 20 percent in Q3, and 50 percent in Q1 and Q2. Plus, no new criminal groups were seen either. While that sounds positive, Talos said it probably just means groups are consolidating – big gangs score big takes, while smaller outfits fall by the wayside. Stay frosty. ®