External Publication
Visit Post

Cisco Talos 2025 year in review and lessons learned

Network World [Unofficial] March 23, 2026
Source

The 2025 cybersecurity landscape was defined by a ruthless paradox: the lightning-fast weaponization of the new alongside the stubborn persistence of the old. This week at the RSAC 2026 conference, Cisco released its Talos 2025 Year in Review report, and it shows a new narrative has emerged for networking and security professionals. Attackers have moved beyond simple endpoint compromise, shifting their focus to the identity, supply chain, and management planes that govern the modern enterprise.

For those of us managing complex environments, the report offers a sobering look at our systemic vulnerabilities, delivers a roadmap for hardening our defenses in 2026, and emphasizes the need to rethink security strategies.

The new speed of exploitation vs. legacy longevity

Perhaps the most striking trend of 2025 is the near-instant weaponization of new vulnerabilities. The React2Shell flaw (CVE-2025-55182), despite being disclosed only in December, surged to become the No. 1 most targeted vulnerability of the entire year. This reflects a fundamental shift where automated tooling allows adversaries to strike almost immediately upon disclosure, leaving defenders with virtually zero reaction time.

[ Related: More Cisco news and insights**]**

Yet the classics haven’t gone away. Log4j (Log4Shell) remains in the top 10 four years after its discovery because it is so deeply embedded in enterprise software stacks that full eradication remains elusive.

Attackers aren’t choosing between “new” and “old” exploits; they are choosing exposure and proximity to trust. If a vulnerability is widely deployed and easy to automate, it is a priority target regardless of its age.

The network is the new identity gateway

In 2025, network infrastructure became a primary battleground. Attackers are increasingly prioritizing application delivery controllers (ADC), VPN gateways, and network management platforms. Why? Because these systems are the de facto brokers of trust.

By compromising an ADC or a VPN, an attacker doesn’t just break in—they become a trusted user. This allows them to bypass Multi-Factor Authentication (MFA), steal session tokens, and move laterally across the entire network undetected. Compounding this risk is the fact that nearly 40% of top-targeted vulnerabilities in 2025 impacted end-of-life (EOL) devices that can no longer be patched.

The siege on MFA and identity

The report highlights a staggering 178% surge in device compromise attacks, where attackers register their own hardware as a trusted factor in a victim’s MFA account.

  • Social engineering dominates: Attackers are finding it easier to target the person who holds the key rather than the lock itself. Voice phishing (vishing) aimed at IT administrators was three times more common than user-managed registration fraud.
  • Industry-specific tactics: The Technology sector faced frequent MFA spray attacks due to its standardized infrastructure, while Higher Education was plagued by device compromise due to its diverse, unmanaged, and messy device environment.
  • Manufacturing under pressure: This sector remained the #1 target for ransomware because of its low tolerance for downtime and complex hybrid (IT/OT) environments.

State-sponsored sophistication

Geopolitical tensions directly fueled cyber activity in 2025:

  • China-Nexus: Investigations into Chinese state-sponsored activity rose by 74%. These groups demonstrated extraordinary speed, weaponizing the ToolShell zero-day (SharePoint) instantaneously after disclosure.
  • Russia: Activity was highly correlated with the war in Ukraine and the announcement of international sanctions. Groups like Static Tundra continued to successfully exploit vulnerabilities that were five to seven years old in networking software.
  • North Korea: Beyond record-breaking cryptocurrency thefts ($1.5 billion in a single heist), they successfully placed fake IT workers within Fortune 500 companies using AI-generated personas.

The agentic shift: AI as a dual-edged sword

As we move into 2026, we are witnessing an agentic shift in AI. In 2025, AI was used to augment parts of the attack chain—like creating more convincing phishing lures or deepfakes. Now, we are seeing the rise of autonomous agents capable of evaluating screen content and determining the next steps in an attack.

Recommendations for security and networking teams

To navigate this landscape, organizations must move beyond a patch-only mindset and adopt a strategy focused on structural integrity.

  1. Secure the management plane. Management platforms (like vCenter or Cisco Security Manager) are the keys to the kingdom. A single compromise here grants access equivalent to dozens of edge devices. Action: Isolate management interfaces, enforce phishing-resistant MFA for all admin accounts, and treat management software with the same rigor as your most critical infrastructure.
  2. Bridge the EOL gap. With 40% of top threats targeting EOL devices, the gap between vendor lifecycles and organizational patch management is a primary entry point. Action: Audit your perimeter for EOL network hardware and prioritize their retirement or isolation. Since these devices often lack EDR visibility, they are blind spots that attackers routinely exploit.
  3. Harden identity verification. Attackers are successfully vishing IT help desks to register fraudulent MFA devices. Action: Implement mandatory live video interviews for high-risk identity changes and use liveness detection for ID verification. Move toward phishing-resistant MFA (like FIDO2) wherever possible.
  4. Strategic defensive windows. Ransomware activity consistently dips every January, likely due to regional holidays in Eastern Europe. Action: Use this strategic window in January to test your readiness. Run tabletop exercises, test your backup restoration processes, and implement major security fixes before the inevitable spring surge in attacks.

The 2025 data proves that modern security is no longer just about the lock; it’s about the systems that validate who holds the key. As networking and security teams, the goal for 2026 must be to secure the identity and management planes with the same intensity that our adversaries are using to attack them.

More Cisco news:

  • Cisco Talos 2025 year in review and lessons learned
  • How Cisco’s platform mindset is meeting the AI era
  • Cisco extends AgenticOps across networking, security, observability products
  • Cisco amps up Silicon One line, delivers new systems and optics for AI networking
  • Takeaways from Cisco’s AI Summit
  • Cisco: Infrastructure, trust, model development are key AI challenges
  • AI, security tailwinds signal promising 2026 for Cisco
  • Cisco adds intelligent policy enforcement to mesh firewall family
  • Actively exploited Cisco UC bug requires immediate, version‑specific patching
  • Cisco’s 2026 agenda prioritizes AI-ready infrastructure, connectivity
  • Cisco finally patches seven-week-old zero-day flaw in Secure Email Gateway products
  • Cisco routers knocked out due to Cloudflare DNS change

Discussion in the ATmosphere

Loading comments...