By compromising an ADC or a VPN, an attacker doesn’t just break in—they become a trusted user. This allows them to bypass Multi-Factor Authentication (MFA), steal session tokens, and move laterally across the entire network undetected. Compounding this risk is the fact that nearly 40% of top-targeted vulnerabilities in 2025 impacted end-of-life (EOL) devices that can no longer be patched.
The siege on MFA and identity
The report highlights a staggering 178% surge in device compromise attacks, where attackers register their own hardware as a trusted factor in a victim’s MFA account.
- Social engineering dominates: Attackers are finding it easier to target the person who holds the key rather than the lock itself. Voice phishing (vishing) aimed at IT administrators was three times more common than user-managed registration fraud.
- Industry-specific tactics: The Technology sector faced frequent MFA spray attacks due to its standardized infrastructure, while Higher Education was plagued by device compromise due to its diverse, unmanaged, and messy device environment.
- Manufacturing under pressure: This sector remained the #1 target for ransomware because of its low tolerance for downtime and complex hybrid (IT/OT) environments.
State-sponsored sophistication
Geopolitical tensions directly fueled cyber activity in 2025:
- China-Nexus: Investigations into Chinese state-sponsored activity rose by 74%. These groups demonstrated extraordinary speed, weaponizing the ToolShell zero-day (SharePoint) instantaneously after disclosure.
- Russia: Activity was highly correlated with the war in Ukraine and the announcement of international sanctions. Groups like Static Tundra continued to successfully exploit vulnerabilities that were five to seven years old in networking software.
- North Korea: Beyond record-breaking cryptocurrency thefts ($1.5 billion in a single heist), they successfully placed fake IT workers within Fortune 500 companies using AI-generated personas.
The agentic shift: AI as a dual-edged sword
As we move into 2026, we are witnessing an agentic shift in AI. In 2025, AI was used to augment parts of the attack chain—like creating more convincing phishing lures or deepfakes. Now, we are seeing the rise of autonomous agents capable of evaluating screen content and determining the next steps in an attack.
Recommendations for security and networking teams
To navigate this landscape, organizations must move beyond a patch-only mindset and adopt a strategy focused on structural integrity.
- Secure the management plane. Management platforms (like vCenter or Cisco Security Manager) are the keys to the kingdom. A single compromise here grants access equivalent to dozens of edge devices. Action: Isolate management interfaces, enforce phishing-resistant MFA for all admin accounts, and treat management software with the same rigor as your most critical infrastructure.
- Bridge the EOL gap. With 40% of top threats targeting EOL devices, the gap between vendor lifecycles and organizational patch management is a primary entry point. Action: Audit your perimeter for EOL network hardware and prioritize their retirement or isolation. Since these devices often lack EDR visibility, they are blind spots that attackers routinely exploit.
- Harden identity verification. Attackers are successfully vishing IT help desks to register fraudulent MFA devices. Action: Implement mandatory live video interviews for high-risk identity changes and use liveness detection for ID verification. Move toward phishing-resistant MFA (like FIDO2) wherever possible.
- Strategic defensive windows. Ransomware activity consistently dips every January, likely due to regional holidays in Eastern Europe. Action: Use this strategic window in January to test your readiness. Run tabletop exercises, test your backup restoration processes, and implement major security fixes before the inevitable spring surge in attacks.
The 2025 data proves that modern security is no longer just about the lock; it’s about the systems that validate who holds the key. As networking and security teams, the goal for 2026 must be to secure the identity and management planes with the same intensity that our adversaries are using to attack them.
