In 2025, attackers did not only target traditional areas of vulnerability; they also went after the areas with the least defense and the most rapid change. These include new AI technologies, web applications, and operational technology (OT) in industries such as healthcare, manufacturing, energy, government, and finance.
In fact, attacks against OT protocols rose by a whopping 84%, with Modbus, Ethernet/IP, and BACnet at the forefront. IoT exploits increased to 19%, hitting cameras and video recorders the hardest, while network devices accounted for some 19% of all exploits. This is no surprise, because last year IT, IoT, and OT all saw broad expansion amid rapid infrastructure shifts.
These were some of the findings of the recent 2025 Threat Roundup by Forescout Technologies – Vedere Labs. The research aims to provide an overview of the global threat landscape and key trends that cyber defenders should be aware of in 2026 by reviewing the attack telemetry and threat actor intelligence it collects.
Most information comes from Vedere’s Adversary Engagement Environment (AEE), a group of online honeypots set up to attract attackers and track what they do. From January to December 2025, it logged over 900 million attacks, some of which targeted known vulnerabilities with specific CVE identifiers.
The report said: “Monitoring traffic to and from OT assets is now as critical as monitoring IT traffic. Attackers are continuously probing these assets for weaknesses, and many organizations remain blind because they lack visibility into OT environments. Building automation protocols, and even widely deployed protocols, such as Modbus, are present in many organizations and should be treated as high-priority targets for risk monitoring and risk reduction.”
Global Attack Distribution
When it came to global attack distribution, the report found that cyberattacks originated from 214 countries, led, unsurprisingly, by China, Russia, and Iran. The top 10 nations accounted for 61% of malicious traffic (down 22% from 2024).
The US was their main target, followed by India and Germany. Threat actors showed broader geographic spread and targeted critical sectors like manufacturing (16% actor growth), healthcare (13%), and energy (6%).
The research revealed that in 2025, China-linked threat actors targeted medical systems and enterprise software, while researchers also tracked attacks on SOHO routers to build proxy botnets and ongoing activity against telecom and critical infrastructure.
“Russia- and Iran-linked activity also included hacktivist-style personas, such as NoName057(16) and Handala Group. These groups often emphasize disruptive messaging and infrastructure impact and align operations with geopolitical flashpoints,” they added.
Infrastructure and Tactics Evolution
Infrastructure and tactics evolved, too. Abuse of Amazon and Google cloud infrastructure accounted for over 15% of attacks, up from 11% in 2024, driven by fast-changing Autonomous Systems amid law enforcement disruptions.
Web apps were again the top target at 61%, followed by remote management protocols at 15%. Post-exploitation reconnaissance soared to 91% of activities, up from 25% in 2023.
Vulnerability Trends
CISA’s Known Exploited Vulnerabilities list grew 30% year-on-year to 242 entries, while Vedere Labs added 285 vulnerabilities to its own KEV list, a staggering 213% increase.
It’s worth mentioning that nearly three-quarters (71%) of exploited flaws were absent from CISA’s catalog, including Langflow AI framework components, which could signal rising risks in AI tools and unpatched systems.
However, Forescout offered this insight for defenders: “When deciding what to patch, and when, prioritize evidence of active exploitation alongside CVSS and other severity metrics. The CISA KEV catalog is a valuable baseline, but it does not capture the full exploited vulnerability landscape. Use additional threat intelligence to prioritize vulnerability risk mitigation, including Vedere Labs’ threat feeds and other trusted sources.”
Mitigations and Defense
According to Forescout, “Organizations should prioritize extending visibility, risk assessment and proactive controls across an expanding attack surface, including network perimeter assets, operational technology environments, healthcare systems, and IoT assets.”
At a minimum, researchers advised organizations to:
- Ensure full visibility into these assets, including their presence on the network, the software they run, and their communication patterns.
- Understand asset risk profiles across vulnerabilities, weak configurations, exposure and other factors.
- Disable unused services and patch vulnerabilities to reduce the window of exploitation.
- Change default or easily guessable credentials and use strong, unique passwords for each asset.
- Enforce multifactor authentication (MFA) whenever possible, especially for VPN access.
- Encrypt sensitive data in transit and at rest, especially personally identifiable information (PII), protected health information (PHI), and financial data.
- Avoid exposing unmanaged or legacy assets directly to the internet unless absolutely necessary.
- Apply IP-based access control lists to limit access to sensitive protocols, such as Modbus and BACnet, in OT networks.
- Segment the network to isolate IT, IoT and OT assets, limiting network connections to only authorized management and engineering workstations or to the minimum set of asset-to-asset communications required for operations.
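The last two recommendations (IP-based ACLs for Modbus and BACnet, and segmentation that admits only authorized engineering workstations) can be checked against flow logs rather than just declared in policy. The script below is an added example, not from the report or Forescout; the allowlist, OT subnet and flow records are constructed, and it also covers the EtherNet/IP ports the report mentions alongside Modbus and BACnet.

```python
import ipaddress
from collections import namedtuple

# Well-known ports of the OT protocols the report singles out.
OT_PROTOCOLS = {
    ("tcp", 502): "Modbus/TCP",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 44818): "EtherNet/IP (explicit messaging)",
    ("udp", 2222): "EtherNet/IP (implicit I/O)",
}

# Hypothetical allowlist: only hosts in these ranges may reach OT assets.
AUTHORIZED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.5.0/28",)]
# Hypothetical OT segment holding PLCs, BMS controllers and the like.
OT_SUBNET = ipaddress.ip_network("192.168.100.0/24")

Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    # Constructed flow-log format: "<src_ip> <dst_ip> <proto> <dst_port>"
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))

def find_violations(lines):
    """Return (flow, protocol_name) for every OT-protocol flow into the OT
    subnet whose source is not an authorized engineering/management host."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        name = OT_PROTOCOLS.get((flow.proto, flow.dport))
        if name is None or flow.dst not in OT_SUBNET:
            continue  # not an OT protocol, or not bound for the OT segment
        if not any(flow.src in net for net in AUTHORIZED_SOURCES):
            violations.append((flow, name))
    return violations

SAMPLE_FLOWS = """
# constructed sample flow records, not real telemetry
10.10.5.3 192.168.100.20 tcp 502
10.10.7.44 192.168.100.20 tcp 502
172.16.9.9 192.168.100.31 udp 47808
10.10.5.9 192.168.100.31 udp 47808
10.10.7.44 192.168.100.40 tcp 443
""".splitlines()

if __name__ == "__main__":
    for flow, name in find_violations(SAMPLE_FLOWS):
        print(f"ALERT {name}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Each alert is a flow that a correctly applied ACL or segment boundary should have blocked, so a non-empty result is evidence the control is missing or misconfigured.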
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.