Patch or perish: Vulnerability exploits now dominate intrusions

Summary

Cisco Talos reports that exploited vulnerabilities were responsible for nearly 40% of intrusions in Q4 2025, making exploits the leading initial access vector for the second consecutive quarter. That figure is down from Q3's 62%, a spike driven largely by ToolShell exploitation, but high-profile bugs such as Oracle EBS and React2Shell were weaponised within hours of disclosure. Talos and AWS both note that attackers, including state-linked actors, move very quickly to exploit publicised flaws. Phishing remains the second-most common vector (32%). Ransomware incidents declined to 13% of cases, which more likely reflects consolidation among criminal groups than a reduced threat. The usual defensive advice is reiterated: patch fast, use MFA and detect MFA abuse, collect enough logs to investigate, and reduce public exposure of endpoints until they are patched.

Key Points

  • Cisco Talos: exploited vulnerabilities accounted for ~40% of intrusions in Q4 2025.
  • This is the second quarter in a row that exploits led initial access, though below Q3’s 62% spike.
  • High-profile vectors (Oracle EBS, React2Shell) were adopted by attackers within hours of disclosure.
  • Proof-of-concept code for React2Shell circulated within ~30 hours of disclosure; AWS observed rapid exploitation by state-linked actors.
  • Phishing remains a major entry point (≈32% of access cases), often used for follow-on attacks.
  • Ransomware fell to 13% of incidents, likely reflecting consolidation of larger criminal groups.
  • Recommended mitigations: expedite patching, enforce MFA and monitor for its abuse, gather sufficient logs, and limit public exposure until fixes are applied.
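The "monitor for MFA abuse" recommendation above is easy to state and less easy to turn into a detection. The following is an added example, not code from Talos, AWS or The Register: it runs a sliding-window check for MFA push-fatigue (repeated denied or timed-out challenges against one account in a short interval) over constructed sample log lines and flags whether an approval followed the burst, which is the pattern of a user eventually accepting a prompt they did not initiate. The JSON line format and field names (`ts`, `user`, `result`, `src_ip`) are assumptions for illustration; map them to whatever your identity provider actually emits.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example, not from the Talos report or The Register article. The log
format is constructed: one JSON object per MFA challenge result, with the
hypothetical fields ts / user / result / src_ip.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Documentation-range IPs.
SAMPLE_LOGS = """\
{"ts": "2026-01-29T08:00:01Z", "user": "alice", "result": "approved", "src_ip": "203.0.113.10"}
{"ts": "2026-01-29T08:12:00Z", "user": "bob", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2026-01-29T08:12:20Z", "user": "bob", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2026-01-29T08:12:41Z", "user": "bob", "result": "timeout", "src_ip": "198.51.100.7"}
{"ts": "2026-01-29T08:13:05Z", "user": "bob", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2026-01-29T08:13:30Z", "user": "bob", "result": "approved", "src_ip": "198.51.100.7"}
{"ts": "2026-01-29T09:00:00Z", "user": "carol", "result": "denied", "src_ip": "192.0.2.5"}
{"ts": "2026-01-29T11:00:00Z", "user": "carol", "result": "denied", "src_ip": "192.0.2.5"}
"""

WINDOW = timedelta(minutes=10)   # sliding window over unsuccessful challenges
THRESHOLD = 3                    # unsuccessful challenges inside WINDOW before alerting


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user who had >= threshold non-approved MFA results within window.

    Each alert records the burst boundaries, the source IPs seen, and whether an
    approval followed the burst within one window (the user may have given in).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e["result"] != "approved"]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                approved_after = any(
                    e["result"] == "approved" and burst_end <= e["ts"] <= burst_end + window
                    for e in evs
                )
                alerts.append({
                    "user": user,
                    "count": end - start + 1,
                    "first": failures[start]["ts"],
                    "last": burst_end,
                    "approved_after": approved_after,
                    "src_ips": sorted({e["src_ip"] for e in failures[start:end + 1]}),
                })
                break  # one alert per user is enough for this illustration
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOGS)):
        print(alert)
```

In the constructed sample, `bob` triggers an alert (three unsuccessful prompts inside ten minutes, followed by an approval), while `carol`'s two denials are two hours apart and stay below the threshold. The `approved_after` flag is the part worth paging on: a burst of denials that ends in an approval is exactly the outcome push-fatigue aims for, and it should lead to a session revocation and a conversation with the user rather than being treated as a successful login.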

Context and relevance

This report underlines a persistent industry trend: attackers exploit newly disclosed vulnerabilities extremely fast. For security teams, the finding sharpens the focus on vulnerability management and on compensating controls for internet-facing applications and default deployments of popular frameworks. The slow patching behaviour identified in earlier analyses (e.g. BitSight's 2024 work) remains a critical operational risk: when exploitation follows disclosure within hours, an organisation that takes weeks or months to patch is exposed for almost the entire life of the vulnerability. The decline in ransomware prevalence is notable, but it most likely reflects consolidation among criminal groups rather than a lasting reduction in danger.

Why should I read this?

Short version: if you run systems, this is your wake-up call. Attackers are exploiting newly disclosed flaws within hours, so the days of patching at leisure are over. Read this to get the quick facts you need to prioritise fixes, tighten MFA and logging, and decide when to take exposed endpoints offline until they are safe. We have done the combing; you get the headline actions.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/29/faster_patching_please_cry_infoseccers/