SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Key security vulnerabilities revealed in 2025 hack report

The CyberCX Hack Report for 2025 has been published, revealing key cyber vulnerabilities and exploits identified over the course of the previous year.

The report draws on data from more than 2,500 penetration tests conducted for 800 customers, producing 26,000 individual findings. The findings indicate that Application and Development Security, Identity and Access Management, and Configuration and Patch Management were responsible for 90% of last year's findings by CyberCX's offensive testers.

CyberCX's Security Testing and Assurance (STA) practice, with more than 150 penetration testers across Australia, New Zealand, the United Kingdom, and the United States, is among the largest private-sector teams of ethical hackers worldwide. Of the findings, 2,500 were classified as severe, meaning vulnerabilities that, if discovered by threat actors, could have had dire consequences for the affected organisations.

The report outlines several critical areas, noting that industries heavily reliant on Operational Technology (OT), including Utilities and Resources, Logistics and Transport, Healthcare, Manufacturing, and Construction, exhibit higher rates of severe risk findings. These sectors, which make extensive use of OT systems, show above-average rates of significant vulnerabilities.

CyberCX attributes nine out of ten findings to three main issues: Application and Development Security, Identity and Access Management, and Configuration and Patch Management. These findings suggest that strategic security efforts should concentrate on these key areas rather than on short-term, tactical fixes.

There was a doubling in Application Security engagements in 2024. Over a third of severe findings related to weaknesses in application and development security, signalling that organisations are increasingly aware of the risks targeting their in-house developed applications and are working proactively to secure them.

Significant risks remain within internal networks. While organisations have been hardening their internet-facing attack surfaces, severe vulnerabilities were discovered in over 80% of internal networks tested. This suggests that the internal security posture of organisations remains fragile, allowing attackers who gain initial access to expand their access and privilege with relative ease.

Government entities showed a slightly lower rate of severe findings compared to industry, despite often operating within resource constraints. This trend may reflect less reliance on OT within government networks and the adoption of frameworks like the Essential Eight.

Credentials management persists as a weak point across many organisations. Simulations of real-world attacker tactics by CyberCX frequently revealed the misuse of legitimate credentials as entry points for attackers.

Artificial Intelligence (AI) is emerging as a substantial disruptor in security: attackers use it to enhance phishing strategies and quickly identify vulnerabilities, while defenders use it to enhance tools, identify anomalies, and address issues rapidly. The report notes that AI has so far provided no significant advantage to either attackers or defenders.

Liam O'Shannessy, Executive Director of Security Testing & Assurance at CyberCX, stated: "Our team of penetration testers, red teamers and security experts spend all hours of the day and night breaking into our customers' networks, systems and environments – both physical and virtual – to find entry points that could be exploited by real attackers. Our objective is simple: we find these vulnerabilities before the bad guys do."

He continued, "The global threat landscape continues to evolve and cyber criminals and nation states are searching relentlessly for new vulnerabilities to exploit. Attackers and their techniques only get better – for defenders, this means that we need to focus our limited resources on activities that will address these real threats and get us ahead of the bad guys."

O'Shannessy added, "By compiling the data and insights from more than 2,500 engagements we performed in 2024 our hope is that security professionals will be better informed about the state of vulnerabilities in our region and organisations will be better able to allocate their limited security resources."
