In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.

Phishing

In 2025, phishing attacks were used for initial access in 40% of incidents, maintaining their prevalence. Attackers ramped up cascaded phishing campaigns, where attackers leveraged the trust of the initial compromised account to create specialized phishing attempts, within the network and out of it, aimed at trusted partners and third parties.

Email composition trends

The content of phishing emails changed somewhat. Transitioning away from spam offers, they took the form of workflow-style emails — IT, travel, and other everyday business tasks that look familiar to employees and executives. Travel and logistics lures in particular surged, while political lures dropped off. Internal expensing and travel emails, even when legitimate, are often repetitive and come from disparate sources with changeable formats or poorly-rendered templates, leading to a lowered guard toward spotting malicious intent. Attackers were likely aiming to steal credentials, payment information, or MFA tokens via fake single sign-on (SSO) pages.

In reviews of thousands of blocked-email keywords, 60% contained subject lines with "request," "invoice," "fwd," "report," and similar. IT-focused phishing keywords turned more technical, to words like "tampering," "domain," "configuration," "token," and others, showing that attackers were making plays toward IT and security workflows.

Attackers also abused Microsoft 365 Direct Send to capitalize on internal email trust. Direct Send is the method by which networked devices like printers and scanners deliver documents to users. The messages appear to be sent and received by the same email address. These internal messages do not receive the same scrutiny that external emails do, from employees or automated email filters. Direct Send allowed attackers to spoof internal email addresses and deliver highly convincing lures from inside the organization, without compromising real accounts, to target key attack services and deliver high-impact damage.

MFA and identity attacks

Identity and access management (IAM) applications have grown popular with organizations hoping to consolidate user privileges. Unfortunately, it has also grown in popularity with attackers. Nearly a third of 2025 MFA spray attacks targeted IAM, turning the tools companies used to maintain access control into a point of failure. Device compromise surged by 178%, largely driven by voice phishing designed to trick administrators into registering malicious devices.

MFA spray and device compromise

MFA attack strategy changed by sector. A successful attack could glean SSO tokens and give adversaries the ability to change user roles and credentials, or even the MFA policies themselves. Attackers increasingly exploited authentication workflows to gain and maintain access.

Spray attacks were deployed against networks with predictable identity behavior, while diverse, unmanaged, or high-turnover device ecosystems proved weaker to device compromise attacks.

Notably, higher education was the most targeted device compromise sector. Several factors could contribute to the trend:

·       Diverse unmanaged device population

·       Poorly patched and managed operating systems

·       Necessarily low new-device verification policies

·       Large, public-facing directories for targeted phishing

Higher education was a very unfavorable target for MFA spray attacks, however. Passwords and MFA are also highly varied and segmented, and most universities have strong login portal policies, enforced lockouts, and login attempt limits.

Guidance for defenders

As always, prioritize based on your own environment.

Organizations should keep in mind that living-off-the-land binaries (LOLBins) and open-source and dual-use tools, which are not inherently malicious, are key to further exploitation. Blocking external IPs from using a feature, enabling Microsoft’s newer “Reject Direct Send” control, tightening SPF/DMARC enforcement, and treating “internal-looking” emails with the same scrutiny as inbound mail are currently the most effective defenses.

Likewise, MFA attack protection should be tailored to the style of environment and sector.

MFA spray attacks work well on stable, scaled identity controls. Counter these attacks with strong lockout policies, good password hygiene, and conditional access.

Device compromise works best on variable networks where devices change over fast and MFA use is spotty. Work on establishing better device hardening and management, session controls, and strict phishing-resistant MFA with enrollment governance. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks.

This blog only scratched the surface on 2025 threat trends. See the full Year in Review report for a detailed explanation of Microsoft 365 Direct Send and how it was used for attacks, infographic breakdowns of MFA spray vs. device compromise attacks, the full list of targeted tools and sectors by percentage, and more.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Foxit use-after-free vulnerability

Discovered by KPC of Cisco Talos.

Foxit Reader allows users to view, edit, and sign PDF documents, among other features. Foxit aims to be one of the most feature-rich PDF readers on the market, and contains many similar functions to that of Adobe Acrobat Reader.

TALOS-2026-2365 (CVE-2026-3779) is a use-after-free vulnerability in the way Foxit Reader handles an Array object. A specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

LibRaw heap-based buffer overflow and integer overflow vulnerabilities

Discovered by Francesco Benvenuto of Cisco Talos.

LibRaw is a library and user interface for processing RAW file types and metadata created by digital cameras. Talos analysts found 6 vulnerabilities in LibRaw.

TALOS-2026-2330 (CVE-2026-20911), TALOS-2026-2331 (CVE-2026-21413), TALOS-2026-2358 (CVE-2026-20889), and TALOS-2026-2359 (CVE-2026-24660) are heap-based buffer overflow vulnerabilities in LibRaw, and TALOS-2026-2363 (CVE-2026-24450) and TALOS-2026-2364 (CVE-2026-20884) are integer overflow vulnerabilities. Specially crafted malicious files can lead to heap buffer overflow in all cases. An attacker can provide a malicious file to trigger these vulnerabilities.

Speed and age shouldn’t be allowed to pair up, but that is the theme of the Talos 2025 Year in Review vulnerability findings.

The year was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of 2025. Agentic AI's capacity for building and deploying new proofs-of-concepts and exploit kits lowered attacker time-to-exploit, and the landscape shifted for defenders. 

“The speed at which these CVEs climbed into the top tier reflects a larger systemic challenge: Newly disclosed vulnerabilities in widely deployed software can generate significant, organization-wide impact long before typical patch cycles catch up, leaving defenders with small reaction windows and escalating consequences for even short-lived exposure.” – 2025 Talos Year in Review

Top-targeted infrastructure 

Outdated infrastructure continues to expand the attack surface. Components like PHPUnit, ColdFusion, and Log4j are often embedded within applications, tightly coupled to legacy applications. Technologies age quickly, and companies are under pressure to adopt first, ask questions later. Low-use systems in a network can fossilize, unnoticed and unpatched. Others become mainstays that often cannot be swapped out or even patched without destabilizing an organization.  

Attackers prioritized software and firmware inside network appliances, identity-adjacent systems, and widely deployed open-source components: 

• Remote code execution (RCE) flaws, which enable access without requiring user interaction, avoiding a need for social engineering  
• Legacy systems and widely used components 
• Perimeter devices, especially without endpoint detection and response (EDR) 

The theme was identity, identity, identity. Controlling identity meant controlling access, so attackers focused on components that authenticate users, enforce access decisions, and broker trust between systems. A small number of vulnerabilities targeting these vectors drove outsized risk. This can invalidate multi-factor authentication (MFA) checks and bypass segmentation. 

Defender recommendations 

Attacker prioritization is now guided less by vulnerability age or maturity and more by exposure, exploitability, and proximity to trust, reshaping how organizations must think about risk in modern environments. 

Attackers exploit patching gaps and policy weaknesses in vendor lifecycles. Organizations should evaluate their identity-centric network components and management platforms and prioritize patching of network devices accordingly. 

For a more in-depth analysis of these trends, as well as how company size impacted CVE targeting trends, why the management plane matters, and the shortening window defenders have for putting defenses in place, see the 2025 Year in Review report.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a vulnerability in HikVision, as well as 10 in TP-Link, and 19 in Canva.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Canva Affinity vulnerabilities

Discovered by KPC of Cisco Talos.

Canva Affinity is a free-to-use tool for pixel and vector art manipulation used in graphic and document design.

Talos researchers found 19 vulnerabilities in Affinity. Eighteen of them are out-of-bounds read vulnerabilities in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

• TALOS-2025-2311 (CVE-2025-64776)
• TALOS-2025-2310 (CVE-2025-64301)
• TALOS-2025-2300 (CVE-2025-64733)
• TALOS-2025-2319 (CVE-2025-66042)
• TALOS-2025-2321 (CVE-2025-62403)
• TALOS-2025-2314 (CVE-2025-58427)
• TALOS-2025-2298 (CVE-2025-62500)
• TALOS-2025-2299 (CVE-2025-61979)
• TALOS-2025-2317 (CVE-2025-61952)
• TALOS-2025-2316 (CVE-2025-47873)
• TALOS-2025-2318 (CVE-2025-66503)
• TALOS-2025-2324 (CVE-2026-20726)
• TALOS-2025-2301 (CVE-2025-66000)
• TALOS-2025-2320 (CVE-2025-65119)
• TALOS-2025-2325 (CVE-2026-22882)
• TALOS-2025-2315 (CVE-2025-66617)
• TALOS-2025-2313 (CVE-2025-66633)
• TALOS-2025-2312 (CVE-2025-64735)

The last vulnerability is TALOS-2025-2297 (CVE-2025-66342), a type confusion vulnerability in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.

TP-Link vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The TP-Link Archer AX53 is a dual band gigabit Wi-Fi router. Talos researchers found 10 vulnerabilities in the router functionality.

TALOS-2025-2290 (CVE-2025-62673) is a stack-based buffer overflow vulnerability in the tdpServer ssh port update functionality of Tp-Link AX53. A specially crafted network packet can lead to stack-based buffer overflow.

These eight vulnerabilities exist in the tmpServer opcode of the AX53:

• TALOS-2025-2283 (CVE-2025-59482): Buffer overflow
• TALOS-2025-2284 (CVE-2025-62405): Stack-based buffer overflow
• TALOS-2025-2285 (CVE-2025-59487): Write-what-where
• TALOS-2025-2286 (CVE-2025-61983): Out-of-bounds write
• TALOS-2025-2287 (CVE-2025-62404): Stack-based buffer overflow
• TALOS-2025-2288 (CVE-2025-61944): Out-of-bounds write
• TALOS-2025-2289 (CVE-2025-58455): Stack-based buffer overflow
• TALOS-2025-2294 (CVE-2025-58077): Heap-based buffer overflow

A specially crafted set of network packets can be sent to trigger these vulnerabilities, which can lead to arbitrary code execution.

TALOS-2025-2291 (CVE-2025-62501) is a misconfiguration vulnerability in the SSH Hostkey functionality. A specially crafted man-in-the-middle attack can lead to credentials leak.

HikVision buffer overflow vulnerability

Discovered by a member of Cisco Talos.

HikVision creates AI-trained machine perception for use in security surveillance and other monitoring hardware, including Ultra Face Recognition Terminals for authentication.

Talos researchers found TALOS-2025-2281 (CVE-2025-66176), a stack-based buffer overflow vulnerability, in the SADP XML parsing functionality of Hangzhou Hikvision Digital Technology Co., Ltd. Ultra Face Recognition Terminal 3.7.60_250613 and Face Recognition Terminal for Turnstyle 3.7.0_240524 (under emulation). A specially crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in the BioSig Project Libbiosig library and OpenCFD OpenFOAM, as well as an unpatched vulnerability in Microsoft DirectX.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, apart from the DirectX vulnerability. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Microsoft DirectX local privilege escalation vulnerability

Discovered by KPC of Cisco Talos. 

The Microsoft DirectX End-User Runtime installs runtime libraries from the legacy DirectX SDK for some certain games. It comes pre-installed on Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Windows Vista, Windows 7, Windows 8.0, Windows 8.1, Windows 10, and Windows Server equivalents.

Talos discovered a local privilege escalation vulnerability in the installation process of DirectX End-User Runtime: TALOS-2025-2293 (CVE-2025-68623). A low-privileged user can replace an executable file during the installation process, which may result in unintended elevation of privileges.

OpenFOAM arbitrary code execution vulnerability

Discovered by Dimitrios Tatsis of Cisco Talos.

OpenFOAM is an open-source computational fluid dynamics (CFD) software developed primarily by OpenCFD Ltd.

Talos discovered TALOS-2025-2292 (CVE-2025-61982), an arbitrary code execution vulnerability in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Libbiosig out-of-bounds read, heap-based buffer overflow vulnerabilities

Discovered by Mark Bereza of Cisco Talos.

BioSig is an open source software library for biomedical signal processing. The BioSig Project seeks to encourage research in biomedical signal processing by providing open source software tools. Libbiosig is a library dependency for BioSig.

Talos discovered TALOS-2025-2323 (CVE-2025-64736), an out-of-bounds read vulnerability in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

Talos also discovered two heap-based buffer overflow vulnerabilities, TALOS-2026-2361 (CVE-2026-22891) and TALOS-2026-2362 (CVE-2026-20777), in the Intan CLP parsing and Nicolet WFT parsing functionalities of the BioSig Project, respectively. A specially crafted CLP or WFT file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Foxit privilege escalation and use-after-free vulnerabilities

Discovered by KPC of Cisco Talos.

Foxit PDF Editor is a popular PDF handling platform for editing, e-signing, and collaborating on PDF documents. Talos found three vulnerabilities:

TALOS-2025-2275 (CVE-2025-57779) is a privilege escalation vulnerability in the installation of Foxit PDF Editor via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in elevation of privileges.

TALOS-2025-2277 (CVE-2025-58085) and TALOS-2025-2278 (CVE-2025-59488)  are use-after-free vulnerabilities, one in the way Foxit Reader handles a Barcode field object, and one in the way Foxit Reader handles a Text Widget field object. A specially crafted JavaScript code inside a malicious PDF document can trigger these vulnerabilities, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger these vulnerabilities. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Epic Games local privilege escalation vulnerability

Discovered by KPC of Cisco Talos.

Epic Games Store is a storefront application for purchasing and accessing video games. Talos found TALOS-2025-2279 (CVE-2025-61973), a local privilege escalation vulnerability in the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in elevation of privileges.

MedDream PACS reflected cross-site scripting vulnerabilities

Discovered by Marcin “Icewall” Noga of Cisco Talos.

MedDream PACS server is a medical-integration system for archiving and communicating about DICOM 3.0 compliant images. Talos found 21 reflected cross-site scripting (XSS) vulnerabilities across several functions of MedDream PACS Premium 7.3.6.870. An attacker can provide a specially crafted URL to trigger these vulnerabilities, which can lead to arbitrary JavaScript code execution. 

• TALOS-2025-2253 (CVE-2025-54817): autoPurge functionality 
• TALOS-2025-2254 (CVE-2025-53516): downloadZip functionality
• TALOS-2025-2255 (CVE-2025-54495): emailfailedjob functionality
• TALOS-2025-2256 (CVE-2025-54157): encapsulatedDoc functionality
• TALOS-2025-2257 (CVE-2025-54778): existingUser functionality
• TALOS-2025-2258 (CVE-2025-46270): fetchPriorStudies functionality 
• TALOS-2025-2259 (CVE-2025-55071): modifyAnonymize functionality 
• TALOS-2025-2260 (CVE-2025-54852): modifyAeTitle functionality 
• TALOS-2025-2261 (CVE-2025-54814): modifyAutopurgeFilter functionality
• TALOS-2025-2262 (CVE-2025-54861): modifyCoercion functionality
• TALOS-2025-2263 (CVE-2025-57881): modifyEmail functionality
• TALOS-2025-2264 (CVE-2025-58080): modifyHL7App functionality 
• TALOS-2025-2265 (CVE-2025-53854): modifyHL7Route functionality 
• TALOS-2025-2266 (CVE-2025-57787): modifyRoute functionality
• TALOS-2025-2267 (CVE-2025-53707): modifyTranscript functionality
• TALOS-2025-2268 (CVE-2025-54853): modifyUser functionality
• TALOS-2025-2269 (CVE-2025-57786): notifynewstudy functionality
• TALOS-2025-2270 (CVE-2025-44000): sendOruReport functionality 
• TALOS-2025-2271 (CVE-2025-58087-CVE-2025-58095): config.php functionality
• TALOS-2025-2272 (CVE-2025-36556): ldapUser functionality
• TALOS-2025-2273 (CVE-2025-53912): encapsulatedDoc functionality