This report from Cisco Talos summarizes key defender priorities based on observed attacker behaviors in 2025. Attackers exploit valid credentials and MFA weaknesses, rapidly weaponize new vulnerabilities, and continue to leverage long-standing legacy vulnerabilities. Critical systems like identity and access management, network infrastructure, and management platforms are frequent targets. The report emphasizes the importance of establishing baselines for normal user behavior to detect anomalies, prioritizing patching based on exposure rather than just CVSS scores, improving visibility into embedded legacy components, and securing systems that broker trust. Despite automation and AI accelerating attacks, attackers still generate detectable patterns of unusual activity that defenders can leverage for detection and response.

Attackers increasingly rely on credential abuse, MFA exploitation, and trusted access paths to compromise environments, enabling lateral movement and persistence. Rapid exploitation of newly disclosed vulnerabilities and continued exploitation of old, high-value vulnerabilities increase risk exposure. Legacy and embedded vulnerabilities in EOL systems create persistent blind spots. Compromise of network management and control-plane systems can provide attackers with broad operational control. AI-driven automation accelerates attack lifecycles but does not eliminate detectable anomalous behavior. These factors collectively increase the complexity and speed of attacks, challenging defenders to prioritize and focus on high-impact controls and detection strategies.

The vendor advisory does not indicate that the threat is already mitigated or that no action is required. Recommended mitigations include treating identity infrastructure as critical assets with strong monitoring and protection, securing MFA device registration with strict verification, enforcing rate limiting and anomaly detection on authentication systems, and building behavioral baselines for user activity. Prioritize patching vulnerabilities based on external exposure and access impact, reduce time-to-patch for internet-facing systems, and continuously reassess reachable attack surfaces. Improve visibility into legacy and embedded components, isolate or retire legacy systems, and secure management-plane and control-plane systems with enhanced monitoring and access controls. Focus detection on anomalous patterns rather than isolated alerts, reduce alert fatigue by prioritizing meaningful detections, and support investigation with automation alongside human analysis.