Identity-first attacks surge
Adversaries are pivoting to identity‑based attacks and automated credential theft — Cisco Talos' 2025 review flags rapid vulnerability exploitation (Log4j still being exploited) and a shift toward attacking identity and VPN infrastructure over endpoints. SentinelOne calls these “industrialized breaches” that now focus on identity, legacy infrastructure and CI/CD pipelines, meaning identity controls and phishing‑resistant MFA are top defensive priorities. (x.com) (x.com)
Cisco Talos published its 2025 Year in Review on March 23, 2026, saying attackers combined “speed, scale, and staying power” to operationalize new flaws and to abuse identity systems at scale. (blog.talosintelligence.com) Talos highlighted that React2Shell — disclosed in December — became the year’s single most‑targeted vulnerability, showing how quickly new CVEs moved into active exploitation. (blog.talosintelligence.com) Analysis of Talos telemetry found that 32% of top‑exploited vulnerabilities were at least ten years old and roughly 23% of top‑targeted flaws affected network devices such as VPN appliances and firewalls. (helpnetsecurity.com)

Recorded Future’s 2025 Identity Threat Landscape counted 1.95 billion malware combo‑list exposures, reported an average of 87 stolen credentials per compromised device, and found 276 million indexed credentials that included active session cookies capable of bypassing MFA. (recordedfuture.com)

SentinelOne’s Annual Threat Report, released March 24, 2026, labels the pattern “industrialization of the modern cyber breach,” outlines eight strategic phases of intrusions, and warns attackers are shifting to CI/CD pipelines and centralized identity objects where a single account can touch dozens of systems. (markets.financialcontent.com) IBM X‑Force reported an 84% year‑over‑year rise in emails delivering infostealers in 2024 and said identity abuse was the preferred entry vector in its 2025 index. (newsroom.ibm.com)

Across these reports, vendors point to the same defensive priorities: mandate phishing‑resistant MFA, centralize logs and tiered segmentation for Tier‑0 assets, decommission end‑of‑life hardware, and implement continuous identity and session monitoring rather than relying on periodic checks. (markets.financialcontent.com) (recordedfuture.com)
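The reports above single out stolen session cookies that sidestep MFA, and they recommend continuous session monitoring as the countermeasure. As an added illustration (not code from any of the cited vendors), the script below shows one such check: bind each session identifier to the client context observed at authentication, then flag later uses of that session from a different IP address or user agent, and flag sessions that appear in access logs without any observed login. The JSON log format and the log lines are constructed for this example and do not correspond to a real product.

```python
"""Detect replayed session cookies from authentication/access logs.

Added example; the log schema below is hypothetical and the sample
lines are constructed, not taken from any vendor report.
"""
import json

# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    '{"ts":"2026-03-24T08:00:00Z","event":"login","user":"alice","session":"s-1001","ip":"203.0.113.10","ua":"Chrome/123","mfa":true}',
    '{"ts":"2026-03-24T08:05:00Z","event":"access","user":"alice","session":"s-1001","ip":"203.0.113.10","ua":"Chrome/123"}',
    # Same session cookie, now presented from a new IP and browser: replay suspect.
    '{"ts":"2026-03-24T08:06:00Z","event":"access","user":"alice","session":"s-1001","ip":"198.51.100.77","ua":"Firefox/124"}',
    '{"ts":"2026-03-24T09:00:00Z","event":"login","user":"bob","session":"s-1002","ip":"203.0.113.20","ua":"Safari/17","mfa":true}',
    '{"ts":"2026-03-24T09:10:00Z","event":"access","user":"bob","session":"s-1002","ip":"203.0.113.20","ua":"Safari/17"}',
    # A session that never authenticated in our logs: cookie minted or stolen elsewhere.
    '{"ts":"2026-03-24T09:30:00Z","event":"access","user":"carol","session":"s-1003","ip":"192.0.2.5","ua":"Edge/122"}',
]


def parse_events(lines):
    """Parse one JSON object per line into dicts, in log order."""
    return [json.loads(line) for line in lines]


def find_session_anomalies(lines):
    """Return findings for sessions whose client binding changed after login,
    or which were used without any observed login event.

    Each finding is a dict with ts, session, user and a list of reasons.
    """
    bindings = {}   # session id -> (user, ip, user_agent) captured at login
    findings = []
    for ev in parse_events(lines):
        sid = ev["session"]
        if ev["event"] == "login":
            # Record the context the session was issued in; MFA completion
            # is logged here too, so this is the trusted reference point.
            bindings[sid] = (ev["user"], ev["ip"], ev["ua"])
            continue
        if sid not in bindings:
            findings.append({"ts": ev["ts"], "session": sid, "user": ev["user"],
                             "reasons": ["no_login_observed"]})
            continue
        user, ip, ua = bindings[sid]
        reasons = []
        if ev["ip"] != ip:
            reasons.append("ip_changed")
        if ev["ua"] != ua:
            reasons.append("user_agent_changed")
        if ev["user"] != user:
            reasons.append("user_mismatch")
        if reasons:
            findings.append({"ts": ev["ts"], "session": sid, "user": ev["user"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOGS):
        print(json.dumps(finding))
```

A single changed attribute (for example a mobile user roaming between networks) is not proof of theft, so in practice the IP check is usually softened to an ASN or geolocation comparison and the findings are scored rather than blocked outright; the point of the example is that the check runs on every request, which is what "continuous" session monitoring means in contrast to a periodic review of login records.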