Identity is the new perimeter

Security talk has flipped — defenders now see identity control (human and machine) as the primary battlefield, with stolen credentials enabling quiet cloud intrusions and machine identities “exploding” across estates. CISA is blunt: patch VPNs within 24–48 hours of CVEs, enable MFA on admin interfaces, segment networks and hunt for web shells as frontline measures.

CISA’s Emergency Directive ED 25-03, published Sept. 25, 2025, explicitly names CVE-2025-20333 and CVE-2025-20362 as exploitable flaws in Cisco ASA and Firepower (FTD) and supplies a list of fixed software releases organisations must run to mitigate them. (cisa.gov) The directive was paired with an accelerated remediation timeline—CISA added the CVEs to its Known Exploited Vulnerabilities catalog and reporting outlets noted federal agencies were ordered to patch devices within roughly 24–48 hours amid active exploitation. (thehackernews.com) Internet-wide tracking showed the scale: Shadowserver was reporting more than 30,000 Cisco devices still vulnerable (down from ~45,000 earlier), a figure CISA used to justify immediate, wide-ranging hunts for compromises. (bleepingcomputer.com)

Web shells remain a central forensic priority—Microsoft’s telemetry previously documented ~140,000 active web shells per month during peak campaigns, and CISA’s mitigation playbook specifically directs teams to hunt and evict web shells from web servers and management interfaces. (fedtechmagazine.com)

Machine identities are surging: CyberArk’s 2025 State of Machine Identity Security, based on a survey of 1,200 security leaders, reports that machine identities now outnumber human identities and that 77% of respondents view every undiscovered machine identity as a potential compromise point. (cyberark.com)

Permission sprawl compounds the risk—Veza’s recent State of Identity & Access research found the average identity holds roughly 96,000 entitlements, 38% of accounts are dormant, and about 13% of users across analysed enterprises lacked MFA on at least one account. (morningstar.com)

Threat reporting shows why identity control matters: Mandiant’s M-Trends 2025 found stolen credentials rose to the second-most common initial access vector (16% of investigations), while industry analysis estimated some 1.8 billion credentials were exfiltrated in the first half of 2025—access that can be bought on underground markets for as little as $100–$500 for small-organization accounts. (cloud.google.com)
