5 Threats That Defined Security in 2025 - Dark Reading
5 Threats That Defined Security in 2025
2025 included a number of monumental threats, from global nation-state attacks to a critical vulnerability under widespread exploitation.
Alexander Culafi,Senior News Writer,Dark Reading
December 29, 2025
7 Min Read
SOURCE: IMAGEBROKER.COM VIA ALAMY STOCK PHOTO
2025 marked yet another busy year in security, between big attacks, government shakeups, and dangerous flaws that echo the past.
The moments that defined this year were impactful but felt evenly spread across the year. Early in 2025, we saw China-nexus advanced persistent threat (APT) Salt Typhoon continue its assault against telecom companies as part of its espionage operations. In the summer and into the fall, we saw the Cybersecurity and Infrastructure Security Agency (CISA) face budgetary cuts and layoffs, fallout from President Trump's commitment to slim the US government at any cost. And just this past month, React2Shell was disclosed to the public — a vulnerability in React with a CVSS score of 10 that echoed the now-infamous Log4Shell.
Though not mentioned in this list, it's also worth noting that some good things are happening too. Many key ransomware statistics (such as rate of payment) are moving in the right direction, and there have been regular coordinated international law enforcement takedowns of cybercrime operations.
This year has been dynamic for cybercrime and security as a whole, in some ways reminiscent of what came before, and in other ways specific to this year. Here are five threats that defined security in 2025.
1. Salt Typhoon Continues Its Onslaught
Salt Typhoon is a Chinese state-sponsored threat actor best known in recent memory for targeting telecom giants — including Verizon, AT&T, Lumen Technologies, and multiple others — in a campaign discovered last fall that targeted the systems used by police for court-authorized wiretapping. The group, also known as Operator Panda, uses sophisticated techniques to conduct espionage against targets and pre-position itself for longer-term attacks.
Salt Typhoon's activities have continued at scale. In July, it was discovered that the APT hacked the US National Guard for nearly a year. Telecom giants including Viasat have confirmed breaches attributed to Salt Typhoon. And that only scratches the surface.
Adam Meyers, head of counter adversary operations at CrowdStrike, says Operator Panda marked one of many examples of China-nexus threat actors "evolving into highly coordinated, cross-domain operators focused on long-term persistence."
"Operator Panda like many other Chinese nexus adversaries rely on vulnerabilities in Internet-connected devices such as routers, security equipment, VPN devices, and other network layer systems. These devices do not run modern security tools such as [endpoint detection and response] and often lag behind in patching," he tells Dark Reading. "Organizations need unified, cross-domain visibility and proactive threat hunting, or they risk being outmaneuvered by adversaries operating with unprecedented speed and persistence."
2. CISA Sees Big Layoffs and Budget Cuts
CISA layoffs, indirectly, mark a threat of a different kind.
At the beginning of the year, the Trump administration cut all advisory committee members within the Cyber Safety Review Board (CSRB), a group run by public and private sector experts to research and make judgments about large issues of the moment. As the CSRB was effectively shuttered, it was working on a report about Salt Typhoon.
This was one of the early cyber cuts in Trump's second term, but it was far from the last. CISA faced layoffs and budget cuts throughout the year, in part due to DOGE-style commitments to a slimmer government. Another factor: Trump and Department of Homeland Security (DHS) head Kristi Noem vowing to get the agency back "on mission" and away from what Noem referred to as a "ministry of truth."
For context, Trump fired former CISA director Chris Krebs in 2020 after Krebs called the 2020 presidential election "the most secure in American history" amidst Trump's unfounded claims of election fraud.
CISA provides a wide range of services for organizations, including vulnerability guidance, physical and cyber security assessments, election security, incident response support, and more.
John Bambenek, president at Bambenek Consulting, says much of the immediate impact from CISA cuts has been felt at the state and local government level, as well as organizations that can't afford commercial threat intelligence offerings.
"There is a notion that states and local governments should shoulder their own cybersecurity burden. But shifting that burden suddenly makes it hard to build the capability in time," he explains in an email. "Frankly, nation-states are targeting these organizations and it seems unfair to put a town of 10,000, possibly near a military base, in a position to counter espionage on their own."
3. React2Shell Carries Echoes of Log4Shell
React2Shell describes CVE-2025-55182, a vulnerability disclosed early this month affecting the React Server Components (RSC) open source protocol. Caused by unsafe deserialization, the vulnerability was considered easily exploitable and highly dangerous, earning it a maximum CVSS score of 10. Even worse, React is fairly ubiquitous, and at the time of disclosure it was thought that a third of cloud providers were vulnerable.
The vulnerability was named React2Shell in apparent reference to Log4Shell, a similarly dangerous bug from late 2021 that impacted environments with Log4j.
Exploitation hit within hours of disclosure, as did a wide range of public proof-of-concept exploits. Nation-state actors were among the first to exploit the vulnerability, but within days the range of attackers ran the gamut.
Rapid7 senior principal researcher Stephen Fewer tells Dark Reading that the appeal of React2Shell to attackers is the pervasiveness of React applications around the world "as not only is React itself quite popular, but the affected downstream frameworks, such as Next.js, are widely adopted as well."
"We have seen public reporting of over half a million affected domains," Fewer adds. "These are huge numbers, and they only represent the public Internet-facing exposure of this vulnerability; the scale of affected React applications deployed on internal networks cannot be fully gauged."
4. Shai-Hulud Opens Floodgates on Self-Propagating Open Source Malware
In September, self-replicating malware known as Shai-Hulud emerged. It's an infostealer that infects open source software components; when a user downloads a package infected by the worm, Shai-Hulud infects other packages maintained by that user and publishes poisoned versions, automatically and without much direct attacker input. The cycle continues.
Justin Moore, senior manager of threat intel research for Palo Alto Networks' Unit 42, explains that the danger of Shai-Hulud is that it uses defenders' own automation (i.e., using components to build software) against them. For every one package an enterprise developer installs, Moore says, they're implicitly trusting the dozens of other packages used to build it.
"Attacks like Shai-Hulud aggressively capitalize on this reliance by corrupting the open source 'well' that thousands of companies draw from daily. This creates a significant danger because the threat isn't just common vulnerabilities; it's deeply nested, multilayer dependencies," Moore says. "This creates a massive, multilayered attack surface where a single compromise deep in the stack can cascade across thousands of companies simultaneously."
Though other versions of this kind of attack happened previously, the first Shai-Hulud attack was a firecracker that led to follow-on attacks, other self-propagating malware like GlassWorm, and most importantly, many poisoned open source software packages. These attacks got so pervasive so quickly that GitHub had to come out and say it would take action to limit such incidents from occurring in the future.
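The transitive-trust problem Moore describes is easy to make concrete from the defender's side. The following is an added example, not code from the article or from any vendor it quotes: it parses an npm `package-lock.json` (lockfileVersion 3 layout, where `packages` is keyed by `node_modules/` path), walks the dependency graph to count how many packages one direct install implicitly trusts, and diffs two lockfile snapshots to flag packages that newly appeared or changed version between builds, which is the kind of drift a worm republishing poisoned versions produces. The two lockfiles and every package name in them are constructed for the example.

```python
"""Audit transitive trust and version drift in npm lockfiles.

Added example (not from the article). The lockfiles below are constructed:
LOCK_AFTER is the same project after one transitive dependency was bumped
and pulled in a package that was not there before.
"""
import json

LOCK_BEFORE = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^1.0.0"}},  # root project
        "node_modules/web-framework": {
            "version": "1.0.0",
            "dependencies": {"http-util": "^2.1.0", "color-log": "^0.4.0"}},
        "node_modules/http-util": {
            "version": "2.1.3", "dependencies": {"tiny-parse": "^3.0.0"}},
        "node_modules/tiny-parse": {"version": "3.0.1"},
        "node_modules/color-log": {"version": "0.4.2"},
    },
})

LOCK_AFTER = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^1.0.0"}},
        "node_modules/web-framework": {
            "version": "1.0.0",
            "dependencies": {"http-util": "^2.1.0", "color-log": "^0.4.0"}},
        "node_modules/http-util": {
            "version": "2.1.3", "dependencies": {"tiny-parse": "^3.0.0"}},
        "node_modules/tiny-parse": {"version": "3.0.1"},
        # color-log was bumped and now drags in a package nobody asked for
        "node_modules/color-log": {
            "version": "0.4.3", "dependencies": {"env-grab": "^1.0.0"}},
        "node_modules/env-grab": {"version": "1.0.1"},
    },
})


def load_packages(lock_text):
    """Return {name: {"version": str, "deps": set}} from a v3 lockfile."""
    lock = json.loads(lock_text)
    packages = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project is not a dependency
        # Last path segment after the final "node_modules/" handles nested
        # installs (a/node_modules/b) and scoped names (@scope/name) alike.
        name = path.rsplit("node_modules/", 1)[-1]
        deps = set(entry.get("dependencies", {})) | set(entry.get("optionalDependencies", {}))
        packages[name] = {"version": entry.get("version", "?"), "deps": deps}
    return packages


def root_dependencies(lock_text):
    """Names the project declares directly (what the developer thinks it installed)."""
    root = json.loads(lock_text).get("packages", {}).get("", {})
    return set(root.get("dependencies", {}))


def transitive_trust(lock_text):
    """Every package reachable from the direct dependencies: the real trust set."""
    packages = load_packages(lock_text)
    seen, stack = set(), list(root_dependencies(lock_text))
    while stack:
        name = stack.pop()
        if name in seen or name not in packages:
            continue
        seen.add(name)
        stack.extend(packages[name]["deps"])
    return seen


def diff_lockfiles(before_text, after_text):
    """Packages added, removed, or re-versioned between two lockfile snapshots."""
    before, after = load_packages(before_text), load_packages(after_text)
    return {
        "added": {n: after[n]["version"] for n in after if n not in before},
        "removed": {n: before[n]["version"] for n in before if n not in after},
        "changed": {n: (before[n]["version"], after[n]["version"])
                    for n in before if n in after
                    and before[n]["version"] != after[n]["version"]},
    }


if __name__ == "__main__":
    direct = root_dependencies(LOCK_BEFORE)
    print(f"{len(direct)} direct dependency, {len(transitive_trust(LOCK_BEFORE))} packages trusted")
    for kind, entries in diff_lockfiles(LOCK_BEFORE, LOCK_AFTER).items():
        for name, ver in entries.items():
            print(f"{kind:8} {name} {ver}")
```

Run against real `package-lock.json` files from two consecutive builds, the `added` and `changed` buckets are the review queue: any entry there that no developer deliberately introduced deserves a look before the build is trusted, and a new package appearing only as a transitive dependency of a minor version bump is exactly the shape a self-propagating publisher leaves behind.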
5. Threat Campaigns Target Salesforce Customers
Earlier this year, a threat actor breached Salesloft's GitHub account and leveraged that access to steal OAuth tokens associated with Salesloft Drift's Salesforce integration. This led to downstream attacks against hundreds of Salesforce instances.
Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, Tenable, and more were caught up in the wide blast radius of this campaign. The incident has been more or less fully addressed for months at this point, but it remains fresh in memory as one of the most prominent supply-chain incidents of the year.
This comes independently of other threat campaigns targeting Salesforce customers, including the ShinyHunters attacks and follow-on incidents from an adjacent group.
Jaime Blasco, co-founder and chief technology officer (CTO) of Nudge Security, says Salesforce is an attractive target for threat actors "because it is where high-value business data lives, particularly credentials that customers might need to share with vendors via support tickets managed in Salesforce."
"These attacks targeting Salesforce are just one example of the broader theme we are seeing where attackers are exploiting the ecosystem of SaaS applications and the integrations between them," Blasco explains. "These integrations frequently fly under the radar of conventional security controls, making them an attractive attack surface."
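Blasco's point that integrations "fly under the radar of conventional security controls" suggests where detection has to live: in the activity of the connected app itself, not the human user. The following is an added example, not code from the article or from Nudge Security, showing one way to baseline a SaaS integration's OAuth-token usage and flag the stolen-token pattern described above (the same integration identity, suddenly operating from an unfamiliar network, reading objects outside its job, and pulling bulk row counts). The log format, the app names, the networks, and the baseline are all constructed assumptions; a real deployment would map these fields onto whatever the SaaS platform's event log actually exports.

```python
"""Flag anomalous connected-app (OAuth integration) activity in SaaS event logs.

Added example (not from the article). LOG_LINES is a constructed JSON-lines
excerpt; BASELINE is a constructed per-integration profile of what each
connected app is expected to do, from where, and at what volume.
"""
import ipaddress
import json

LOG_LINES = [
    '{"ts":"2025-08-08T02:14:05Z","app":"chat-integration","user":"int-svc","ip":"203.0.113.10","op":"Query","obj":"Case","rows":40}',
    '{"ts":"2025-08-08T02:15:11Z","app":"chat-integration","user":"int-svc","ip":"198.51.100.77","op":"Query","obj":"Case","rows":250000}',
    '{"ts":"2025-08-08T02:16:02Z","app":"chat-integration","user":"int-svc","ip":"198.51.100.77","op":"Query","obj":"User","rows":3000}',
    '{"ts":"2025-08-08T02:17:30Z","app":"billing-sync","user":"bill-svc","ip":"203.0.113.22","op":"Update","obj":"Account","rows":12}',
    '{"ts":"2025-08-08T02:18:44Z","app":"unknown-app","user":"int-svc","ip":"203.0.113.10","op":"Query","obj":"Case","rows":5}',
]

# Expected behaviour per connected app: source networks the vendor publishes,
# the objects the integration needs, and a sane per-request row ceiling.
BASELINE = {
    "chat-integration": {"networks": ["203.0.113.0/24"], "objects": {"Case", "Contact"}, "max_rows": 5000},
    "billing-sync":     {"networks": ["203.0.113.0/24"], "objects": {"Account", "Invoice__c"}, "max_rows": 1000},
}


def _in_networks(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify_event(event, baseline):
    """Return the list of reasons an event deviates from its app's profile."""
    profile = baseline.get(event["app"])
    if profile is None:
        # A token presented by an app nobody registered is its own finding.
        return ["connected app not in baseline"]
    reasons = []
    if not _in_networks(event["ip"], profile["networks"]):
        reasons.append(f"source {event['ip']} outside expected networks")
    if event["obj"] not in profile["objects"]:
        reasons.append(f"object {event['obj']} outside integration scope")
    if event["rows"] > profile["max_rows"]:
        reasons.append(f"bulk access: {event['rows']} rows > {profile['max_rows']}")
    return reasons


def flag_events(lines, baseline=BASELINE):
    """Parse JSON-lines and return only the events that tripped a rule."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = classify_event(event, baseline)
        if reasons:
            findings.append({"ts": event["ts"], "app": event["app"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_events(LOG_LINES):
        print(f["ts"], f["app"], "; ".join(f["reasons"]))
```

The profile is deliberately per-app rather than per-user, because the integration's service account looks identical whether the vendor's servers or a thief holding the vendor's token is behind it; only the network, the scope and the volume differ. The obvious response path once an app trips these rules is to revoke that app's tokens and re-issue, which is also the place a token-rotation runbook should already exist.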
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.