Pen-testing report: 3 root causes responsible for 90% of findings

CyberCX’s 2025 Hack Report reveals the most commonly exploited vulnerabilities and how AI is reshaping both sides of the cyber security landscape.

Australian cyber security firm CyberCX employs 150 penetration testers around the world, and in 2024 this team performed more than 2,500 engagements with 800 customers across a wide range of industries.

This resulted in 26,000 individual findings, that is, instances where an attacker could have exploited a weakness and compromised a network. Of these, 2,500 were rated severe, meaning that if a cyber criminal had found the vulnerability before CyberCX’s pen testers, “the consequences to that organisation could have been devastating”.

Based on all this data, CyberCX has released its 2025 Hack Report, which revealed some of the most commonly found business vulnerabilities.

“Our team of penetration testers, red teamers and security experts spend all hours of the day and night breaking into our customers’ networks, systems and environments – both physical and virtual – to find entry points that could be exploited by real attackers. Our objective is simple: we find these vulnerabilities before the bad guys do,” Liam O’Shannessy – executive director, security testing & assurance (STA) – research & capability at CyberCX – said in a statement.

According to the report, application and development security, identity and access management, and configuration and patch management were the root causes of 90 per cent of all CyberCX’s findings in 2024. Industries that rely on operational technology (OT), such as healthcare, transport, utilities and manufacturing, are the most likely to have severe security issues.

Government entities, however, have a lower rate of severe findings, most likely due to a lack of OT infrastructure in government agencies.

CyberCX’s report also found that credential management was a particular weak spot, and that internal networks commonly lack the controls needed to slow down an attacker who has already gained access via an internet-facing entry point.

“The global threat landscape continues to evolve and cyber criminals and nation states are searching relentlessly for new vulnerabilities to exploit. Attackers and their techniques only get better – for defenders, this means that we need to focus our limited resources on activities that will address these real threats and get us ahead of the bad guys,” O’Shannessy said.

“By compiling the data and insights from more than 2,500 engagements we performed in 2024 our hope is that security professionals will be better informed about the state of vulnerabilities in our region and organisations will be better able to allocate their limited security resources.”

You can read the full CyberCX Hack Report here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
