2025H1 Threat Review

Vulnerabilities, Threat Actors, and Ransomware

Once again, Forescout Research – Vedere Labs widens its mid-year lens with a macro look at the most pressing cybersecurity risks to date. From 3,649 ransomware attacks to state-sponsored intrusions to new trends in lateral movement, here are the new threat patterns and cyber attack behavior you need to know right now.


 

Year Over Year Increases: By the Numbers

  • 80%+ CISA KEV additions
  • 46%+ 0-day exploits
  • 36%+ Ransomware attacks
  • 20/day Ransomware attacks

137 Threat Actors, Origins, and Countries Targeted

China, Russia and Iran have the highest number of threat actors. The US, India, the UK, Germany, and Australia are the countries most targeted by threat actors.

Key Trends: Attackers Move Across the Network

What we predicted in our 2022 “R4IoT” research scenario is now a reality: IP cameras and BSD systems are common targets, increasingly used for lateral movement or operational impact in ransomware campaigns. These asset types often fall outside the coverage of traditional endpoint protections.

Key Trends: Is It Hacktivism or a State-Sponsored Attack?

In today’s geopolitical landscape, this line is increasingly blurred, often by design. Identity-shifting threat actors use this ambiguity to confuse attribution and complicate response. The image is from the group “APT Iran”, which has claimed many attacks against Israel and the US in 2025, but these have not been independently verified.

Attacks Targeting Industries

The most targeted industries are government, technology, financial services, telecommunications, and energy. Financial services dropped from second to third place while energy rose from eighth to fifth — reflecting increased threat activity against this sector.

Exploited Zero Days by Targeted Vendor

In 2025H1, 63 vulnerabilities were exploited as 0-days, up from 43 in 2024H1. These 0-days impacted products from 27 vendors. 2025 is on track to exceed the record 100 exploited 0-days from 2024.

IoMT devices (pump controllers, medication dispensing systems and workstations) have some of the most dangerous vulnerabilities and highlight healthcare security risks.

Ransomware Attacks Per Industry

The top five industries remain in the top five, with a minor change: healthcare had more attacks than retail last year. Financial services saw 72% more ransomware in 2025H1. Retail increased 66% YoY. Technology rose by 48%. Manufacturing increased by 24%.


Dive Into the Research

Stay on top of this year’s trends, so you can know where to focus your cybersecurity and OT defenses. Get all the data and analysis, including:

  • What’s really happening in state-sponsored activity against OT/ICS, including a deep dive on ‘APT Iran’ and shifting identities
  • Threat actor trends by name, including new threat actor groups and new uses of ClickFix and initial access brokers in infostealer campaigns
  • Why aggressive EDR bypass techniques are now displacing obfuscation in defense evasion
  • And much more …

See the Research, Share the Presentation

Vedere Labs shares an overview of the research in a presentation format for you and your security team to use and share. Get all the details of this mid-year threat report, key findings, and our recommendations for mitigating risk.

How Forescout Helps

Discover. Assess. Control. Govern.

Your journey to Universal Zero Trust Network Access starts with the Forescout 4D platform™: the only platform for UZTNA powered by agentic AI. Continuously identify, protect, and ensure the compliance of all assets – IT, IoT, IoMT and OT – regardless of location, automatically. Deliver cloud-native network security intelligence boosted by agentic workflows from the pioneer of traditional NAC.

Shift from reactive firefighting to proactive risk management. Get continuous visibility into what’s actually exposed across every connected asset — managed or not, physical or virtual. The result? Priorities managed. Peace of mind.
