Attackers exploit old vulnerabilities as zero-day exploits surge


New analysis from Forescout of more than 23,000 vulnerabilities and 885 threat actors across 159 countries during the first half of 2025 finds that 47 percent of newly exploited vulnerabilities were originally published before 2025, and that zero-day exploitation has increased 46 percent.
The report also shows that ransomware attacks are averaging 20 incidents per day and that attackers are increasingly targeting non-traditional equipment, such as edge devices, IP cameras and BSD servers. These footholds are often used for lateral movement across IT, OT, and IoT environments, allowing threat actors to get deeper into networks and compromise critical systems.
“We’re seeing attackers gain initial access through overlooked IoT devices or infostealers, then use lateral movement to pivot across IT, OT, and IoT environments,” says Sai Molige, senior manager of threat hunting at Forescout Technologies. “Our ValleyRAT hunt, which uncovered the Chinese threat actor Silver Fox targeting healthcare systems, is a prime example. These attackers exploit blind spots to quietly escalate access. The Forescout 4D Platform is purpose-built to detect hidden entry points, continuously assess their risk, and disrupt lateral movement before adversaries reach critical systems.”
Ransomware attacks have risen 36 percent year-on-year, with 3,649 documented attacks in the first half of the year. The US was the top target, accounting for 53 percent of incidents. The top sectors targeted are services, manufacturing, technology, retail and healthcare.
In the first half of 2025, healthcare emerged as the sector most impacted by data breaches. Nearly 30 million individuals were affected by breaches in this period, and 76 percent of breaches stemmed from hacking or IT incidents. Of the breaches, 62 percent involved data stored on network servers, while 24 percent were on email systems.
Forescout tracked 137 threat actor updates in the first half of 2025, with 40 percent attributed to state-sponsored groups and nine percent to hacktivists. The remaining 51 percent were cybercriminals, such as ransomware groups.
“Hacktivist operations are no longer just symbolic or isolated. They’re evolving into coordinated campaigns targeting critical infrastructure with real-world consequences,” says Daniel dos Santos, head of research at Forescout. “What we’re seeing from Iranian-aligned groups is a shift toward more aggressive, state-influenced disruption tactics masked as activism. As geopolitical tensions escalate, these actors are becoming faster, louder and harder to attribute, and that makes their threat even more urgent for defenders to address.”
You can read more and get the full report on the Forescout blog.