Q4 2025 Talos IR: Public-Facing Exploits and Phishing
🔒 Talos Incident Response (Talos IR) reports that in Q4 2025 threat actors again favored exploitation of public-facing applications, appearing in nearly 40% of engagements, while phishing rose to the second-most common initial access vector. Notable exploit activity targeted Oracle E-Business Suite (CVE-2025-61882) and React2Shell (CVE-2025-55182), and attackers rapidly weaponized these flaws close to disclosure. Talos also observed deployment of APT-linked implants such as BadCandy and AquaShell, plus campaigns that targeted Native American tribal organizations for credential harvesting. The report emphasizes timely patching, strong MFA controls, centralized logging, and rapid incident response to limit impact.
