Persistent Security Gaps: Why Attackers Keep Exploiting the Same Vulnerabilities


Cyber Attackers Continue to Exploit Well-Known Vulnerabilities

Cyber attackers continue to exploit well-known gaps in organizations' security programs, most often gaining access through identity systems, third-party access, and poorly secured perimeter devices. A recent threat report from Barracuda, based on Managed XDR telemetry from 2025, highlights how persistent these weaknesses are.

Identity-Related Alerts Most Common Detection Type

The report reveals that identity-related alerts were the most common detection type, with suspicious logins topping the list. These detections often indicate credential theft, compromised accounts, or attackers testing access from new locations. The prevalence of identity-based compromise underscores its continued role as a reliable entry point for attackers.

Privilege Escalation Difficult to Detect

Once inside, attackers prioritize privilege escalation, which can be difficult to detect due to its resemblance to normal IT operations. The report notes that 42% of privilege escalation detections involved adding a user to a Windows group with high-risk security rights, while 27% involved removing a user from such a group. Microsoft 365 privilege escalations were also common, with 16% of detections involving the addition of a global administrator.
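The two Windows privilege-escalation patterns the report counts (a user added to, or removed from, a group with high-risk rights) map directly onto standard Windows Security log events. The detector below is an added example, not code from Barracuda or the report; the high-risk group list and the sample event records are constructed assumptions.

```python
# Added example: flag security-group membership changes that touch high-risk
# groups, the privilege-escalation pattern described in the report.
# Event IDs are the standard Windows Security log IDs for membership changes
# in security-enabled global / local / universal groups.
from dataclasses import dataclass
from typing import Optional

ADD_EVENT_IDS = {4728, 4732, 4756}     # member added to a security-enabled group
REMOVE_EVENT_IDS = {4729, 4733, 4757}  # member removed from such a group

# Groups treated as high-risk in this example (an assumption; tune per domain).
HIGH_RISK_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Backup Operators", "Account Operators",
}

@dataclass
class GroupChangeAlert:
    action: str    # "added" or "removed"
    member: str    # account whose membership changed
    group: str     # high-risk group affected
    actor: str     # account that performed the change
    event_id: int

def classify_group_change(event: dict) -> Optional[GroupChangeAlert]:
    """Return an alert if this event changes membership of a high-risk group."""
    eid = event.get("EventID")
    if eid in ADD_EVENT_IDS:
        action = "added"
    elif eid in REMOVE_EVENT_IDS:
        action = "removed"
    else:
        return None  # not a membership-change event at all
    group = event.get("TargetUserName")  # in 4728-style events this is the group
    if group not in HIGH_RISK_GROUPS:
        return None  # routine group housekeeping, not escalation
    return GroupChangeAlert(action, event["MemberName"], group,
                            event["SubjectUserName"], eid)

def scan_events(events) -> list:
    """Run the classifier over a batch of parsed event records."""
    return [a for a in map(classify_group_change, events) if a is not None]

# Constructed sample records carrying only the fields the detector needs.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc-helpdesk", "MemberName": "j.doe", "TargetUserName": "Domain Admins"},
    {"EventID": 4732, "SubjectUserName": "admin1", "MemberName": "vendor-acct", "TargetUserName": "Administrators"},
    {"EventID": 4729, "SubjectUserName": "admin1", "MemberName": "j.doe", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "MemberName": "a.smith", "TargetUserName": "Marketing"},
    {"EventID": 4624, "SubjectUserName": "j.doe", "MemberName": "", "TargetUserName": "j.doe"},
]
```

In a real deployment the same logic would run over parsed event-log or SIEM records rather than the inline list, and an add followed shortly by a remove of the same member is worth surfacing as a single escalation-and-cleanup sequence.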

Remote Management Tools Remain a Growing Risk

Remote management tools remain a growing risk, with incidents involving the abuse of SonicWall SSL-VPN, ScreenConnect, RDP, PsExec, AnyDesk, and firewall VPN services. In one notable case, a malicious executable attempted to exploit a vulnerability; in another, attackers installed Datto RMM after gaining access to a domain controller.

Third-Party Access Continues to Play a Significant Role

Third-party access continues to play a significant role in security incidents, with 66% of incidents involving the supply chain or a third party. Researchers found that third-party access often persists longer than intended, particularly when vendor accounts remain active after a contract ends. In one ransomware case, attackers entered through an account created for a vendor that was never deactivated.

Vulnerability Exposure Remains a Concern

The report also highlights the ongoing issue of vulnerability exposure, with outdated encryption and certificate problems remaining common. The top detected network vulnerabilities were untrusted security certificates, certificate name mismatches, weak encryption, and self-signed certificates. Legacy cryptography remains widespread: the most frequently detected CVE was CVE-2013-2566, an RC4 encryption weakness.

Misconfiguration and Disabled Protections Contributed to Incidents

Misconfiguration and disabled protections also contributed to incidents, with endpoint protection agents accounting for 94% of disabled security feature detections. Every security incident responded to by Barracuda involved at least one unprotected or rogue endpoint, highlighting the need for consistent enforcement of endpoint coverage.

Ransomware Remains a Consistent Threat

Ransomware remains a consistent threat, with 13,514 indicators of ransomware activity identified in 2025. Firewalls played a central role in ransomware intrusions, with 90% of incidents exploiting a firewall through a CVE or a vulnerable account. The speed of ransomware attacks varied widely, with some cases reaching lateral movement within 10 minutes and others unfolding over weeks or months.

According to Merium Khalid, Director of SOC Offensive Security at Barracuda, “Attackers only need to find one vulnerability to succeed. What makes targets vulnerable is often easy to overlook – a single rogue device, an account that wasn’t disabled when someone left, a dormant application that hasn’t been updated, or a misconfigured security feature.”
