Infosecurity’s Top 10 Cybersecurity Stories of 2025

By primereports | January 5, 2026
Cybersecurity dominated headlines throughout 2025, with a year marked by high-profile breaches, evolving attack techniques and major shifts in industry practices.

From critical zero-day vulnerabilities and supply chain threats to AI-driven risks and vendor shake-ups, the security landscape has been anything but static.

In this roundup, we’ll dive into some of Infosecurity Magazine’s most-read stories of the year, covering the incidents, innovations and trends that shaped the conversation in cybersecurity.

Cyber Threat Detection Vendors Pull Out of MITRE Evaluations Test

Read the story here

Three major cybersecurity firms, Microsoft, SentinelOne and Palo Alto Networks, did not participate in MITRE’s 2025 ATT&CK Evaluations. Microsoft exited in June 2025, with SentinelOne and Palo Alto following.

Industry analysts suggested that increasing test complexity, along with concerns that the evaluations have become more of a promotional exercise than a genuine security benchmark, contributed to their withdrawal.

MITRE’s CTO, Charles Clancy, emphasized that the annual ATT&CK Evaluations, which began in 2019 to create consistency in security solution testing, are intentionally made progressively tougher to drive industry improvements. He acknowledged this year’s test may have been overly demanding. MITRE plans to reinstate a vendor forum to prepare for the test before the 2026 cycle to rebuild industry confidence.

Criminal Proxy Network Infects Thousands of IoT Devices

Read the story here

A criminal proxy network, operating primarily from infrastructure based in Turkey, infected thousands of internet-of-things (IoT) and end-of-life consumer devices worldwide, turning them into an open “proxy-for-rent” service that enables anonymous malicious activities like ad fraud, distributed denial-of-service (DDoS), brute-force attacks and data exploitation.

Although law enforcement and Lumen’s Black Lotus Labs disrupted parts of the criminal network’s command-and-control infrastructure, the persistence of vulnerable, unpatched devices means similar threats are likely to endure.

NIST Launches Metric to Measure Likelihood of Vulnerability Exploits

Read the story here

In May, NIST introduced a new metric called Likely Exploited Vulnerabilities (LEV), which builds on the Exploit Prediction Scoring System (EPSS) to statistically estimate whether a CVE has already been exploited, using historical EPSS data and Known Exploited Vulnerabilities (KEV) list information.

Designed to enhance vulnerability prioritization, LEV provides detailed insights, such as peak EPSS scores, dates and daily probabilities, enabling organizations to better identify and remediate the most likely exploited vulnerabilities.
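
To make the idea concrete, here is an added worked example (not code from NIST or from the original story) that turns a CVE's EPSS history into a LEV-style lower bound. It assumes the form of the bound NIST published: one EPSS score sampled per 30-day window, combined as 1 minus the product of (1 minus score times weight), with a window cut short by the evaluation date weighted pro rata. The function name and the sample scores are constructed for illustration.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30  # each EPSS score is a probability of exploitation in the next 30 days

def lev_lower_bound(epss_history, first_day, today, window=WINDOW_DAYS):
    """Estimate the probability that a CVE has already been exploited.

    epss_history: dict mapping date -> EPSS score (0..1) published that day.
    One score is sampled per window starting at first_day. A window that
    is cut short by `today` counts pro rata (assumed weighting).
    Returns (lev, peak_score, peak_date).
    """
    p_never_exploited = 1.0
    peak_score, peak_date = 0.0, None
    day = first_day
    while day < today:
        score = epss_history.get(day)
        if score is not None:  # no score published that day: window adds nothing
            elapsed = (today - day).days
            weight = min(elapsed, window) / window
            p_never_exploited *= 1.0 - score * weight
            if score > peak_score:
                peak_score, peak_date = score, day
        day += timedelta(days=window)
    return 1.0 - p_never_exploited, peak_score, peak_date

# Constructed EPSS history for a hypothetical CVE (not real data).
SAMPLE_HISTORY = {
    date(2025, 1, 1): 0.10,
    date(2025, 1, 31): 0.50,
    date(2025, 3, 2): 0.20,
}

if __name__ == "__main__":
    lev, peak, when = lev_lower_bound(
        SAMPLE_HISTORY, date(2025, 1, 1), date(2025, 3, 17))
    print(f"LEV >= {lev:.3f}; peak EPSS {peak:.2f} on {when}")
```

A CVE whose current EPSS score has dropped can still carry a high LEV if earlier windows scored high, which is the prioritization signal a point-in-time EPSS lookup misses.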

New Hacking Group Leaks Configuration of 15,000 Fortinet Firewalls

Read the story here

In early 2025, a newly surfaced hacking group known as ‘Belsen Group’ emerged and leaked VPN credentials, admin usernames (some in plaintext), device certificates and firewall rules for around 15,000 FortiGate firewall units, most running FortiOS 7.0.x and 7.2.x, via a Tor-accessible dump on the dark web.

The data, believed to stem from a 2022 zero-day exploit (CVE-2022-40684), was confirmed authentic by CloudSEK and security researchers, prompting urgent credential rotation and patching efforts from affected organizations.

Hackers Weaponize QR Codes in New ‘Quishing’ Attacks

Read the story here

Cybercriminals are increasingly using QR codes in phishing campaigns, dubbed ‘quishing’, to bypass email security filters and trick victims into scanning malicious codes that lead to credential theft or malware downloads.

Researchers have warned that the tactic is gaining traction because QR codes are harder for traditional security tools to analyze compared to standard URLs.

Open Source Community Thwarts Massive npm Supply Chain Attack

Read the story here

A potential npm supply chain disaster was averted in record time after attackers took over a verified developer’s credentials. The attackers implanted a crypto-clipper payload in malicious packages published via the compromised developer’s npm account.

A crypto clipper steals funds by swapping wallet addresses in network requests and directly hijacking crypto transactions.

Just hours after the compromise was confirmed, all impacted versions of the npm packages had been taken down. While many people started calling this hack the “biggest supply chain attack in history”, others praised the speed of the open source community’s response.

Grok-4 Jailbroken Two Days After Release Using Combined Attack

Read the story here

Just two days after its launch, Grok-4 was jailbroken using a new attack method developed by NeuralTrust researchers. They combined two existing strategies, Echo Chamber and Crescendo, to bypass the model’s safety systems without using overtly malicious prompts.

The goal was to test if the large language model (LLM) could be manipulated into giving illegal instructions. In this case, the researchers successfully got Grok-4 to provide step-by-step directions for making a Molotov cocktail, a scenario previously used in Crescendo’s original research.

AI Hallucinations Create “Slopsquatting” Supply Chain Threat

Read the story here

In April, security experts warned that developers using LLMs for code generation may face a new supply chain attack dubbed “slopsquatting.” Coined by Python Software Foundation (PSF) developer in residence, Seth Larson, the term refers to attackers exploiting LLMs’ tendency to hallucinate non-existent software packages.

A threat actor can publish a malicious package matching the hallucinated name in official repositories. When other developers prompt the same LLM, they may unknowingly install the fake package. Research from Virginia Tech and other universities tested 16 LLMs with 576,000 Python and JavaScript samples, highlighting the risk’s plausibility as on average a fifth of recommended packages did not exist.

OWASP Launches Agentic AI Security Guidance

Read the story here

OWASP released the Securing Agentic Applications Guide v1.0 in July. The guidance offered practical security recommendations for developers building AI agents powered by LLMs.

It looks to address emerging risks as AI systems become more autonomous, tool-using and multi-agent, operating without human prompts and adapting dynamically. This autonomy introduces significant security concerns, particularly in areas like code generation and system configuration, and could enable cybercriminals to automate attacks such as account takeovers.

The resource aims to help AI/ML engineers, software developers and security professionals mitigate these risks.

Fortinet Confirms Critical Zero-Day Vulnerability in Firewalls

Read the story here

At the start of 2025, Fortinet disclosed a critical zero-day vulnerability (CVE-2024-55591) in FortiGate firewalls and FortiProxy, rated CVSS 9.6 and actively exploited in the wild.

The flaw enables authentication bypass and follows reports from Arctic Wolf of a large-scale exploitation campaign targeting exposed FortiGate management interfaces since December 2024.

Compare the top 2025 stories to last year’s most read here.
