Forescout Technologies has released its 2025H1 Threat Review – analysing more than 23,000 vulnerabilities and 885 threat actors across 159 countries worldwide during the first half of 2025. The key findings show that ransomware attacks are averaging 20 incidents a day, zero-day exploits increased 46%, and attackers are increasingly targeting non-traditional equipment like Edge devices, IP cameras, and BSD servers.
“We’re seeing attackers gain initial access through overlooked IoT devices or infostealers, then use lateral movement to pivot across IT, OT, and IoT environments,” said Sai Molige, Senior Manager of Threat Hunting, Forescout Technologies. “Our ValleyRAT hunt, which uncovered the Chinese threat actor Silver Fox targeting healthcare systems, is a prime example. These attackers exploit blind spots to quietly escalate access. The Forescout 4D Platform is purpose-built to detect hidden entry points, continuously assess their risk, and disrupt lateral movement before adversaries reach critical systems.”
“Cyberattacks aren’t just technical events — they have real-world consequences that put human lives at risk. From hospitals to medical devices to critical infrastructure, it is all being targeted through zero-day exploits, unconventional entry points, and nation-backed hacktivism,” added Barry Mainz, CEO of Forescout. “You can’t defend critical infrastructure with yesterday’s tools. Security today must be continuous, proactive, and device-agnostic. Forescout delivers the only platform that secures all devices — IT, OT, IoT and IoMT — across every environment, so organisations can protect what matters most.”
Key findings
- Exploits shift to older vulnerabilities and unconventional devices: 47% of newly exploited vulnerabilities were published before 2025. Published vulnerabilities increased 15%, with 45% rated high or critical
- Ransomware rises 36% year over year: attacks grew to 608 per month, or roughly 20 per day. The US was the top target and accounted for 53% of all incidents
- Healthcare is under siege: in the first half of 2025, it emerged as the most impacted industry for data breaches. Almost 30 million individuals were affected by breaches in H1 2025
- Lines blurring between hacktivists and state-sponsored actors: Forescout tracked 137 threat actors with 40% attributed to state-sponsored groups and 9% as hacktivists. The remaining 51% were cyber criminals
“Hacktivist operations are no longer just symbolic or isolated. They’re evolving into coordinated campaigns targeting critical infrastructure with real-world consequences,” said Daniel dos Santos, Head of Research, Forescout. “What we’re seeing from Iranian-aligned groups is a shift toward more aggressive, state-influenced disruption tactics masked as activism. As geopolitical tensions escalate, these actors are becoming faster, louder and harder to attribute, and that makes their threat even more urgent for defenders to address.”
Reducing risk and building cyber resiliency
- Use agentless discovery to identify and monitor all connected assets—IT, OT, IoT and healthcare systems
- Regularly assess for vulnerabilities, apply patches, disable unused services and enforce strong, unique credentials with multi-factor authentication
- Segment networks to isolate device types and limit lateral movement in case of compromise
- Encrypt all sensitive data in transit and at rest, especially PII, PHI and financial information
- Deploy threat detection tools that ingest data from EDR, IDS and firewalls while enabling detailed logging of user and system activity