ENISA Threat Landscape 2025 — Part 5
- Katarzyna Celińska

- Oct 28
The final chapter of the European Union Agency for Cybersecurity (ENISA) report takes us deep into the mechanics of cyberattacks — the tactics, techniques and procedures (TTPs) that adversaries use to compromise systems, steal data, and cause disruption. It’s a crucial section because understanding how attackers operate helps organizations design defense-in-depth strategies and prioritize controls that truly reduce risk.
TTPs
1️⃣ Initial Access via Exploited Public-Facing Applications
Continues to be the most exploited initial access vector, responsible for 42% of observed incidents. Attackers increasingly exploit unpatched web applications, VPNs, and API interfaces to enter networks.
2️⃣ Valid Accounts
Compromised or stolen credentials are used in 39% of cases.
3️⃣ Command & Scripting Interpreter
Used in 34% of incidents to execute malicious scripts and automate privilege escalation.
4️⃣ Defense Evasion
Attackers are disabling or bypassing antivirus, EDR, and logging mechanisms in 51% of cases.

➡️ 81% of intrusions were malware-free.
➡️ Adversaries are increasingly using native system tools and “living-off-the-land” techniques.
➡️ Phishing remains the top initial infection method, but lateral movement now heavily depends on identity misuse and misconfigurations in AD, IAM, and SSO systems.
➡️ Cloud-based exploitation grew by 136%.
VULNERABILITIES
➡️ 64% of documented vulnerabilities use the network as the primary attack vector.
➡️ 22% exploit local privilege escalation.
➡️ 11% rely on user interaction, such as malicious attachments or links.
➡️ 3% involve physical access or removable media.
ENISA recorded over 31,000 disclosed vulnerabilities, a 12% increase year-over-year.
VENDORS & VULNERABILITIES
1️⃣ Linux
Surprisingly, Linux distributions accounted for the largest number of disclosed vulnerabilities.
2️⃣ Microsoft
Ranked second overall in total disclosures, but first among known exploited vulnerabilities (KEV). Microsoft products remain the most actively targeted in real-world attacks across the EU.
3️⃣ Apple, Google, and Cisco follow in total volume, particularly in mobile and network device categories.
4️⃣ Adobe vulnerabilities continue to surface in creative and enterprise software.
For me, this is one of the most important and practical sections of the ENISA report. It connects how attackers operate, giving a full picture of the current threat ecosystem.
➡️ 64% of vulnerabilities are exploitable via the network — meaning perimeter hardening and segmentation are still essential.
➡️ Microsoft tops the chart for exploited vulnerabilities and KEVs.
➡️ Attackers don’t need new tools — they exploit what’s already available.
That’s why vulnerability and patch management should be a cornerstone of every cybersecurity program. Every organization — regardless of size or sector — must move from reactive patching to continuous vulnerability management.
Author: Sebastian Burgemejster




