#BHUSA: Microsoft and Google Among Most Affected as Zero Day Exploits

by CybrGPT

Zero day exploitation surged by 46% year-over-year in the first six months of 2025, according to the Forescout Research – Vedere Labs H1 2025 Threat Review.

Products from 27 vendors were found to be impacted by zero days, with Microsoft making up around a third (30%).

Google products experienced the second highest volume of zero day exploits, at 11%, followed by Apple (8%), Ivanti (6%), Qualcomm (5%) and VMware (5%).

A total of 23,583 vulnerabilities were published in the first half of 2025, averaging 130 new CVEs per day or 3930 per month. This represents a 15% increase compared to the same period in 2024.

Additionally, 132 CVEs were added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog in H1 2025, an 80% year-over-year rise.

Of these, 47% were originally published before 2025, many of which targeted perimeter infrastructure.

Six impacted end-of-life products, meaning no patches are available for this equipment.

Ransomware Actors Target Non-Traditional Equipment

The Forescout report, published on August 4 during Black Hat USA, found that ransomware actors increasingly targeted non-traditional equipment, such as edge devices, IP cameras and Berkeley Software Distribution (BSD) servers.

This approach is designed to bypass defenses, as such devices often lack endpoint detection and response (EDR).

These devices are then used as footholds to enable lateral movement across IT, OT and IoT environments.

One example of this tactic highlighted by the researchers was the deployment of Akira ransomware to Windows endpoints via a compromised IP camera in March 2025.

Another was the VanHelsing group introducing a multi-platform encryptor that includes support for BSD UNIX.

“We expect both asset types – IP cameras and BSD systems – to be increasingly targeted in the near future,” the researchers noted. “BSD, while niche, is gaining attention from ransomware operators.”

The study also found that ransomware attacks grew 36% year-over-year, with 3649 documented attacks in H1 2025.

Ransomware victims were recorded in 112 countries over the six-month period, a 9% increase from the 103 countries impacted in H1 2024.

Nation State and Hacktivist Gangs Prevalent

Forescout observed 137 threat actors undertake notable activity in H1 2025. Of these, 51% were attributed as financially motivated cybercriminals, 40% state-sponsored actors and 9% hacktivists.

China was the country of origin for the largest number of these threat actors, at 33. This was followed by Russia (22 groups), Iran (eight), Turkey (four) and Brazil (three).

The country of origin was unknown for 45 of the active tracked groups.

The researchers also highlighted the blurred lines between hacktivists and nation-state groups, with Iran-aligned hacktivist groups heavily targeting critical OT environments.

Daniel dos Santos, head of research at Forescout, commented: “What we’re seeing from Iranian-aligned groups is a shift toward more aggressive, state-influenced disruption tactics masked as activism. As geopolitical tensions escalate, these actors are becoming faster, louder and harder to attribute, and that makes their threat even more urgent for defenders to address.” 
