Global ransomware attacks rise as healthcare faces surge in cyber threats


Forescout Technologies has released its 2025H1 Threat Review, revealing increases in zero-day exploits, ransomware incidents, and cyberattacks targeting healthcare and non-traditional devices.

The analysis examined over 23,000 vulnerabilities and 885 threat actors in 159 countries worldwide during the first half of 2025.

Among the key findings, ransomware attacks are now averaging 20 incidents per day, with a 46 per cent increase in zero-day exploits and attackers shifting focus to unconventional equipment, such as edge devices, IP cameras, and BSD servers.

Entry points and lateral movement

According to the report, cybercriminals are exploiting overlooked IoT devices and infostealers to gain initial access.

From there, they use lateral movement techniques to pivot further across IT, Operational Technology (OT), and Internet of Things (IoT) environments. This enables threat actors to compromise critical systems, sometimes without detection.

“We’re seeing attackers gain initial access through overlooked IoT devices or infostealers, then use lateral movement to pivot across IT, OT, and IoT environments,” said Sai Molige, Senior Manager of Threat Hunting at Forescout Technologies.

“Our ValleyRAT hunt, which uncovered the Chinese threat actor Silver Fox targeting healthcare systems, is a prime example. These attackers exploit blind spots to quietly escalate access. The Forescout 4D Platform™ is purpose-built to detect hidden entry points, continuously assess their risk, and disrupt lateral movement before adversaries reach critical systems.”

The review indicated that ransomware actors are paying increased attention to non-traditional equipment, including edge devices, IP cameras, and BSD servers. Many of these devices run no endpoint detection and response (EDR) agent, which makes them attractive initial entry points and leaves the subsequent movement from them into the rest of the network unmonitored.
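The pivot the report describes, a device class that cannot run an EDR agent reaching into the IT segment, is visible in plain network flow data even when the device itself logs nothing. The following is an added illustration of that check, not Forescout code: it assumes a hypothetical segment plan (one /24 per zone), a short list of admin ports, and a constructed set of flow records, and flags both direct admin-service connections and the host-discovery sweep that usually precedes them.

```python
"""Flag cross-segment pivots from low-trust device classes (IoT, OT, edge
appliances) toward IT admin services. Added example, not Forescout code;
the segment plan, port list and flow records below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed segment plan (assumption: one /24 per zone).
SEGMENTS = {
    "iot":  ipaddress.ip_network("10.10.0.0/24"),   # cameras, sensors
    "ot":   ipaddress.ip_network("10.20.0.0/24"),   # PLC / HMI network
    "edge": ipaddress.ip_network("10.30.0.0/24"),   # VPN and firewall appliances
    "it":   ipaddress.ip_network("10.100.0.0/24"),  # servers and workstations
}
# Device classes that typically cannot run an EDR agent.
LOW_TRUST = {"iot", "ot", "edge"}
# Management services a camera or PLC has no business reaching.
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm"}


def zone_of(ip):
    """Map an address to its segment name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow record:
    '<time> <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <bytes>'."""
    ts, src, _, dst, proto, nbytes = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "sport": int(sport), "dst": dst_ip,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def find_pivots(lines, fanout_threshold=3):
    """Return alert strings for two signals of cross-segment lateral movement:
    1. a low-trust host connecting to an IT host on an admin port;
    2. a low-trust host touching at least `fanout_threshold` distinct IT hosts
       (the discovery sweep that usually precedes a pivot).
    Flows in the other direction (IT -> IoT, e.g. an NVR pulling video) and
    flows that stay inside one segment are not flagged."""
    alerts = []
    it_targets = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone in LOW_TRUST and dst_zone == "it":
            it_targets[f["src"]].add(f["dst"])
            if f["dport"] in ADMIN_PORTS:
                alerts.append(f"{f['ts']} {src_zone}->{dst_zone} {f['src']} -> "
                              f"{f['dst']}:{f['dport']} ({ADMIN_PORTS[f['dport']]})")
    for src, dsts in it_targets.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(f"fanout {zone_of(src)} host {src} touched {len(dsts)} IT hosts")
    return alerts


# Constructed flow records: a camera (10.10.0.5) sweeping three IT hosts on
# SMB, RDP and SSH; a PLC reaching an IT web service; benign traffic the
# other way and traffic that stays inside the IT segment.
FLOWS = [
    "12:00:01 10.10.0.5:51000 -> 10.100.0.10:445 tcp 1200",
    "12:00:02 10.10.0.5:51001 -> 10.100.0.11:3389 tcp 900",
    "12:00:03 10.10.0.5:51002 -> 10.100.0.12:22 tcp 300",
    "12:00:04 10.100.0.10:50000 -> 10.10.0.5:554 tcp 8000",
    "12:00:05 10.20.0.7:40000 -> 10.100.0.20:443 tcp 500",
    "12:00:06 10.100.0.30:49000 -> 10.100.0.10:445 tcp 2000",
]

if __name__ == "__main__":
    for alert in find_pivots(FLOWS):
        print(alert)
```

The rule is deliberately one-directional: an IT host pulling video from a camera is expected, a camera opening SMB to a file server is not. In practice the segment map would come from the asset inventory (the agentless discovery the report recommends) rather than a hard-coded table.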

Ransomware and vulnerability trends

There were 3,649 documented ransomware attacks globally in the first half of 2025, signifying a 36 per cent year-on-year increase.

Attacks averaged 608 per month, or about 20 per day. The United States accounted for 53 per cent of all ransomware incidents, with sectors such as services, manufacturing, technology, retail, and healthcare being the top targets.

The report also recorded a 15 per cent increase in published vulnerabilities, of which 45 per cent were rated high or critical.

Notably, 47 per cent of newly exploited vulnerabilities had originally been published before 2025, highlighting the ongoing risks from older, unpatched vulnerabilities. There was also a marked 80 per cent rise in Common Vulnerabilities and Exposures (CVEs) added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) catalogue.
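The "old but newly exploited" finding is straightforward to reproduce against your own exposure data. The block below is an added example, not part of the Forescout analysis: it uses the field names of the public CISA KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) but the entries are constructed with synthetic CVE numbers, and the asset inventory is hypothetical. It computes the share of a window's additions whose CVE number predates the window, then ranks the inventory's KEV hits by ransomware linkage and overdue remediation date.

```python
"""Measure how much of a KEV feed's recent additions are older CVEs and
join the feed against an asset inventory. Added example, not Forescout's
analysis. Field names follow the public CISA KEV JSON; the entries are
constructed with synthetic CVE numbers and the inventory is hypothetical."""
import json
import re
from datetime import date

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed feed: five additions in H1 2025 plus one from late 2024.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample, not the real catalogue",
    "vulnerabilities": [
        {"cveID": "CVE-2019-99901", "vendorProject": "ExampleCam", "product": "IP camera",
         "dateAdded": "2025-02-03", "dueDate": "2025-02-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-99902", "vendorProject": "ExampleEdge", "product": "VPN gateway",
         "dateAdded": "2025-03-11", "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-99903", "vendorProject": "ExampleOS", "product": "Kernel",
         "dateAdded": "2025-04-08", "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-99904", "vendorProject": "ExampleWeb", "product": "App server",
         "dateAdded": "2025-05-20", "dueDate": "2025-06-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-99905", "vendorProject": "ExampleFW", "product": "Firewall",
         "dateAdded": "2025-06-02", "dueDate": "2025-06-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2018-99906", "vendorProject": "ExampleDB", "product": "Database",
         "dateAdded": "2024-11-14", "dueDate": "2024-12-05", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

H1_2025_START, H1_2025_END = date(2025, 1, 1), date(2025, 6, 30)
ASSESSMENT_DATE = date(2025, 7, 1)   # "today" for the overdue check


def cve_year(cve_id):
    """Year embedded in the CVE identifier (assignment year, not exploit year)."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id}")
    return int(m.group(1))


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def added_between(entries, start, end):
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def share_published_before(entries, year):
    """Fraction of entries whose CVE number predates `year`; 0.0 for no entries."""
    if not entries:
        return 0.0
    old = sum(1 for e in entries if cve_year(e["cveID"]) < year)
    return old / len(entries)


def kev_hits(entries, inventory, today):
    """Join inventory {cve_id: [asset, ...]} against KEV. Hits are sorted so
    ransomware-linked, then overdue, entries come first."""
    by_id = {e["cveID"]: e for e in entries}
    hits = []
    for cve_id, assets in inventory.items():
        e = by_id.get(cve_id)
        if e is None:
            continue   # not known-exploited: lower priority, not ignored
        hits.append({
            "cveID": cve_id,
            "assets": sorted(assets),
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
            "overdue": today > date.fromisoformat(e["dueDate"]),
            "age_years": today.year - cve_year(cve_id),
        })
    hits.sort(key=lambda h: (not h["ransomware"], not h["overdue"], h["cveID"]))
    return hits


# Hypothetical inventory: CVE -> assets still carrying it.
INVENTORY = {
    "CVE-2019-99901": ["camera-lobby-01", "camera-dock-02"],
    "CVE-2025-99905": ["fw-edge-02"],
    "CVE-2023-99999": ["ws-017"],   # not in the feed
}

if __name__ == "__main__":
    entries = load_kev(KEV_SAMPLE)
    h1 = added_between(entries, H1_2025_START, H1_2025_END)
    print(f"H1 2025 additions: {len(h1)}, "
          f"published before 2025: {share_published_before(h1, 2025):.0%}")
    for hit in kev_hits(entries, INVENTORY, ASSESSMENT_DATE):
        print(hit)
```

The CVE year is the assignment year, so `age_years` measures how long a fix has been available, which is the quantity the 47 per cent figure is really about. With the live feed, `KEV_SAMPLE` would be replaced by the downloaded JSON and `INVENTORY` by scanner output.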

On the OT side, the report recorded that Modbus accounted for 57 per cent of OT protocol traffic in Forescout honeypots, suggesting continued focus on critical industrial protocols by threat actors.

Healthcare sector pressures

The healthcare industry emerged as the most impacted sector for data breaches.

On average, there were two healthcare breaches per day in the review period, affecting nearly 30 million individuals. Of these breaches, 76 per cent were categorised as hacking or IT incidents; 62 per cent involved data held on network servers and 24 per cent data held in email systems.

The research team also identified trojanised DICOM imaging software being used to deliver malware directly to patient systems, a case that further illustrates the breadth of threats facing the healthcare sector.

“Cyberattacks aren’t just technical events – they have real-world consequences that put human lives at risk. From hospitals to medical devices to critical infrastructure, it is all being targeted through zero-day exploits, unconventional entry points, and nation-backed hacktivism,” said Barry Mainz, CEO of Forescout. “You can’t defend critical infrastructure with yesterday’s tools. Security today must be continuous, proactive, and device-agnostic. Forescout delivers the only platform that secures all devices – IT, OT, IoT and IoMT – across every environment, so organizations can protect what matters most.”

State-sponsored hacktivism

The blurred lines between traditional hacktivists and state-sponsored threat actors were also noted in the report.

Out of 137 threat actor updates tracked in the first half of 2025, 40 per cent were attributed to state-sponsored groups and 9 per cent to hacktivists, with the remaining 51 per cent identified as cybercriminals, including ransomware groups.

Iranian-affiliated groups such as GhostSec and Arabian Ghosts were found to be targeting programmable logic controllers tied to Israeli media and water systems. In addition, threat actors like CyberAv3ngers were seen amplifying unverified claims prior to major attacks on operational technology. These activities have continued under new identities, such as APT IRAN, and are indicative of evolving approaches to targeting critical infrastructure.

“Hacktivist operations are no longer just symbolic or isolated. They’re evolving into coordinated campaigns targeting critical infrastructure with real-world consequences,” said Daniel dos Santos, Head of Research at Forescout. “What we’re seeing from Iranian-aligned groups is a shift toward more aggressive, state-influenced disruption tactics masked as activism. As geopolitical tensions escalate, these actors are becoming faster, louder and harder to attribute, and that makes their threat even more urgent for defenders to address.”

Cyber resiliency measures

The report sets out several recommendations for reducing cyber risk.

These include agentless discovery to maintain a complete inventory of connected assets, regular vulnerability assessment together with strong credential practices, network segmentation to limit lateral movement, encryption of sensitive data, and threat detection that correlates inputs from EDR, IDS, and firewalls.
