128: Key Takeaways from the 2025 CVE Landscape: Infrastructure Priorities for the Year Ahead

Thor’s 2025 CVE retrospective points to persistent vulnerability trends—outdated software, poor patching and misconfigured systems remain common entry points. The analysis spotlights three areas needing extra focus: authentication weaknesses, supply chain dependencies, and expanded risk from hybrid/multi-cloud set-ups.

Critical authentication CVEs arise mainly from flawed design and improper MFA deployment; layered identity controls and vigilant monitoring are advised. Supply chain risk is amplified by reliance on third-party SaaS and open source, necessitating rigorous vendor checks and software composition analysis.

Hybrid/multi-cloud deployments broaden attack surfaces; automated asset management and continuous policy enforcement are vital. The key takeaway: infrastructure priorities must be driven by precise patching, asset inventory, credential hygiene, and sustained vigilance, not by complacency.
