Key Takeaways from the 2025 CVE Landscape: Infrastructure Priorities for the Year Ahead

Every year brings a surge of new vulnerabilities, and 2025 is no exception. Thor's analysis of this year's CVE data cuts through much of the noise and points to where organisations should reinforce their defences, with some pointed suggestions for those managing IT infrastructure.

The usual culprits persist: out-of-date software, misconfigured systems, and delayed patching. Beyond these, the recent data highlights three areas demanding greater attention: vulnerabilities in authentication, flaws in supply chain dependencies, and the growing attack surface of hybrid and multi-cloud deployments.

On authentication, a significant share of critical CVEs stemmed from design flaws or poor implementation. Multi-factor authentication (MFA) raises the bar, but only when it is correctly configured; a misconfigured or bypassable MFA deployment adds little. Robust identity controls, ongoing monitoring for credential abuse, and avoiding reliance on any single authentication method are all necessary to strengthen authentication.

Growing reliance on third-party SaaS and open-source components has pushed supply chain risk further into focus. Rigorous vendor risk assessment and diligent use of software composition analysis (SCA) tools are now essential practices rather than optional extras.

Hybrid and multi-cloud setups are rapidly expanding organisational attack surfaces, making asset visibility and consistent policy enforcement harder to achieve. Automation and continuous monitoring are crucial to maintaining control as complexity grows.

In practical terms: focus on thorough patch management and an accurate asset inventory, maintain stringent credential hygiene, and closely track all third-party dependencies. The evolving threat landscape demands active, sustained vigilance; the complexity of infrastructure must not become an excuse for complacency. CVE trends should inform priorities and drive action, not cause paralysis.
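The three practical points above (an asset inventory, tracking third-party dependencies against advisories, and prioritising patches from CVE data) can be tied together in a small script. The following is an added example, not code from the original page or from Talos: it matches a constructed asset inventory and its dependency versions against a constructed advisory list, then orders the resulting findings so that issues known to be exploited on internet-facing assets come first. The advisory IDs (ADV-0001 etc.), package names, versions, CVSS scores and assets are all placeholders, not real CVEs; the version parser assumes plain dotted numeric versions, whereas a real SCA tool would need full PEP 440 or semver handling.

```python
"""Minimal dependency-to-advisory matching and patch prioritisation.

Added example, not code from the original page or from Talos. Every advisory,
asset and version below is a constructed placeholder (ADV-xxxx are not CVEs).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    cvss: float
    exploited: bool   # known to be exploited in the wild


@dataclass
class Asset:
    name: str
    internet_facing: bool
    deps: dict        # package name -> installed version


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare correctly.

    Assumption: plain numeric dotted versions only. Anything else (e.g. '1.2rc1')
    is rejected rather than silently mis-compared."""
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            raise ValueError(f"unsupported version component {p!r} in {v!r}")
        parts.append(int(p))
    while len(parts) < 3:          # pad so that '2.4' == '2.4.0'
        parts.append(0)
    return tuple(parts)


def is_affected(installed: str, adv: Advisory) -> bool:
    """True if installed is in [introduced, fixed); an empty fixed means every
    version from 'introduced' onwards is affected (no fix available)."""
    v = parse_version(installed)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def find_findings(assets, advisories):
    """Cross every asset's dependencies with the advisory list."""
    findings = []
    for asset in assets:
        for pkg, ver in asset.deps.items():
            for adv in advisories:
                if adv.package == pkg and is_affected(ver, adv):
                    findings.append((asset, adv, ver))
    return findings


def priority_key(finding):
    """Sort order: exploited-in-the-wild first, then internet exposure, then CVSS."""
    asset, adv, _ = finding
    return (not adv.exploited, not asset.internet_facing, -adv.cvss)


def prioritised_patch_list(assets, advisories):
    """Return (asset, advisory id, package, installed, fix) rows, highest priority first."""
    findings = sorted(find_findings(assets, advisories), key=priority_key)
    return [(a.name, adv.id, adv.package, ver, adv.fixed or "no fix available")
            for a, adv, ver in findings]


# Constructed sample data (placeholders, not real advisories or systems).
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "1.0.0", "1.4.2", 9.8, True),
    Advisory("ADV-0002", "webgw", "2.0.0", "2.3.0", 7.5, False),
    Advisory("ADV-0003", "authlib", "0.9.0", "", 6.1, False),   # no fix yet
]
ASSETS = [
    Asset("edge-proxy", True, {"webgw": "2.1.7", "libfoo": "1.4.2"}),
    Asset("batch-worker", False, {"libfoo": "1.3.0", "authlib": "0.9.5"}),
    Asset("sso-portal", True, {"authlib": "1.0.0", "libfoo": "1.2"}),
]


def demo():
    return prioritised_patch_list(ASSETS, ADVISORIES)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the block lists the exploited `libfoo` issue on the internet-facing `sso-portal` first and the unfixed `authlib` findings last; the "no fix available" rows are the ones to track for mitigations rather than patches. Inventory accuracy matters as much as the advisory feed: an asset missing from `ASSETS` simply never appears in the list.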

Original source: https://blog.talosintelligence.com/patch-track-repeat-the-2025-cve-retrospective/