Whakataunga 5 Judgement 5

Known weaknesses and unpatched vulnerabilities are providing threat actors with easy access | He māmā te uru poka noa a ngā kaiwhakatuma nā ngā ngoikoretanga me ngā whakaraeraetanga kāore i te whakatikahia

Why it matters – the global view

Headlines can often give the impression that malicious actors are highly skilled players with the tools to penetrate sophisticated defences. While that is true in some cases, many attacks succeed because organisations fail to address common weaknesses. We regularly observe that poor patching, weak credentials, and misconfigured systems provide threat actors with easy entry points.

Threat actors can move quickly to exploit known vulnerabilities, reducing the time window for patching. Applying a patch may not mean you’re protected if the threat actor has already gained access.

Compromised credentials are a common way for malicious actors to gain initial access, yet securing accounts through enforced password policies and MFA is one of the simplest mitigations an organisation can undertake. 

This highlights the importance of cyber security fundamentals: resilience often depends less on advanced tools and more on consistently applying basic practices across the entire environment.

Examples

  • A joint advisory published by NCSC and partners in July 2024 highlighted that sophisticated cyber actors possessed the capability to rapidly transform and adapt proof-of-concept code for new vulnerabilities, enabling them to use it immediately against target networks. They also regularly conducted activity to identify vulnerable, end-of-life, or no longer maintained devices, and continue to find success exploiting vulnerabilities dating back to 2017.

PRC MSS tradecraft in action

  • In July 2025 Microsoft advised of APTs and ransomware actors using spoofing and remote code execution vulnerabilities to exploit on-premises SharePoint servers.

Disrupting active exploitation of on-premises SharePoint vulnerabilities

  • Technical advice published by NCSC and partners in August 2025 highlighted that actors had considerable success exploiting publicly known common vulnerabilities and exposures and other avoidable weaknesses within compromised infrastructure to gain initial access. 

China state-sponsored actors target networks globally

Tactics and techniques

Exploiting known vulnerabilities remains a high-use tactic for both criminals and state actors. Common gaps include:

  • unpatched software,
  • reused passwords, and
  • unsecured remote access.

Threat actors often scan the internet for exposed systems, compromising them at scale.

Common vulnerabilities and exposures (CVEs) often have information about how to exploit them in the public domain, which enables threat actors to quickly use available exploits against unprotected systems. Where this information exists for a particular vulnerability, there is an increased urgency for organisations to patch and review logging for signs of compromise prior to the patch being applied. 

Keeping software and systems up to date remains critically important, especially in a fast-evolving environment. The growing rate of software vulnerabilities exposed each year highlights that software updates are not optional or intermittent - patching requires ongoing, proactive attention to keep pace with vulnerability disclosures.
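The two points above (patch urgency rises once exploit details are public, and logs from the unpatched period need reviewing for signs of compromise) can be turned into a simple triage rule. The following is an added illustration, not NCSC tooling: it takes a constructed asset inventory with hypothetical hostnames and placeholder CVE labels, computes each asset's exposure window between disclosure and patching, and reports whether a pre-patch log review is warranted and from which date.

```python
"""Vulnerability exposure-window triage over a constructed asset inventory.

Added example (not NCSC code). Hostnames are hypothetical and the CVE
labels are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Lower rank = more urgent. "review" means patched, but only after exploit
# details were public, so pre-patch logs still need checking.
URGENCY_RANK = {"replace": 0, "critical": 1, "high": 2, "review": 3, "ok": 4}


@dataclass
class Asset:
    name: str
    cve: str                         # placeholder label, not a real CVE number
    disclosed: date                  # public disclosure of the vulnerability
    exploit_public: Optional[date]   # when exploit details became public, if ever
    patched: Optional[date]          # when the patch was applied; None = unpatched
    end_of_life: bool = False        # vendor no longer ships fixes for this device


@dataclass
class Finding:
    name: str
    cve: str
    days_exposed: int
    urgency: str
    review_logs_from: Optional[date]  # start of the window to check for compromise


def triage(asset: Asset, today: date) -> Finding:
    """Classify one asset by how long it sat exposed and what action remains."""
    window_end = asset.patched or today
    days_exposed = max(0, (window_end - asset.disclosed).days)
    # Was a public exploit available at any point while the asset was unpatched?
    exploit_while_unpatched = (
        asset.exploit_public is not None and asset.exploit_public < window_end
    )
    if asset.end_of_life:
        urgency = "replace"          # no patch is coming; replacement is the fix
    elif asset.patched is None:
        urgency = "critical" if exploit_while_unpatched else "high"
    elif exploit_while_unpatched:
        urgency = "review"
    else:
        urgency = "ok"
    review_from = asset.exploit_public if exploit_while_unpatched else None
    return Finding(asset.name, asset.cve, days_exposed, urgency, review_from)


def prioritise(assets: List[Asset], today: date) -> List[Finding]:
    """Most urgent first; within the same urgency, longest exposure first."""
    findings = [triage(a, today) for a in assets]
    return sorted(findings, key=lambda f: (URGENCY_RANK[f.urgency], -f.days_exposed))


# Constructed sample inventory (hypothetical hostnames, placeholder CVE labels).
TODAY = date(2025, 8, 1)
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", "CVE-PLACEHOLDER-1", date(2025, 1, 10), date(2025, 1, 20), date(2025, 2, 15)),
    Asset("mail-01", "CVE-PLACEHOLDER-2", date(2025, 3, 1), None, date(2025, 3, 5)),
    Asset("legacy-fw", "CVE-PLACEHOLDER-3", date(2018, 6, 1), date(2018, 7, 1), None, end_of_life=True),
    Asset("web-02", "CVE-PLACEHOLDER-4", date(2025, 7, 1), None, None),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_ASSETS, TODAY):
        print(f"{f.urgency:9} {f.name:10} exposed {f.days_exposed:5}d  "
              f"review logs from: {f.review_logs_from}")
```

The end-of-life device sorts to the top even though it is the oldest finding, because no amount of patching will close it; the VPN gateway was patched, but 26 days after exploit details were public, so the rule tells you which date the log review must start from.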

Meanwhile, remote work has expanded the attack surface due to poorly secured endpoints and cloud services.

Compromised credentials are another common avenue for access. Valid credentials are of high value to cyber actors and enable a range of malicious activities across the adversary lifecycle.

Analysis: The long tail of vulnerability exploitation

In 2025, the NCSC contributed to analysis alongside international partners of CVEs routinely and frequently exploited by malicious cyber actors in 2023.

This analysis found that threat actors continue to have success exploiting vulnerabilities up to two years after public disclosure of the vulnerability. 

Although the majority of these vulnerabilities were initially exploited as zero-days, many malicious actors can keep using the same techniques long after a fix has been made available, because organisations have not applied the updates.

The New Zealand landscape 

Failure to patch devices or software in time has been a contributing factor in a significant proportion of the NCSC's recorded high impact incidents over the last five years.

In the past year, the NCSC observed the targeting, scanning and exploitation of historical and recently disclosed CVEs. This included a CVE dating back to 2018. 

The exploitation of public-facing applications continues to be a prevalent initial access vector for malicious cyber actors.

We continue to record high numbers of incidents involving public-facing applications, including devices used to provide internet access and security to private networks. These incidents consisted of the targeting, scanning and/or exploitation of both zero-day vulnerabilities, and historical or recently disclosed CVEs in a range of applications. Malicious cyber actors may also exploit end-of-life devices and misconfigured devices - for example, with permissive defaults or poor security settings.

Case study 1 illustrated how recently disclosed vulnerabilities enabled cyber actors to compromise an organisation’s network during 2024/25. 

Case study 1 - Network compromise for espionage purposes

In the 2024/25 year, the NCSC also recorded a range of activity involving the misuse of credentials. Malicious cyber actors published compromised credentials online, used brute-force techniques (repetitive guessing of passwords) to access accounts, and phished for credentials or to compromise accounts. Some of these incidents involved business email compromise (BEC), in which a cyber actor compromises the legitimate email account of a trusted contact to extract information from another. 
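The brute-force activity described above leaves a recognisable trace in authentication logs: many failures from one source in a short window, either against one account or spread across several (a password spray), sometimes followed by a success. The following added example is not NCSC tooling; it runs a sliding-window detector over a constructed, simplified log format (one line per attempt: ISO timestamp, result, user, source address, using documentation IP ranges) and flags both patterns plus any success that arrives while a source is still over the failure threshold.

```python
"""Brute-force and password-spray detection over constructed auth log lines.

Added example, not NCSC code. The log format is a hypothetical simplified
one: '<ISO timestamp> auth <FAIL|OK> user=<name> src=<ip>'.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    """Parse matching lines into (timestamp, result, user, src); skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected lines are ignored, not fatal
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(lines: List[str], window: timedelta = timedelta(minutes=10),
           fail_threshold: int = 5, spray_users: int = 3):
    """Return (brute_force_sources, spray_sources, successes_after_failures).

    A source is brute-forcing when it has >= fail_threshold failures inside the
    window, spraying when those failures cover >= spray_users distinct accounts.
    A success is reported when it lands while the source is over the threshold.
    """
    events = sorted(parse(lines))
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    brute: Set[str] = set()
    spray: Set[str] = set()
    success_after_failures: List[Tuple[datetime, str, str]] = []
    for ts, result, user, src in events:
        q = recent[src]
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= fail_threshold:
                brute.add(src)
            if len({u for _, u in q}) >= spray_users:
                spray.add(src)
        elif len(q) >= fail_threshold:
            success_after_failures.append((ts, user, src))
    return brute, spray, success_after_failures


# Constructed sample log: addresses are from documentation ranges, users invented.
SAMPLE_LOG = """
2025-06-01T08:00:01 auth FAIL user=alice src=203.0.113.7
2025-06-01T08:00:03 auth FAIL user=alice src=203.0.113.7
2025-06-01T08:00:05 auth FAIL user=alice src=203.0.113.7
2025-06-01T08:00:07 auth FAIL user=alice src=203.0.113.7
2025-06-01T08:00:09 auth FAIL user=alice src=203.0.113.7
2025-06-01T08:00:12 auth OK user=alice src=203.0.113.7
2025-06-01T08:10:00 auth FAIL user=bob src=198.51.100.9
2025-06-01T08:11:00 auth FAIL user=carol src=198.51.100.9
2025-06-01T08:12:00 auth FAIL user=dave src=198.51.100.9
2025-06-01T09:00:00 auth FAIL user=erin src=192.0.2.44
2025-06-01T09:30:00 auth OK user=erin src=192.0.2.44
"""

if __name__ == "__main__":
    brute, spray, hits = detect(SAMPLE_LOG.splitlines())
    print("brute-force sources:", sorted(brute))
    print("password-spray sources:", sorted(spray))
    for ts, user, src in hits:
        print(f"success for {user} from {src} at {ts} after repeated failures")
```

The spray threshold deliberately sits below the brute-force threshold: a spray produces few failures per account, so counting failures per account alone would miss it. The single failure from 192.0.2.44 followed by a success half an hour later is ordinary user behaviour and is not flagged.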

Of the moderate to significant credential-based incidents, government organisations were highly impacted, likely due to the targeting of sensitive information. 


Case study 5: Device vulnerability

In August 2025, the NCSC received a report from New Zealand Police with information that devices owned by 19 New Zealand organisations had been compromised by a suspected ransomware group. 

Implications for organisations

Threat actors – particularly advanced ones – are quick to exploit the time between vulnerability disclosure and patching. This means that organisations must focus on vulnerability management.

Additionally, organisations should ensure that second-order defences such as network segmentation, principle of least privilege, MFA, and software allow-lists are in place. These measures can reduce the impact of clicking on bad links, or zero-day vulnerabilities being exploited against public-facing applications.

Poor credential practices also offer opportunities to threat actors, especially with the rising adoption of cloud-based services that can be accessed from anywhere in the world.

As New Zealand organisations adopt a cloud-first strategy for storing and processing their sensitive information, malicious cyber actors will almost certainly ‘follow the data’ and target application programming interface (API) endpoints, mobile endpoints and credentials to gain cloud access. Credential and account compromises will continue to be an important part of malicious cyber tradecraft, enabling cyber actors to steal sensitive information.

Readiness considerations

Three questions leaders should be asking:

  1. Do we have an ongoing process for understanding the systems within our environment?
  2. How effective is our patch management programme, and do we allow downtime to address vulnerabilities?
  3. Are we confident our systems are not exposed through misconfiguration or unmonitored endpoints?