CyberCX Hack Report: Insights from a year of offensive security testing

CyberCX Hack Report reveals top cyber vulnerabilities and exploits

Melbourne, Australia – 8 April 2025


• Report compiles data from 2,500 CyberCX penetration tests and adversary simulations last year
• Three root causes were responsible for nine in ten findings
• Industries reliant on Operational Technology (OT) like healthcare and transport have higher rates of severe risk findings


CyberCX has released its Hack Report for 2025, revealing that Application and Development Security, Identity and Access Management, and Configuration and Patch Management were responsible for 90% of findings CyberCX’s offensive testers made last year.

With more than 150 penetration testers in Australia, New Zealand, the United Kingdom and United States, CyberCX’s Security Testing and Assurance (STA) practice is the largest private sector team of ethical hackers in the southern hemisphere and one of the largest in the world.

The report includes insights and trends from more than 2,500 engagements STA performed for 800 customers in 2024, yielding 26,000 individual findings – or roughly one finding every 20 minutes. Of these, 2,500 findings were classed as severe – meaning that had a criminal or threat actor found the vulnerability before CyberCX, the consequences to that organisation could have been devastating.

Key findings in the report include:

  • Industries reliant on Operational Technology (OT) have the highest rates of severe risk findings – CyberCX data shows above-average rates of severe findings in Utilities and Resources, Logistics and Transport, Healthcare and Manufacturing, and the Construction industry segments – all sectors with high use of OT systems.
  • Three root causes are responsible for nine in ten findings – Application and Development Security, Identity and Access Management, and Configuration and Patch Management were the dominant root causes of findings, across both severe and non-severe. Strategic security uplift should focus on these key themes instead of tactical fixes.
  • Application Security engagements doubled in 2024 – With over a third of severe findings in 2024 relating to weaknesses in application and development security, organisations are aware that their in-house developed applications are being heavily targeted and are taking a more proactive approach to securing them.
  • Internal networks remain a significant source of risk – While internet-facing attack surfaces of organisations continue to be hardened, severe findings were found in over 80% of internal networks tested, indicating that the security of organisations remains brittle and that attackers who gain initial access to an internal network, or insiders with existing access, can relatively easily expand their access and privilege.
  • Government has a slightly lower rate of severe findings than industry – Despite operating in a more resource-constrained environment, security tests in government found a lower rate of severe vulnerabilities compared to industry, which could reflect less OT in government networks and the advantage of frameworks like the Essential Eight.
  • Credential management continues to be a weak spot for organisations – Exercises where CyberCX simulates the tactics and techniques of real-world attackers demonstrate common weaknesses across organisations, particularly the misuse of legitimate credentials by attackers as initial points of entry.
  • Used by attackers and defenders, Artificial Intelligence (AI) is emerging as a significant security disrupter – Adversaries are using AI to improve phishing success rates, rapidly identify vulnerabilities, and accelerate the development of their tradecraft, while defenders use AI to enhance tools and data, rapidly find anomalies and address issues. So far AI presents no significant advantage for either attackers or defenders.

 

Liam O’Shannessy, Executive Director, Security Testing & Assurance (STA) – Research & Capability, said: “Our team of penetration testers, red teamers and security experts spend all hours of the day and night breaking into our customers’ networks, systems and environments – both physical and virtual – to find entry points that could be exploited by real attackers. Our objective is simple: we find these vulnerabilities before the bad guys do.

“The global threat landscape continues to evolve and cyber criminals and nation states are searching relentlessly for new vulnerabilities to exploit. Attackers and their techniques only get better – for defenders, this means that we need to focus our limited resources on activities that will address these real threats and get us ahead of the bad guys.

“By compiling the data and insights from more than 2,500 engagements we performed in 2024, our hope is that security professionals will be better informed about the state of vulnerabilities in our region and organisations will be better able to allocate their limited security resources.”

 

You can access the full report here: https://cybercx.com.au/resource/hack-report

ENDS

 


About CyberCX

CyberCX is the leading provider of end-to-end cyber security and cloud services. With a workforce of 1,400 cyber security professionals, CyberCX is a trusted partner to private and public sector organisations, helping customers confidently manage cyber risk, respond to incidents, and build resilience in an increasingly complex and challenging threat environment.

 

