In 90 percent of ransomware incidents in 2025, attackers exploited firewalls through unpatched vulnerabilities or compromised accounts, according to research by Barracuda.
In 90 percent of ransomware incidents in 2025, attackers exploited firewalls through an unpatched vulnerability or a vulnerable account, according to the Barracuda Managed XDR Global Threat Report. Furthermore, figures show that in the fastest observed attack, there were only three hours between the initial breach and the encryption of data. Additionally, Barracuda highlights the ongoing risk of unpatched software: the most common vulnerability dates back to 2013.
Three hours
According to the research, attackers gain access to the network through vulnerable firewalls. They exploit known CVEs or abuse accounts with elevated privileges. Once inside, they attempt to evade detection and hide malicious traffic.
The fastest attack recorded by Barracuda involved Akira ransomware. Only three hours passed between the initial breach and the actual encryption of data. With such short timeframes, defenders have little time to detect and respond to attacks.
In 96 percent of incidents where lateral movement was detected, a ransomware attack eventually followed. Lateral movement refers to the moment an attacker spreads further through the network after initial access to an endpoint. According to the report, this is a key indicator of an imminent attack.
Old vulnerabilities
One in ten detected vulnerabilities involved a known exploit. The most common vulnerability dates back to 2013: CVE-2013-2566, a flaw in an outdated encryption algorithm still present in legacy systems and embedded applications. According to researchers, this points to the ongoing risk of unpatched software.
Additionally, 66 percent of incidents were related to the supply chain or a third party. This share rose from 45 percent in 2024. Attackers exploit weaknesses in external software to gain access to targets.
The report analyzes more than two trillion IT events collected in 2025 through the company’s Managed XDR service. The dataset includes nearly 600,000 security alerts and more than 300,000 secured endpoints, firewalls, servers, and cloud environments.
