IBM X-Force Report Surfaces Increased Exploitation of Public-Facing Apps
2026-2-25 05:1:36 Author: securityboulevard.com

An analysis of cybersecurity attacks published today by the X-Force arm of IBM finds there was a 44% increase in the exploitation of public-facing applications in 2025.

More troubling still, of the 40,000 vulnerabilities tracked by IBM X-Force, more than half (56%) did not require an attacker to bypass any type of authentication before exploiting them.

In total, public-facing applications accounted for 40% of incidents, compared to 32% of incidents where cybercriminals were able to gain access to a set of valid credentials.

According to X-Force, the deployment of malware was the action most often observed being taken by cybercriminals, making up 41% of cases. Of all the malware cases, 18% included the deployment of ransomware, while another 18% deployed webshells. Infostealers and backdoors both made up 10% of malware cases. The next most observed action on objective was the use of legitimate tools for malicious purposes, accounting for 28% of cases. That activity reflects hands-on-keyboard post-exploitation work and the deployment of utilities that enable lateral movement and privilege escalation.

Chris Caridi, a strategic threat analyst for IBM X-Force, said that lack of fundamental authentication suggests that far too many organizations are not adhering to secure-by-design principles when building and deploying software.

More challenging still, there are more new vulnerabilities being introduced into software supply chains, noted Caridi. It’s not clear to what degree that trend reflects weaknesses across the complex ecosystem relied on to build software or if researchers are simply discovering and reporting more vulnerabilities, but the number of vulnerabilities being created as developers rely more on artificial intelligence (AI) coding tools to create software is only going to increase. Unfortunately, adversaries are also increasingly using AI tools to not only discover vulnerabilities faster but also generate exploits quicker than ever.

Of course, the path of least resistance remains stealing credentials. Among the most valuable credentials, not surprisingly, are ones that malicious actors can use to access generative AI platforms. According to IBM X-Force researchers, more than 300,000 ChatGPT credentials were observed for sale on various forums in 2025.

Continuous integration and continuous delivery (CI/CD) platforms that are used to build and deploy applications have also become prime targets for credential theft and workflow abuse. Malicious scripts are capable of harvesting tokens, application programming interface (API) keys and cloud credentials directly from DevOps pipelines, while compromised personal access tokens provide long-term access across repositories and cloud environments. Once attackers obtain developer or CI/CD credentials, they can easily pivot into cloud platforms using legitimate API calls to create unauthorized admin accounts and extract sensitive data, the IBM X-Force report noted.

Finally, the IBM X-Force report noted there was a 49% increase in active ransomware groups compared to 2024, with 109 different ransomware extortion groups identified by X-Force in 2025.

The challenge, as always, is to not only prevent as many breaches as possible but also limit the blast radius whenever they inevitably occur. As such, there is no substitute for cybersecurity fundamentals, said Caridi. The issue, of course, is that given the ever-expanding size of the attack surface that needs to be defended, it’s still too easy for even the most experienced IT professional to make a mistake.



Source: https://securityboulevard.com/2026/02/ibm-x-force-report-surfaces-increased-exploitation-of-public-facing-apps/