A new report reveals a concerning increase in critical cybersecurity vulnerabilities across various sectors. The study, based on numerous intrusion tests conducted in 2024, highlights the current state of digital defenses and the challenges organizations face in protecting their assets.

According to the report, attackers are increasingly exploiting access control problems rather than relying on sophisticated Zero-Day exploits. This underscores the importance of basic security hygiene and robust access management practices.

Key Findings of the Cybersecurity Intrusion Report

• Critical vulnerabilities in websites, APIs, and infrastructure have doubled since 2023.
• almost 40% of vulnerabilities pose high-critical risks to organizations.
• Low-risk vulnerabilities are often leveraged to amplify the impact of more critical faults.

The report includes case studies demonstrating how ethical hackers successfully compromised external assets and internal networks, mimicking techniques used in real-world cyber attacks. In the tests, only one client successfully prevented access to sensitive data.

“The attackers do not need to exploit zero-Day flaws when they can simply act as administrators due to access control problems,”

Infrastructure Weaknesses: A Gateway to Digital Compromise

• Obsolete software and patch mismanagement remain persistent issues.
• Weak authentication and insufficient network segmentation facilitate unauthorized access.
• Nearly 60% of infrastructure flaws are classified as high or critical.

The Gap Between Reality and Regulations

The report emphasizes the need for organizations to address the practical implications of regulations like Dora and Nis2, which are now in effect in the EU.

Key Conclusions from the Report

• Regular customers who conduct periodic tests observe 70% fewer critical faults.
• Real attack scenarios exhibit predictable and repeatable patterns.
• Weak or reused credentials increase the external attack surface and amplify the consequences of internal breaches.

Forecasts for 2025

• An increase in vulnerabilities linked to AI is expected.
• Greater adoption of ethical red-teaming based on Threat Intelligence (Tiber) is anticipated.
• Faults related to access control and business logic are likely to persist.
• Ongoing risks associated with the supply chain and third-party components are expected.