Linux Vulnerability Exploitation Surges In Q4 2025 According To Kaspersky

Kaspersky experts have reported a significant increase in cyberattacks targeting Linux systems during the fourth quarter of 2025, highlighting a growing trend in both broad and targeted exploitation. Analysis of vulnerabilities exploited in the wild shows that while the threat landscape varies between attack types, several patterns are consistent. Broad attacks saw Linux exploitation surge, accounting for nearly half of all observed attacks in the quarter, driven not only by attacks on servers but also by the rising adoption of Linux on desktops. Attackers continued to focus heavily on legacy flaws, including Dirty Pipe and Netfilter vulnerabilities identified as CVE-2022-0847, CVE-2019-13272, CVE-2021-22555, and CVE-2023-32233, largely exploiting systems where users had failed to apply updates. Meanwhile, exploitation rates targeting Windows systems declined to their lowest levels of 2025, although they remain higher than early 2024, with older vulnerabilities such as CVE-2017-11882 and CVE-2018-0802 in Microsoft Office’s Equation Editor and CVE-2017-0199 in Microsoft Office and WordPad continuing to dominate attack attempts.

Both targeted and widespread campaigns increasingly exploited vulnerabilities in archiving software. In 2025, attackers successfully leveraged flaws in WinRAR, including CVE-2023-38831, CVE-2025-6218, and CVE-2025-8088, as well as CVE-2025-11001 in 7-Zip. These vulnerabilities allowed attackers to execute code through manipulated archives, which has become a popular vector due to the widespread use of archiving tools across enterprise and personal systems. The trend underscores the need for organizations and individuals to regularly update and patch software, especially commonly used utilities, to prevent exploitation by attackers who often target overlooked or undermaintained applications.

Targeted attacks were dominated by recent vulnerabilities discovered in the previous six months. Kaspersky highlighted that React4Shell attacks were the most frequent, followed by exploitation of CVE-2025-61882 in Oracle E-Business Suite and CVE-2025-8088 in WinRAR. Analysts noted that many of these vulnerabilities are likely to remain active threats for extended periods, as mitigating them requires structural changes to affected applications and widespread updates across user systems. In addition to exploiting software flaws, attackers frequently deploy command-and-control (C2) frameworks post-exploitation, with Sliver, Mythic, Havoc, and Metasploit reported as the most commonly observed C2 tools in active campaigns.

The detailed Kaspersky report on Securelist provides an extensive overview of these trends, linking specific attacker tools to vulnerabilities exploited throughout 2025. It offers critical insights into the evolution of attack patterns, highlighting the most exploited flaws and demonstrating the continued importance of proactive patch management, monitoring, and the use of security frameworks capable of detecting and mitigating exploitation attempts. Analysts emphasize that both enterprises and individual users should remain vigilant, particularly when legacy systems or commonly targeted applications are in use, as threat actors continue to adapt their techniques to maximize impact and bypass conventional security measures.
