In 2025 the pace and sophistication of cyber hacks reached alarming levels. A sweeping cyber espionage campaign targeting Microsoft SharePoint servers compromised roughly 100 organizations in July. Only one month later, the automotive industry was hit when Jaguar Land Rover faced what’s been called the costliest cyberattack in U.K. history. And across dozens of industries, from retail to education, data breaches exploded as hackers found open doors in exposed endpoints and flat networks, gaps that encrypted connections could have closed.
2025 wasn’t an anomaly; it was a warning.
This past year exposed how fragile modern networks still are — flat, overexposed, and dependent on centralized infrastructure. The biggest damage didn’t come from clever phishing emails. It came from open doors, shared blast radiuses, and brittle network design.
Here, we count down the 10 most impactful cyberattacks and failure modes of 2025, and what they reveal heading into 2026.
10. Beware 2026: The Rise of AI-Driven Malware
AI was everywhere in 2025, including in the cyber hack conversation. According to Experian’s newly released 2026 Data Breach Industry Forecast, cyber threats in 2026 will be dramatically reshaped by the adoption of AI — not just by defenders, but by attackers.
One highlight example in 2025 was Anthropic’s report on the manipulation of its AI coding tool, Claude Code, by a China-linked group to perform “the first reported AI-orchestrated cyber espionage campaign” that required significantly less human tactical work for a large-scale attack.
Some of the key predictions in Experian’s report included how attackers will leverage synthetic profiles and autonomous AI agents to craft highly realistic and personalized attacks. Instead of broad, generic phishing or spam, hackers may use AI-generated “deep identity” profiles to impersonate real people, with convincing nuances in language, behavior, and even social connections.
The report also said to expect a rise in “shape-shifting malware,” or malware powered by AI that can dynamically evolve, adapt to defensive measures, or evade detection. Cybercriminals could employ self-modifying code, AI-driven polymorphism, or behavior that changes based on the environment or detection mechanisms. As Experian put it: “Technology is evolving at breakneck speed, and cybercriminals are often the first to adopt tools like AI to outpace defenses and exploit vulnerabilities.”
Why this matters: Static defenses won’t survive adaptive threats. Reducing attack surface beats chasing signatures.
9. Salesforce: Third-Party Data Theft
In August 2025, hackers leveraged compromised login tokens tied to a trusted Salesloft Drift third-party integration to access hundreds of Salesforce customer instances. They then systematically exported sensitive corporate data. The campaign, which was tracked by Google Threat Intelligence, wasn’t a direct flaw in Salesforce. Instead, it was a failure in the trust model around live SaaS integrations that gave hackers broad access once a connected dependency was breached. More than 700 organizations were potentially affected; the harvested data included credentials such as AWS access keys and other sensitive tokens that could be used to unlock deeper infrastructure access.
Why this matters: This hack showed how trusted tooling and API integrations can become a mass blast radius when implicit trust is assumed — a threat that properly employed identity-centric networking can dramatically reduce.
8. Microsoft Azure: Front Door Misconfiguration
On October 29, Microsoft Azure suffered a global outage caused by a single faulty configuration change.
Authentication failed. Content couldn’t be served. Businesses were stuck and major online tools went down, including Snapchat, Slack, and Amazon.com. Risk analytics firm CyberCube estimated that insured losses from the outage’s impact on businesses could have reached about $581 million.
Why this matters: Massive cloud scale doesn’t equal resilience. Architecture matters more than branded services.
7. Microsoft SharePoint: The Zero-Day Trust Gap
In July 2025, attackers exploited a zero-day vulnerability in Microsoft SharePoint, compromising roughly 100 organizations, including government and financial institutions. What turned a single software flaw into a multi-organization incident wasn’t just the exploit itself, but tight coupling and flat internal networks that let attackers move unchecked across trusted dependencies.
One compromised service became a cascading failure because everything connected to it implicitly trusted it.
Why this matters: Resilience comes from decoupling and identity-based segmentation. When access is granted by cryptographic identity instead of implicit trust, a single compromised dependency doesn’t become an enterprise-wide failure.
6. Ivanti: When the Front Door Becomes a Master Key
In 2025, legacy VPN appliances continued to be soft targets. In mid-March 2025, attackers exploited a critical Ivanti Connect Secure VPN vulnerability to breach remote access appliances and gain persistent footholds, illustrating how compromised VPN infrastructure can lead to broad network access when internal trust isn’t segmented.
Why this matters: VPNs assume trust based primarily on location. A fully secure networking platform assumes trust based on cryptographic identity — a fundamental shift.
5. Trinity of Chaos: Hacker Supergroups
Previously independent threat actors have now begun collaborating, sharing tooling, access, and intelligence at greater levels. This is projected to extend further into nation-state supported hacking groups. In 2025, the China-linked Salt Typhoon group continued attacks on U.S. telecom and communications companies and their infrastructure, including giants like AT&T, Verizon, and Cox Communications. The result: faster attacks, wider impact, and fewer gaps between intrusion and exploitation.
Why this matters: Speed kills perimeter defenses. Cryptographic identity and least-privilege networking can slow attackers down, or stop them cold.
4. Change Healthcare: Flat Networks Enabling Lateral Movement
Across retail, education, healthcare, insurance, and manufacturing, breaches followed the same pattern: one exposed endpoint led to unrestricted east-west movement, which in turn led to total environment compromise.
Throughout 2025, organizations were still dealing with the fallout from the Change Healthcare breach, where attackers entered through a single exposed access point in 2024 and were able to move laterally across a flat internal network. This triggered nationwide disruption to healthcare payments and pharmacy systems.
Why this matters: Most damage happens after initial access. A secure networking platform offers microsegmentation that eliminates this class of attack entirely.
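To make the lateral-movement pattern concrete, here is an added illustration that is not code from the original post or from ZeroTier’s own rules engine. It models the blast radius from one compromised endpoint under three policies: a flat /24 where everything can reach everything, a role-based allow list whose roles are derived from the claimed source IP (location-based trust, as with a VPN), and the same allow list keyed on the authenticated device identity instead. The inventory, key fingerprints, roles, ports and rules are all constructed for the example; the model pessimistically treats every host the attacker can open a permitted flow to as fully compromised in turn.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    fingerprint: str  # hypothetical fingerprint of the device's public key
    ip: str           # address the device claims on the wire
    role: str         # role assigned to this identity by the identity store


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int


# Constructed inventory: one /24 of hosts with roles (not a real deployment).
DEVICES = [
    Device("fp-web-01", "10.0.0.10", "web"),
    Device("fp-web-02", "10.0.0.11", "web"),
    Device("fp-app-01", "10.0.0.20", "app"),
    Device("fp-db-01", "10.0.0.30", "db"),
    Device("fp-hr-01", "10.0.0.40", "hr"),
    Device("fp-jump-01", "10.0.0.50", "admin"),
]
DEVICE_BY_FP = {d.fingerprint: d for d in DEVICES}
ROLE_BY_FP = {d.fingerprint: d.role for d in DEVICES}  # identity store
ROLE_BY_IP = {d.ip: d.role for d in DEVICES}           # legacy, IP-keyed ACL view

# Constructed least-privilege rules: only the flows the application needs.
LEAST_PRIVILEGE_RULES = [
    Rule("web", "app", 8443),
    Rule("app", "db", 5432),
    Rule("admin", "app", 22),
    Rule("admin", "db", 22),
]
PORTS = (22, 5432, 8443)


def flat_policy(src, dst, port):
    """Flat network: any host in the same /24 can reach any other on any port."""
    return src.ip.rsplit(".", 1)[0] == dst.ip.rsplit(".", 1)[0]


def _role_rules_allow(rules, src_role, dst, port):
    return any(r.src_role == src_role and r.dst_role == dst.role and r.port == port
               for r in rules)


def ip_acl_policy(rules):
    """Source role derived from the claimed source IP: location-based trust."""
    def allow(src, dst, port):
        return _role_rules_allow(rules, ROLE_BY_IP.get(src.ip), dst, port)
    return allow


def identity_policy(rules):
    """Source role derived from the authenticated key fingerprint: identity-based trust."""
    def allow(src, dst, port):
        return _role_rules_allow(rules, ROLE_BY_FP.get(src.fingerprint), dst, port)
    return allow


def blast_radius(start_fp, allow, devices=DEVICES, ports=PORTS):
    """Fingerprints of every host reachable, transitively, from one compromised device.

    Breadth-first search over permitted flows; each reached host is assumed to be
    fully compromised in turn, which is the east-west pattern described above."""
    by_fp = {d.fingerprint: d for d in devices}
    seen = {start_fp}
    queue = deque([start_fp])
    while queue:
        cur = by_fp[queue.popleft()]
        for dst in devices:
            if dst.fingerprint in seen:
                continue
            if any(allow(cur, dst, p) for p in ports):
                seen.add(dst.fingerprint)
                queue.append(dst.fingerprint)
    seen.discard(start_fp)
    return sorted(seen)


def spoof_ip(device, claimed_ip):
    """Attacker keeps the device's real key but forges its source address."""
    return Device(device.fingerprint, claimed_ip, device.role)


if __name__ == "__main__":
    identity = identity_policy(LEAST_PRIVILEGE_RULES)
    print("flat:    ", blast_radius("fp-web-01", flat_policy))
    print("identity:", blast_radius("fp-web-01", identity))
    # A web server forging the jump host's IP is trusted by the IP ACL, not by identity.
    forged = spoof_ip(DEVICE_BY_FP["fp-web-01"], "10.0.0.50")
    db = DEVICE_BY_FP["fp-db-01"]
    print("spoof vs IP ACL:  ", ip_acl_policy(LEAST_PRIVILEGE_RULES)(forged, db, 22))
    print("spoof vs identity:", identity(forged, db, 22))
```

Running it shows the point of items 4, 6 and 7 together: from a single compromised web server the flat network exposes all five other hosts, the identity-scoped policy exposes only the app tier and, through it, the database it legitimately talks to, and a forged source address buys nothing against a policy that keys on the authenticated identity rather than on where a packet claims to come from.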
3. Cloudflare: When “The Internet’s Firewall” Goes Down — Twice
In November, and again in December, Cloudflare outages took massive portions of the web offline, including SaaS platforms, fintech apps, and enterprise services.
Ironically, one outage was triggered by a security-related firewall change.
Why this matters: Security tooling itself can become a failure domain when everything flows through it. This can be particularly problematic when large swaths of internet real estate pass through major providers. Secure networking platforms break the blast radius by ensuring traffic flows directly between trusted endpoints, not through shared security bottlenecks.
2. Jaguar Land Rover: Nation-State Espionage Goes Industrial
Cyber operations once focused on data theft. In 2025, they disrupted manufacturing, logistics, and operations. Late August’s Jaguar Land Rover attack, now being dubbed the costliest cyber attack in U.K. history, halted production for weeks. The Cyber Monitoring Centre estimated the total cost to the U.K. economy at about $2.5 billion USD. Beyond Jaguar Land Rover, other industrial and logistics attacks also proliferated in 2025, including those on food supply and distribution companies.
Why this matters: Operational networks were never designed for hostile environments. Identity-first networking is no longer optional; it’s required.
1. AWS’s Failure: Cascading Dependency Failures
On October 20, a failure in AWS’s most relied-upon region caused cascading DNS failures across the internet.
Banking, e-commerce, SaaS, and internal enterprise tools went dark for hours, including Venmo, Canva, and Robinhood. The incident underscored a harsh reality: a single point of failure at a major cloud provider can paralyze large swaths of the internet, highlighting how critical infrastructure, and even basic services, remain deeply exposed.
Why this matters: Centralized cloud regions are single points of failure. Direct, peer-to-peer networking reduces dependency on any one provider.
The Bottom Line
The defining failures of 2025 weren’t exotic exploits. They were architectural: flat networks, over-trusted internal traffic, centralized infrastructure, and identity handled with legacy thinking. This is the environment attackers thrive in.
Prepare for 2026: How ZeroTier Can Help Tackle These Risks
A secure networking platform, like ZeroTier, gives enterprises a way to shrink their attack surface without adding complexity. ZeroTier’s identity-centric architecture means every device is authenticated with cryptographic keys, not locations or brittle IP rules. This alone eliminates entire classes of lateral-movement attacks.
Because ZeroTier builds direct, encrypted peer-to-peer links, an enterprise’s traffic never has to depend on a single vendor-controlled hop. Even if part of the internet is congested or a provider is compromised, ZeroTier automatically reroutes across the best available path. And because ZeroTier works across cloud, on-prem, edge, and remote environments, an enterprise’s entire footprint can be unified under one resilient networking fabric.
The bottom line: ZeroTier makes secure connectivity an enabler, not a risk. As 2026 brings more coordinated, fast-moving threats, organizations need networking that’s flexible, encrypted end-to-end, and immune to single points of failure.
Want to learn more about how ZeroTier can help reduce your enterprise’s attack surface? Request a demo today.