As cybersecurity professionals, it's essential to anticipate the cyber threats we'll face in 2025. We must also consider what our adversaries—hackers—are preparing for in the coming year.
In this blog, we'll outline the key cybersecurity trends to watch in 2025, including the increasing use of AI by both attackers and defenders, the rise of IoT-based threats, and the vulnerabilities emerging within Web3 technologies. We'll also highlight how developers continue to make fundamental security mistakes, leaving their applications vulnerable.
For security leaders and teams, staying ahead of these evolving threats will require a shift in strategy and a stronger emphasis on proactive security measures. Let’s look at what 2025 holds and the new exploits hackers will likely target this year.
Time to Exploit Will Continue to Shrink
Building on recent trends, such as the reduction of time-to-exploit (TTE) to just five days in 2023 as reported by Google, artificial intelligence (AI) is poised to revolutionize exploitation, shifting the dynamics of attack and defense. In 2025, Hadrian predicts AI will drive the TTE for zero-day vulnerabilities to record-breaking lows.
![](https://cdn.prod.website-files.com/671fb08c85a0ca2b95fe78eb/67a4779d389bfb55c339922d_image%20(1).png)
AI, particularly large language models (LLMs), has emerged as a double-edged sword in cybersecurity. Platforms like ChatGPT, Claude, and Gemini, along with open-source innovations, have been repurposed by cybercriminals to automate the discovery and exploitation of vulnerabilities. These models allow for rapid reconnaissance, planning, and execution of attacks, significantly lowering the barrier to entry for malicious actors.
Sophisticated frameworks such as PENTESTGPT, which was developed at the Nanyang Technological University, automate many penetration testing tasks. In their paper, PENTESTGPT was assessed for its ability to perform a variety of tasks from straightforward web enumeration and port scanning to more complex command injection and cryptanalysis.
Other researchers have developed a multi-agent framework for cybersecurity exploits, namely HPTSA. There are three major components of HPTSA: a hierarchical planner, a variety of task-specific agents, and an agent manager. The same team has reportedly exploited 87% of common vulnerabilities and exposures using just a single LLM.
The new AI exploit frameworks will likely be utilized against exposed high-value targets such as cloud infrastructure and software supply chains. Professional cybercrime organizations, already well-resourced, are leveraging AI to weaponize new vulnerabilities and execute sophisticated attacks faster than ever.
The National Cyber Security Centre (NCSC) has stated that current AI hacking frameworks require human expertise to maximize their potential. The NCSC also notes that nation-states will likely have the data needed to train highly effective AI models for hacking that require little human intervention.
However, highly advanced cybercrime organizations such as Killsecurity, CL0P, and GXC Team also have access to such expertise and resources. It is believed that CL0P earned over $75 million from their MOVEit extortion attack alone, allowing them to invest in weaponizing AI.
Hadrian researchers believe that advancements in AI will enable attackers to use LLMs to chain low- and medium-severity CVEs across different systems. This could create exploit sequences that human attackers might overlook, turning previously "unexploitable" vulnerabilities into critical risks.
We predict that by the end of 2025, there will be small-scale testing of AI exploitation frameworks by cybercriminal gangs. Over time these will likely be developed into “as-a-service” offerings and sold on the dark web.
Search Results Will Become a Popular Vector for Phishing
Hackers are getting smarter—and in 2025, they’ll be increasingly using an innovative tactic to trick users: manipulating search engine results. Subdomain takeovers will become a major vector for phishing, malware distribution, and data theft. Vulnerability to takeovers was already one of the most common issues discovered by Hadrian in 2024, but now, cybercriminals aren’t just hijacking subdomains—they’re making them rank at the top of search results.
Subdomain takeovers are commonly used to host phishing sites on hijacked subdomains, tricking users into providing sensitive information, such as login credentials or financial details. Additionally, attackers may use compromised subdomains to distribute malware, potentially leading to data breaches and unauthorized access to systems.
A more recent development is attackers' ability to optimize hijacked subdomains—or newly registered domains that resemble trusted brands—to rank higher in search engine results. By leveraging weaknesses in search algorithms and AI-generated content, cybercriminals can quickly make these malicious domains appear credible, luring unsuspecting users into revealing sensitive information or completing fraudulent transactions.
This new vector exploits users' implicit trust that search engine results, especially top-ranking results, have undergone some form of security verification. As a result, the technique will be more successful than phishing emails, which users have been trained to watch for.
Retail and banking organizations are particularly vulnerable due to the high value of the data they handle. Subdomain takeovers targeting these industries often involve AI-driven cloning of legitimate websites, complete with realistic phishing pages designed to harvest login credentials, payment card details, and other sensitive data. This results in not only financial losses but also long-term reputational damage that can erode customer trust.
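The takeover condition described above begins with a dangling DNS record: a CNAME that still points at a third-party hosting target the organization no longer controls. The following inventory check is an added example, not Hadrian's tooling or code from the original post. It runs over a constructed record set (the hostnames, CNAME targets and lookup results are sample data) and separates records that point at unclaimed third-party targets, which should be deleted or reclaimed first, from records that are merely stale. The hosting suffix list is an illustrative subset, not an exhaustive one.

```javascript
// Third-party hosting suffixes where an unclaimed CNAME target can be
// registered by anyone. Illustrative subset; extend for your environment.
const THIRD_PARTY_SUFFIXES = [
  ".github.io",
  ".herokuapp.com",
  ".s3.amazonaws.com",
  ".azurewebsites.net",
];

// Constructed DNS inventory (sample data, not from the article).
// `targetStatus` is what a lookup of the CNAME target returned in a
// prior resolution pass: "RESOLVES" or "NXDOMAIN".
const SAMPLE_RECORDS = [
  { name: "www.example.com",    cname: "prod-lb.internal.example.com",    targetStatus: "RESOLVES" },
  { name: "blog.example.com",   cname: "example-blog.github.io",          targetStatus: "NXDOMAIN" },
  { name: "promo.example.com",  cname: "summer-2019.herokuapp.com",       targetStatus: "NXDOMAIN" },
  { name: "assets.example.com", cname: "example-assets.s3.amazonaws.com", targetStatus: "RESOLVES" },
  { name: "old.example.com",    cname: "old-site.example.net",            targetStatus: "NXDOMAIN" },
];

// Classify one record:
//   OK                 target still resolves, nothing to do
//   TAKEOVER_CANDIDATE target is gone and lives on a provider where anyone
//                      can claim the name, so the subdomain can be hijacked
//   DANGLING           target is gone but not on a known self-service host;
//                      still clean it up, but it is not directly claimable
function classifyRecord(record) {
  if (record.targetStatus !== "NXDOMAIN") return "OK";
  const target = record.cname.toLowerCase();
  const onThirdParty = THIRD_PARTY_SUFFIXES.some((s) => target.endsWith(s));
  return onThirdParty ? "TAKEOVER_CANDIDATE" : "DANGLING";
}

// Return only the records that need attention, tagged with their finding.
function findDanglingRecords(records) {
  return records
    .map((r) => ({ ...r, finding: classifyRecord(r) }))
    .filter((r) => r.finding !== "OK");
}

// Count findings by class so a report can lead with the urgent ones.
function summarizeFindings(findings) {
  const summary = { TAKEOVER_CANDIDATE: 0, DANGLING: 0 };
  for (const f of findings) summary[f.finding] += 1;
  return summary;
}

// Stand-alone run over the constructed inventory.
const findings = findDanglingRecords(SAMPLE_RECORDS);
for (const f of findings) {
  console.log(`${f.finding.padEnd(18)} ${f.name} -> ${f.cname}`);
}
console.log(summarizeFindings(findings));
```

In practice the `targetStatus` column comes from a resolver pass over the zone export; the classification logic is the part that decides what to fix first. Removing the stale CNAME (or re-registering the target under your own account) closes the takeover window regardless of how the hijacked name would later be promoted in search results.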
“Subdomain takeover allows hackers to leverage both the brand and SEO of the organization they are impersonating; this technique will gain popularity in 2025. One of the most likely targets will be e-commerce businesses which have large attack surfaces.” - Arpit Borawake, Security Engineer at Hadrian
Hadrian predicts that AI will accelerate the discovery and exploitation of these vulnerabilities, automating processes like reconnaissance, vulnerability identification, and exploitation. This will lower the barrier of entry for attackers, enabling even less skilled individuals to execute highly targeted, fast, and large-scale attacks. With search engines acting as unwitting accomplices, this phishing evolution could make 2025 the year cybercriminals turn SEO into a weapon.
Security Gaps in Software Development Will Grow
Despite a growing emphasis on secure development practices and regulatory frameworks, the rapid pace of technological advancement has created fertile ground for software vulnerabilities. As frameworks, tools, and technologies evolve, so too do the opportunities for attackers to exploit weaknesses, especially with the aid of artificial intelligence (AI).
For example, even with compliance standards like PCI DSS Requirement 6 mandating the mitigation of injection attacks, Hadrian’s research in 2024 revealed that 57% of identified critical vulnerabilities were injection-related. Since the release of ChatGPT, AI has changed development practices, enabling developers to operate with increased efficiency. Generative AI tools are increasingly used by developers when coding, but AI models often lack the contextual understanding necessary to produce secure code.
Without proper safeguards, AI-generated code can inadvertently introduce vulnerabilities, such as cross-site scripting (XSS) or SQL injection, into the development pipeline. Research shows that junior and less experienced developers are especially at risk of introducing software vulnerabilities. Yet, organizations often deprioritize developer training on secure coding practices, with an ISC2 report showing that 65% of companies lack regular security training for developers using generative AI.
Developers may expect development frameworks like React to have built-in security features to address common vulnerabilities, but gaps remain. For instance, React struggles with safely handling javascript: or data: URLs and provides unsafe properties like dangerouslySetInnerHTML, which bypasses HTML sanitization. While frameworks aim to simplify development and enhance security, their effectiveness relies heavily on developers’ understanding and implementation of their features. Furthermore, developers may rely on users’ browsers to mitigate common techniques like XSS, but these features are now being deprecated, putting them at risk.
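The two React gaps named above, user-supplied link targets and raw HTML injection, are illustrated below with the vulnerable pattern beside its hardened form. This is an added example, not code from the original post or from React itself; it uses plain JavaScript string rendering so it runs without a React build, with `renderBioUnsafe` standing in for `dangerouslySetInnerHTML`. The allowed scheme list and the `https://app.example` base used to resolve relative links are assumptions for the example. The scheme check parses with the WHATWG `URL` constructor rather than matching on a prefix, so variants such as leading whitespace or mixed case are normalized before the comparison.

```javascript
// Schemes a user-supplied link may use (assumption for this example;
// tighten or extend to match the application).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const SAFE_FALLBACK = "about:blank";

// Constructed application origin used to resolve relative links.
const APP_BASE = "https://app.example";

// Return a link target that is safe to place in an href. Parsing with URL
// normalizes the input (trims whitespace, lowercases the scheme, strips
// embedded tab/newline characters) before the scheme is checked, so
// "javascript:", " JaVaScRiPt:" and "data:" all fall through to the fallback.
function safeHref(userUrl) {
  let parsed;
  try {
    parsed = new URL(String(userUrl), APP_BASE);
  } catch {
    return SAFE_FALLBACK; // unparseable input gets no link at all
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : SAFE_FALLBACK;
}

// Escape the five characters that matter in HTML text and attribute values.
// This is what React does for `{value}` children by default.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: attacker-controlled text goes straight into markup,
// the string equivalent of <div dangerouslySetInnerHTML={{ __html: bio }} />.
function renderBioUnsafe(bio) {
  return `<div class="bio">${bio}</div>`;
}

// Hardened pattern: text is escaped so it renders as text, and the link
// target is filtered through safeHref before it lands in an href.
function renderProfile(profile) {
  const bio = escapeHtml(profile.bio);
  const href = escapeHtml(safeHref(profile.website));
  return `<div class="bio">${bio}</div><a href="${href}">site</a>`;
}

// Stand-alone run over a constructed profile.
const sampleProfile = {
  bio: "<b>hello</b> <script>alert(1)</script>",
  website: " javascript:alert(1)",
};
console.log(renderBioUnsafe(sampleProfile.bio)); // script tag survives
console.log(renderProfile(sampleProfile));       // escaped text, neutral href
```

If the application does need to render user-authored HTML (a rich-text bio, for example), the escape step is replaced by a real sanitizer with an element and attribute allow-list; `safeHref` is still applied to every href and src that sanitizer lets through.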
As organizations grapple with integrating robust security processes into their software development lifecycles, hackers will continue to exploit the resulting vulnerabilities. To effectively mitigate these threats, teams must rethink and strengthen their approach to application security.
IoT Exploitation Will Surge
For the last few years, the impact of IoT on cybersecurity has grown alongside the deployment of the IoT devices themselves. With the number of IoT devices projected to exceed 20 billion in 2025, Hadrian predicts that IoT will become a cornerstone for malicious actors seeking to exploit vulnerabilities for massive distributed denial-of-service (DDoS) attacks, supply chain infiltration, and other forms of cybercrime.
![](https://cdn.prod.website-files.com/671fb08c85a0ca2b95fe78eb/67a478bfcd3331cd0bf17106_image%20(2).png)
“The exponential growth of insecure IoT devices is creating a perfect storm for attackers, with AI turning these vulnerabilities in edge devices into large-scale threats.” - Himanshu Patri, Security Engineer at Hadrian
Attackers are already leveraging IoT devices for hyper-volumetric DDoS attacks. Cloudflare recently reported a record-breaking attack delivering 5.6 terabits per second of traffic, enabled by a botnet of 13,000 compromised IoT devices infected with a Mirai malware variant. There are suspected links between this botnet and new vulnerabilities in AVTECH Cameras and Huawei HG532 routers. DDoS-for-hire services, advertised for as little as $20 per day, are already accessible to a wide range of attackers, and AI will likely enhance their efficiency and success rates. DDoS attacks rose by 1885% in late 2024, and we expect this trend to continue.
IoT devices will become critical entry points for supply chain attacks. Their interconnectivity with broader networks makes them an attractive target for attackers seeking to infiltrate large systems via weaker links. Research indicates that the average IoT device harbors 25 vulnerabilities, and delayed patch management exacerbates the problem. With AI, attackers will increasingly identify and exploit these weaknesses to gain access to larger networks and valuable data.
Hadrian believes that in 2025 disruption due to DDoS attacks by IoT botnets and the number of incidents originating from an IoT vulnerability will reach an all-time high. There will also be more attacks by low-skill hackers looking to gain access to corporate networks, which they will then sell on the dark web.
Web3 Will Create New Vulnerabilities
As Web3 grows, its reliance on Web2 infrastructure, like DNS, APIs, and centralized hosting, creates critical vulnerabilities. While blockchain technology offers decentralization and trustless systems, hybrid applications that merge Web2 and Web3 inherit risks from traditional centralized systems. Hadrian predicts that attackers will exploit this intersection, targeting Web2 components with phishing, DNS hijacking, and API vulnerabilities to compromise Web3 applications.
The Ronin bridge hack, where cybercriminals stole cryptocurrency worth $615 million, highlights the dangers of such hybrid systems. Cross-chain protocols and bridges, which connect different blockchain networks, rely on Web2 for communication and authentication, exposing them to attacks. These centralized components serve as a weak link, making them a priority target for sophisticated attackers.
“Web3 introduces new attack vectors for hackers to exploit, but in many cases, implementations are built on Web2 infrastructure, which hackers can exploit with their existing skills and knowledge.” - Yash Sodha, Security Engineer at Hadrian
New vulnerabilities are introduced with Web3 that target the interface and infrastructure sides of decentralized systems. Smart contracts, which are integral to Decentralized Finance (DeFi), manage significant financial value, making them prime targets for cybercriminals. Despite rigorous audits and security practices, exploits like reentrancy attacks, price oracle manipulations, and logic errors continue to plague the space, leading to devastating financial losses. Open-source code reuse exacerbates these risks, as vulnerabilities in one contract can cascade across multiple platforms.
As the total value locked (TVL) in DeFi exceeds hundreds of billions of dollars, attackers are broadening their scope. Lesser-known DeFi platforms, often lacking robust audits, are emerging as attractive targets. Flash loan attacks, where cybercriminals exploit market mechanisms to manipulate prices or drain liquidity pools, are becoming increasingly prevalent due to their low-cost, high-impact nature. Additionally, as smart contracts grow in complexity, novel attack vectors are likely to emerge, targeting specific flaws in contract logic or interactions with other contracts.
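Of the smart contract flaws listed above, reentrancy is the one with a well-defined coding fix, and the following toy model shows why the fix works. It is an added example, not code from the original post or from any real contract: a plain JavaScript vault stands in for an on-chain contract, integer units stand in for tokens, and the `onReceive` hook models the callback a contract receives when value is transferred to it. `runScenario` exercises the same withdrawal three ways: with the external call made before the balance is updated (the vulnerable ordering), with the checks-effects-interactions ordering, and with a reentrancy lock. The reentrant account is only the minimal callback needed to show the difference between the three.

```javascript
// Toy model of a vault contract. Options select the defences:
//   checksEffectsInteractions  zero the caller's balance BEFORE the external call
//   guard                      reject any nested entry while a withdrawal runs
class Vault {
  constructor({ checksEffectsInteractions = false, guard = false } = {}) {
    this.balances = new Map(); // per-account ledger
    this.funds = 0;            // total units actually held by the vault
    this.cei = checksEffectsInteractions;
    this.guard = guard;
    this.locked = false;
  }

  deposit(account, amount) {
    this.balances.set(account, (this.balances.get(account) || 0) + amount);
    this.funds += amount;
  }

  withdraw(account) {
    if (this.guard) {
      if (this.locked) throw new Error("reentrant call rejected");
      this.locked = true;
    }
    try {
      const amount = this.balances.get(account) || 0;     // check
      if (amount === 0) return;
      if (this.funds < amount) throw new Error("insufficient vault funds");
      if (this.cei) this.balances.set(account, 0);         // effect first (hardened)
      this.funds -= amount;
      account.onReceive(this, amount);                     // interaction (external call)
      if (!this.cei) this.balances.set(account, 0);        // effect last (vulnerable)
    } finally {
      if (this.guard) this.locked = false;
    }
  }
}

// An ordinary account just records what it received.
class Account {
  constructor(name) { this.name = name; this.received = 0; }
  onReceive(_vault, amount) { this.received += amount; }
}

// Models a contract whose receive hook calls back into the vault while the
// vault's ledger still shows the original balance. It stops when the vault
// runs out of funds or when a defence rejects the nested call.
class ReentrantAccount extends Account {
  onReceive(vault, amount) {
    this.received += amount;
    if (vault.funds >= amount) {
      try { vault.withdraw(this); } catch { /* guard rejected nested entry */ }
    }
  }
}

// Constructed scenario: an honest depositor with 100 units and a reentrant
// account with 10 units, which then withdraws its 10.
function runScenario(options = {}) {
  const vault = new Vault(options);
  const honest = new Account("honest");
  const reentrant = new ReentrantAccount("reentrant");
  vault.deposit(honest, 100);
  vault.deposit(reentrant, 10);
  vault.withdraw(reentrant);
  return {
    vaultFunds: vault.funds,
    received: reentrant.received,
    honestLedger: vault.balances.get(honest),
  };
}

// Stand-alone run: the first line shows the honest ledger still says 100
// while the vault holds 0; the other two show the withdrawal capped at 10.
console.log("vulnerable:", runScenario({}));
console.log("checks-effects-interactions:", runScenario({ checksEffectsInteractions: true }));
console.log("reentrancy guard:", runScenario({ guard: true }));
```

The ordering fix and the lock address different things: checks-effects-interactions makes the contract's state correct at the moment control leaves it, while a guard also stops cross-function reentrancy through other entry points that share the same lock. Audits of DeFi contracts look for both, and for the same pattern wherever a contract calls out to code it does not control, including price oracles and other contracts it composes with.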
Hadrian predicts that, in 2025, hackers will target organizations adopting Web3 technologies, focusing on vulnerabilities in both smart contracts and the Web2 components that support them. Centralized elements, such as APIs, are likely to be prime targets for exploitation.