
Cyber Threat Actors Ramp Up Attacks on Industrial Environments
Why It Matters
The surge underscores growing risk to critical infrastructure, prompting firms to prioritize OT security investments. Unaddressed gaps could disrupt manufacturing, healthcare, and energy operations worldwide.
That is according to the Cyble Research & Intelligence Labs’ (CRIL) Annual Threat Landscape Report 2025, published on January 15, 2026.
ICS Vulnerability Disclosures Doubled in 2025
One of the key takeaways from the 87‑page report was the growing interest of various cyber threat actors in industrial control systems (ICS) and operational technology (OT) environments.
The researchers reported 2,451 ICS vulnerability disclosures across 152 vendors in 2025, almost double the 2024 numbers, which saw 1,690 such vulnerabilities across 103 vendors.
This increase was fuelled by an August activity spike, with 802 ICS vulnerabilities disclosed that month alone. The third quarter of 2025 accounted for 45.26 % of the year’s disclosures of ICS vulnerabilities.
- Siemens was the vendor with the products most affected by ICS vulnerabilities, with 1,175 reported.
- Schneider Electric ranked second with 163 ICS flaws reported over the past year.
- However, the French automated systems provider faced a higher percentage of high and critical vulnerabilities – approximately 70 % compared with less than 40 % for Siemens.
Threat Actors Increasingly Exploit ICS Vulnerabilities
This rise in reported ICS vulnerabilities is partly due to a growth in exploits by cyber threat actors, who increasingly scour for security gaps in human‑to‑machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems.
Cyble data showed that two of the most ICS‑system‑reliant industries—manufacturing and healthcare—were the sectors most targeted by ransomware attacks in 2025. The researchers observed 600 manufacturing and 477 healthcare entities affected over the period covered by the report.
Hacktivist groups also heavily targeted ICT‑reliant organizations, such as energy and utilities and transportation, in 2025.
Hacktivist groups that increased their focus on ICS and OT attacks over the past year include:
- Z‑Pentest – the most active hacktivist group to target ICS, conducting repeated intrusions against a wide range of industrial technologies.
- Dark Engine (aka Infrastructure Destruction Squad) and Sector 16 – persistently targeted ICS, primarily exposing HMIs.
- A secondary tier of groups, including Golden Falcon Team, NoName057(16), TwoNet, RipperSec and Inteid, also claimed to have conducted recurrent ICS‑disrupting attacks, albeit on a smaller scale.
Finally, Cyble highlighted that, out of all disclosed ICT vulnerabilities, 27 involve internet‑exposed assets across multiple critical‑infrastructure sectors.
Based on these findings and further investigations, the CRIL team predicted that hacktivists and cybercriminals will increasingly target exposed HMI and SCADA systems as well as conduct virtual‑network‑computing (VNC) takeovers in 2026.
Ransomware and Hacktivism Grew in 2025
The report noted that despite increased pressure from law enforcement and multiple successful legal actions in 2025, the cyber‑threat landscape “remained turbulent.”
- The CRIL team documented 5,967 ransomware attacks in 2025, representing a 37 % increase from 2024’s total.
- It also observed 6,979 data breaches and leaks and 2,059 incidents involving the sale of compromised initial access.
- Behind Qilin, Akira emerged as the second‑most prolific ransomware group, focusing on construction, manufacturing and professional‑services sectors.
- Cyble identified 57 new ransomware groups and 27 new extortion groups that appeared in 2025.
Hacktivism continued to grow in 2025 and “evolved into a globally coordinated threat, closely tracking geopolitical flashpoints,” the Cyble report stated.
These activities were predominantly driven by two geopolitical conflicts:
- The Israel‑Iran conflict, which sparked cyber operations by 74 hacktivist groups.
- India‑Pakistan tensions, which generated 1.5 million intrusion attempts.
“Armed conflicts, elections, trade disputes and diplomatic crises fueled intensified campaigns against state institutions and critical infrastructure, with hacktivist groups weaponizing cyber‑insurgency to advance their propaganda agendas,” explained the security researchers.