The Operational Technology Threat Landscape: Insights from IBM X-Force

Today’s adversaries are more diverse, specialized, and aggressive than ever, blending nation-state resources, cybercrime innovation, and hacktivist opportunism. Their playbooks are constantly evolving, with newer groups and alliances joining legacy players to threaten critical infrastructure worldwide.

Threat actors seeking to cause operational disruption are targeting a narrow spectrum of vulnerabilities, predominantly affecting perimeter-facing devices such as VPN concentrators, remote desktop gateways, and OT protocol converters. These CVEs, once weaponized, provide attackers with unauthenticated remote code execution, root-level device control, and often allow direct bypass of legacy authentication and access control mechanisms. The operational impact is amplified as many of these vulnerabilities remain unpatched in critical environments due to device uptime requirements, vendor patch delays, or asset visibility gaps.

Furthermore, the convergence of IT and OT, proliferation of remote management tools, and integration with third-party vendors have created new lateral pathways for attackers. Compromised supply chain partners or third-party integrators are leveraged as trusted entry points; exposed vendor remote access services and misconfigured firewalls further erode static segmentation. Adversaries exploit trusted IT/OT bridges, unsecured field devices, and even maintenance laptops to gain direct access to process control networks and safety systems. This evolving attack surface renders legacy perimeter security models insufficient, emphasizing the need for dynamic network monitoring, continuous asset discovery, and threat-informed architecture.

Data from the X-Force Vulnerability Database indicates that 670 vulnerabilities disclosed in H1 2025 could impact OT environments; of those, 11% carry a CVSS severity rating of “Critical” (CVSS score between 9.0 and 10.0). Furthermore, one-fifth (21%) of those critical vulnerabilities have publicly available exploit code.