The report highlights that compromised perimeter security appliances, particularly Virtual Private Networks (VPNs), were the primary entry point for ransomware attacks in 2024.

According to the index, a staggering 58% of ransomware incidents originated from vulnerabilities in VPNs and firewalls, significantly outpacing other attack vectors. Remote desktop products accounted for 18% of exploits.

In addition to analysing past trends, Coalition’s report forecasts a surge in software vulnerabilities for 2025, anticipating over 45,000 new discoveries. This prediction underscores the growing challenge businesses face in maintaining robust cybersecurity defenses.

Cyber technology to minimise ‘alert fatigue’

Coalition leverages advanced technology, including artificial intelligence, honeypots, and expert analysis, to prioritise vulnerability alerts based on their exploitation likelihood. The approach aims to minimise alert fatigue for policyholders, enabling them to focus on the most critical threats. Notably, Coalition’s proactive monitoring resulted in policyholders receiving critical alerts for only 0.15% of published vulnerabilities in the first ten months of 2024, with 90% receiving no alerts at all.

The report also reveals the effectiveness of Coalition’s proactive approach, with policyholders successfully remediating over 32,000 vulnerabilities in 2024 as a result of timely notifications. This data emphasizes the importance of active risk management in mitigating the escalating threat of cyberattacks.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much—they’re still going after the same tried and true technologies with many of the same methods,” commented Alok Ojha, Coalition’s Head of Products, Security. “This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”

Other key findings from the report include:

• The total number of published software vulnerabilities will increase to over 45,000 in 2025, a rate of nearly 4,000 per month and a 15% jump over the first 10 months of 2024.
• Across all ransomware claims, the most common initial access vectors (IAVs) were stolen credentials (47%) and software exploits (29%). Vendors such as Fortinet®, Cisco®, SonicWall®, Palo Alto Networks®, and Microsoft® build the most commonly compromised products.
• Exposed logins are an underappreciated driver of ransomware risk. Coalition detected over 5 million internet-exposed remote management solutions and tens of thousands of exposed login panels across the internet. When applying for cyber insurance, most businesses (65%+) had at least one internet-exposed web login panel.

“This year’s report focuses on the most crucial security risks that under-resourced organizations should understand to better calibrate their defensive investments to bolster resilience,” said Daniel Woods, Senior Security Researcher at Coalition.

“Calibration involves balancing security investment across vulnerabilities, misconfigurations, and threat intelligence while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That’s why Coalition issues Zero-Day Alerts to help businesses, especially SMBs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritizing those posing the greatest risk.”

The Cyber Threat Index 2025 serves as a crucial resource for businesses seeking to understand and address the evolving cybersecurity threats in the digital age. To read Coalition’s full findings and download the report, visit here.