Fortinet, a California-based cybersecurity firm, has recorded a 389% rise in confirmed ransomware victims in 2025, while exploitation windows compressed to 24–48 hours, according to its 2026 Global Threat Landscape Report.

FortiGuard Labs described the broader threat landscape as a move from isolated campaigns to a system built on reusable exploit code, stolen credentials and automation.

The report is based on FortiGuard Labs telemetry from millions of sensors worldwide and covers 2025 activity or the most recent 12-month window available for each dataset.

The cybersecurity firm recorded 640 billion reconnaissance events, down 45%, 67.65 billion brute-force attempts, down 22%, and 121.99 billion exploitation attempts, up 25%.

The drop in scanning and brute-force volumes did not equate to reduced attacker activity. The report described attackers as more selective, while exploitation continued to rise.

The race to patch public exploits

The exploitation pressure is now tied to code availability. Of 635 vulnerabilities Fortinet observed under active exploitation, 53.86% had public proof-of-concept code and 31.18% had fully working exploit code.

Its time-to-exploit table cites same-day exploitation for Fortra GoAnywhere, Oracle E-Business Suite and Apache Tomcat flaws, while Cisco ASA/FTD and React2Shell vulnerabilities reached first observed exploitation within one day.

CISA’s Known Exploited Vulnerabilities catalog reinforces that remediation priority is increasingly tied to real-world exploitation. The agency maintains the catalog as an authoritative source of vulnerabilities exploited in the wild and says organizations should use it as an input to vulnerability-management prioritization.

Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged vulnerabilities within CISA-set timelines, with default deadlines of two weeks for most newer CVEs and six months for pre-2021 CVEs.

Manufacturing and retail bear the brunt

Ransomware supplied the report’s clearest impact measure. FortiRecon counted 7,831 confirmed ransomware victims in 2025, compared with about 1,600 the year before. Manufacturing led with 1,284 victims, followed by business services at 824 and retail at 682. The U.S. recorded 3,381 victims, the largest single-country total in Fortinet’s dataset.

The same report puts identity exposure upstream of many intrusions. FortiRecon observed 4.62 billion stealer logs traded or shared on darknet markets, up 79.07% from 2024.

In cloud environments, Fortinet said identity compromise remained the dominant intrusion vector, with valid credentials serving as the exploit and APIs as the execution layer.

A separate Verizon breach dataset supports the focus on credentials and vulnerabilities. Verizon’s 2025 Data Breach Investigations Report analyzed more than 22,000 incidents and 12,195 confirmed breaches, finding credential abuse at 22% and vulnerability exploitation at 20% among leading initial attack vectors. Verizon also reported that third-party involvement doubled to 30% of breaches.

For cloud teams, Fortinet’s control findings are concrete. The FortiCNAPP section lists high-severity actions tied to long-lived access keys, unrestricted inbound traffic, public storage permissions, root accounts without MFA and public-facing databases.

Its cloud-intrusion guidance treats identity anomalies combined with discovery APIs as evidence of active intrusion rather than posture weakness alone.
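
One way to express that rule as detection logic, shown here as an added example that is not taken from Fortinet's report: a credential used from an unseen source is only an identity anomaly, but it escalates to active intrusion once it also makes several distinct discovery calls. The AWS CloudTrail event names, the 30-minute window, the three-call threshold, and the sample principals and IP addresses are all assumptions or constructed data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these AWS CloudTrail event names stand in for "discovery APIs".
DISCOVERY = {"ListBuckets", "ListUsers", "ListRoles", "ListAccessKeys",
             "DescribeInstances", "GetAccountAuthorizationDetails"}
WINDOW = timedelta(minutes=30)  # assumed correlation window after the first anomaly
MIN_DISTINCT = 3                # assumed number of distinct discovery calls

def classify(events, baseline_ips):
    """Map each principal to 'baseline', 'identity-anomaly' or 'active-intrusion'."""
    first_anomaly = {}            # principal -> time of first call from an unseen IP
    discovery = defaultdict(set)  # principal -> discovery APIs called from unseen IPs
    verdict = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        p = e["principal"]
        verdict.setdefault(p, "baseline")
        if e["ip"] in baseline_ips.get(p, set()):
            continue              # expected source: inventory tools enumerate legitimately
        start = first_anomaly.setdefault(p, e["time"])
        if verdict[p] == "baseline":
            verdict[p] = "identity-anomaly"
        if e["api"] in DISCOVERY and e["time"] - start <= WINDOW:
            discovery[p].add(e["api"])
            if len(discovery[p]) >= MIN_DISTINCT:
                verdict[p] = "active-intrusion"
    return verdict

def _ev(minute, principal, ip, api):
    """Build one constructed event, `minute` minutes after a fixed start time."""
    return {"time": datetime(2025, 1, 1, 12, 0) + timedelta(minutes=minute),
            "principal": principal, "ip": ip, "api": api}

# Constructed sample data: documentation IP ranges and hypothetical principals.
BASELINE = {"ci-deploy": {"198.51.100.10"}, "inventory": {"198.51.100.20"},
            "alice": {"198.51.100.30"}}
SAMPLE = [
    _ev(0, "inventory", "198.51.100.20", "ListBuckets"),
    _ev(1, "inventory", "198.51.100.20", "ListUsers"),
    _ev(2, "inventory", "198.51.100.20", "DescribeInstances"),
    _ev(5, "alice", "203.0.113.7", "GetObject"),
    _ev(10, "ci-deploy", "203.0.113.99", "ListUsers"),
    _ev(11, "ci-deploy", "203.0.113.99", "ListRoles"),
    _ev(12, "ci-deploy", "203.0.113.99", "ListBuckets"),
]

if __name__ == "__main__":
    for principal, result in classify(SAMPLE, BASELINE).items():
        print(principal, result)
```

The inventory principal enumerates from its usual address and stays at baseline, which keeps routine asset discovery from paging the on-call responder.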

Velocity as a business metric

For CISOs and CIOs, the report turns speed into the central operational metric. Fortinet’s conclusion calls for measuring defensive velocity through time to detect, time to contain and time to revoke compromised credentials.

This puts patch latency, credential revocation and cloud misconfiguration cleanup in the same business-risk queue.

Fortinet also uses the report to support its own integrated SecOps architecture, so the telemetry base matters. Still, the overlap with CISA’s KEV guidance and Verizon’s breach data gives the report a broader enterprise signal: exploited vulnerabilities and valid credentials are the exposure paths most directly compressing enterprise response windows.
