

ReliaQuest’s latest Digital Risk Protection trends report reveals a significant rise in external cyber risks faced by organisations, as their digital footprints and corresponding attack surfaces continue to expand in the first half of 2025.
Rising exposures
The report analyses customer alerts across 38 types of external exposures, comparing data from the second half of 2024 with the first half of 2025. It found a 27% increase in exposed ports, a 35% rise in exposed operational technology (OT) ports, and a doubling of exposed access keys. Alerts for exposed marked documents, including sensitive information such as customer data and network diagrams, jumped by over 10%.
Typo-squatting, the creation of counterfeit domains mimicking legitimate organisations, has remained a persistent risk, with threat actors such as “Scattered Spider” targeting technology vendors to steal credentials. According to the report, typo-squatted domains are particularly effective, often facilitating phishing campaigns across multiple client organisations.
CISOs must look beyond traditional security measures and address the external footprint – exposed credentials, open ports, and vulnerabilities. Proactively managing these exposures isn’t just important; it’s the frontline defense against external threats and a critical step in reducing the attack surface.
Consistent risk landscape
Throughout both late 2024 and the first half of 2025, the top five digital risks remained largely consistent. Exposed marked documents led with a steep increase to 37.8% of alerts, followed by impersonating domains (19.0%), impersonating subdomains (15.6%), exposed ports (7.1%), and credential exposure (4.6%).
The report attributes some of the increase in exposed documents to accidental leaks on organisational websites. Such exposures are often sold on cybercriminal forums, with claims of company breaches potentially leading to regulatory action, lawsuits, and damage to brand reputation.
Expanding attack vectors
Enterprise organisations added an average of 28 new exposed ports per organisation in just six months, rising from 103 in the last half of 2024 to 131 in the first half of 2025. Increased exposures of FTP and SSH ports have provided a broader attack surface for threat actors. ReliaQuest reports that some attacks exploited Remote Desktop Protocol (RDP) logins, giving access to administrative accounts. While prompt detection and containment prevented escalation in one incident, the report underscores the importance of proactive management of exposed services.
Among OT systems, the average number of exposed ports per organisation rose by 35%, with Modbus (port 502) identified as the most commonly exposed, posing risks of unauthorised commands and potential shutdowns of key devices. The exposure of Unitronics port 20256 surged by 160%. The report cites cases where attackers, such as the group “CyberAv3ngers,” targeted industrial control systems during conflicts, exploiting weak or default passwords.
Persistent vulnerabilities
The number of vulnerabilities identified on public-facing assets more than doubled, rising from three per organisation in late 2024 to seven in early 2025. Critical vulnerabilities dating as far back as 2006 and 2008 still persist on unpatched systems, with proof-of-concept code readily available online, making exploitation accessible even to attackers with limited expertise. The report also references the continued threat posed by ransomware groups who exploit such weaknesses in internet-facing devices.
Key exposures double
Incidents involving exposed access keys, including cloud and API keys, doubled from late 2024 to early 2025. Exposed credentials can enable threat actors to enter environments as legitimate users, bypassing perimeter defenses. The report highlights that most exposures result from accidental code pushes to public repositories or leaks on criminal forums.
The drop in credential access alerts is said to be linked to law enforcement actions against a major infostealer malware family, “Lumma,” coupled with the temporary shutdown of the “BreachForums” marketplace. However, new malware strains have since begun to re-emerge, forcing security teams to continually adapt their defences.
Future trends
The report anticipates that attack surfaces will keep expanding due to increased adoption of Internet of Things (IoT) devices, projected to grow from 17.7 billion in 2024 to 31.2 billion by 2030. Security weaknesses in these devices remain a target for exploitation. The accelerating adoption of artificial intelligence likewise creates fresh risks, including prompt injection attacks and exposure of sensitive credentials during development processes.
As on-premises systems become more difficult to breach with traditional methods, attackers are shifting toward the use of stolen credentials and the exploitation of internet-facing vulnerabilities, an evolution reflected in the tactics of ransomware and social engineering groups.
The report concludes by stressing that organisations need to proactively identify and address external risks such as exposed credentials, open ports, and vulnerabilities as part of a broader digital risk protection strategy.