Australian organisations are investing heavily in cyber security, yet most breaches still exploit simple, preventable weaknesses. Nexon’s 2025 Cyber Security Report – based on penetration testing of 126 organisations across 30+ industries – reveals seven recurring vulnerabilities that attackers exploit, and explains how to fix them.
From poor password hygiene to misconfigured cloud systems, every single organisation we tested had at least one vulnerability that could have been prevented with stronger foundations.
Simple mistakes leave the door ajar
Most cyber breaches don’t come from advanced hacking techniques or nation-state actors. Nexon’s penetration testing this year showed that attackers succeed by exploiting basic, preventable gaps that appear across every layer of the environment.
The pattern was consistent: weak credential hygiene, missing multi-factor authentication (MFA), insecure web applications, human error, perimeter gaps, flat internal networks and cloud misconfigurations.
Below are the seven common threats we found. For the complete findings, including detailed statistics, staged implementation roadmaps and specific remediation guidance for addressing each vulnerability, download the complimentary 2025 Cyber Security Report.
Weak passwords remain the easiest way in
Predictable and reused credentials facilitated unauthorised access more often than any advanced hacking technique in our 126 penetration tests. We found that ‘Password123’ and other predictable patterns, seasonal combinations like ‘Winter2025!’, passwords based on company names, and default or hardcoded service account credentials are still in widespread use.
59% of passwords were only 8–10 characters long
1 in 4 organisations reused passwords across accounts
10% still enforced weak or outdated password policies
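The patterns described above (short passwords, 'Password123'-style defaults, season-plus-year combinations, company names, service accounts whose password is the account name, and reuse across accounts) are exactly what a credential audit should flag before a pentester does. The script below is an added illustration written for this page, not Nexon's tooling or anything from the report; the 12-character floor, the small default-password denylist, the fictional company "Acme" and the sample account list are all constructed assumptions. A real audit would run the same checks against a breached-password corpus and against password hashes exported from the directory rather than plaintext.

```python
"""Audit account credentials for the predictable patterns that recur in pentests:
short passwords, well-known defaults, season+year combinations, company or
username embedded in the password, and passwords reused across accounts.
Added illustration only; thresholds, denylist and sample data are assumptions."""
import re
from collections import defaultdict

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# Constructed denylist of common defaults; a real audit would use a breached-password corpus.
COMMON_DEFAULTS = {"password", "passw0rd", "welcome", "admin", "letmein", "qwerty", "changeme"}
MIN_LENGTH = 12  # assumed policy floor


def _normalise(text: str) -> str:
    """Lower-case and keep only letters/digits so 'P@ss-word' and 'password' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_password(password: str, *, username: str = "", company: str = "",
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the weaknesses found in one password (empty list means no finding)."""
    findings = []
    alnum = _normalise(password)
    letters = re.sub(r"[^a-z]", "", password.lower())
    no_trailing_digits = re.sub(r"\d+$", "", alnum)

    if len(password) < min_length:
        findings.append(f"too short ({len(password)} < {min_length})")
    # 'Password123' style: a known default, possibly with digits appended
    if alnum in COMMON_DEFAULTS or no_trailing_digits in COMMON_DEFAULTS:
        findings.append("well-known default or dictionary password")
    # 'Winter2025!' style: a season followed by a four-digit year
    if any(letters.startswith(s) for s in SEASONS) and re.search(r"(19|20)\d{2}", password):
        findings.append("season + year pattern")
    norm_company = _normalise(company)
    if norm_company and norm_company in alnum:
        findings.append("contains company name")
    norm_user = _normalise(username)
    if norm_user and alnum == norm_user:
        findings.append("identical to username (default service credential)")
    elif norm_user and norm_user in alnum:
        findings.append("contains username")
    return findings


def find_reused_passwords(accounts):
    """Map each password used by more than one account to the accounts sharing it."""
    by_password = defaultdict(list)
    for username, password in accounts:
        by_password[password].append(username)
    return {pw: users for pw, users in by_password.items() if len(users) > 1}


def audit_accounts(accounts, company=""):
    """Audit every (username, password) pair; return only the accounts with findings."""
    report = {}
    for username, password in accounts:
        findings = audit_password(password, username=username, company=company)
        if findings:
            report[username] = findings
    return report


# Constructed sample data (not from the report) for a fictional company "Acme".
SAMPLE_ACCOUNTS = [
    ("alice", "Winter2025!"),
    ("bob", "Acme2024#"),
    ("carol", "Password123"),
    ("dave", "Password123"),
    ("svc-backup", "svc-backup"),
    ("erin", "correct horse battery staple 42"),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, company="Acme").items():
        print(f"{user}: {'; '.join(findings)}")
    for users in find_reused_passwords(SAMPLE_ACCOUNTS).values():
        print(f"password shared by: {', '.join(users)}")
```

Run against the sample list, five of the six accounts are flagged and one password is shared by two accounts; only the long passphrase passes clean. The checks are deliberately pattern-based rather than entropy-based, because the report's point is that attackers guess the predictable shapes, not that they brute-force random strings.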
Multi-factor authentication gaps expose accounts
Even with strong passwords in place, attackers often found authentication endpoints lacking enforced MFA or with bypassable challenge flows. We found that nearly 1 in 10 web apps lacked MFA enforcement, that cloud admin accounts were exempt from MFA and that privileged accounts – including executives and automated service accounts – were commonly exempt from MFA.
MFA was missing or misconfigured in:
9% of web applications
5% of perimeter services
3% of cloud admin accounts
Web application housekeeping flaws create real risks
Everyday mistakes, not complex attacks, are the biggest cause of web and API weaknesses. Attackers often piece together minor issues, such as misconfigured parameters or outdated dependencies, to find ways to break in.
63% of web applications had at least one security misconfiguration
64% of APIs lacked critical controls
People remain the most exploitable entry point
Phishing and social engineering were the most reliable methods for cyber attackers to obtain initial access in simulations. Once attackers got in through people, insufficient internal access controls and network segmentation made escalation easy. Many of these attacks went undetected until our team reported them.
83% of phishing attempts in simulated attacks gained credentials
72% of engagements escalated to domain admin within days
60% of simulated attacks went undetected by monitoring teams
External perimeters still have openings
Fewer direct perimeter break-ins occurred this year than in previous years, but simple methods like weak passwords and missing two-factor logins still let attackers in. In many cases, just one overlooked system was enough to give attackers access.
5% of external-facing services had no two-factor login
8% of organisations had weak or outdated encryption
Flat internal networks give attackers the keys
Once attackers got inside, they often found networks that were wide open. Weak protocols, exposed data sharing and poor system separation made it easy to move around and gain complete control.
72% of engagements reached domain admin control – giving attackers the keys to everything
Cloud misconfigurations create big risks from small gaps
Most cloud breaches stemmed from insecure default configurations, not advanced attacks. Excessive permissions, poor login controls and dangerous defaults left sensitive data and accounts exposed in many environments.
6% of cloud setups left unsafe default settings in place
4% used outdated or weak login methods
A structured approach to addressing these gaps
Addressing these foundational gaps removes the majority of exploitable weaknesses. There’s no point investing in advanced security tools if attackers can still walk in through weak passwords or missing MFA.
Nexon’s three-stage cyber security framework provides a structured approach: Get Protected by putting the right foundations in place, Stay Protected through continuous monitoring and incident response, and Don’t Get Caught Out by proactively testing and strengthening defences against evolving threats.
These seven vulnerabilities represent the most common entry points we found across 126 Australian organisations. The complimentary 2025 Nexon Cyber Security Report provides detailed remediation roadmaps, implementation guides and specific actions to address each threat. Download your copy to see where your organisation may be exposed and how to close these gaps.
Garth Sperring is General Manager – Network & Cyber at Nexon Asia Pacific. For more information about credential monitoring, SOC services and assessing your security posture, contact us at nexon.com.au/nexon-cyber