The 2025 Nexon Cyber Security Report exposes simple weaknesses behind most breaches, based on 126 penetration tests across Australian industries.
November 23rd 2025 – New research from Nexon Asia Pacific reveals that every Australian organisation tested this year had at least one cyber security vulnerability that could have been prevented with stronger foundations.
The 2025 Nexon Cyber Security Report: 7 preventable cyber attack threats facing Australian organisations draws on 126 penetration testing engagements conducted across more than 30 industries between July 2024 and June 2025 to show what is really happening inside local organisations.
The report is designed to help business and security leaders understand the Australian cyber security risks, what the data reveals about common failings and how to prioritise the right actions.
The research demonstrates that most breaches are not caused by sophisticated adversaries using advanced tactics. Instead, cyber attackers continue to exploit basic, preventable control deficiencies such as weak credential hygiene, absent multi-factor authentication (MFA) enforcement, outdated legacy infrastructure, privilege mismanagement and human-factor exploitation.
“Every organisation we pen tested this year had vulnerabilities that could have been prevented by getting the basics right,” says Garth Sperring, General Manager – Network & Cyber at Nexon Asia Pacific.
“Attackers don’t need sophisticated tactics when weak passwords and missing multi-factor authentication still work. In our testing, 83% of phishing simulations succeeded in capturing credentials, 72% of engagements reached domain admin control and 60% of attacks went completely undetected until we reported them.”
Seven threats that keep appearing
The report identifies seven key vulnerabilities attackers continue to exploit:
- Weak passwords – 59% were only 8-10 characters long
- MFA gaps – missing or misconfigured in 9% of web applications
- Web application flaws – 63% had at least one security misconfiguration
- Social engineering – 83% of phishing attempts gained credentials
- Perimeter gaps – 5% of services had no two-factor login
- Flat networks – 72% reached domain admin control
- Cloud misconfigurations – 6% left unsafe default settings in place
The full report provides detailed findings on each vulnerability, along with practical remediation steps organisations can take immediately.
Even well-resourced organisations continue to leave basic weaknesses unaddressed. Contributing factors include vendor sprawl, a lack of integration across tools and a cyber-skills capacity deficit across the sector, leaving many security teams under-resourced.
Each of the seven insights includes practical remediation guidance mapped to Nexon Cyber’s three-stage cyber security framework: Get Protected (build foundational defences), Stay Protected (maintain continuous monitoring and response) and Don’t Get Caught Out (strengthen security proactively through testing and training).
“These weaknesses can all be addressed with a structured approach,” says Sperring. “Get the basics right first. Most organisations can close these gaps quickly with the right approach.”
Nexon’s Get Protected services are built on Microsoft security technologies, helping address the vendor sprawl and integration gaps that leave many organisations exposed. As an advanced Microsoft specialist provider in Threat Protection and Cloud Security, Nexon has the credentials to deliver protection across the full security stack.
Download the report
The 2025 Nexon Cyber Security Report is available here
Organisations can also request a security posture assessment to identify current maturity levels and key vulnerabilities.
For more information, visit nexon.com.au/nexon-cyber
