← All Briefings
Briefings


Ransomware breach data for 2025 puts identity attacks ahead of exploited vulnerabilities as the leading root cause for the first time, and 97 percent of the credential-based intrusions in that dataset had multifactor authentication deployed on the compromised account. The MFA was present. It did not hold. Dark Reading's write-up frames this as a maturity story, attackers pivoting to the softer target once patching improved. The artifact tells a narrower one: a control counted as "deployed" in a compliance audit and a control that stops an intrusion are not the same measurement, and every framework that checks the first box is currently blind to the second.

Separately, Fortinet's FortiSandbox flaw, CVE-2026-25089, joins CISA's Known Exploited Vulnerabilities catalog this week, which is the traditional kind of gap, patch available, exploitation confirmed, remediation deadline attached. The MFA statistic is the harder problem because there is no patch for it. An organization can pass every login-security audit written to date, HKMA's included, while its help desk still approves a device code or its SMS OTP still gets relayed in real time, and the 97 percent figure will not move until the next revision of TRM guidance asks not whether MFA exists but whether it survived contact with a live social-engineering attempt.

Weak. The piece treats deployed-but-bypassed MFA and the FortiSandbox KEV listing as two items on the same footing, but they are not parallel problems, one is a measurement failure with no patch and the other is a patch-and-deadline case already solved by process. Give the MFA finding the full piece and drop Fortinet to a brief or cut it.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.