The BSI Situation Report 2025: Exploits and Data Leaks as Emerging Threat Trends
The BSI Report on the State of IT Security in Germany 2025 from the Federal Office for Information Security reveals an alarming phenomenon: the massive increase in exploitation attacks, coupled with systematic data leaks, is increasingly replacing traditional ransomware scenarios and driving ransom payments to record levels. The report covers incidents between 1 July 2024 and 30 June 2025 and shows not only a quantitative rise in threats but also a qualitative shift in how cybercriminals structure and monetise their attacks.
Vulnerabilities as Root Cause
During the reporting period, an average of 119 new vulnerabilities per day were identified, a 24 percent increase on the previous year. Alongside classic software flaws, these increasingly include conceptual weaknesses and IoT devices that are already compromised at delivery. The number of exploitation attacks rose by 38 percent, a faster increase than the discovery of new vulnerabilities itself.
From Ransomware to a Hybrid Model
The classic ransomware approach is increasingly being supplemented by data leaks, dramatically multiplying the leverage available to attackers. This hybrid strategy uses dual pressure: system access is blocked while simultaneously threatening to publish sensitive data. Average ransom payments reached a new high. During the reporting period, 950 ransomware reports were registered; in 72 percent of these cases, data leaks occurred or were threatened.
SMEs as Preferred Targets
Around 80 percent of all reported attacks targeted small and medium-sized enterprises (SMEs). These typically lack extensive cybersecurity teams and have limited IT budgets. Particularly noteworthy is the perception gap: 91 percent of SMEs rate their IT security as "good" or "very good", yet on average they meet only 56 percent of the core baseline requirements of the BSI CyberRisikoCheck. This discrepancy means SME leaders are operating with a false sense of security.
Critical Infrastructure: Detection Gaps
While 80 percent of critical infrastructure operators have implemented information security management systems, 48 percent have no system for attack detection. This means almost half of the organisations that are critical to the country's infrastructure do not even have basic detection capabilities. The situation is particularly problematic for operational technology systems in energy supply, which often run on proprietary protocols developed over decades and are not designed for modern security measures.
Shift to Web-Based Attacks
The BSI report documents a noticeable shift: while email-based attacks have declined, exploitation attacks via web attack surfaces are steadily gaining ground. Analysis of publicly reachable .de domains reveals significant security deficits: 61 percent rely exclusively on the outdated IPv4 protocol, and on 47 percent of reachable IP addresses, sensitive information is publicly visible. Another trend is the growing use of social media and messaging services for attack operations.
Professionalisation of Threat Actors
International law enforcement led to operational successes, including the dismantling of major ransomware groups such as LockBit and ALPHV. But this did not leave a calmer environment; instead, the BSI observes the rapid reformation of new groups based on modular attack tools. Ransomware-as-a-Service platforms have massively lowered the barrier to entry for cybercrime. The primary actors can be broadly divided into three categories: Russian actors with destructive goals, highly professionalised cybercrime structures, and automated botnet infrastructure.
Data Leaks and Access Brokers
The BSI report documents 461 identified data leaks during the reporting period. The types of exposed data are primarily dates of birth, email addresses, and login credentials. Particularly relevant is the development of access broker services trading stolen credentials on the dark web. The number of people allegedly harmed by data leaks has reached a new all-time high. For businesses, this means growing legal and financial risks that can only be managed with robust documentation and well-practised procedures.
Attack Surface Management as a Central Lever
The central conclusion of the BSI report is clear: protecting attack surfaces is the decisive lever for improving cybersecurity. Proactive attack surface management means organisations must maintain continuous visibility into all their systems, network connections, and potential entry points. This includes not only traditional IT systems but also IoT, OT, and cloud environments. Concrete measures include structured inventory of all systems, continuous vulnerability management with risk-based prioritisation, consistent patch management, network segmentation, and zero-trust architectures.
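As an added illustration of the risk-based prioritisation the paragraph calls for (this is example code written for this summary, not from the BSI report or any named tool), the script below takes a small asset inventory spanning IT, IoT, OT and cloud systems and ranks each open finding by a score that weights CVSS severity with asset criticality, internet exposure and known in-the-wild exploitation. The asset names, the vulnerability identifiers (deliberately labelled as placeholders rather than real CVE numbers), and the weights are all constructed assumptions; the point is the structure of the decision, not the specific numbers.

```python
"""Risk-based prioritisation over an asset inventory (constructed example).

Assumptions: asset kinds, criticality scale, the weighting factors and the
sample records below are invented for illustration and are not taken from
the BSI report.
"""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    vuln_id: str            # placeholder identifier, not a real CVE number
    cvss: float             # base severity, 0.0 .. 10.0
    known_exploited: bool   # e.g. listed in an exploited-in-the-wild catalogue
    patch_available: bool


@dataclass
class Asset:
    name: str
    kind: str               # "it", "iot", "ot" or "cloud"
    internet_exposed: bool  # reachable from the public web attack surface
    criticality: int        # 1 (low) .. 5 (business-critical)
    vulns: list = field(default_factory=list)


def risk_score(asset: Asset, vuln: Vulnerability) -> float:
    """Combine severity with context; higher means fix sooner."""
    score = vuln.cvss * asset.criticality          # 0 .. 50 before context
    if asset.internet_exposed:
        score *= 1.5                               # exposed attack surface
    if vuln.known_exploited:
        score *= 2.0                               # exploitation is active
    if asset.kind == "ot" and not vuln.patch_available:
        score *= 1.2                               # unpatchable OT needs compensating controls
    return round(score, 1)


def recommended_action(asset: Asset, vuln: Vulnerability) -> str:
    """Map the finding to the measure the inventory supports."""
    if vuln.patch_available:
        return "patch"
    if asset.internet_exposed:
        return "remove from internet / segment"
    return "segment and monitor"


def prioritise(inventory: list) -> list:
    """Return (score, asset, vuln_id, action) tuples, highest risk first."""
    rows = []
    for asset in inventory:
        for vuln in asset.vulns:
            rows.append((risk_score(asset, vuln), asset.name,
                         vuln.vuln_id, recommended_action(asset, vuln)))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def exposure_by_kind(inventory: list) -> dict:
    """Count internet-exposed assets per kind (visibility across IT/IoT/OT/cloud)."""
    counts = {}
    for asset in inventory:
        if asset.internet_exposed:
            counts[asset.kind] = counts.get(asset.kind, 0) + 1
    return counts


def sample_inventory() -> list:
    """Constructed sample data; every value here is invented."""
    return [
        Asset("web-portal", "it", True, 4,
              [Vulnerability("VULN-PLACEHOLDER-1", 9.8, True, True)]),
        Asset("plc-substation", "ot", False, 5,
              [Vulnerability("VULN-PLACEHOLDER-2", 7.5, False, False)]),
        Asset("smart-camera", "iot", True, 2,
              [Vulnerability("VULN-PLACEHOLDER-3", 8.8, False, False)]),
        Asset("hr-laptop", "it", False, 3,
              [Vulnerability("VULN-PLACEHOLDER-4", 5.5, False, True)]),
        Asset("cloud-bucket", "cloud", True, 4,
              [Vulnerability("VULN-PLACEHOLDER-5", 6.5, False, True)]),
    ]


if __name__ == "__main__":
    for score, name, vuln_id, action in prioritise(sample_inventory()):
        print(f"{score:6.1f}  {name:15s} {vuln_id:20s} {action}")
    print("exposed assets by kind:", exposure_by_kind(sample_inventory()))
```

The ordering shows why CVSS alone is a poor queue: the internet-facing portal with an actively exploited flaw comes first, but the unpatchable substation controller outranks a more severe finding on a low-value IoT camera because criticality and the lack of a patch push it towards segmentation and monitoring rather than waiting for a fix that will not arrive.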
Government Countermeasures
The federal government has established the "Cyberdome" concept, a partially automated system for detecting, analysing, and fending off attacks. The BSI's budget is set to grow by 65 percent. On the legislative side, the NIS2 Directive and the IT Security Act 2.0 are relevant, significantly raising the requirements for operators of critical infrastructure.
Organisational and Psychological Factors
The BSI explicitly identifies the existence of a "digital carelessness" that opens a "fatal gap between the escalating threat situation and the necessary personal readiness to defend". The use of two-factor authentication fell from 42 percent in 2023 to 34 percent in 2025. At the corporate level, 39 percent have no structured emergency management plan for data theft or sabotage. Only 24 percent of companies offer IT security training to all employees.
Recommendations
The BSI report paints a picture of a cybersecurity landscape at a critical inflection point. The classic paradigms, namely reactive security, isolated systems, and perimeter protection, have become untenable in the face of current realities. The central findings are: attack surface management is not optional but a core task of any modern IT security strategy. Modern attacks combine ransomware, data leaks, and exploitation attacks into hybrid scenarios. Technical investments must be complemented by organisational structures, training, and contingency planning. Regulatory compliance is not sufficient; BSI Grundschutz requirements or NIS2 compliance are minimum standards.
For governments, the message is clear: cybersecurity is a national infrastructure task of the highest priority. Increasing the BSI's funding and establishing the Cyberdome system are the right steps, but must be complemented by continuous investment, international cooperation, and clear regulatory requirements. The divide between large, well-resourced organisations and small SMEs must be addressed through targeted government support.
Sources & References
- https://der-betrieb.de/meldungen/bsi-lagebericht-2025-hacker-finden-weiter-leichtes-spiel/
- https://grasp-grc.com/content-hub/bsi-lagebericht-2025/
- https://www.orbit.de/bsi-bericht-2025-it-sicherheit/
- https://www.gruene-bundestag.de/presse/pm-november-2025/jeanne-dillschneider-und-konstantin-von-notz-bsi-bericht-ueberfaellige-schritte-zur-erhoehung-der-it-sicherheit-deutschland-endlich-angehen/
- https://www.bitkom.org/Presse/Presseinformation/Bitkom-zum-BSI-Lagebericht
- https://www.bmi.bund.de/SharedDocs/kurzmeldungen/DE/2025/11/bsi-lagebericht-km.html
- https://www.security-insider.de/bsi-lagebericht-itsicherheit-2025-deutschland-a-d2a510480d46ec84f9be259c38435110/
Summarised with the help of AI.