Australian organisations are investing heavily in cyber security, yet most breaches still exploit simple, preventable weaknesses. The 2025 Nexon Cyber Security Report, based on penetration testing of 126 organisations across 30+ industries, reveals seven recurring vulnerabilities that attackers exploit, and explains how to fix them.
From poor password hygiene to misconfigured cloud systems, every single organisation we tested had at least one vulnerability that could have been prevented with stronger foundations.
Simple mistakes leave the door ajar
Most cyber breaches don’t come from advanced hacking techniques or nation-state actors. Nexon’s penetration testing this year showed that attackers succeed by exploiting basic, preventable gaps that appear across every layer of the environment.
The pattern was consistent: weak credential hygiene, missing multi-factor authentication (MFA), insecure web applications, human error, perimeter gaps, flat internal networks and cloud misconfigurations.
Below are the seven common threats we found. For the complete findings, including detailed statistics, staged implementation roadmaps and specific remediation guidance for addressing each vulnerability, download the complimentary 2025 Cyber Security Report.
1. Weak passwords remain the easiest way in
Predictable and reused credentials gave us unauthorised access more often than any advanced hacking technique in our 126 penetration tests. We found that ‘Password123’ and other predictable patterns, seasonal combinations like ‘Winter2025!’, passwords based on company names, and default or hardcoded service account credentials are still in widespread use.
- 59% of passwords were only 8–10 characters long
- 1 in 4 organisations reused passwords across accounts
- 10% still enforced weak or outdated password policies
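As an added illustration (not code from the Nexon report), the Python audit below flags the patterns named above at password-set time: short length, seasonal combinations, company-name derivatives, well-known defaults and the same value reused across accounts. The 12-character minimum, the denylist, the placeholder company name "acme" and the sample credentials are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Assumed policy thresholds and lists (not taken from the report).
MIN_LENGTH = 12
DENYLIST = {"password", "password123", "welcome1", "qwerty123", "letmein", "admin"}
# Season + 2- or 4-digit year + up to three trailing symbols, e.g. "Winter2025!"
SEASONAL = re.compile(r"^(spring|summer|autumn|fall|winter)(19|20)?\d{2}[^a-z0-9]{0,3}$", re.I)
# Undo common character substitutions so "Acm3" still matches "acme".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalise(pw):
    return pw.lower().translate(LEET)

def weaknesses(pw, company):
    """Labels for one password; an empty list means no policy finding."""
    low, norm = pw.lower(), normalise(pw)
    core = re.sub(r"[^a-z]+$", "", norm)   # drop trailing digits/symbols
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("short")
    if SEASONAL.match(pw):
        found.append("seasonal")
    if company and normalise(company) in norm:
        found.append("company-name")
    if low in DENYLIST or core in DENYLIST:
        found.append("denylisted")
    return found

def audit(credentials, company):
    """credentials: (account, password) pairs seen by a password-set hook. Returns {account: [labels]}."""
    accounts_per_pw = defaultdict(set)
    for account, pw in credentials:
        accounts_per_pw[pw].add(account)
    report = {}
    for account, pw in credentials:
        labels = weaknesses(pw, company)
        if len(accounts_per_pw[pw]) > 1:
            labels.append("reused")
        if labels:
            report[account] = labels
    return report

# Constructed sample credentials for the demonstration; "acme" is a placeholder company name.
SAMPLE = [
    ("alice", "Winter2025!"),
    ("svc_backup", "Password123"),
    ("bob", "Acme2025!"),
    ("carol", "Acme2025!"),
    ("dave", "correct-horse-battery-staple-42"),
]
```

Running `audit(SAMPLE, "acme")` reports every account except dave; in production the same checks belong in a password filter or identity provider policy, not in a job that reads stored plaintext.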
2. Multi-factor authentication gaps expose accounts
Even with strong passwords in place, attackers often found authentication endpoints lacking enforced MFA or with bypassable challenge flows. We found that nearly 1 in 10 web apps lacked MFA enforcement, and that privileged accounts, including cloud admin accounts, executives and automated service accounts, were commonly exempt from MFA.
- MFA was missing or misconfigured in 9% of web applications, 5% of perimeter services and 3% of cloud admin accounts
3. Web application housekeeping flaws create real risks
Everyday mistakes, not complex attacks, are the biggest cause of web and API weaknesses. Attackers often piece together minor issues, such as misconfigured parameters or outdated dependencies, to find ways to break in.
- 63% of web applications had at least one security misconfiguration
- 64% of APIs lacked critical controls
4. People remain the most exploitable entry point
Phishing and social engineering were the most reliable methods for cyber attackers to obtain initial access in simulations. Once attackers got in through people, insufficient internal access controls and network segmentation made escalation easy. Many of these attacks went undetected until our team reported them.
- 83% of phishing attempts in simulated attacks gained credentials
- 72% of engagements escalated to domain admin within days
- 60% of simulated attacks went undetected by monitoring teams
5. External perimeters still have openings
Fewer direct perimeter break-ins occurred this year than in previous years, but simple methods, such as weak passwords and missing two-factor logins, still let attackers in. In many cases, just one overlooked system was enough to give attackers access.
- 5% of external-facing services had no two-factor login
- 8% of organisations had weak or outdated encryption
6. Flat internal networks give attackers the keys
Once attackers got inside, they often found wide-open networks. Weak protocols, exposed data sharing and poor system separation made it easy to move around and gain complete control.
- 72% of engagements reached domain admin control – giving attackers the keys to everything
7. Cloud misconfigurations create big risks from small gaps
Most cloud breaches stemmed from insecure default configurations, not advanced attacks. Excessive permissions, poor login controls and dangerous defaults left sensitive data and accounts exposed in many environments.
- 6% of cloud setups left unsafe default settings in place
- 4% used outdated or weak login methods
A structured approach to addressing these gaps
Addressing these foundational gaps removes the majority of exploitable weaknesses. There’s no point investing in advanced security tools if attackers can still walk in through weak passwords or missing MFA.
Nexon’s three-stage cyber security framework provides a structured approach: Get Protected by putting the right foundations in place, Stay Protected through continuous monitoring and incident response, and Don’t Get Caught Out by proactively testing and strengthening defences against evolving threats.
Leveraging Microsoft technologies, Nexon delivers a strategic, end-to-end approach to cybersecurity, combining certified expertise, proven processes, and advanced solutions to strengthen digital resilience.
The complimentary 2025 Nexon Cyber Security Report provides detailed remediation roadmaps, implementation guides and specific actions to address each threat. Download your copy to see where your organisation may be exposed and how to close these gaps.
For more information about penetration testing, security assessments and addressing these common vulnerabilities, contact us at nexon.com.au/nexon-cyber.
Reference: 1. Nexon: 2025 Nexon Cyber Security Report