ZCyberNews

BHIS Pentest Data: Same Top Flaws Plague Orgs in 2025

Black Hills InfoSec's 2025 pentest analysis of 15 months of data shows the same top 10 vulnerabilities as 2022 — weak passwords, unpatched RDP, and misconfigured MFA remain…

Executive Summary

Black Hills Information Security (BHIS) released its "Why You Got Hacked – 2025 Super Edition" analysis, covering penetration test data collected through September 2025. The findings are starkly consistent with BHIS's prior analyses from 2022 and 2023: the same handful of security failures — weak passwords, unpatched Remote Desktop Protocol (RDP), misconfigured multi-factor authentication (MFA), excessive administrative privileges, and missing endpoint detection — continue to dominate the vulnerability landscape. No new attack vectors or zero-days were required; attackers and pentesters alike are exploiting the same systemic weaknesses year after year.

Technical Analysis

BHIS aggregated findings from internal and external penetration tests conducted over 15 months ending in September 2025. The top five findings by frequency were:

  1. Weak or default credentials — including reused passwords across services and accounts with no password complexity requirements.
  2. Unpatched RDP exposed to the internet — hosts reachable on TCP/3389 from the internet, typically without Network Level Authentication (NLA), so the listener can be hit with password guessing and unauthenticated RDP exploits before any session is established.
  3. Misconfigured MFA — including MFA not enforced for all users, bypassable via legacy authentication protocols that cannot carry a second factor (e.g., basic auth over IMAP, POP3, or SMTP), or vulnerable to push-notification fatigue (prompt bombing), where a user eventually approves a flood of push prompts they did not initiate.
  4. Excessive local administrative privileges — users running with admin rights on workstations, enabling lateral movement and privilege escalation.
  5. Missing endpoint detection and response (EDR) — systems lacking EDR agents or with agents not actively monitoring.
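
The exposed-RDP finding is easy to verify from the outside. The following Python probe is an added example, not code from the BHIS report or this article: it performs the X.224 security-protocol negotiation from MS-RDPBCGR (the first exchange of every RDP connection) and asks for TLS without CredSSP. A server that enforces NLA refuses with failure code HYBRID_REQUIRED_BY_SERVER; a server that accepts the request allows logon attempts without NLA. The hostnames, the sample replies and the `probe_rdp_nla` helper are assumptions for illustration; only probe hosts you are authorized to test.

```python
"""Check whether an RDP listener enforces Network Level Authentication (NLA).

Added example (not from the BHIS report). Implements the X.224 Connection
Request / Connection Confirm exchange with the RDP_NEG_REQ / RDP_NEG_RSP /
RDP_NEG_FAILURE structures from MS-RDPBCGR 2.2.1.1 and 2.2.1.2.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000       # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001       # TLS, no CredSSP (no NLA)
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes)."""
    # RDP_NEG_REQ: type=1, flags=0, length=8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: LI counts everything after itself: code, DST-REF, SRC-REF, class, neg_req
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req))
    return tpkt + x224 + neg_req


def parse_connection_confirm(data: bytes) -> dict:
    """Parse the server's X.224 Connection Confirm and its negotiation payload."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    payload = data[11:5 + li]          # bytes after the 6-byte fixed CC part
    if not payload:
        # Old servers answer with a bare CC: standard RDP security, no TLS, no NLA
        return {"type": None, "selected_protocol": PROTOCOL_RDP, "failure": None}
    if len(payload) < 8:
        raise ValueError("malformed RDP negotiation structure")
    ntype, _flags, length = struct.unpack("<BBH", payload[:4])
    value = struct.unpack("<I", payload[4:8])[0]
    if length != 8:
        raise ValueError("malformed RDP negotiation structure")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"type": "RDP_NEG_RSP", "selected_protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"type": "RDP_NEG_FAILURE", "selected_protocol": None,
                "failure": FAILURE_CODES.get(value, f"UNKNOWN_{value:#x}")}
    raise ValueError(f"unexpected negotiation type {ntype:#x}")


def classify_nla(reply: dict) -> str:
    """Verdict for a probe that requested PROTOCOL_SSL only (TLS without CredSSP)."""
    if reply["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "nla-enforced"            # server refuses anything but CredSSP
    if reply["type"] == "RDP_NEG_RSP":
        return "nla-not-required"        # TLS logon screen reachable pre-auth
    if reply["type"] is None:
        return "legacy-rdp-security"     # no TLS at all, worst case
    return f"refused:{reply['failure']}"


def probe_rdp_nla(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Live probe (assumed helper): one TCP connection, one request, one reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        data = s.recv(1024)
    return classify_nla(parse_connection_confirm(data))


# Constructed server replies (not captured traffic) for offline use.
SAMPLE_REPLIES = {
    "nla_enforced": bytes.fromhex("03000013" "0ed00000123400" "0300080005000000"),
    "tls_only":     bytes.fromhex("03000013" "0ed00000123400" "0200080001000000"),
    "legacy":       bytes.fromhex("0300000b" "06d00000123400"),
}


def classify_samples() -> dict:
    return {name: classify_nla(parse_connection_confirm(raw))
            for name, raw in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} -> {verdict}")
```

Run `probe_rdp_nla("rdp.example.test")` against your own external range; anything other than `nla-enforced` belongs on the remediation list, and `legacy-rdp-security` means the host is not even negotiating TLS. The same negotiation is what scanners such as nmap's `rdp-enum-encryption` script perform, one requested protocol at a time.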

BHIS noted that these findings closely mirror their 2022 and 2023 reports, suggesting that organizational security posture has not materially improved despite increased industry awareness and tooling. The report attributes this stagnation to "security debt" — accumulated misconfigurations and unpatched systems that organizations fail to remediate due to operational pressure or resource constraints.

Mitigations & Recommendations

Defenders should prioritize the five categories above as a baseline security checklist. BHIS recommends:

  • Enforce password complexity and implement passwordless authentication (e.g., FIDO2/WebAuthn) where feasible.
  • Disable RDP on internet-facing systems or require VPN + NLA for remote access.
  • Audit MFA configurations so that every user and every authentication path is covered, legacy authentication protocols (basic auth over IMAP, POP3, SMTP) are blocked rather than merely discouraged, and bare push approval is replaced with number matching or a phishing-resistant factor.
  • Implement least-privilege models for user accounts and remove local admin rights from standard users.
  • Deploy and maintain EDR on all endpoints, with active monitoring and alerting for common attack patterns.
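
The MFA audit above is a log question before it is a policy question: which users are still signing in over legacy protocols, and which modern-client sign-ins are never challenged for a second factor. The script below is an added example, not from BHIS or this article. It assumes sign-in records exported in the shape of the Microsoft Graph `signIn` resource (`clientAppUsed`, `authenticationRequirement`, `conditionalAccessStatus`, `status.errorCode`); the JSON lines, user names and IP addresses are constructed for illustration.

```python
"""Audit sign-in records for the MFA gaps a pentester looks for:
legacy-protocol logins that skipped MFA, modern-client logins that were never
challenged, and legacy-endpoint failures that look like password spraying.

Added example (not from the BHIS report). Field names follow the Microsoft
Graph signIn resource; the sample records are constructed, not real logs.
"""
import json
from collections import defaultdict

# Client types that authenticate with basic/legacy auth and therefore cannot
# complete an MFA challenge, as labelled in Entra ID sign-in logs.
LEGACY_CLIENTS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover",
}

# Constructed sample export, one JSON object per line.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.test", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.test", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.test", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "ipAddress": "203.0.113.22", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.test", "clientAppUsed": "POP3", "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"userPrincipalName": "erin@example.test", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
"""


def parse_signins(text: str) -> list:
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_signins(records: list) -> dict:
    """Bucket sign-ins into the three findings worth remediating."""
    legacy_success = set()          # MFA bypassed: legacy client, logon succeeded
    modern_single_factor = set()    # MFA not enforced for this user/app path
    legacy_failures_by_ip = defaultdict(int)  # spraying against legacy endpoints
    for r in records:
        ok = r.get("status", {}).get("errorCode", 0) == 0
        legacy = r.get("clientAppUsed") in LEGACY_CLIENTS
        single_factor = r.get("authenticationRequirement") == "singleFactorAuthentication"
        user = r["userPrincipalName"]
        if legacy and not ok:
            legacy_failures_by_ip[r.get("ipAddress", "?")] += 1
        elif legacy and ok:
            legacy_success.add(user)
        elif ok and single_factor:
            modern_single_factor.add(user)
    return {
        "legacy_auth_success": sorted(legacy_success),
        "mfa_not_enforced": sorted(modern_single_factor),
        "legacy_failures_by_ip": dict(legacy_failures_by_ip),
    }


def audit_sample() -> dict:
    return audit_signins(parse_signins(SAMPLE_SIGNINS))


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Every name under `legacy_auth_success` is an account whose password alone was enough, whatever the MFA policy says; `mfa_not_enforced` lists users whose modern-client sign-ins completed with a single factor, which is the "not enforced for all users" finding from the report. The fix for the first bucket is a Conditional Access policy that blocks legacy authentication client types, with the log re-run afterwards to confirm the bucket is empty.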

No specific CVEs or patches are referenced because the findings are predominantly configuration- and behavior-based rather than individual software flaws; even the exposed-RDP finding is about internet exposure and missing NLA, not a single patchable bug.


Tags: penetration-testing, bhis, vulnerability-trends, weak-passwords, rdp, mfa, privilege-escalation
