{"id":569536,"date":"2025-11-14T09:27:21","date_gmt":"2025-11-14T09:27:21","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/569536\/"},"modified":"2025-11-14T09:27:21","modified_gmt":"2025-11-14T09:27:21","slug":"germanys-expanding-threat-landscape-sme-cyber-risks","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/569536\/","title":{"rendered":"Germany\u2019s Expanding Threat Landscape &#038; SME Cyber Risks"},"content":{"rendered":"<p>\n\t\t\t\t\tGermany\u2019s Threat Landscape is growing at an unprecedented pace with attack surfaces expanding, APT actors dominating, and SMEs bearing the brunt of this offense. Here\u2019s what you need to know.\t\t\t\t<\/p>\n<p>The Federal Office for Information Security (BSI) released its 2025 report on the state of IT security in Germany, and the verdict is unequivocal: there is no all-clear. Despite notable law enforcement successes against major <a href=\"https:\/\/cyble.com\/knowledge-hub\/who-is-a-cybercriminal\/\" target=\"_blank\" rel=\"noreferrer noopener\">cybercrime<\/a> groups, Germany\u2019s IT security situation remains \u201ctense.\u201d The culprit? Inadequately protected attack surfaces that continue to provide easy entry points for threat actors, BSI noted.\u00a0<\/p>\n<p>For the first time, the BSI, through its findings, said that while threats have somewhat stabilized, poorly managed attack surfaces are keeping risk levels dangerously high. 
Most concerning is that 80% of reported attacks now target small and medium-sized enterprises (SMEs)\u2014organizations that often lack the resources and expertise to defend themselves effectively.\u00a0<\/p>\n<p><strong>Statistical Snapshot<\/strong>\u00a0<\/p>\n<p>Threats\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Positive developments:<\/strong> International law enforcement operations disrupted major cybercrime groups like LockBit and AlphV, greatly reducing their activity.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li><strong>Botnets:<\/strong> BadBox and Vo1d were the most active globally.\u00a0<br \/>The BSI participated in takedown operations through sinkholing measures.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li><strong>Phishing and malware:<\/strong> Over 800 malicious websites per day were detected, though their average lifespan decreased to under two hours, showing faster countermeasures.\u00a0<\/li>\n<\/ul>\n<p>Attack Surface\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>Web-based vulnerabilities remained alarming, with 119 new software vulnerabilities identified daily (+24% year-over-year).\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Many public-facing systems remained unpatched, posing risk.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Germany had 13.2 million reachable [.]de domains, with 47 million vulnerable server services detected.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>The report urges organizations to adopt attack surface management as routinely as antivirus protection.\u00a0<\/li>\n<\/ul>\n<p>Attacks\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Cyber espionage:<\/strong> Government institutions were the main target of APTs.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li><strong>Ransomware:<\/strong> Around 950 reported cases, with 72% involving data leaks.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Exploitation attacks increased 38% from the 
prior year.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>80% of reported <a class=\"wpil_keyword_link\" href=\"https:\/\/cyble.com\/knowledge-hub\/what-is-a-cyber-attack\/\" target=\"_blank\" rel=\"noopener\" title=\"What is a Cyber Attack?\" data-wpil-keyword-link=\"linked\" data-wpil-monitor-id=\"22562\">cyberattacks<\/a> targeted small and medium-sized enterprises (SMEs) due to limited resources and cybersecurity know-how.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Critical infrastructure (energy, transport, healthcare, finance) reported dozens of cyber incidents.\u00a0<\/li>\n<\/ul>\n<p>Impact\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>Data leaks surged to 461 incidents involving German institutions.\u00a0<\/li>\n<\/ul>\n<p><strong>Leaked data included:<\/strong>\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>Physical addresses (72%)\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Passwords, financial, and health information\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Ransom payments decreased in frequency, but the average ransom amount reached an all-time high.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>IoT devices (like Android smart gadgets) became a growing infection source\u2014many shipped already compromised.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>30,000 BadBox-infected and 10,000 Vo1d-infected devices were mitigated via BSI coordination.\u00a0<\/li>\n<\/ul>\n<p>Resilience\u00a0<\/p>\n<p><strong>The BSI enhanced its monitoring and certification:<\/strong>\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>413 Common Criteria certificates issued (105 new in 2025).\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>8,622 organizations joined the Alliance for Cyber Security.\u00a0<\/li>\n<\/ul>\n<p><strong>Incident management maturity (KRITIS operators):<\/strong>\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>ISMS maturity is mostly at levels 3\u20134.\u00a0<\/li>\n<\/ul>\n<ul 
class=\"wp-block-list\">\n<li>BCMS maturity is improving.\u00a0<\/li>\n<\/ul>\n<p><strong>Public awareness remains mixed:<\/strong>\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>Citizens know on average 6.1 protection measures, but use only 3.8.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Many find measures \u201ctoo complicated\u201d.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>Common protections: strong passwords, 2FA, password managers.\u00a0<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li>The BSI\u2019s service center handled ~10,500 citizen inquiries on cybersecurity in 2025.\u00a0<\/li>\n<\/ul>\n<p><strong>The Numbers Tell a Sobering Story<\/strong>\u00a0<\/p>\n<p>Germany\u2019s web attack surface in Q2 2025 comprised approximately 13.2 million [.]de domains accessible from the internet. Of these, 8.1 million domains were reachable via both IPv4 and IPv6, while 5.1 million were accessible only through IPv4. This massive digital footprint represents an enormous challenge for security teams trying to maintain visibility and control.\u00a0<\/p>\n<p>The <a href=\"https:\/\/cyble.com\/solutions\/vulnerability-management\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerability<\/a> landscape has intensified significantly. An average of 119 new vulnerabilities in IT systems were discovered daily during the reporting period\u2014a 24% increase compared to the previous year. This relentless pace of vulnerability disclosure, driven partly by changed reporting policies but also by the growing complexity of software systems, means that organizations face an ever-expanding list of potential weaknesses to address.\u00a0<\/p>\n<p>Meanwhile, exploitation attempts have surged. The BSI\u2019s MADCAT honeypot measurements showed a 38% increase in exploitation attacks compared to the previous reporting period. 
Attackers aren\u2019t just probing systems\u2014they\u2019re actively exploiting weaknesses at an accelerating rate.\u00a0<\/p>\n<p><strong>The Cybercrime Landscape in Germany: Stabilization Without Relief<\/strong>\u00a0<\/p>\n<p>The threat landscape showed some positive developments during the reporting period. International law enforcement actions against major <a href=\"https:\/\/cyble.com\/knowledge-hub\/what-is-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">ransomware<\/a> operations led to a degree of stabilization. LockBit and AlphV, two previously dominant ransomware groups, were substantially disrupted. This represents a significant victory for coordinated international cybercrime enforcement.\u00a0<\/p>\n<p>However, stabilization doesn\u2019t mean elimination. Germany ranked third globally among cybercrime group targets at 64%, behind only the United States (94%) and the United Kingdom (71%). The cybercrime ecosystem has proven remarkably resilient, with new groups emerging to fill the void left by disrupted operations. RansomHub, Clop, Akira, Qilin, and Play were among the most active groups during the reporting period, continuing the trend of Ransomware-as-a-Service that makes sophisticated attacks accessible to less skilled criminals.\u00a0<\/p>\n<p>The data leak situation has reached alarming levels. During the reporting period, 461 data leaks affected German institutions and consumers. The most commonly compromised information included birth dates (92% of leaks), physical addresses (72%), and email addresses (63%). More sensitive data, such as passwords (36%), payment information (22%), and health data (18%) were also frequently exposed.\u00a0<\/p>\n<p><strong>The IoT Botnet Threat<\/strong>\u00a0<\/p>\n<p>Perhaps one of the most disturbing revelations in the BSI report concerns IoT botnets, particularly BadBox and Vo1d. 
BadBox became the largest active botnet in Germany, with up to 58% of infected systems in the country attributed to this single operation. What makes BadBox especially concerning is that devices were infected during the production phase\u2014before they ever reached consumers.\u00a0<\/p>\n<p>This represents a fundamental shift in the threat model. Traditional security advice assumes that devices are secure when purchased and become compromised through user behavior or software vulnerabilities. BadBox demonstrates that supply chain compromises can deliver pre-compromised devices directly to consumers and businesses, who have no practical way to detect the infection.\u00a0<\/p>\n<p>The BSI responded through sinkholing operations, redirecting communication attempts from infected devices to BSI-controlled servers to prevent further malicious activity. Approximately 30,000 BadBox-infected IoT systems had their communications blocked, and device owners were notified. An additional 10,000 Vo1d-infected device owners received similar notifications. While these remediation efforts represent important defensive actions, they\u2019re reactive measures addressing infections that have already occurred.\u00a0<\/p>\n<p><strong>The SME Vulnerability Gap<\/strong>\u00a0<\/p>\n<p>The statistic that should alarm every business leader in Germany: approximately 80% of reported attacks targeted SMEs. This isn\u2019t a random distribution\u2014it\u2019s a deliberate strategic shift by attackers toward softer targets.\u00a0<\/p>\n<p>The dynamics are straightforward. Large enterprises have dedicated security teams, substantial budgets, and often sophisticated detection and response capabilities. Attacking them requires significant resources and expertise, with no guarantee of success. SMEs, conversely, often operate with limited IT staff, minimal security budgets, and gaps in both technical controls and security awareness. 
For cybercriminals conducting cost-benefit analyses, SMEs represent the optimal target: easier to compromise, less likely to detect attacks quickly, and numerous enough to provide a steady stream of victims.\u00a0<\/p>\n<p>The attack pattern reflects this calculation. Rather than pursuing complex, targeted attacks against well-defended enterprises, <a class=\"wpil_keyword_link\" href=\"https:\/\/cyble.com\/knowledge-hub\/cyber-threat-actor-and-types\/\" target=\"_blank\" rel=\"noopener\" title=\"What is a Cyber Threat Actor? Types of Threat Actors\" data-wpil-keyword-link=\"linked\" data-wpil-monitor-id=\"22560\">threat actors<\/a> increasingly favor volume-based approaches, hitting many SMEs with relatively simple techniques. Ransomware attacks have become particularly effective against this segment, with 72% of the 950 reported ransomware incidents involving data leaks used to pressure victims into paying.\u00a0<\/p>\n<p>Interestingly, while ransom payment rates continued their multi-year decline\u2014dropping to just 26% in Q2 2025 compared to 85% in Q1 2019\u2014the average ransom payment reached all-time highs. This suggests that while fewer victims are paying, those who do pay are facing substantially larger demands, particularly when data leakage is involved.\u00a0<\/p>\n<p><strong>Attack Surface Management: The Missing Link<\/strong>\u00a0<\/p>\n<p>The BSI\u2019s conclusion is direct and unambiguous: \u201cProtection of attack surfaces is the decisive lever for improving cybersecurity in 2026.\u201d This isn\u2019t merely one recommendation among many\u2014it\u2019s identified as the critical factor that will determine whether Germany\u2019s cybersecurity situation improves or continues to deteriorate.\u00a0<\/p>\n<p>The data support this assessment. Of the accessible IP addresses in Q2 2025, approximately 791,722 showed exposed metadata\u2014potential indicators of security weaknesses. 
Far too often, known vulnerabilities in perimeter systems are patched too late or not at all. Web attack surfaces, in particular, show a \u201cworrying state\u201d that requires more professional attention through effective attack surface management.\u00a0<\/p>\n<p>The federal administration provides a microcosm of the challenge. An average of 684,000 active email addresses existed in federal networks daily, along with approximately 1,480 active social media accounts (with high numbers of unreported cases due to private employee accounts). Daily accessible IP addresses of the federal administration with suspected vulnerabilities ranged from zero to over 300 depending on severity level. Even well-resourced government agencies struggle to maintain complete visibility and control over their attack surfaces.\u00a0<\/p>\n<p>The BSI argues that <a href=\"https:\/\/cyble.com\/solutions\/attack-surface-management\/\" target=\"_blank\" rel=\"noreferrer noopener\">attack surface management<\/a> must become as routine as antivirus software for email. This represents a fundamental shift in thinking\u2014from treating attack surface visibility as an occasional audit activity to recognizing it as a continuous operational necessity.\u00a0<\/p>\n<p><strong>The Resilience Gap<\/strong>\u00a0<\/p>\n<p>Germany has made substantial investments in cybersecurity awareness and capability building. The Alliance for Cyber Security has grown to include 8,622 companies and institutions. The BSI issued 41 <a href=\"https:\/\/cyble.com\/knowledge-hub\/what-is-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">cybersecurity<\/a> warnings during the reporting period and provided 3,871 reports through its Warning and Information Service. 
Critical infrastructure operators continue to make progress in implementing Information Security Management Systems (ISMS) and Business Continuity Management Systems (BCMS), with maturity levels steadily improving.\u00a0<\/p>\n<p>Yet awareness hasn\u2019t translated to sufficient action, particularly among vulnerable groups. Consumer surveys revealed a troubling gap: respondents knew an average of 6.1 protection measures but actually used only 3.8. Both awareness and usage of protection measures declined in 2025. Many respondents cited finding the measures too complicated, suggesting that even when people know what to do, friction in implementation prevents effective security practices.\u00a0<\/p>\n<p>The federal administration saw some positive trends, with daily <a href=\"https:\/\/cyble.com\/knowledge-hub\/what-is-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">malware<\/a> attacks via email declining slightly from 772 to 753. However, blocked access attempts to malicious websites increased by 23%, from 9,212 to 11,330 daily attempts. The threat isn\u2019t decreasing\u2014it\u2019s shifting to channels where defenses may be less mature.\u00a0<\/p>\n<p><strong>From Awareness to Protection<\/strong>\u00a0<\/p>\n<p>The BSI report makes clear that incremental improvements won\u2019t suffice. Every organization\u2014regardless of size\u2014must treat attack surface analysis and management as indispensable components of effective risk management. This requires several shifts in thinking and practice:\u00a0<\/p>\n<p>First, organizations must move from periodic security assessments to continuous monitoring. Attack surfaces change too rapidly for annual or quarterly reviews to provide meaningful protection. What was secure yesterday may be vulnerable today.\u00a0<\/p>\n<p>Second, vulnerability management must evolve from attempting comprehensive patching to intelligent prioritization. 
With 119 new vulnerabilities discovered daily, teams must focus on vulnerabilities that pose actual risk to their specific environments\u2014those being actively exploited, affecting internet-facing systems, or for which exploit code exists in underground markets.\u00a0<\/p>\n<p>Third, SMEs must receive targeted support. Expecting resource-constrained small businesses to independently develop sophisticated security programs isn\u2019t realistic. Industry associations, government agencies, and technology providers must collaborate on solutions that are accessible, affordable, and appropriately scaled for SME needs.\u00a0<\/p>\n<p>Fourth, supply chain security must extend beyond vendor questionnaires to continuous monitoring of partner security postures. The question isn\u2019t whether a vendor had good security six months ago\u2014it\u2019s whether they\u2019re secure right now.\u00a0<\/p>\n<p><strong>Building Proactive Defenses in a Tense Environment<\/strong>\u00a0<\/p>\n<p>The BSI characterizes Germany\u2019s IT security situation as \u201ctense,\u201d and the data justifies this assessment. Threats have stabilized at high levels rather than diminishing. Attack surfaces continue expanding faster than organizations can secure them. Risks remain elevated because too many vulnerabilities go unaddressed. Damage effects, measured in data leaks and financial costs, show no signs of declining.\u00a0<\/p>\n<p>Yet the report also demonstrates that focused efforts produce measurable results. Law enforcement actions disrupted major cybercrime groups. Sinkholing operations neutralized tens of thousands of botnet infections. Critical infrastructure operators improved their security management maturity. These successes prove that the situation, while tense, isn\u2019t hopeless.\u00a0<\/p>\n<p>What\u2019s needed is a fundamental reorientation toward proactive attack surface management. 
Organizations that understand what attackers see, prioritize vulnerabilities that matter, and maintain continuous visibility over their digital footprint will significantly reduce their risk exposure. Those that don\u2019t will remain attractive targets in an increasingly hostile threat landscape.\u00a0<\/p>\n<p>The BSI\u2019s message is clear. Protect attack surfaces now, or accept increasing risk. For Germany\u2019s businesses\u2014particularly the SMEs absorbing 80% of attacks\u2014this isn\u2019t a theoretical concern. It\u2019s an operational imperative that will determine which organizations thrive and which become the next breach statistics in next year\u2019s report.\u00a0<\/p>\n<p><strong>Taking Action on Attack Surface Management<\/strong>\u00a0<\/p>\n<p>The challenges identified in Germany\u2019s BSI report aren\u2019t unique to German organizations\u2014they\u2019re indicative of global trends affecting businesses worldwide. Expanding attack surfaces, persistent threats, and vulnerability management at scale are universal challenges requiring comprehensive visibility and continuous monitoring.\u00a0<\/p>\n<p>Cyble\u2019s <a class=\"wpil_keyword_link\" href=\"https:\/\/cyble.com\/solutions\/cyber-threat-intelligence\/\" target=\"_blank\" rel=\"noopener\" title=\"Cyber Threat Intelligence\" data-wpil-keyword-link=\"linked\" data-wpil-monitor-id=\"22559\">threat intelligence<\/a> platform addresses these core challenges through integrated attack surface management, real-time vulnerability intelligence, and dark web monitoring. 
Organizations gain visibility into their exposed assets, prioritize vulnerabilities based on active exploitation, and receive early warnings about threats emerging in underground forums\u2014the same capabilities the BSI report identifies as critical for improving <a href=\"https:\/\/cyble.com\/knowledge-hub\/what-is-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">cybersecurity<\/a> posture.\u00a0\u00a0<\/p>\n<p><strong>For organizations looking to move from reactive security to proactive AI-driven attack surface protection, <\/strong><a href=\"https:\/\/cyble.com\/en-eu\/get-a-demo-today\/?utm_source=europe&amp;utm_medium=blog\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>request a demo<\/strong><\/a><strong> to explore how comprehensive threat intelligence can strengthen your defenses.<\/strong>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"Germany\u2019s Threat Landscape is growing at an unprecedented pace with attack surfaces expanding, APT actors dominating, and 
SMEs&hellip;\n","protected":false},"author":2,"featured_media":569537,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5310],"tags":[2000,299,1824],"class_list":{"0":"post-569536","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-germany","8":"tag-eu","9":"tag-europe","10":"tag-germany"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/115547343624347304","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/569536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=569536"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/569536\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/569537"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=569536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=569536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=569536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}