Cyberattacks on MSPs in 2025: what’s new and how to respond

Cybercriminals are targeting MSPs with new and increasingly complex phishing attacks. That’s just one headline from the latest Acronis Cyberthreats Report, which analyses the global threat landscape for MSPs and their clients.

Compiled by the Acronis Threat Research Unit (TRU) and based on data from over one million endpoints worldwide, the report tracks malware, ransomware, web and email attacks, and key vulnerabilities. Data is from the first half of 2025.

We’ve pulled out a few of the highlights below; you can also download the full report.

Leading access vectors (MSPs, Telcos and ISPs)

Attack vectors are evolving in response to improved defences, but humans often remain the weakest link, with AI enabling more sophisticated forms of deception.

Phishing: 52%
MSPs are frequent targets of phishing emails posing as clients or partners. In fact, phishing accounted for 52% of all attacks, up from 30% last year. These scams steal credentials or deliver malware via fake MFA prompts or malicious attachments. In one case, attackers used a phishing email to capture an admin’s RMM credentials, unlocking access to multiple client environments.

Unpatched vulnerabilities: 27%
Known flaws in MSP tools, such as RMM platforms or VPNs, remain a prime entry point and have increased slightly from 23%. Attackers have exploited Atlassian Jira vulnerabilities, including remote code execution and authentication bypass, to gain initial access. Once inside, they deployed infostealers to harvest credentials and tokens for deeper lateral movement.

Valid account abuse / credential theft: 15%
Stolen admin credentials, tokens, and reused passwords give attackers near-invisible access. By logging in directly, they bypass MFA and enter cloud dashboards or RMM systems undetected. One hijacked Microsoft 365 session token enabled attackers to silently control multiple client tenants. This vector has experienced a small increase over the last 12 months.

Remote Desktop Protocol (RDP): 3%
Exposed or misconfigured RDP services provide another route in—but one that has dropped dramatically from 24% to 3%. Attackers brute-force credentials or exploit trusted MSP IPs to gain access. In one breach, an attacker entered a vulnerable MSP backup server via RDP, then pivoted into both internal and client systems.

Trusted relationship exploitation: 2%
Compromising an MSP opens doors to client systems through VPNs or remote tools. Attackers may impersonate the MSP, pushing malicious updates or fraudulent support instructions. In one attack, ransomware was distributed as a routine update through the MSP’s RMM console. This attack vector has dropped from 6% to 2% in the last year, showing the effectiveness of proactive defense.

Software vulnerabilities

The report also highlights three vulnerabilities in third-party software products that have been exploited in MSP-related attacks.

Cleo file transfer tool (CVE-2024-50623 & CVE-2024-55956)
Though first disclosed in 2024, these flaws are still being exploited in 2025. The vulnerabilities in Cleo’s file transfer tool let attackers bypass authentication or gain unauthorized access. The Cl0p ransomware group has leveraged them to breach multiple organizations, including financial institutions. For MSPs relying on such tools, the risk extends deep into the supply chain.

Cisco vulnerabilities (e.g. CVE-2023-20198 & CVE-2023-20273)
Unpatched Cisco IOS XE devices continue to expose telecom networks to attack. Salt Typhoon, a China-linked APT group, and others have exploited these 2023 vulnerabilities, which impact core networking infrastructure. Attackers can intercept call and text metadata — and potentially use compromised devices as a launchpad into wider systems.

SimpleHelp RMM (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728)
On June 4, 2025, CISA, the FBI, and other federal agencies issued a #StopRansomware advisory on active exploitation of SimpleHelp RMM flaws. Ransomware groups, including Play-linked initial access brokers, exploited CVE-2024-57727 to gain remote access and execute malicious commands. Compromised servers were then used to deploy ransomware and exfiltrate data using backdoors such as Sliver, affecting multiple U.S. organizations.

Most used MITRE techniques

The report addresses the adversary tactics and techniques named in the MITRE ATT&CK framework, with practical advice on mitigating and defending against named techniques, including Process Injection and PowerShell.

AI is driving increasingly sophisticated attacks

“While the endgame for cybercriminals is still ransomware, how they get there is changing,” said Gerald Beuchelt, CISO at Acronis.

“Even the least sophisticated attackers today have access to advanced AI capabilities, generating social engineering attacks and automating their activities with minimal effort.

“The result is that MSPs, manufacturers, ISPs, and others are constantly exposed to sophisticated attacks, including increasingly advanced deepfakes, and all it takes is one mistake to put the organizations’ entire future at risk.”

Download the report

Read the full report now for in-depth data and analysis—or check out the highlights video below.

And don’t forget to join Acronis at MSP GLOBAL where their experts will be sharing more insights and practical advice, including DEEPFAKE LIVE with Gerald Beuchelt, Acronis CISO, and Oleg Ishanov, Director, Threat Research.

Miles Kendall