Zombie tech vulnerabilities fuel 67 million UK cyber attacks

By Craig Nash
AI-powered tech writer covering artificial intelligence, chips, and computing.

Zombie tech vulnerabilities are quietly devastating UK organisations at scale. SonicWall research for 2025 reveals a paradox that should alarm every business leader: ransomware attack volumes dropped 87% nationally, yet the number of compromised UK organisations jumped 20% in the same period. The culprit is a fundamental shift in attacker strategy—away from indiscriminate “spray and pray” campaigns toward surgical precision targeting of organisations running outdated, unpatched infrastructure.

Key Takeaways

  • A single decade-old Hikvision IP camera vulnerability drove 67 million UK attacks in 2025, representing 20% of all observed intrusions.
  • UK organisations compromised by cyber attacks rose 20% in 2025 despite an 87% drop in overall ransomware volumes.
  • Ransomware appears in 88% of small and medium-sized business breaches versus just 39% in larger enterprises, exposing the SMB security gap.
  • Attackers are abandoning broad attacks for “Big Game Hunting,” targeting organisations with immature security postures and legacy systems.
  • Vulnerabilities disclosed over a decade ago remain actively exploited alongside the Hikvision flaw, underscoring the zombie tech crisis.

How zombie tech vulnerabilities became the UK’s biggest cyber liability

The zombie tech vulnerability crisis stems from a simple, catastrophic reality: organisations are not patching. One Hikvision IP camera flaw—disclosed years ago—accounted for 67 million attempted attacks on UK networks in 2025, representing one-fifth of all intrusion activity observed by SonicWall. This is not a sophisticated zero-day exploit. This is attackers methodically scanning for systems running known, fixable vulnerabilities because they know most organisations will not have applied the patch.

Spencer Starkey, executive VP for EMEA at SonicWall, captured the severity bluntly: “Zombie Tech continues to haunt UK networks. We’re seeing millions of attacks tied to a single long-known vulnerability, alongside continued exploitation of issues first disclosed more than a decade ago”. The term “zombie tech” refers to systems that are technically still running but functionally dead—abandoned by vendors, ignored by IT teams, and left exposed to attackers who treat them as open doors.

What makes this trend particularly dangerous is that attackers are no longer wasting resources on mass campaigns. They have discovered that a handful of precisely targeted attacks against organisations with weak defences yields far better results than millions of spray-and-pray attempts. The data bears this out: despite the 87% drop in overall ransomware volumes, 20% more UK organisations were successfully compromised in 2025. Fewer attacks. More victims. This is attacker efficiency at its most alarming.

The SMB vulnerability gap: why smaller businesses are disproportionately exposed

Small and medium-sized businesses are bleeding faster than larger enterprises when it comes to ransomware breaches. In 2025, ransomware appeared in 88% of SMB breaches compared to just 39% in larger organisations. The gap is not accidental—it reflects the reality that smaller businesses typically operate with thinner security budgets, fewer dedicated IT staff, and older infrastructure that has never been properly inventoried or patched.

Larger enterprises, by contrast, tend to have centralised patch management, security operations centres, and compliance frameworks that force regular system updates. SMBs often lack these basics. A small business running a Hikvision camera system from 2015 might not even know that system exists on their network, let alone understand that it is vulnerable. Meanwhile, attackers are actively scanning for exactly these forgotten devices.

The attacker shift toward “Big Game Hunting” disproportionately harms SMBs because precision targeting requires reconnaissance—identifying which organisations have weak security. Smaller businesses, with less sophisticated monitoring and fewer security professionals, are easier to profile and compromise. Once inside, ransomware becomes the weapon of choice because SMBs often lack backup and recovery infrastructure to resist payment demands.

Why the 87% drop in ransomware volumes is misleading

On the surface, an 87% reduction in ransomware attack volumes sounds like a cybersecurity victory. It is not. Starkey explained the true situation: “On the surface, the 87% drop in overall attack volume might look like progress, but the reality is more alarming. More organisations are being successfully hit, and attackers are doing it with far greater precision”. This is the critical distinction between activity and impact. Attackers have simply stopped wasting ammunition on targets they cannot breach and concentrated firepower on those they can.

The shift reflects a maturation of the ransomware-as-a-service ecosystem. Attackers now operate like businesses themselves, calculating return on investment. Why send a million emails with malware attachments when you can identify five organisations running unpatched systems, breach them quietly, and extract millions in ransom payments? The 20% increase in compromised UK organisations tells the real story: attackers are winning more often, even though they are attacking less frequently.

Zombie tech vulnerabilities persist because patching is hard

Understanding why zombie tech vulnerabilities persist requires acknowledging an uncomfortable truth: patching is operationally difficult. Legacy systems often lack vendor support. Applying patches can require downtime that businesses cannot afford. Some organisations have lost documentation about what systems they even own. Others fear that patching an old system might break it entirely.

Yet inaction is far more costly. A single decade-old vulnerability in Hikvision cameras drove 67 million attacks across the UK in 2025. Most of those attacks likely failed because the organisations being targeted had actually applied the patch. But for the ones that had not, the attack succeeded. The mathematics are brutal: the cost of a ransomware breach—downtime, recovery, ransom, reputational damage—dwarfs the cost of a planned patch deployment.

Starkey highlighted the dual nature of the threat landscape: “Threats are becoming more sophisticated at the top end, while remaining highly exploitable at the base and organisations must address both”. The “base” refers to zombie tech vulnerabilities. These are not advanced persistent threats requiring nation-state-level adversaries. They are commodity attacks targeting systems that should never have been left unpatched in the first place.

What zombie tech vulnerabilities mean for UK organisations in 2026

The 2025 data is a warning. Organisations that have not yet conducted a comprehensive inventory of their infrastructure—identifying every device, every application, every system—are running blind. They do not know what zombie tech they own, which means they cannot patch it. Attackers, meanwhile, are scanning methodically and will find what organisations cannot see.

The shift toward precision targeting also means that industry verticals and organisation sizes matter less than they used to. A small local business with a decade-old IP camera system is just as vulnerable as a mid-market enterprise running unsupported software. The only variable that matters is whether the vulnerability has been patched.

Frequently asked questions

What is a zombie tech vulnerability?

A zombie tech vulnerability refers to a security flaw in outdated, unsupported, or abandoned systems that attackers actively exploit because organisations have failed to patch them. The Hikvision IP camera flaw driving 67 million UK attacks in 2025 is a textbook example—a known, fixable vulnerability in legacy hardware that organisations neglected to update.

Why are SMBs hit harder by ransomware than larger enterprises?

Smaller businesses lack the security infrastructure, patch management processes, and IT resources of larger organisations. Ransomware appeared in 88% of SMB breaches versus 39% in larger enterprises in 2025, reflecting this maturity gap. Attackers know SMBs are easier to breach and less equipped to recover without paying ransom.

Does the 87% drop in ransomware attacks mean cyber threats are declining?

No. The drop in attack volume masks a more alarming reality: attackers have shifted from broad campaigns to precision targeting of vulnerable organisations. The 20% increase in compromised UK organisations in 2025 shows that fewer attacks are succeeding more often. Attackers are working smarter, not harder.

The zombie tech vulnerability crisis is not a technical problem—it is an operational one. Organisations know how to patch systems. The question is whether they will act before attackers find the gaps. The 2025 data suggests most have not.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
