5 ways endpoint security solutions could have stopped breaches in 2025
Five real 2025 incidents. Practical lessons on endpoint protection, posture management, and identity security to prevent the next breach.
This year has seen a non-stop wave of cyberattacks across industries. From ransomware shutting down business operations to massive data leaks, each incident offers a lesson in what might have prevented it. Notably, many of 2025’s worst breaches could have been stopped, or at least mitigated, by strong endpoint security practices. Unpatched software, stolen passwords, and misconfigured systems have been common points of entry. In this post, we’ll examine five high-profile breaches from 2025 and explore how endpoint security could have kept them from happening.
1. Microsoft SharePoint zero-day attacks
One big 2025 incident involved widespread exploits of on-premises Microsoft SharePoint servers. In July, cybercriminals (including groups tied to China) abused newly discovered vulnerabilities, dubbed ToolShell, to compromise hundreds of SharePoint systems.
Over 400 servers were infiltrated across more than 100 organizations, including United States (US) government agencies. The attackers leveraged these zero-day vulnerabilities to execute malicious code, essentially gaining unfettered access to the data on those servers. Microsoft rushed to release patches, but not before sensitive information was accessed and backdoors potentially planted by the hackers.
This breach shows us the importance of timely patch management. Even though the SharePoint exploits began as zero days, organizations that quickly applied Microsoft’s out-of-band patches were protected once fixes became available. An endpoint management solution with automated patch management would have promptly updated the affected SharePoint servers, closing the door on the ToolShell attacks.
Additionally, advanced endpoint detection and response (EDR) could have identified suspicious behavior on those servers, such as unusual processes or privilege escalation, and alerted security teams in real time. By combining patching with behavior-based threat detection, a unified endpoint management and security platform could have drastically limited the window of exposure.
2. Ingram Micro ransomware attack
No sector was safe in 2025, as shown by a huge ransomware attack on Ingram Micro, a Fortune 500 IT distribution giant. Over the July 4th holiday, Ingram Micro’s systems were hit by the SafePay ransomware, forcing the company to take its global ordering systems offline.
For nearly a week, customers could not place orders, disrupting supply chains until Ingram Micro restored operations on July 10. This attack had all the hallmarks of modern ransomware: malware spreading through the network, encrypting critical servers, and demanding payment.
SafePay, the group responsible, eschews the typical Ransomware as a Service model, which made it particularly challenging to defend against. The end result was a lot of business downtime and likely financial losses, not to mention reputational damage for a firm whose business relies on reliability.
Ransomware is exactly the kind of threat that endpoint security solutions are built to tackle. In Ingram Micro’s case, a multi-layered endpoint defense could have stopped SafePay at several points.
First, anti-malware and threat intelligence feeds on endpoints would recognize known malicious files or suspicious behaviors (like a process encrypting files) and block them before encryption spread. Second, EDR tools could have detected the ransomware’s lateral movement early on.
By containing the infection at patient zero, the attack would never have cascaded into a full-blown outage. Finally, regular data backups combined with an endpoint management plan can ensure a business can recover quickly even if some systems are hit.
3. Qantas contact center data breach
In June 2025, Australian airline Qantas suffered one of the country’s biggest data breaches in years. Attackers broke into a third-party customer service platform used by Qantas’ contact center, accessing a database with about 6 million customer records that included information like names, email addresses, phone numbers, birth dates, and frequent-flyer numbers.
The breach did not affect flight safety or operations, but it dealt a major blow to customer trust. Investigations suggest the culprits used social engineering tactics linked to the Scattered Spider hacker group, impersonating IT staff to steal employee login credentials.
This shows us the need for strict access controls and identity verification on every endpoint and application. Had Qantas’ third party platform been protected by multi-factor authentication (MFA), a stolen password alone would not have been enough to gain entry.
Endpoint security solutions enable companies to enforce MFA for both in-house and third party systems, ensuring that even if credentials are phished, an additional method of verification (like a mobile authenticator or hardware token) is required to log in.
Endpoint platforms can also deploy user behavior analytics to spot anomalies; for example, an employee account downloading millions of records or logging in from an unusual location would trigger alarms. In Qantas’ case, a combination of MFA and monitoring could have stopped the attacker at the gate.
4. Barts Health NHS Trust: Cl0p ransomware attack
In August 2025, Barts Health NHS Trust suffered a cyberattack linked to the Cl0p ransomware group. Barts says attackers exploited a vulnerability in Oracle E-Business Suite (EBS) to access and copy files from a database used for invoicing and billing. The trust later confirmed the stolen information included names, addresses, and invoice details, affecting some patients and staff.
The incident did not take down Barts’ electronic patient record or core clinical systems, but the data theft still created meaningful risk since invoice and contact details can be used for targeted scams and phishing. After Cl0p posted data online, Barts reported working with NHS England, the NCSC, and the Metropolitan Police, and also pursued legal action to limit further dissemination.
This is exactly the kind of breach endpoint security programs are meant to reduce, especially for internet-facing enterprise apps. Once Oracle issued fixes for actively exploited EBS vulnerabilities, automated patch management and vulnerability scanning would have reduced the exposure window dramatically.
On top of that, endpoint management on the affected servers could have flagged post-exploitation activity (like new web shells or processes, suspicious admin actions, or unusual data access or export) early enough to contain the incident before large-scale data was copied out.
5. Allianz Life Insurance cloud CRM breach
Even highly regulated industries weren’t spared in 2025. In late July, Allianz Life Insurance Company of North America disclosed a breach that exposed the personal data of roughly 1.1 million customers (potentially up to 1.5 million, according to later analysis).
This breach was problematic because of the sensitive nature of the data: Names, addresses, birth dates, phone numbers, and even Social Security numbers were stolen from Allianz’s cloud-based customer relationship management (CRM) system.
Allianz revealed that a threat actor accessed a third-party CRM platform using social engineering on July 16, 2025. The attackers phished or tricked an Allianz employee (or an authorized partner) into revealing login credentials to the Salesforce-powered CRM, then used that access to steal the data.
A well-known hacking crew called ShinyHunters ultimately took credit, leaking entire Salesforce database tables online. The fallout for Allianz Life was severe; the company had to notify nearly all its US customers and offer identity monitoring protection, not to mention deal with regulatory scrutiny.
The Allianz breach shows why credential theft and cloud app security are now top of mind for endpoint protection. The simplest yet most effective defense here would have been MFA on the CRM account. With MFA in place, even if an employee was duped into giving up their username and password, the attacker would be stopped cold by the second verification step.
Take your next steps with ManageEngine Endpoint Central
Each of these breaches show a different failure point: an unpatched server, an unsuspecting user, a misconfigured database, or a lack of access control. They also prove that endpoint security solutions are no longer optional; they’re the linchpin for preventing breaches.
Organizations need a way to harden their endpoints and networks on all fronts: deploying patches quickly, detecting and defusing threats like ransomware, enforcing least-privilege access with MFA, and protecting sensitive data wherever it resides.
The good news is that you don’t have to stitch together a dozen tools to achieve this. ManageEngine offers an integrated platform, Endpoint Central, that brings together endpoint management and security in one unified solution.
Figure 1: Endpoint Central’s vulnerability detection and remediation capability.
From automated patch management and vulnerability scanning to advanced threat detection and device control, ManageEngine Endpoint Central is designed to address exactly the issues shown above.
It enables IT teams to respond faster than attackers and to put walls around the weakest links before they can be exploited. Don’t wait until your organization is the next headline. Strengthen your defenses now by exploring what ManageEngine’s endpoint security suite can do for you.