2025.08.21

Attacks surged in late May, reaching 526 million in the second quarter, a 78% increase year-on-year. "Web Application Cyber Attack Detection Report for April-June 2025" released.

Cyber Security Cloud, Inc. (Headquarters: Shinagawa-ku, Tokyo; Representative Director, President and CEO: Toshihiro Koike; hereinafter referred to as "Cyber Security Cloud"), a global security manufacturer, is pleased to announce its "Web Application Cyber Attack Detection Report" (hereinafter referred to as "this Report"), covering the period from April 1 to June 30, 2025. This Report aggregates, analyzes, and calculates cyber attack logs observed by Cyber Security Cloud's cloud-based WAF "Shadankun," which visualizes and blocks cyber attacks on web applications, and by its public cloud WAF automated operation service "WafCharm."


■ Overview: Over 500 million attack logs in three months

Between April 1 and June 30, 2025, the total number of cyber attacks against web applications detected by our company reached 526.54 million (approximately 67 attacks per second), an increase of 78% compared to the same period last year.
Furthermore, the number of attacks per host (※1) has approximately doubled compared to the previous year.
(※1) Estimated using the total number of hosts protected by "Shadankun" (Web type: number of FQDNs, Server type: number of IPs) and the total number of hosts protected by "WafCharm" (WebACLs) as the denominator.


■ Attack type ratio

Looking at the trends in the main attack types during this survey period, the total number of attacks increased, but there was no significant change in the type composition.
This Report shows that so-called "traditional web application attacks," such as SQL injection (SQLi) and cross-site scripting (XSS), continued to be observed frequently. While these attack methods are classic, they are becoming increasingly automated and large-scale, with the number of detected attacks reaching an all-time high. Web applications with insufficient input validation, or with misconfigurations and inadequate access control, leave security holes that can serve as a foothold for attacks.

Furthermore, numerous attacks targeting known vulnerabilities in open source software (OSS) and CMS such as WordPress and PHPUnit were also confirmed. This software is widely used by companies, local governments, and individuals, and web assets whose misconfigurations or vulnerabilities are left unattended are considered ideal targets for attackers.


■ A new standard in the API era: Server Side Request Forgery cases tripled to approximately 2.93 million.

The number of Server Side Request Forgery cases detected in June 2025 increased by approximately 2 million from the previous month, May. Server Side Request Forgery is an attack method in which an attacker makes a server send requests to locations that it should not have access to or to unintended resources.

Internal access via API gateways and cloud IMDS is being targeted, increasing the risk of them being used as a stepping stone to access internal resources from outside the boundary.

Server Side Request Forgery has shown a significant increase in both the number of cases and the proportion of attacks, with attacks mainly targeting API and cloud connection routes. This poses a major threat as it allows attackers to bypass perimeter defenses and launch direct attacks on internal resources.

Important countermeasures include applying Server Side Request Forgery detection rules using a WAF, controlling outbound communications (egress), and protecting cloud metadata services. Even before modifying applications, risk can be reduced immediately by applying virtual patches (e.g., blocking access using WAF rules or requests containing invalid URL schemes).
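The application-side half of these countermeasures is an outbound URL check that allows only expected schemes and ports, refuses embedded credentials, and refuses any destination that resolves to a loopback, private, link-local or cloud metadata address. The following Python is an added example written for this page; it is not code from this Report or from the "Shadankun" or "WafCharm" products. The policy values (allowed schemes and ports), the constructed DNS table and the hostnames in it are illustrative assumptions; the metadata addresses are the well-known IMDS endpoints.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: only plain web fetches to standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Well-known cloud metadata (IMDS) endpoints, IPv4 and IPv6.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def _resolve_default(host):
    """Resolve a hostname to every address the system resolver returns."""
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def _is_forbidden_address(addr):
    """True for metadata, private, loopback, link-local and similar non-public targets."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr in METADATA_ADDRESSES or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def check_outbound_url(url, resolver=_resolve_default):
    """Return (allowed, reason) for a URL the server is about to fetch.

    `resolver` is injectable so the check can be exercised without network access;
    every address a name resolves to must be acceptable, not just the first one.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # A literal address is checked directly; anything else goes through the resolver,
    # which also catches shorthand forms (decimal, octal, "127.1") that the system
    # resolver would silently turn into an internal address.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if _is_forbidden_address(addr):
            return False, f"target {addr} is internal or metadata"
    return True, "ok"


# Constructed DNS table standing in for real resolution so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.35", "127.0.0.1"],  # one public, one loopback record
}


def fake_resolver(host):
    """Constructed resolver: raises like getaddrinfo for unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/items",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "file:///etc/passwd",
        "http://internal.example.com/",
        "http://rebind.example.com/",
        "http://user:pw@api.example.com/",
    ]:
        allowed, reason = check_outbound_url(candidate, fake_resolver)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {candidate}  ({reason})")
```

Two design points matter in production. First, the address that passed the check must be the one actually connected to (resolve once, then connect to that IP with the original host name in the request), otherwise a name that resolves differently on the second lookup bypasses the check. Second, redirects must be disabled or every hop re-validated, since a permitted public host can redirect to a metadata address. A WAF-level virtual patch of the kind the paragraph describes is the subset of this logic that needs no resolution: the scheme allowlist plus the literal-address check.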


■ Country of origin of the attack

Looking at the origins of detected attacks by country compared to the same period in 2024, the top three countries in terms of number of attacks were the United States, Japan, France, and Germany.
There has been little change in the top countries, but Seychelles, which was ranked 45th in April-June 2024, has risen significantly to 5th place in this survey.


■ The most targeted day was May 25th (10.29 million cases) / In the latter half of May, there were "10 million cases" every day

Attack traffic accelerated dramatically in the second half of May 2025. It peaked on May 25th at 10.29 million attacks, the highest figure for the month, and reached 10.18 million again on the 27th, crossing the "10 million attacks" mark twice in quick succession. The average number of attacks for the entire second half of May was approximately 8.1 million, significantly higher than the first half, making it the most targeted period of 2025.
These sudden increases are likely a sign of automated scanning attacks using botnets or distributed denial of service (DoS/DDoS) attacks. Simultaneous access attempts are observed in a short period of time against targets that meet certain conditions, and it is suspected that these attempts are aimed at increasing infrastructure load or gathering information.


■ Reasons for the increase in attacks from April to June

The period from April to June is a structurally high-risk quarter, with multiple operational changes, change events, and information exposures occurring simultaneously. Based on our observations and analysis, we believe the following factors are acting in combination:

The impact of long holidays and consecutive holidays (weak monitoring × increased attacks)
April and May are marked by long holidays in many regions, which means operational monitoring and initial response efforts tend to be relatively weak. Our observations have repeatedly confirmed that the transition from reconnaissance (web scans/blacklisted UAs) to the execution stage (SQLi/SSRF, etc.) becomes more active, with peaks occurring in late May and early June.

Concentration of "IPOs and structure changes" from the beginning of the year to the second quarter
With the new fiscal year and new budgets coming into effect, the release of new sites and new features, as well as infrastructure changes, are concentrated between April and June. Initial setup errors and known CVEs are likely to be missed, and our company's detection shows patterns that coincide with the timing of releases and adjustments, with Spring/SQLi being more likely at the end of the month and Traversal being more likely at the beginning of the month.

Timing bias in vulnerability disclosure and PoC exposure
Spring and early summer are a time when events and research presentations overlap, making it a season when scan waves are likely to occur immediately after vulnerability disclosure. The spike in execution-related activity in early June is a typical example, but while the "same-day correlation" with individual CVEs (such as KEV) is not strong, it is possible that the search is spreading across multiple platforms due to "increased exposure × generalized scanning."

CMS/plugin/framework update timing
Due to ecosystem updates such as WordPress, PHPUnit, Spring, and Tomcat, scans targeting these areas tend to be concentrated between April and June. In the actual data, detections related to PHPUnit, WordPress, SSRF, and ServerSideCode also ranked at the top of the list.
Taking all of the above into consideration, April to June is a quarter in which high-intensity spikes are likely to occur within a short period, due to the combination of "less focused monitoring during consecutive holidays," "a concentration of change events," and "increased exposure of vulnerability information." Countermeasures include hardening before and after consecutive holidays, strengthening change gating at the end of the month, and thorough additional monitoring immediately after release. It is also important to evaluate not only the number of cases but also the attack rate.


■ Comment from Yoji Watanabe, Representative Director, CTO, Cyber Security Cloud, Inc.
We believe these results provide a numerical visualization of the structural risks specific to the second quarter. The spike in the second half of May is likely due to a combination of a weakened monitoring system during the holidays, a concentration of changes at the end of the month, and vulnerability information exposure, along with the widespread use of automated searches and scans.
The sudden increase in SSRF also highlights the risk that APIs and cloud integrations can become gateways to internal assets. At the same time, traditional attacks such as SQLi and XSS continue to be observed at high levels.
Taking these factors into consideration, we believe it is effective to combine measures suited to operational realities, such as applying SSRF detection with a WAF, managing outbound communications and protecting the IMDS, conducting additional monitoring immediately after publication, and strengthening change governance at the end of the month. In addition, the impact of spikes can be expected to be reduced by evaluating based on attack rates rather than just the number of cases, and by transitioning from temporary measures using virtual patches in the event of zero-day exposure to permanent measures.
We will continue to provide insights based on real data and update product features to support safe and secure web operations.

About Cyber Security Cloud, Inc.
Company name: Cyber Security Cloud, Inc.
Address: 13F JR Tokyu Meguro Building, 3-1-1 Kami-Osaki, Shinagawa-ku, Tokyo 141-0021
Representative: Representative Director, President and CEO Toshihiro Koike
Established: August 2010
URL: https://www.cscloud.co.jp
With the mission of "creating a cyberspace that people all over the world can use safely and securely," we are a Japanese security manufacturer that provides vulnerability information collection and management tools and fully managed security services for cloud environments, centered on web application security services that make full use of the world's leading cyber threat intelligence. As one of the global companies in cybersecurity, we will contribute to solving social issues related to cybersecurity and provide added value to society.