Cascading failures pose a significant security threat to networked systems, with recent global incidents underscoring their destructive potential. The security threat of cascading failures has always existed, but the evolution of cyber–physical systems (CPSs) has introduced novel dimensions to cascading failures, intensifying their threats owing to the intricate fusion of cyber and physical domains. Addressing these threats requires a nuanced understanding achieved through failure modeling and vulnerability analysis. By analyzing the historical failures in different CPSs, the cascading failure in CPSs is comprehensively defined as a complicated propagation process in coupled cyber and physical systems, initialized by natural accidents or human interference, which exhibits a progressive evolution within the networked structure and ultimately results in unexpected large-scale systemic failures. Subsequently, this study advances the development of instructions for modeling cascading failures and conducting vulnerability analyses within CPSs. The examination also delves into the core challenges inherent in these methodologies. Moreover, a comprehensive survey and classification of extant research methodologies and solutions are undertaken, accompanied by a concise evaluation of their advancements and limitations. To validate the performance of these methodologies, numerical experiments are conducted to ascertain their distinct features. In conclusion, this article advocates for future research initiatives, particularly emphasizing the exploration of uncertainty analysis, defense strategies, and verification platforms. By addressing these areas, the resilience of CPSs against cascading failures can be significantly enhanced.