Skip to main content
Emerging ThreatsData Breaches

Exploits Emerge as Top Breach Entry Point

Disorganized cables and patch cords in a network operations room with rows of computer servers and monitoring screens.

"Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them," researchers wrote in Verizon's latest Data Breach Investigations Report. The blunt summary captures a widening gap between the pace at which security defects are found and the capacity of organizations to close them — a gap attackers exploited en masse during the one-year period ending in October 2025.

Exploits surpassed other entry points

Verizon analyzed more than 22,000 breaches and found exploited vulnerabilities were the leading initial access vector, accounting for 31% of all known initial access vectors — up from 20% the year before. That surge made defects the top entry point into compromised networks, and the report frames the shift as a direct consequence of overwhelmed vulnerability management programs.

CISA's KEV catalog: large, active, and incompletely remediated

Verizon tracked the relationship between organizations and the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog and flagged worsening outcomes. Among more than 13,000 organizations studied in 2025, only 26% of the catalog’s critical vulnerabilities were fully remediated, a drop from 38% the prior year.

The report also notes the KEV catalog itself had grown: CISA’s KEV contained more than 1,500 CVEs as of February, and Verizon found 65% of those were exploited during the previous year. The median number of KEV vulnerabilities an organization had to patch rose from 11 in 2024 to 16 in 2025.

Faster exploitation, slower patching

Not only were organizations confronted with more KEV items, they were taking longer to reach full remediation. Verizon’s new median time to fully patch by detection is 43 days, almost two weeks longer than last year’s 32 days. The report frames these figures as emblematic of a "sisyphean cause" for defenders: too many vulnerabilities and not enough time to patch them all.

Technical weaknesses attackers favor

Verizon identified the five most common weaknesses among CISA KEV CVEs: out-of-bounds read, heap-based buffer overflow, use after free, external control of file name or path, and access of resource using incompatible type. These are the defect classes most frequently observed in exploited KEV entries over the period analyzed.

Ransomware, motivations, and reporting challenges

Attacker motives remained heavily financial: Verizon found financially motivated cybercriminals accounted for 88% of all breaches, with espionage-driven attacks by state-affiliated groups making up the remainder. Ransomware was a major driver of impact — it accounted for 48% of all breaches last year, up from 44% in 2024 — and the report says ransomware "continues to be among the most disruptive and impactful types of breaches we see."

At the same time, some metrics moved in a positive direction. Seventy-nine percent? No — the report records that 69% of ransomware victims reported they did not pay a ransom, and the median ransom payment declined from $150,000 in 2024 to almost $140,000 last year.

Verizon also warned that tracking ransomware activity is becoming harder for researchers and authorities. "There is a growing disconnect between what is being reported and the reality of what has occurred, in no small part due to threat actors reusing old breaches, reposting breaches from other criminal partners and making up breaches out of whole cloth to help increase their notoriety in the criminal world," the report states. Researchers added a wry summation of ransomware’s persistence: "Ransomware is still the yoga pants of cybersecurity — ubiquitous, stubbornly popular and appearing in unexpected places near you."

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: The increase to a median 43 days to patch and a higher median KEV load (16 items) means triage and prioritization will be central. Teams will need to watch classes of weakness Verizon flagged — out-of-bounds read, heap overflows, use-after-free, external control of filenames/paths, and resource type mismatches — because those are the most commonly exploited in KEV entries.
  • Policymakers and regulators: The drop from 38% to 26% in full remediation of critical KEV items among 13,000 organizations highlights gaps in uptake and implementation that may attract regulatory scrutiny or prompt calls for stronger incentives and enforcement around patching known exploited vulnerabilities.
  • Affected enterprises and procurement leaders: The KEV catalog's growth to more than 1,500 CVEs and the fact that 65% were exploited suggest buyers and asset owners should factor rapid remediation capacity into procurement, and expect a heavier remediation burden — Verizon’s median increased from 11 to 16 KEV items year over year.

The picture Verizon paints is stark: attackers focused on flaws, defenders faced ballooning workloads, and ransomware remained a dominant, if partially opaque, threat. With exploited defects now the top initial access vector and the median patch time lengthening, the next practical question left by the numbers is operational: how will organizations accelerate effective remediation at scale while the KEV catalog and exploit activity continue to grow?

Read the original story on CyberScoop