Skip to main content
CybersecurityVulnerability Management

Vulnerability Exploits Overtake Credentials as Top Breach Entry Point

Rows of equipment racks and patch panels in a modern network closet with a technician's workbench in the foreground.

Nearly a third (31%) of data breaches over the past year started with vulnerability exploitation, a jump from 20% in last year’s report, Verizon found — marking the first time in almost two decades that exploited vulnerabilities outpaced compromised credentials as the most common initial access vector.

Vulnerability exploitation overtakes credential abuse

Verizon’s Data Breach Investigations Report (DBIR) shows a clear shift: vulnerability exploitation rose to 31% of breaches while credential abuse fell from 22% to 13%. Verizon suggested the figures could indicate that “AI is already being used by threat actors to find and exploit more vulnerabilities.” The report’s dataset implies attackers have changed tactics — and defenders are being forced to adapt.

Patch workloads and CISA KEV remediation rates

The DBIR highlights a growing remediation gap. Only 26% of critical vulnerabilities listed in the Cybersecurity Infrastructure and Security Agency Known Exploited Vulnerabilities (CISA KEV) catalog were fully remediated by organizations in 2025, a drop from 38% the previous year. Verizon attributed part of the shortfall to volume: organizations had 50% more critical vulnerabilities to patch in this year’s reporting dataset versus 2025.

Industry practitioners told Verizon the problem is not only volume but prioritization and execution. Jon Baker, vice president of threat-informed defense at AttackIQ, said, “Security teams are being asked to fix more critical issues, but they still need to know which ones actually create a path to compromise. A vulnerability on paper is one thing, but a vulnerability that can be chained into lateral movement, ransomware deployment, or data theft is something else entirely.”

Patrick Münch, chief security officer at Mondoo, argued manual processes are part of the failure: “You don't close the gap with another scanner,” he said. “You close it with transparent agentic AI: humans in the loop on decisions, AI automation on remediation and mitigation execution, and a clear audit trail from identifying the issue to verifying it's fixed.”

AI as a force multiplier: attackers and shadow AI

Verizon’s reporting also points to AI broadly changing both offensive and benign insider behavior. “The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50,” the report said. At the same time, shadow AI is rising within enterprises: it is now the third most common “non-malicious insider action” detected in Verizon’s data loss prevention (DLP) dataset, a fourfold percentage increase from last year.

Adoption on endpoints is growing fast: 45% of employees are now regular users of managed and unmanaged AI on their corporate devices, up from 15% last year. The DBIR ties that expansion to new risk paths for both inadvertent data loss and more efficient threat reconnaissance and exploitation.

Supply chains, mobile social engineering, and the human element

Supply chain-related breaches rose sharply, increasing 60% year-over-year to account for nearly half (48%) of all data breaches in the DBIR dataset. Third-party security gaps remain acute: only 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts. For weak passwords and permission misconfigurations, time to resolve 50% of all findings reached almost eight months.

Social engineering is shifting toward mobile vectors. Verizon reported that, in phishing simulations, the median rate of successful “click” rates in mobile vectors like voice and text is 40% higher than via email. The “human element” was present in 62% of breaches, up slightly from 60% the prior year. Ransomware remained a substantial share of breaches — nudging up from 44% to 48% — even as 69% of victims elected not to pay, a dynamic Verizon said is squeezing threat actor margins.

What this means for security teams, policymakers, and procurement

  • Security teams and technologists — Will face heavier patch loads and tougher prioritization decisions. Baker’s observation that teams “need to know which ones actually create a path to compromise” underscores the growing need to link vulnerability severity to exploitability and attack chains.
  • Policymakers and regulators — Will be watching remediation metrics closely. The drop to 26% remediation of CISA KEV-listed critical vulnerabilities in 2025, from 38% the prior year, provides a quantitative yardstick for oversight and potential policy responses.
  • Procurement and third-party risk teams — Will have to contend with supply chain exposure: supply chain-related breaches now make up about 48% of breaches, while only 23% of third parties had fully remediated missing or improperly secured MFA on cloud accounts.

The DBIR’s data sketches a tension: attackers are exploiting more vulnerabilities at a time when defenders face rising patch volumes, lagging remediation rates, faster adoption of AI on devices, and persistent human and third‑party weaknesses. Whether the industry can translate that diagnosis into faster, verifiable remediation and improved third‑party hygiene will be the decisive test of how these trends affect breach volumes and impact in the months ahead.

Source: Verizon DBIR coverage at Infosecurity Magazine