Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector
Summary
Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation has become the leading breach vector at 31% of incidents, displacing credential abuse. Threat actors are using AI to rapidly weaponize known vulnerabilities, compressing the defense window from months to hours, while organizations struggle with patching—only 26% of CISA KEV catalog vulnerabilities were patched in 2025. Ransomware affected 48% of breaches, and third-party compromises surged 60%, with 67% of employees accessing unauthorized AI services from corporate devices.
Full text
Vulnerability exploitation was the most common access vector for data breaches in 2025, the latest installment of Verizon’s annual Data Breach Investigations Report (DBIR) shows. The number of analyzed security incidents has increased to 31,000. Of these, more than 22,000 were confirmed breaches, nearly double compared to last year’s 12,195 confirmed breaches.
Approximately 31% of the breaches were the result of unpatched vulnerabilities being exploited. Credential abuse, which was the top entry point in last year’s DBIR, accounted for 13% of the breaches.
According to Verizon’s researchers, threat actors are leveraging AI to accelerate vulnerability exploitation, and the window for defense has decreased from months to hours. “The rapid weaponization of known vulnerabilities by AI can create a capacity crisis for security teams, underscoring the urgent need to prioritize fundamental security and risk management practices,” Verizon says.
The Verizon 2026 DBIR (PDF) also shows that organizations continue to struggle with vulnerability remediation. The median time for full patching increased to 43 days in 2025, up from 32 days in the previous year. According to the report, organizations patched only 26% of the security defects in CISA’s Known Exploited Vulnerabilities (KEV) catalog last year, a drop from 38% in 2024. The number of critical flaws (defined in the report as bugs included in the KEV list) that organizations had to patch was 50% higher in the median case compared to the previous year’s dataset.
“The findings in Verizon’s 2026 DBIR are striking because it reinforces something we have been saying for years: exploitation is now the leading breach vector, and organizations are still simply not fixing flaws fast enough,” said Veracode co-founder and chief security evangelist Chris Wysopal.
Per Verizon’s new report, ransomware was involved in 48% of the confirmed breaches in 2025, up from 44% in the previous year, while ransom payments decreased, with the median amount paid dropping below $140,000. Only 31% of ransomware victims paid, the report shows.
An increased reliance on third-party software and services has expanded organizations’ attack surface and led to a 60% increase in breaches with third-party involvement last year, reaching 48% of the total. “Looking at remediation over time in third-party cloud exposure, only 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts, with 50% of all findings being resolved within a month,” the DBIR reads.
Verizon’s report also shows that threat actors are increasingly relying on gen-AI for targeting, initial access, and malware and tool development. “The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50. Most AI-assisted development of malware and tooling was associated with well-known and defined attack techniques, with a median of 55 existing known malware examples performing the same functions,” the report reads.
Per the Verizon 2026 DBIR, 62% of breaches involved a human element, social engineering accounted for 16% of breaches, and the median rate of success was 40% higher in mobile-centric phishing attacks than via email.
Shadow AI, or the unauthorized use of gen-AI services, the report also shows, continues to plague enterprises, as 67% of users are accessing AI services from corporate devices using non-corporate accounts. Overall, 45% of employees are regular AI users, up from 15% last year.
“While the datapoints are clear, the takeaway for the industry is resounding. Security teams can’t rely solely on downstream remediation. As attackers increasingly target common coding weaknesses, organizations need to prioritize finding and fixing vulnerabilities during development—not months, or even a year, down the line when the burden of time, cost, and risk is multiplied. This is even more important as GenAI continues to change the code vulnerability calculus,” Wysopal said.
Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.