Vulnerability exploitation has surged past compromised credentials, marking a significant shift in the landscape of data breaches for the first time in nearly two decades, as highlighted in the latest report by Verizon.
Verizon’s Data Breach Investigations Report (DBIR), a comprehensive resource offering insight into the evolving threat landscape, relies on a diverse range of data. This includes information from Verizon’s incident response teams, law enforcement, and industry sources concerning real breaches and incidents over the years. This latest edition of the DBIR indicates a troubling trend: nearly one-third (31%) of data breaches in the past year began with the exploitation of vulnerabilities. This figure represents a considerable increase from the previous year, when such incidents accounted for only 20%.
With vulnerability exploitation emerging as the leading initial access vector, the report also notes a decline in incidents involving credential abuse, which fell from 22% to 13%. The reduction in credential-related breaches might suggest that organizations are implementing better measures to safeguard passwords and authentication processes, yet the stark rise in vulnerability exploitation remains a pressing concern.
Verizon speculates that these statistics may indicate the increasing sophistication of threat actors, possibly leveraging Artificial Intelligence (AI) to discover and exploit vulnerabilities more effectively than ever before. The report emphasizes that the problem extends beyond just zero-day vulnerabilities; many firms are significantly lagging in patch remediation. Alarmingly, only 26% of the critical vulnerabilities listed in the Cybersecurity Infrastructure and Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog were remediated by organizations in 2025, decreasing from 38% the previous year.
This decline can be attributed, in part, to the increasing patch workload. The number of critical vulnerabilities that organizations faced this year was 50% higher compared to the preceding year, which has made it increasingly challenging for security teams to allocate resources efficiently. Jon Baker, Vice President of Threat-Informed Defense at AttackIQ, pointed out the dilemma organizations face: security teams are tasked with addressing a growing number of critical issues but often lack the tools to prioritize which vulnerabilities pose the greatest risk. “A vulnerability on paper is one thing,” Baker notes, “but a vulnerability that can lead to lateral movement, ransomware deployment, or data theft is something else entirely.”
Patrick Münch, Chief Security Officer at vulnerability management services firm Mondoo, highlighted the pitfalls of manual remediation processes that companies frequently rely on. He emphasized the necessity of adopting advanced AI solutions that synergize human efforts with automated processes, stating, “You don’t close the gap with another scanner. You close it with transparent agentic AI, involving humans in decision-making, automated execution for remediation and mitigation, and maintaining a clear audit trail from issue identification to resolution.”
The role of AI as a burgeoning threat is further articulated throughout the DBIR. The report indicates that the median threat actor leveraged AI assistance for 15 distinct documented techniques, with some individuals using AI for as many as 40 or 50 tactics. Moreover, the phenomenon of “Shadow AI” is becoming an increasing concern for enterprises, with it now recognized as the third most common type of non-malicious insider activity noted in Verizon’s data loss prevention (DLP) dataset—a striking fourfold increase from the previous year. Approximately 45% of employees now regularly utilize both managed and unmanaged AI tools on corporate devices, up from a mere 15% last year.
In addition to AI-driven threats, the report underscores a troubling rise in social engineering attacks targeting mobile users. Over the past year, individuals have become more adept at recognizing phishing attempts via various vectors, yet mobile channels like voice and text have shown a 40% higher success rate for “click” rates in phishing simulations compared to email. The “human element” in breaches remained significant, comprising 62% of all incidents, showing a slight increase from 60% the year before.
Another critical highlight of the DBIR is the surge in supply chain-related breaches, which have risen by an astounding 60% annually and now account for nearly half (48%) of all recorded data breaches. The report reveals that just 23% of third-party organizations have fully addressed the issues related to missing or improperly secured multifactor authentication (MFA) on their cloud accounts. Furthermore, the time required to resolve issues related to weak passwords and permission misconfigurations reached nearly eight months for 50% of all findings.
While ransomware incidents nudged up from 44% last year to 48% this cycle, a notable 69% of victims chose not to pay the ransom, effectively tightening the financial margins for threat actors.
In conclusion, Verizon’s latest DBIR paints a concerning picture of today’s digital landscape, characterized by evolving threats, increased vulnerability exploitation, and challenges in effective remediation. As organizations grapple with these hurdles, the call for integrating advanced technologies, prioritizing patches intelligently, and leveraging AI for proactive defenses becomes even more critical.