In the realm of cybersecurity, the use of vulnerability exploitation as a means to gain initial access and pave the way for cyber incidents has seen a significant increase over the past two years, as per Verizon’s latest Data Breach Investigations Report (DBIR). The report, which was published on April 23, 2025, revealed that there has been a threefold growth in successful vulnerability exploits since Verizon’s 2024 findings, with an additional 34% rise in the latest report.
This method of initial access now accounts for 20% of the total data breaches observed by Verizon, coming in just two percentage points below the leading vector, which is credential abuse. Phishing occupies the third spot, representing 16% of data breaches.
Verizon’s 18th DBIR delved into the analysis of 22,052 cyber incidents, out of which 12,195 were confirmed data breaches, occurring between November 1, 2023, and October 31, 2024. These incidents spanned across 139 countries and were described by the company as cyber events that resulted in the compromising of data.
Alistair Neil, the Managing Director for Advanced Solutions International at Verizon Business, highlighted that this year’s report encompassed a record number of confirmed data breaches compared to any previous reports. System intrusion emerged as the predominant form of breaches, accounting for 53% of the total, a significant leap from the 36% observed in the previous reporting period. Social engineering and basic web application attacks followed closely, with 17% and 12% respectively, while privilege misuse constituted 6% of the breaches.
Digging into the details of the report, Neil pointed out that the escalation in vulnerability exploits was in tandem with the uptick in vulnerability reporting. Drawing parallels with the statistics from the US National Institute of Standards and Technology (NIST), which tracked 28,000 common vulnerabilities and exposures (CVEs) in 2023 and 40,000 in 2024, Neil emphasized a noticeable correlation.
Two key trends were identified as major contributors to the rise in vulnerability exploitation. The first was the heightened focus on edge devices and virtual private networks (VPNs), particularly through zero-day vulnerability exploits. The second trend revolved around the surge in breaches involving compromises of third parties.
The exploitation of edge devices and VPNs saw a dramatic increase of nearly eightfold, from 3% to 22%, underscoring a growing threat landscape. Despite organizations’ diligent efforts to patch vulnerabilities, only 54% were completely remediated within a median timeframe of 32 days, leaving a window of opportunity for attackers to capitalize on.
Scott Caveza, a Senior Staff Research Engineer at Tenable who provided vulnerability data for the report, raised concerns over the remediation gap, indicating that the average time to patch for critical vulnerabilities impacting edge devices was a staggering 209 days. While attackers typically exploit vulnerabilities within five days, the prolonged patching timeline poses a significant risk.
Furthermore, the 2025 DBIR highlighted a doubling in the percentage of breaches involving third parties, climbing from 15% in the previous year to 30% in the current report. These third-party breaches were mainly utilized by attackers to execute system intrusions, with 81% of them resulting in compromise.
The prevalence of credential reuse in third-party environments was a notable issue, with the report citing instances where leaked secrets discovered in a GitHub repository took an average of 94 days to remediate. This underscores the importance of evaluating the efficacy of security controls across multiple parties in the cybersecurity landscape.
In conclusion, the latest findings from Verizon’s DBIR underscore the evolving nature of cyber threats, with vulnerability exploitation emerging as a significant concern alongside the growing complexity of third-party breaches. As organizations navigate these challenges, prioritizing prompt remediation and bolstering security measures against emerging threats remain paramount in safeguarding sensitive data and digital assets.