
Vulnerability Exploitation Overtakes Credentials as Leading Breach Vector, Verizon DBIR Shows

Verizon DBIR reveals vulnerability exploitation now leads breach vectors at 31%, while patch rates fall to 26% for critical KEV flaws.

Peter Olaleru/3 min/GB

Cybersecurity Editor

Source: Securityinfowatch

Vulnerability exploitation has overtaken credential theft as the top breach entry point, according to Verizon’s 2025 DBIR. Only a quarter of critical known flaws are fully patched, leaving attackers a widening window.

Context

Verizon’s Data Breach Investigations Report, now in its 19th edition, aggregates real‑world incidents from Verizon, responders, law enforcement and industry partners. The latest edition tracks initial access vectors across thousands of breaches.

Key Facts

- Exploited vulnerabilities accounted for 31% of breaches in the past year, up from 20% the previous year.
- Credential abuse fell to 13% of breaches, down from 22%.
- Only 26% of critical vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog were fully remediated in 2025, down from 38% the year before.
- Organizations faced 50% more critical KEV flaws to patch in 2025 compared with the prior year.

What It Means

The shift indicates attackers are increasingly leveraging known flaws rather than relying on stolen passwords. As Jon Baker of AttackIQ notes, security teams must distinguish which vulnerabilities actually enable lateral movement, ransomware or data theft. The growing patch load outpaces remediation capacity, widening the exposure gap.

Mitigations

Defenders should prioritize KEV‑listed CVEs using automated discovery and validation. Apply patches within vendor‑recommended windows, referencing CISA’s Binding Operational Directive 22-01 for federal systems. Deploy detection rules for MITRE ATT&CK technique T1190 (Exploit Public‑Facing Application) and monitor for abnormal outbound traffic post‑exploitation. Implement agent‑based patch management with verified rollback and maintain an audit trail from identification to confirmation. Regularly test patch effectiveness in a staging environment before production rollout.
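One way to turn the KEV prioritization and audit-trail advice above into a repeatable check, as an added example that is not from the article or from Verizon or CISA: it joins scanner findings against entries shaped like CISA's KEV JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`), orders the open work, and computes the share of KEV findings confirmed fixed. The CVE IDs, asset names, finding fields and the ordering rule are constructed assumptions.

```python
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array.
# The CVE IDs are placeholders, not real entries.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2025-06-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "dueDate": "2025-02-10", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed scanner output; the field names are hypothetical.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "internet_facing": True, "verified_fixed": False},
    {"asset": "build-07", "cve": "CVE-0000-0002", "internet_facing": False, "verified_fixed": False},
    {"asset": "web-03", "cve": "CVE-0000-0003", "internet_facing": True, "verified_fixed": True},
    {"asset": "web-04", "cve": "CVE-0000-0003", "internet_facing": True, "verified_fixed": False},
    {"asset": "db-02", "cve": "CVE-0000-0099", "internet_facing": False, "verified_fixed": False},
]

def prioritize(kev, findings, today):
    """Return open KEV findings, most urgent first."""
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    queue = []
    for f in findings:
        entry = index.get(f["cve"])
        if entry is None or f["verified_fixed"]:
            continue  # not KEV-listed, or remediation already confirmed
        due = date.fromisoformat(entry["dueDate"])
        queue.append({
            "asset": f["asset"],
            "cve": f["cve"],
            "internet_facing": f["internet_facing"],
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "days_overdue": (today - due).days,  # negative means not yet due
        })
    # Assumed ordering: exposed assets, then ransomware-linked CVEs, then most overdue.
    queue.sort(key=lambda r: (not r["internet_facing"], not r["ransomware"], -r["days_overdue"]))
    return queue

def remediation_rate(kev, findings):
    """Fraction of KEV-listed findings whose fix has been verified."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    in_scope = [f for f in findings if f["cve"] in kev_ids]
    if not in_scope:
        return 1.0
    return sum(f["verified_fixed"] for f in in_scope) / len(in_scope)
```

Counting only `verified_fixed` findings keeps the rate tied to confirmed remediation rather than to patches that were merely scheduled.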

Watch for increased use of AI‑assisted vulnerability scanning by threat actors and the continued rise of shadow AI in enterprise environments.
