Vulnerability Exploitation Surpasses Credentials as Leading Breach Vector, Verizon DBIR Shows

Verizon’s Data Breach Investigations Report, now in its 19th edition, aggregates real‑world incidents from responders, law enforcement and industry partners. For nearly two decades, stolen or abused credentials held the top spot for how attackers first entered networks. The 2024‑2025 data shows that credential‑based initial access fell to 13% while vulnerability exploitation rose to 31%.

- 31% of breaches began with exploiting a software flaw, up from 20% the previous year. - Only 26% of critical vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog were fully remediated in 2025, down from 38% in 2024. - Threat actors used AI assistance in a median of 15 distinct techniques, with some leveraging as many as 40 or 50.

The data indicates attackers are finding and weaponizing unpatched flaws faster than defenders can close them. AI tools help adversaries scan for vulnerable services, chain exploits (MITRE ATT&CK T1190 – Exploit Public‑Facing Application) and move laterally (T1021 – Remote Services). Patching lag leaves organizations exposed to ransomware, data theft and supply‑chain abuse.