
Verizon DBIR: Vulnerability Exploits Surpass Credentials

Summary

– Vulnerability exploitation surpassed compromised credentials as the top initial access vector in data breaches, rising from 20% to 31% of breaches, while credential abuse dropped from 22% to 13%.
– Only 26% of critical vulnerabilities from the CISA KEV catalog were fully remediated by organizations in 2025, down from 38% the prior year, as firms faced 50% more critical patches to address.
– AI is increasingly used by threat actors, with the median actor researching or employing AI in 15 documented techniques, and shadow AI became the third most common non-malicious insider action, with 45% of employees using AI on corporate devices.
– Mobile users were targeted more by social engineering, with phishing click rates in voice and text 40% higher than email, and the human element appeared in 62% of breaches.
– Supply chain-related breaches surged 60% annually to account for 48% of all breaches, while ransomware rose to 48% of breaches, with 69% of victims choosing not to pay.

For the first time in nearly two decades, vulnerability exploitation has overtaken compromised credentials as the most common initial access vector in data breaches, according to Verizon’s latest Data Breach Investigations Report (DBIR). Drawing on 19 years of data from Verizon, incident response teams, law enforcement, and industry sources, the report provides a comprehensive view of the current threat landscape.

The latest edition reveals that nearly a third (31%) of data breaches over the past year began with vulnerability exploitation, a sharp increase from 20% in the previous year. This shift pushed credential abuse down to 13%, from 22% a year earlier, making it the second most common entry point.

Verizon suggests these figures may indicate that AI is already being leveraged by threat actors to identify and exploit vulnerabilities more efficiently. However, the problem extends beyond zero-day flaws. The report highlights that organizations are failing to patch known bugs quickly enough.

Only 26% of critical vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog were fully remediated by organizations in 2025, a drop from 38% the year prior. This decline may stem from an increased patch burden. Verizon notes that organizations faced 50% more critical vulnerabilities to address in this year’s dataset compared to 2025.

Jon Baker, VP of threat-informed defense at AttackIQ, argues that security teams struggle with patch prioritization. “Security teams are being asked to fix more critical issues, but they still need to know which ones actually create a path to compromise,” he says. “A vulnerability on paper is one thing, but a vulnerability that can be chained into lateral movement, ransomware deployment, or data theft is something else entirely.”

Patrick Münch, CSO at vulnerability management firm Mondoo, contends that manual remediation is failing organizations. “You don’t close the gap with another scanner,” he explains. “You close it with transparent agentic AI: humans in the loop on decisions, AI automation on remediation and mitigation execution, and a clear audit trail from identifying the issue to verifying it’s fixed.”

AI threats are also more prominently featured elsewhere in the report. The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50. Shadow AI has emerged as a growing enterprise threat, now ranking as the third most common “non-malicious insider action” detected in Verizon’s data loss prevention (DLP) dataset. This represents a fourfold percentage increase from last year. Additionally, 45% of employees now regularly use managed and unmanaged AI on their corporate devices, up from 15% a year ago.

Supply chain and social engineering trends also stand out. Mobile users faced more frequent social engineering attacks over the past year, as individuals became better at spotting phishing attempts via other channels. In phishing simulations, the median successful “click” rate for mobile vectors like voice and text is 40% higher than for email, according to Verizon. The human element was present in 62% of breaches, up slightly from 60% last year.

Supply chain-related breaches surged by 60% annually, now accounting for nearly half (48%) of all data breaches recorded in the report. Just 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts. For weak passwords and permission misconfigurations, the time to resolve 50% of all findings reached nearly eight months.

Ransomware’s share of breaches nudged up from 44% last year to 48% this year, but 69% of victims chose not to pay, squeezing threat actor margins.

(Source: Infosecurity Magazine)
