Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector
Security WeekArchived May 20, 2026✓ Full text saved
Verizon’s 2026 DBIR finds vulnerability exploitation has overtaken credential abuse as the leading breach vector, as AI accelerates attacks, patching delays worsen, and ransomware and third-party compromises continue to surge. The post Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
Vulnerability exploitation was the most common access vector for data breaches in 2025, the latest installment of Verizon’s annual Data Breach Investigations Report (DBIR) shows.
The number of analyzed security incidents has increased to 31,000. Of these, more than 22,000 were confirmed breaches, nearly double compared to last year’s 12,195 confirmed breaches.
Approximately 31% of the breaches were the result of unpatched vulnerabilities being exploited. Credential abuse, which was the top entry point in last year’s DBIR, accounted for 13% of the breaches.
According to Verizon’s researchers, threat actors are leveraging AI to accelerate vulnerability exploitation, and the window for defense has decreased from months to hours.
“The rapid weaponization of known vulnerabilities by AI can create a capacity crisis for security teams, underscoring the urgent need to prioritize fundamental security and risk management practices,” Verizon says.
The Verizon 2026 DBIR (PDF) also shows that organizations continue to struggle with vulnerability remediation. The median time for full patching increased to 43 days in 2025, up from 32 days in the previous year.
According to the report, organizations patched only 26% of the security defects in CISA’s Known Exploited Vulnerabilities (KEV) catalog last year, a drop from 38% in 2024.
The number of critical flaws (defined in the report as bugs included in the KEV list) that organizations had to patch was 50% higher in the median case compared to the previous year’s dataset.
“The findings in Verizon’s 2026 DBIR are striking because it reinforces something we have been saying for years: exploitation is now the leading breach vector, and organizations are still simply not fixing flaws fast enough,” said Veracode co-founder and chief security evangelist Chris Wysopal.
Per Verizon’s new report, ransomware was involved in 48% of the confirmed breaches in 2025, up from 44% in the previous year, while ransom payments decreased, with the median amount paid dropping below $140,000. Only 31% of ransomware victims paid, the report shows.
An increased reliance on third-party software and services has expanded organizations’ attack surface and led to a 60% increase in breaches with third-party involvement last year, reaching 48% of the total.
“Looking at remediation over time in third-party cloud exposure, only 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts, with 50% of all findings being resolved within a month,” the DBIR reads.
Verizon’s report also shows that threat actors are increasingly relying on gen-AI for targeting, initial access, and malware and tool development.
“The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50. Most AI-assisted development of malware and tooling was associated with well-known and defined attack techniques, with a median of 55 existing known malware examples performing the same functions,” the report reads.
Per the Verizon 2026 DBIR, 62% of breaches involved a human element, social engineering accounted for 16% of breaches, and the median rate of success was 40% higher in mobile-centric phishing attacks than via email.
Shadow AI, or the unauthorized use of gen-AI services, the report also shows, continues to plague enterprises, as 67% of users are accessing AI services from corporate devices using non-corporate accounts. Overall, 45% of employees are regular AI users, up from 15% last year.
“While the datapoints are clear, the takeaway for the industry is resounding. Security teams can’t rely solely on downstream remediation. As attackers increasingly target common coding weaknesses, organizations need to prioritize finding and fixing vulnerabilities during development—not months, or even a year, down the line when the burden of time, cost, and risk is multiplied. This is even more important as GenAI continues to change the code vulnerability calculus,” Wysopal said.
Related: Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks
Related: Unpatched ChromaDB Vulnerability Can Lead to Server Takeover
Related: Cyber Resilience Is the New Business Continuity Plan
Related: PoC Released for DirtyDecrypt Linux Kernel Vulnerability
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
‘Claw Chain’ OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery
Researcher Drops MiniPlasma Windows Exploit for Unpatched 2020 CVE
First Shai-Hulud Worm Clones Emerge
Exploitation of Critical NGINX Vulnerability Begins
PoC Code Published for Critical NGINX Vulnerability
OpenAI Hit by TanStack Supply Chain Attack
TeamPCP Ups the Game, Releases Shai-Hulud Worm’s Source Code
Chrome 148 Update Patches Critical Vulnerabilities
Latest News
Drupal to Patch Highly Critical Vulnerability at Risk of Quick Exploitation
Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’
Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks
Unpatched ChromaDB Vulnerability Can Lead to Server Takeover
B1ack’s Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards
Cyber Resilience is the New Business Continuity Plan
201 Arrested in Crackdown on Cybercrime in Middle East, North Africa
PoC Released for DirtyDecrypt Linux Kernel Vulnerability
Trending
Webinar: Third-Party Risk In Practice
June 4, 2026
Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.
Register
Virtual Event: Threat Detection And Incident Response Summit
May 20, 2026
Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.
Register
People on the Move
Tim Byrd has been appointed Chief Information Security Officer at First Citizens Bank.
IRONSCALES has named Steve McKenzie as Chief Operating Officer.
Silvio Pappalardo has joined AuthMind as Chief Revenue Officer.
More People On The Move
Expert Insights
Cyber Resilience Is The New Business Continuity Plan
The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin)
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael)
Is The SOC Obsolete, And We Just Haven’t Admitted It Yet?
Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au)
The Mythos Moment: Enterprises Must Fight Agents With Agents
Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor)
Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents
From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George)
Flipboard
Reddit
Whatsapp
Email