Vulnerability exploitation was the most common initial access vector for data breaches in 2025, the latest installment of Verizon's annual Data Breach Investigations Report (DBIR) shows.
The number of analyzed security incidents has increased to 31,000. Of these, more than 22,000 were confirmed breaches, nearly double last year's 12,195 confirmed breaches.
Roughly 31% of the breaches were the result of unpatched vulnerabilities being exploited. Credential abuse, which was the top entry point in last year's DBIR, accounted for 13% of the breaches.
According to Verizon's researchers, threat actors are leveraging AI to accelerate vulnerability exploitation, and the window defenders have between disclosure and in-the-wild exploitation has shrunk from months to hours.
"The rapid weaponization of known vulnerabilities by AI can create a capability crisis for security teams, underscoring the urgent need to prioritize fundamental security and risk management practices," Verizon says.
The Verizon 2026 DBIR (PDF) also shows that organizations continue to struggle with vulnerability remediation. The median time to fully patch a vulnerability increased to 43 days in 2025, up from 32 days in the previous year.
According to the report, organizations patched only 26% of the security defects listed in CISA's Known Exploited Vulnerabilities (KEV) catalog last year, a drop from 38% in 2024.
The number of critical flaws (defined in the report as bugs included in the KEV catalog) that organizations had to patch was 50% higher in the median case than in the previous year's dataset.
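The three figures above (median time to full patching, share of KEV entries remediated, and a growing KEV backlog) are metrics a security team can compute for its own inventory rather than only read in the report. The following Python is an added example, not code from Verizon or the DBIR; its KEV excerpt, CVE identifiers, detection dates and CISA due dates are all constructed for illustration. It reports the KEV remediation rate as of a cut-off date, the median days-to-patch over closed findings, the median age of still-open findings (so a flattering closed-only median cannot hide a backlog), and KEV items already past their due date.

```python
"""Remediation metrics over a vulnerability inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance in an organization's inventory."""
    cve: str
    detected: date
    remediated: Optional[date]  # None while the finding is still open


# Constructed KEV excerpt: CVE -> remediation due date. Identifiers and dates are
# made up for this example; CISA publishes the real catalog with a dueDate field.
KEV_DUE: Dict[str, date] = {
    "CVE-2025-0001": date(2025, 1, 21),
    "CVE-2025-0002": date(2025, 2, 14),
    "CVE-2025-0003": date(2025, 3, 15),
    "CVE-2025-0004": date(2025, 4, 1),
}

# Constructed inventory of findings (not real data).
FINDINGS: List[Finding] = [
    Finding("CVE-2025-0001", date(2025, 1, 2), date(2025, 1, 20)),  # KEV, fixed in 18 days
    Finding("CVE-2025-0002", date(2025, 1, 2), None),               # KEV, still open
    Finding("CVE-2025-0003", date(2025, 2, 1), date(2025, 3, 30)),  # KEV, fixed in 57 days
    Finding("CVE-2025-0004", date(2025, 2, 1), None),               # KEV, still open
    Finding("CVE-2025-1111", date(2025, 1, 5), date(2025, 2, 1)),   # not KEV, fixed in 27 days
    Finding("CVE-2025-2222", date(2025, 1, 5), date(2025, 3, 1)),   # not KEV, fixed in 55 days
    Finding("CVE-2025-3333", date(2025, 3, 1), None),               # not KEV, still open
]

# Cut-off dates used by the demo and the checks below (constructed).
AS_OF = date(2025, 4, 15)
AS_OF_EARLY = date(2025, 3, 1)


def _is_closed(f: Finding, as_of: date) -> bool:
    """A finding counts as closed only if it was remediated on or before as_of."""
    return f.remediated is not None and f.remediated <= as_of


def kev_remediation_rate(findings: Iterable[Finding], kev: Dict[str, date], as_of: date) -> float:
    """Fraction of KEV-listed findings (detected by as_of) that were closed by as_of."""
    kev_findings = [f for f in findings if f.cve in kev and f.detected <= as_of]
    if not kev_findings:
        return 0.0
    return sum(1 for f in kev_findings if _is_closed(f, as_of)) / len(kev_findings)


def days_to_patch_stats(findings: Iterable[Finding], as_of: date,
                        kev_only: Optional[Dict[str, date]] = None) -> dict:
    """Median detection-to-remediation time over closed findings, plus the open backlog.

    Open findings have no known time-to-patch, so they are excluded from the
    median but counted, with their median current age, so the two numbers are
    always read together."""
    selected = [f for f in findings
                if f.detected <= as_of and (kev_only is None or f.cve in kev_only)]
    closed = [(f.remediated - f.detected).days for f in selected if _is_closed(f, as_of)]
    open_age = [(as_of - f.detected).days for f in selected if not _is_closed(f, as_of)]
    return {
        "median_days_closed": median(closed) if closed else None,
        "n_closed": len(closed),
        "n_open": len(open_age),
        "median_age_open": median(open_age) if open_age else None,
    }


def overdue_kev(findings: Iterable[Finding], kev: Dict[str, date], as_of: date) -> List[Tuple[str, int]]:
    """KEV findings still open past their due date, as (cve, days overdue), worst first."""
    overdue = []
    for f in findings:
        due = kev.get(f.cve)
        if due is not None and not _is_closed(f, as_of) and as_of > due:
            overdue.append((f.cve, (as_of - due).days))
    return sorted(overdue, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"KEV remediation rate as of {AS_OF}: {kev_remediation_rate(FINDINGS, KEV_DUE, AS_OF):.0%}")
    print("All findings:", days_to_patch_stats(FINDINGS, AS_OF))
    print("KEV only:    ", days_to_patch_stats(FINDINGS, AS_OF, kev_only=KEV_DUE))
    print("Overdue KEV: ", overdue_kev(FINDINGS, KEV_DUE, AS_OF))
```

The cut-off date matters: the same inventory shows a 25% KEV remediation rate on 1 March and 50% by 15 April, which is why a yearly figure like the DBIR's 26% should be read alongside the trend. Swapping the constructed `KEV_DUE` for the catalog's real `cveID` and `dueDate` fields and `FINDINGS` for a scanner export is the only change needed to run this against live data.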
"The findings in Verizon's 2026 DBIR are striking because it reinforces something we've been saying for years: exploitation is now the leading breach vector, and organizations are still simply not fixing flaws fast enough," said Veracode co-founder and chief security evangelist Chris Wysopal.
Per Verizon's new report, ransomware was involved in 48% of the confirmed breaches in 2025, up from 44% in the previous year, while ransom payments decreased, with the median amount paid dropping below $140,000. Only 31% of ransomware victims paid, the report shows.
An increased reliance on third-party software and services has expanded organizations' attack surface and led to a 60% increase in breaches with third-party involvement last year, reaching 48% of the total.
"Looking at remediation over time in third-party cloud exposure, only 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts, with 50% of all findings being resolved within a month," the DBIR reads.
Verizon's report also shows that threat actors are increasingly relying on gen-AI for targeting, initial access, and malware and tool development.
"The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50. Most AI-assisted development of malware and tooling was associated with well-known and defined attack techniques, with a median of 55 existing known malware examples performing the same functions," the report reads.
Per the Verizon 2026 DBIR, 62% of breaches involved a human element, social engineering accounted for 16% of breaches, and the median success rate of mobile-centric phishing attacks was 40% higher than that of email phishing.
Shadow AI, the unauthorized use of gen-AI services, continues to plague enterprises, the report also shows: 67% of users are accessing AI services from corporate devices using non-corporate accounts. Overall, 45% of employees are regular AI users, up from 15% last year.
"While the datapoints are clear, the takeaway for the industry is resounding. Security teams can't rely solely on downstream remediation. As attackers increasingly target common coding weaknesses, organizations need to prioritize finding and fixing vulnerabilities during development—not months, or even a year, down the line when the burden of time, cost, and risk is multiplied. This is even more important as GenAI continues to change the code vulnerability calculus," Wysopal said.