SecurityWeek

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector


Vulnerability exploitation was the most common access vector for data breaches in 2025, the latest installment of Verizon’s annual Data Breach Investigations Report (DBIR) shows.

The number of analyzed security incidents has increased to 31,000. Of these, more than 22,000 were confirmed breaches, nearly double compared to last year’s 12,195 confirmed breaches.

Approximately 31% of the breaches were the result of unpatched vulnerabilities being exploited. Credential abuse, which was the top entry point in last year’s DBIR, accounted for 13% of the breaches.

According to Verizon’s researchers, threat actors are leveraging AI to accelerate vulnerability exploitation, and the window for defense has decreased from months to hours.

“The rapid weaponization of known vulnerabilities by AI can create a capacity crisis for security teams, underscoring the urgent need to prioritize fundamental security and risk management practices,” Verizon says.

The Verizon 2026 DBIR also shows that organizations continue to struggle with vulnerability remediation. The median time for full patching increased to 43 days in 2025, up from 32 days in the previous year.

According to the report, organizations patched only 26% of the security defects in CISA’s Known Exploited Vulnerabilities (KEV) catalog last year, a drop from 38% in 2024.

The number of critical flaws (defined in the report as bugs included in the KEV list) that organizations had to patch was 50% higher in the median case compared to the previous year’s dataset.

“The findings in Verizon’s 2026 DBIR are striking because they reinforce something we have been saying for years: exploitation is now the leading breach vector, and organizations are still simply not fixing flaws fast enough,” said Veracode co-founder and chief security evangelist Chris Wysopal.

Per Verizon’s new report, ransomware was involved in 48% of the confirmed breaches in 2025, up from 44% in the previous year, while ransom payments decreased, with the median amount paid dropping below $140,000. Only 31% of ransomware victims paid, the report shows.

An increased reliance on third-party software and services has expanded organizations’ attack surface and led to a 60% increase in breaches with third-party involvement last year, reaching 48% of the total.

“Looking at remediation over time in third-party cloud exposure, only 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts, with 50% of all findings being resolved within a month,” the DBIR reads.

Verizon’s report also shows that threat actors are increasingly relying on gen-AI for targeting, initial access, and malware and tool development.

“The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50. Most AI-assisted development of malware and tooling was associated with well-known and defined attack techniques, with a median of 55 existing known malware examples performing the same functions,” the report reads.

Per the Verizon 2026 DBIR, 62% of breaches involved a human element, social engineering accounted for 16% of breaches, and the median rate of success was 40% higher in mobile-centric phishing attacks than in email-based ones.

The report also shows that shadow AI, or the unauthorized use of gen-AI services, continues to plague enterprises, as 67% of users are accessing AI services from corporate devices using non-corporate accounts. Overall, 45% of employees are regular AI users, up from 15% last year.

“While the datapoints are clear, the takeaway for the industry is resounding. Security teams can’t rely solely on downstream remediation. As attackers increasingly target common coding weaknesses, organizations need to prioritize finding and fixing vulnerabilities during development—not months, or even a year, down the line when the burden of time, cost, and risk is multiplied. This is even more important as GenAI continues to change the code vulnerability calculus,” Wysopal said.
