Vulnerability exploitation has surpassed stolen credentials as the leading cause of data breaches for the first time in the 19-year history of Verizon’s Data Breach Investigations Report. According to the 2026 DBIR released Tuesday, 31% of breaches now begin with attackers exploiting unpatched software vulnerabilities, overtaking credential theft, which dropped to 13% of initial access vectors.
The shift reflects a fundamental change in the threat landscape. Attackers are moving faster than organizations can patch, with AI tools accelerating the time between vulnerability disclosure and exploitation from months to hours. Meanwhile, organizations are falling further behind: they patched only 26% of critical vulnerabilities in CISA’s Known Exploited Vulnerabilities catalogue in 2025, down from 38% the previous year.
The Numbers Are Worse Than They Appear
Verizon analyzed more than 22,000 confirmed breaches from incidents that occurred between November 2024 and October 2025. The median time to patch critical vulnerabilities increased to 43 days, up from 32 days the previous year. That 11-day increase matters because attackers are weaponizing vulnerabilities faster than ever.
The volume of vulnerabilities organizations must handle has reached crisis levels. Verizon recorded 527.3 million vulnerability instances in 2025, compared to 68.7 million in 2022, an eight-fold increase in just three years. The number of critical vulnerabilities requiring attention was 50% higher than the previous year.
“The picture it paints is that of a treadmill picking up speed,” the report authors wrote. This is not hyperbole: nearly half of the vulnerabilities in CISA’s KEV catalogue showed persistent exploitation throughout 2025, with attack attempts detectable on 96% of monitored days.
AI Is Making Attackers Faster, Not Smarter
Verizon partnered with Anthropic to analyze how 793 threat actors used AI tools between March 2025 and February 2026. The findings complicate the narrative around AI as a revolutionary threat multiplier. In the median case, attackers sought AI assistance across 15 different MITRE ATT&CK techniques, with 99% rated as medium or low risk based on technical sophistication.
AI is primarily automating known techniques rather than enabling novel attacks. Phishing accounted for 44% of AI-assisted initial access attempts, followed by vulnerability exploitation at 32% and credential abuse at 21%. The technology is raising the baseline capability of less experienced attackers rather than creating new attack vectors.
The real concern is speed. AI tools can identify and weaponize vulnerabilities within hours of disclosure, shrinking the defensive window to almost nothing. Organizations that previously had weeks or months to deploy patches now have days at most.
Mobile Phishing Success Rate 40% Higher Than Email
While vulnerability exploitation dominates initial access, human factors remain significant. The DBIR found that 62% of breaches involved a human element, with social engineering accounting for 16% of breaches. Mobile-centric phishing attacks showed a 40% higher success rate than traditional email phishing.
“People tend to be more trusting of these devices,” said Chris Novak, Verizon Business’s vice president of global cybersecurity solutions. “And as a result, they’re more likely to click on links and follow through with the phishing logic.” Email security gateways cannot see SMS or voice calls, creating blind spots that attackers are exploiting.
Shadow AI use has become a data leakage vector. AI tools now represent the third most common cause of non-malicious insider data loss, accounting for 12% of incidents, a fourfold increase from the previous year. Two-thirds of employees access AI services from corporate devices using personal accounts, creating exposure that most security stacks cannot monitor.
Patch Based on Active Exploitation, Not CVSS Score
The DBIR’s guidance on patch prioritization is straightforward. Focus on active exploitation rather than theoretical impact scores. Vulnerabilities recently exploited in the wild carry the highest probability of continued exploitation. That probability drops significantly after 30 days, again at 90 days, and levels off after nine months.
Even well-resourced organizations can patch only 30% to 40% of critical vulnerabilities in the first week, according to the report. The advice is to prioritize based on recency of exploitation rather than CVSS scores alone because “the longer it’s been since a vulnerability has been exploited, the less likely it is to be exploited again soon.”
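The prioritization rule described in the two paragraphs above, turned into a small patch-queue builder. This is an added illustration, not code from the DBIR or from Verizon: the 30-day, 90-day and nine-month bands follow the report's description, but the numeric weight assigned to each band, the KEV-shaped sample entries, the scanner output and the CVE identifiers (CVE-0000-000x placeholders) are all constructed for the example. It also assumes the KEV catalogue's dateAdded field as a proxy for when exploitation was last confirmed; an organization with its own exploitation telemetry would feed that instead.

```python
"""Recency-weighted patch queue (added illustration, not DBIR/Verizon code).

Bands (30 days, 90 days, nine months) follow the report; the weight per band
is an assumption chosen so that any recent exploitation outranks any CVSS score.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample shaped like CISA's KEV JSON feed (only the fields read here).
# Assumption: dateAdded stands in for the last confirmed in-the-wild exploitation.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-05-11"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-03-22"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2025-04-16"},
]})

# Constructed scanner output: placeholder CVE id -> CVSS base score.
SAMPLE_SCAN: Dict[str, float] = {
    "CVE-0000-0001": 9.8,   # critical on paper, no known exploitation
    "CVE-0000-0002": 7.5,   # high, exploited 10 days before the run date
    "CVE-0000-0003": 9.1,   # critical, exploited 60 days before
    "CVE-0000-0004": 8.8,   # high, exploited 400 days before
}


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float
    last_exploited: Optional[date]   # None when no in-the-wild exploitation is known


def load_kev_dates(kev_json: str) -> Dict[str, date]:
    """Map cveID -> dateAdded from a KEV-shaped JSON document."""
    data = json.loads(kev_json)
    return {e["cveID"]: date.fromisoformat(e["dateAdded"]) for e in data["vulnerabilities"]}


def recency_weight(days_since: Optional[int]) -> float:
    """Weight for likelihood of continued exploitation, by age of last exploitation.

    Highest within 30 days, lower after 30, lower again after 90, and flat after
    roughly nine months (270 days). The values are assumed, the bands are the report's.
    """
    if days_since is None:
        return 0.0                 # never observed exploited: CVSS alone decides
    days_since = max(days_since, 0)
    if days_since <= 30:
        return 1.0
    if days_since <= 90:
        return 0.6
    if days_since <= 270:
        return 0.3
    return 0.15                    # plateau


def priority_score(v: Vuln, today: date) -> float:
    """Recency dominates (x100); CVSS only orders items within the same band."""
    days = (today - v.last_exploited).days if v.last_exploited else None
    return recency_weight(days) * 100.0 + v.cvss


def build_queue(scan: Dict[str, float], kev_json: str, today: date) -> List[Vuln]:
    """Join scanner findings with exploitation dates and sort most urgent first."""
    kev = load_kev_dates(kev_json)
    vulns = [Vuln(cve, cvss, kev.get(cve)) for cve, cvss in scan.items()]
    return sorted(vulns, key=lambda v: priority_score(v, today), reverse=True)


def sample_queue_ids(today: date = date(2026, 5, 21)) -> List[str]:
    """Ranked CVE ids for the constructed sample, evaluated on the given date."""
    return [v.cve for v in build_queue(SAMPLE_SCAN, SAMPLE_KEV_JSON, today)]


if __name__ == "__main__":
    run_date = date(2026, 5, 21)
    for v in build_queue(SAMPLE_SCAN, SAMPLE_KEV_JSON, run_date):
        print(f"{v.cve}  cvss={v.cvss:<4}  score={priority_score(v, run_date):.1f}")
```

On the sample data the CVSS 9.8 finding with no known exploitation lands at the bottom of the queue, below a CVSS 7.5 finding exploited ten days earlier, which is exactly the ordering the report argues for. The weights only need to preserve the band order; tuning them to a measured exploitation-probability curve is a local decision.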
Third-party involvement in breaches jumped 60% year-over-year and now accounts for 48% of all breaches. Only 23% of third-party cloud platforms fully remediated missing or misconfigured multifactor authentication, highlighting how vendor security gaps become customer problems.
References
- Verizon 2026 Data Breach Investigations Report
- Verizon DBIR 2026 Analysis
- Vulnerability Glut Analysis
- DBIR Key Findings
- Patching Coverage Falls
May 21, 2026