
Verizon DBIR: Vulnerability Exploits Overtake Credentials

By Team-CWD, May 20, 2026

Vulnerability exploitation has overtaken compromised credentials for the first time in nearly two decades as the most common initial access vector for data breaches, according to Verizon.

The tech giant’s Data Breach Investigations Report (DBIR) has been providing threat landscape insight to industry professionals for 19 years, drawing on a variety of Verizon, incident response, law enforcement and industry data on real breaches and incidents.

The latest edition revealed that nearly a third (31%) of data breaches over the past year started with vulnerability exploitation. This is up from 20% in last year’s report.

That made it the top initial access vector, with credential abuse down from 22% to 13%.

Verizon suggested the figures could indicate that AI is already being used by threat actors to find and exploit more vulnerabilities.

However, it’s not just zero-days that are at issue. The report revealed that firms aren’t patching known bugs quickly enough.

Only 26% of critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities (CISA KEV) catalog were fully remediated by organizations in 2025, a drop from 38% the previous year.

That could be due to the increased patch load. Organizations had 50% more critical vulnerabilities to patch in this year’s reporting dataset versus 2025, Verizon said.

Jon Baker, VP of threat-informed defense at AttackIQ, said organizations are struggling to prioritize patches.

“Security teams are being asked to fix more critical issues, but they still need to know which ones actually create a path to compromise,” he argued. “A vulnerability on paper is one thing, but a vulnerability that can be chained into lateral movement, ransomware deployment, or data theft is something else entirely.”

Patrick Münch, CSO at vulnerability management services firm Mondoo, said manual remediation is letting firms down. “You don’t close the gap with another scanner,” he added. “You close it with transparent agentic AI: humans in the loop on decisions, AI automation on remediation and mitigation execution, and a clear audit trail from identifying the issue to verifying it’s fixed.”

AI Threats to the Fore of the Verizon DBIR

AI is more obviously growing as a threat in other parts of the report.

“The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50,” it noted.

Shadow AI is also a growing enterprise threat: it’s now the third most common “non-malicious insider action” detected in Verizon’s data loss prevention (DLP) dataset, a fourfold percentage increase from last year.

Some 45% of employees are now regular users of managed and unmanaged AI on their corporate devices, up from 15% last year.

Supply Chains and Social Engineering

Elsewhere in the report, mobile users were targeted more frequently by social engineering attacks over the past year, as individuals got better at spotting phishing attempts via other channels.

In phishing simulations, the median “click” rate in mobile vectors like voice and text is 40% higher than via email, Verizon claimed. The “human element” was present in 62% of breaches, up slightly from 60% last year.

Supply chain-related breaches also surged, by 60% annually, to account for nearly half (48%) of all data breaches recorded in the report.

Just 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts. For weak passwords and permission misconfigurations, time to resolve 50% of all findings reached almost eight months.

As a share of breaches, ransomware nudged up from 44% last year to 48% this, but 69% of victims elected not to pay, squeezing threat actor margins.


