Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches
Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches
https://cyberscoop.com/verizon-data-breach-investigations-report-2026/
Publish Date: 2026-05-19 17:21:00
Source Domain: cyberscoop.com
Attackers couldn’t get enough of the vulnerabilities at their disposal last year, making exploits the top initial access vector across more than 22,000 breaches Verizon analyzed in its latest Data Breach Investigations Report released Tuesday.
The massive annual study uncovered a surge of exploited vulnerabilities during a one-year period ending in October 2025. Exploited defects accounted for 31% of all known initial access vectors, jumping from 20% the previous year.
The uptick in exploited vulnerabilities is a reflection of the “sisyphean cause” of vulnerability management, researchers wrote in the report. “Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them.”
Organizations are struggling to keep up with the torrent of vulnerabilities affecting technology across their systems. This slide is especially worrisome, and declining, among defects in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog.
Only 26% of the critical vulnerabilities in CISA’s catalog were fully remediated by more than 13,000 organizations Verizon studied in 2025, marking a drop from 38% the year prior.
“There is also a worse result for the median time elapsed for a vulnerability to be fully patched by detection,” researchers wrote in the report. “Our new median time is 43 days, almost two weeks longer than last year’s 32 days.”
Verizon also noted that the median number of KEV vulnerabilities that organizations had to patch jumped from 11 in 2024 to 16 in 2025.
CISA’s KEV catalog contained more than 1,500 CVEs as of February, and 65% of those were exploited during the previous year, according to the report.
Verizon identified the five most common weaknesses of CISA KEV CVEs in its report as out-of-bounds read, heap-based buffer overflow, use after free, external control of file name or path and access of resource using incompatible…
