{"id":8265,"date":"2026-05-26T07:00:00","date_gmt":"2026-05-26T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8265"},"modified":"2026-05-26T07:00:00","modified_gmt":"2026-05-26T07:00:00","slug":"vulnerabilities-have-become-cyber-attackers-no-1-door-to-the-enterprise","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8265","title":{"rendered":"Vulnerabilities have become cyber attackers\u2019 No. 1 door to the enterprise"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Patching practices are coming under intense pressure of late, as <a href=\"https:\/\/www.csoonline.com\/article\/4156005\/patch-windows-collapse-as-time-to-exploit-accelerates.html\">time-to-exploit windows accelerate<\/a> \u2014 a new reality likely to worsen as AI assistance in attack chains rises.<\/p>\n<p>Now cyber defenders have another cause for flaw alarm: Vulnerability exploitation has significantly pulled away from stolen credentials as the most common entry point in security breaches, according to the latest edition of <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">Verizon\u2019s annual Data Breach Investigations Report (DBIR)<\/a>.<\/p>\n<p>Verizon researchers found that exploited flaws were the root cause of breaches in 31% of cases, with credential abuse blamed for 13% of security failures. 
In a nod to patch management difficulties in the enterprise, only one in four (26%) critical vulnerabilities were fully remediated in 2025 with the median patch time rising to 43 days, up from 32 days the year prior, according to Verizon\u2019s DBIR.<\/p>\n<h2 class=\"wp-block-heading\">Root cause analysis<\/h2>\n<p>Verizon\u2019s study is based on an analysis of 31,000 security incidents \u2014 of which 22,000 were confirmed data breaches \u2014 involving victims spanning 145 countries.<\/p>\n<p>Incident response experts quizzed by CSO confirmed the rise in vulnerability exploitation as a means for breaking into enterprises is real.<\/p>\n<p>\u201cAttackers follow the path of least effort at scale, and right now that path runs through unpatched perimeter and edge devices, where a working exploit needs no prior access, no phished user, and no breach data to buy,\u201d notes Daniel Bechenea, security manager at offensive security and vulnerability assessment platform Pentest-Tools.com.<\/p>\n<p>Bechenea argues that exploitation has overtaken credential abuse because the patching of known exploits is failing to keep up with the rise of critical vulnerabilities.<\/p>\n<p>Chris Wysopal, co-founder and chief security evangelist at Veracode, agrees.<\/p>\n<p>\u201cOrganizations are still simply not fixing flaws fast enough,\u201d he says.<\/p>\n<p>According to Verizon\u2019s analysis, only about <strong>26% of CISA Known Exploited Vulnerabilities (KEVs) were fully remediated in 2025<\/strong>, down from <strong>38% the prior year. 
Meanwhile, the volume of critical-severity vulnerabilities organizations had to patch grew by 50% year-on-year.<\/strong><\/p>\n<p>James John, an incident response manager at Bridewell, offered a contrasting perspective on the relative importance of vulnerability exploitation and credential abuse over the full lifecycle of security breaches.<\/p>\n<p>\u201cWe\u2019re still seeing identity is the primary chokepoint,\u201d says John, whose cybersecurity services and incident response firm contributed data to the Verizon report. \u201cExploitation may now win the race to the front door, but stolen credentials are still the thread running through most intrusions we respond to; they\u2019re just used later in the attack, to move laterally and reach the data that matters.\u201d<\/p>\n<p>The Verizon report also attributed 16% of initial breach access to phishing, on par with the year prior, and 6% to <a href=\"https:\/\/www.csoonline.com\/article\/569453\/what-is-pretexting-definition-examples-and-prevention.html\">pretexting<\/a>, which the researchers noted has become more common in ransomware and extortion attacks.<\/p>\n<p>That latter point somewhat muddies the report\u2019s credentials conclusion, John notes.<\/p>\n<p>\u201cSome of the apparent decline [in credential abuse] is also measurement rather than reality, as credential theft and pretexting blur together,\u201d he tells CSO.<\/p>\n<p>As companies rely more heavily on external vendors, threat actors are targeting the extended supply chain as well, with breaches involving a third party now accounting for 48% of all security incidents covered by Verizon\u2019s DBIR.<\/p>\n<p>Verizon\u2019s DBIR \u2014 now in its 19th year \u2014 combines real-world incident and breach casework from law enforcement, forensic firms, and cyber industry sharing groups such as national CERTs, along with data from Verizon\u2019s work with its own clients. 
Findings from what\u2019s regarded as the industry\u2019s benchmark study on data breaches are supported by recent broadly comparable studies.<\/p>\n<p><a href=\"https:\/\/cloud.google.com\/security\/report\/resources\/cloud-threat-horizons-report-h1-2026\">Google Cloud Security\u2019s latest Cloud Threat Horizons Report<\/a>, for example, also found that attackers are pivoting toward exploiting unpatched third-party software vulnerabilities rather than relying primarily on stolen or weak credentials.<\/p>\n<p>Software vulnerabilities became the biggest single initial access vector (44.5% of incidents), overtaking credential abuse, according to the Google Cloud study.<\/p>\n<h2 class=\"wp-block-heading\">AI already adding to the threat landscape<\/h2>\n<p>Although the latest DBIR report uses 2025 data \u2014 predating the latest frontier AI security model advancements such as <a href=\"https:\/\/www.csoonline.com\/article\/4162259\/claude-mythos-signals-a-new-era-in-ai-driven-security-finding-271-flaws-in-firefox.html\">Anthropic\u2019s Mythos<\/a> \u2014 greater reliance by cybercriminals on AI still emerges from detailed post-mortems on security breaches.<\/p>\n<p>\u201cAI is being leveraged by threat actors to accelerate the time to exploit known vulnerabilities, shrinking the window for defence from months to mere hours,\u201d Verizon warned.<\/p>\n<p>Last week the Google Threat Intelligence Group (GTIG) released evidence of a zero-day exploit <a href=\"https:\/\/www.csoonline.com\/article\/4169046\/google-discovers-weaponized-zero-day-exploits-created-with-ai.html\">developed by a cybercriminal group with the help of AI<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Breach remediation strategies need to change<\/h2>\n<p>Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at managed security services vendor Huntress, says CISOs need to rapidly improve their vulnerability management and identity security in light of the Verizon DBIR 
findings.<\/p>\n<p>\u201cVulnerability exploitation, credential theft, multi-channel social engineering, and supply chain compromise are all being deployed at scale simultaneously,\u201d Patel says. \u201cThe organizations best positioned are those that have built defense in depth across all of these vectors.\u201d<\/p>\n<p>Patel adds: \u201cMore organizations need to shift their vulnerability management program to a risk-based, continuous [approach], tied to real-time exploitation intelligence \u2014 not scheduled patch cycles that leave exploitation windows wide open for days and weeks.\u201d<\/p>\n<p>Raghu Nandakumara, VP of industry strategy at microsegmentation and breach containment vendor Illumio, argues that even though more vulnerabilities are being fixed as enterprise patching practices improve, the backlog of flaws requiring remediation is still growing faster than security teams can keep up.<\/p>\n<p>\u201cThe spike [in vulnerability instances] has been driven by a convergence of forces, including more AI-assisted discovery, greater reliance on third-party and open-source code, a growing number of connected systems, and a disclosure ecosystem that\u2019s now far more active and incentivized than it was even a few years ago,\u201d Nandakumara says.<\/p>\n<h2 class=\"wp-block-heading\">Ransomware payments declining but threat remains potent<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">Ransomware<\/a> was a feature in nearly half of all breaches (48%) covered by the DBIR, up from 44% the year prior, even though ransom payments have declined (69% of victims did not pay).<\/p>\n<p>Aparna Rayasam, CEO of network security firm Atsign, says that this shift in payment rates is spurring ransomware to evolve toward a different business model.<\/p>\n<p>\u201cBecause victims aren\u2019t paying for decryption keys anymore, attackers have shifted heavily toward data exfiltration and 
extortion,\u201d he says. \u201cAttackers are compensating for smaller individual payouts by executing a higher volume of cheaper, automated attacks.\u201d<\/p>\n<p>Rayasam adds: \u201cUse of AI makes this model even more lucrative for the ransomware attackers.\u201d<\/p>\n<p>Bridewell\u2019s John offered a contrasting perspective, arguing that although ransomware attackers are no less successful in attacking enterprises, they are finding it more difficult to extract payment from victims.<\/p>\n<p>\u201cThe drop [in ransomware payments] reflects genuine progress and not attackers losing their edge,\u201d John tells CSO. \u201cMore organizations have tested backups and rehearsed recovery, so they can credibly refuse to pay, and the DBIR notes refusals are rising even in cases involving encryption, not just data theft.\u201d<\/p>\n<p>This reduction in payment rates means that attackers are becoming more aggressive in their attempts to disrupt a business in order to pile greater pressure on them to pay.<\/p>\n<p>For example, UK high street retailer <a href=\"https:\/\/www.csoonline.com\/article\/3977688\/warning-issued-to-retailers-cisos-worldwide-after-three-attacks-in-uk.html\">Marks &amp; Spencer<\/a> suffered weeks of outages and millions in losses as the result of a ransomware attack.<\/p>\n<p>\u201cThe leverage is shifting from \u2018we have your data\u2019 to \u2018we can keep you offline,\u2019 which matters far more when downtime affects essential services,\u201d John concludes.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Patching practices are coming under intense pressure of late, as time-to-exploit windows accelerate \u2014 a new reality likely to worsen as AI assistance in attack chains rises. 
Now cyber defenders have another cause for flaw alarm: Vulnerability exploitation has significantly pulled away from stolen credentials as the most common entry point in security breaches, according [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8266,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8265","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8265"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8265"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8265\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8266"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}