Verizon Breach Report: Vulnerability Exploitation Surges

May 19, 2026
Governance & Risk Management, Incident & Breach Response, Patch Management

Patch Rollout Slows and Ransomware Incident Volume Rises, Finds Latest Verizon DBIR

Mathew J. Schwartz (euroinfosec) • May 19, 2026

Bugs, and lots of them, were how a plurality of data breach intrusions began over the past year, finds Verizon in its latest annual appraisal of the state of cybersecurity.


The 2026 Data Breach Investigations Report, published Tuesday, finds that one-third of all known breaches began with vulnerability exploitation, distantly followed by credential abuse in 13% of attacks, and to a lesser extent, phishing and social engineering.

Half of all successful breaches also now involve some kind of “ransomware action.”

In bad news for defenders, the report also finds that fewer vulnerabilities identified by the U.S. Cybersecurity and Infrastructure Security Agency as under active exploitation receive patches. And even when fixed, bugs are being patched more slowly. Organizations at the top of their patch management game only fix 30% to 40% of actively exploited hardware and software bugs within the first week after detection, the report states.

This year’s annual DBIR is based on more than 31,000 real-world security incidents leading to data breaches affecting organizations across 145 countries from Nov. 1, 2024, through Oct. 31, 2025. The report is based on information gathered by Verizon Business’s own investigations as well as anonymized data shared by a network of partners, including the FBI, Britain’s National Crime Agency, the EU’s CERT-EU cybersecurity service, vendors and other organizations.

The report finds organizations patched just roughly a quarter of critical vulnerabilities last year, down from 38% the prior year, and took longer to do so – 43 days on average, up from 32 days the previous year.

“Volume definitely plays an enormous part in it,” said Daniel Lawson, senior vice president of global solutions at Verizon Business, of the lag in remediation. Security researchers collectively found more than 48,000 vulnerabilities last year, an 18% year-over-year increase – a number poised to only grow bigger this year. The number of critical vulnerabilities grew by half, “a large quantity for firms to cope with,” Lawson said.

Verizon has observed companies investing to improve vulnerability management, but “the sheer amount of volume means that even these improved processes are unable to keep up with the rising number of unique critical vulnerabilities,” he added.

Report authors count as a security incident any security event that compromises the confidentiality, integrity or availability of data. Of those incidents, more than 22,000 – also a record-setting number – were confirmed data breaches, defined as the incident resulting in “confirmed disclosure – not just potential exposure – of data to an unauthorized party.”

As with patching a company’s internal environment, remediating security shortcomings in third-party cloud services remains challenging, with researchers seeing a widespread failure to enforce the use of multifactor authentication, complex passwords and correct configurations.

“ remediation over time in third-party cloud exposure, only 23% of third-party organizations fully remediated missing or improperly secured MFA on their cloud accounts, with 50% of all findings being resolved within a month. For weak passwords and permission misconfigurations, the time to resolve 50% of all findings was much worse, reaching almost eight months,” the report says.

Ransomware Rises

Ransomware attacks didn’t stop growing, with some kind of related action present in 48% of all breaches last year, up from 44% the prior year. Such actions can include data theft from organizations or their third-party service providers, data-only extortion attacks and traditional crypto-locking malware (see: Ransomware Defenses Seem to Be Holding; Challenges Loom).

The report said 69% of known victims didn’t pay a ransom, and when they did, the average ransom they paid dropped to about $140,000, compared to $150,000 the prior year.

Researchers said the rise in ransomware breaches is tied in part to the fact that half of all data breaches last year involved some kind of third-party service (see: Salesforce Sounds Alarm Over Fresh Data Extortion Campaign).

The use of information-stealing malware by cybercriminals, especially for unleashing ransomware, also remains rife. Half of all breach victims showed signs of “a credential or infostealer event” having occurred within 95 days of the initial intrusion tied to the ransomware attack.

All of these findings carry caveats that cybersecurity professionals should keep in mind when trying to translate the statistics into their decision-making and planning, said cyber risk expert Tony Martin-Vegue in a report appendix.

“Consider it this way: when we say ransomware was present in 48% of breaches, what we’re really saying is ‘among organizations that got breached and detected it and reported it, or had it reported by another person, 48% of those breaches involved ransomware,’” he said.

In addition, the report “doesn’t capture attacks that failed, activity that was blocked or disrupted before causing harm, or incidents that went undetected or never met reporting standards,” he said.

AI-Facilitated Hacking

Much has already changed since last November, when the scope of the latest DBIR data ends. Major changes include a surge in data breaches tied to the use of tools such as Claude Code to help automatically orchestrate every step of an attack.

“Traditionally, cybercriminals relied on human effort and technical skill to execute attacks. Now, Agentic AI systems can automate every stage of cybercrime: reconnaissance, phishing, data theft and even laundering stolen and illicit assets,” says the U.S. Secret Service in a report appendix.

Many artificial intelligence tools, including but not limited to the latest frontier models such as Anthropic’s Mythos, continue to reveal new vulnerabilities in widely used software. Experts said AI models’ ability to chain vulnerabilities together to make them more exploitable also continues to improve. How effective this might be for real-world attacks, against enterprise security environments with layered defenses, remains unclear.

“Both the DBIR team and Verizon are keenly aware of the rising influence and capabilities of AI-augmented vulnerability research and weaponization to this point in 2026 based on early indicators and developments,” the report says.

One takeaway for defenders is that almost none of the malware developed by generative AI or actions taken by AI hacking was that unusual. When attackers used GenAI to generate malware, fewer than 2.5% of the resulting samples “involved less-common techniques with one or fewer known malware examples.”

As with many aspects of AI, experts often recommend more AI to defend against illicit use. Agentic AI can monitor in real time, automate threat detection and response, the Secret Service said.

Attacks are getting faster and more sophisticated, meaning the answer for defenders involves “refinement, not revolution,” counsels Verizon. The need to do the basics and do them well still holds.

“While the rate of cyber threats – driven by AI and faster vulnerability exploitation – is rising, the foundational principles of security and strong risk management remain the simplest protection,” said Daniel Lawson, senior vice president of Verizon Business.

“The DBIR reinforces that these fundamentals still hold as organizations strive for resilience,” he said.

With reporting by ISMG’s David Perera in Northern Virginia.


