IBM’s latest threat report shows an increase in attackers exploiting applications, often due to missing authentication controls and faster AI-driven tactics.
What happened
There has been a 44% increase in cyber attacks targeting public-facing applications, according to the 2026 IBM X-Force Threat Intelligence Index. Reporting by Infosecurity Magazine states that vulnerability exploitation accounted for 40% of incidents observed by IBM X-Force in 2025, making it the leading initial access vector. The report also found that active ransomware and extortion groups grew 49% year over year, while publicly disclosed victim counts rose by approximately 12%. IBM attributed much of the spike to missing authentication controls and the growing use of artificial intelligence to speed up vulnerability scanning and reconnaissance, shortening the gap between public disclosure and active exploitation.
Going deeper
IBM reported that most vulnerabilities tracked in 2025 did not require authentication to exploit, meaning attackers could access exposed systems without valid login credentials. The analysis also found a near quadrupling of large supply chain and third-party compromises since 2020, with attackers targeting software build environments, SaaS applications, and CI/CD automation pipelines, which are tools used to develop and deploy software updates. The report noted growing overlap between nation-state tactics and financially motivated cybercrime, as techniques are shared on underground forums and reused by smaller groups. Infostealer malware was linked to the exposure of more than 300,000 ChatGPT credentials in 2025, while manufacturing remained the most targeted sector for the fifth consecutive year at 27.7% of incidents, and North America accounted for 29% of observed cases, its highest share in six years.
What was said
In the 2026 IBM X-Force Threat Intelligence Index report, Mark Hughes, global managing partner for cybersecurity services at IBM, said, “Attackers aren't reinventing playbooks; they're speeding them up with AI. The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed.” The remarks were published alongside the report’s release on February 25, 2026, reinforcing IBM’s view that attackers are using AI tools to accelerate familiar techniques rather than introduce entirely new ones.
The big picture
In a separate interview with BankInfoSecurity, Jim Van Dyke of TransUnion said artificial intelligence is reshaping how healthcare breaches unfold, as well as increasing their volume. He explained that AI enables attackers to automate reconnaissance, identify weak links across interconnected healthcare organizations, and target high-value data such as personal identifiers used for fraud and medical identity misuse. As large health systems strengthen security, AI-driven actors are shifting toward smaller providers and vendors with limited resources, using automation to uncover gaps that once required manual effort. Van Dyke added that AI is making fraud more precise rather than simply larger in scale, with attackers prioritizing data that enables account access and financial exploitation.
FAQs
Why are public-facing applications increasingly targeted?
Public-facing applications often expose services directly to the internet, and when authentication or patch management is weak, attackers can exploit vulnerabilities without needing valid credentials.
How does AI accelerate cyberattacks?
AI tools can automate reconnaissance, analyze vulnerability data, generate exploit code patterns, and optimize phishing or social engineering scripts, reducing the time required to move from discovery to exploitation.
Why are supply chain compromises growing?
Modern enterprises rely heavily on third-party software, SaaS integrations, and automated build pipelines, creating additional entry points that attackers can exploit through trusted relationships.
What is infostealer malware?
Infostealers are malicious programs designed to extract stored credentials, browser data, and session tokens from infected systems; the harvested data is often sold on underground forums.
What should organizations prioritize in response?
Organizations should reduce exposure of internet-facing systems, enforce strong authentication controls, maintain rapid patch management processes, and monitor for abnormal application behavior to limit exploitation opportunities.
