
Why 31% of breaches now begin with vulnerability exploitation

According to the Verizon 2026 Data Breach Investigations Report, "Exploitation of vulnerabilities is now the most common initial access vector for breaches," having "risen to 31% in this year's reporting dataset, while credential abuse, the previous leader, is down to 13%."

The report further notes that "the exploitation of vulnerabilities is the most prominent initial access vector in our dataset this year, reaching the height of 31%, up from 20% last year, which represents a 55% increase in this vector."

Cybercriminals are investing in scanning infrastructure, identifying unpatched systems, and deploying exploits. Where social engineering attacks once required targeting a specific person and hoping they made a mistake, exploitation attacks are largely automated and efficient.

"Initial access via exploitation" means attackers find a weakness in one of your internet-facing systems, such as a misconfigured firewall, an unpatched VPN appliance, an outdated web application, or any exposed service with a publicly known CVE, and use that weakness to get in, without ever needing a password or a victim to click a link.


Why exploitation has increased to 31%

1. The vulnerability disclosure pipeline

The time between a vulnerability being publicly disclosed and attackers weaponizing it has shrunk, while security teams still operate on patch cycles measured in weeks or months. The Verizon 2026 Data Breach Investigations Report names the problem directly: "Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them." The numbers back this up: "Only 26% of the CISA KEV vulnerabilities had been fully remediated, a considerable drop from last year's 38%," and "the median number of KEV vulnerabilities that had to be patched by organizations has risen in 2025 to 16, where this figure was 11 in 2024. That is almost 50% more KEV vulnerabilities to patch in a year."


2. The attack surface has grown

Remote work, cloud migration, and the increase of internet-connected devices have expanded the number of systems organizations expose to the internet. Every new edge device, cloud workload, or SaaS integration is a potential entry point.

Research published in Vulnerability to Cyberattacks and Sociotechnical Solutions for Health Care Systems: Systematic Review identifies technology advancement through digitalization as one of five core vulnerability themes in health care, noting that organizations often focus on adopting new technology while spending less on securing it. The same review found that "humans are the weakest link in the cyberattack chain," and that approximately 60% to 70% of health care organizations had witnessed breaches of health information without ever disclosing them, a figure that suggests the true scale of compromise is underreported.


3. Exploit toolkits are commoditized

Sophisticated exploits that once required nation-state resources are now available on dark web forums. The Verizon 2026 Data Breach Investigations Report notes that "AI's primary impact is currently operational: automating and scaling techniques defenders already know how to detect," raising the baseline of what even less-sophisticated actors can achieve.


4. Credential-based defenses have improved

Vulnerability exploitation has risen partly because other vectors have become harder. Attackers take the path of least resistance, and right now unpatched systems are often that path. That said, the Verizon 2026 Data Breach Investigations Report is clear that MFA pressure must continue: "You should stop postponing that MFA rollout in your organization because credentials are an integral part of the threat actor's toolkit." Indeed, "If you consider all instances of credential abuse at any point in the breach progression, it still sits on top at 39%."


What attackers target

Attackers prioritize:

  • Edge devices and network infrastructure: VPNs, firewalls, load balancers, and remote access tools are targets because they sit directly on the perimeter and often run outdated firmware.
  • Web-facing applications: Unpatched content management systems, customer portals, and APIs are constantly scanned for known weaknesses.
  • Zero-days and N-days: While zero-days get the headlines, "N-day" vulnerabilities, those already publicly disclosed with a fix available that the organization has not yet applied, are responsible for the majority of exploitation-based breaches. The Verizon 2026 Data Breach Investigations Report reveals that "a staggering 89% of organizations had to patch vulnerabilities associated with Memory Safety," a class of bug (buffer overflows, use-after-free and the like) that has been understood for decades and is still being shipped.
  • Third-party software in the supply chain: A vulnerability in a widely-used library or vendor product can give attackers access to thousands of organizations. According to the Verizon 2026 Data Breach Investigations Report, "breaches with third-party involvement have increased by 60% from last year's dataset, reaching 48% of total breaches."


The business impact

Breaches initiated through vulnerability exploitation tend to be more damaging than those caused by phishing. A phishing victim usually hands over a single user's access; an exploited edge device or server often hands the attacker the privileges of the vulnerable service itself, which frequently means administrative access. Dwell time before detection is also typically longer, giving attackers more opportunity to move laterally, collect data, and establish persistence.

According to the Verizon 2026 Data Breach Investigations Report, "Ransomware grew again to 48% of all breaches, up from 44% from the previous year," and "exploitation of vulnerabilities...has doubled to 32% of breaches" as an action variety, reflecting how closely ransomware and vulnerability exploitation are now linked.

For businesses, this results in higher breach costs, more extensive remediation, greater regulatory exposure, and reputational damage. It is worth noting that this damage is rarely contained to the technical layer. Research published in the International Journal of Information Management finds that when breaches occur, public discourse shifts toward the personal costs and legal accountability of organizations that failed to protect data.


What organizations can do

  • Fix the most dangerous vulnerabilities first. Prioritize vulnerabilities that are already being actively exploited, that sit on internet-facing systems, or that carry a high severity score, in roughly that order. The Verizon 2026 Data Breach Investigations Report notes the limits organizations face: "There appears to be a ceiling, and the data suggests diminishing returns at current resource levels," with the median time for full resolution now at "43 days, almost two weeks longer than last year's 32 days." The guidance is that "organizations at their very best only get to fix 30%–40% of KEV instances in the first week after detection, so choosing the correct ones to patch really is the key strategy."
  • Make yourself a smaller target. Every system you expose to the internet is something attackers can probe. Regularly check what you're making public-facing, and switch off or disconnect anything that doesn't need to be there.
  • Use tools. The Verizon 2026 Data Breach Investigations Report notes the scale of the problem: "there were 68.7 million records in the 2022 dataset and 527.3 million in 2025, almost eight times the volume." Nobody triages that by hand. Automated scanning, an accurate asset inventory, and patch management tooling are the minimum needed to know what you have and what state it is in.
  • Put up temporary barriers while you wait to patch. When you can't patch immediately, don't leave a system unprotected. Firewalls, network segmentation, intrusion detection, and enhanced logging all help limit how much damage an attacker can do if they get in.
  • Watch for attacks before they succeed. Knowing which vulnerabilities are actively being exploited in the wild gives your team the chance to respond before a breach actually happens. The Verizon 2026 Data Breach Investigations Report notes that "at Day 28, that 35% translates to 184 million open vulnerability instances" still unaddressed, making real-time detection an important line of defense.
  • Invest in your people, not just your tools. The systematic review states that investment in people is as important as investment in technology. Attackers actively look for human weak points and organizations that treat security as a purely technical problem are prone to attacks.
  • Make sure leadership understands the risk, not just IT. The Situational Awareness study notes that practitioners and the public perceive cyber threats through different lenses, with practitioners focused on causes and technical gaps while broader stakeholders focus on costs and legal accountability. Organizations that close that gap internally are far better placed to respond when an incident occurs.
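As an added example (not from the DBIR and not Paubox's own tooling), the following Python script turns the prioritization rule above into a sort key and computes the two KEV metrics the report uses, the share fixed within the first week and the median time to fix, over a small constructed inventory. Every finding, the KEV-style set, the "V-00N" labels and the as-of date are assumptions for illustration only, not real assets or CVE identifiers.

```python
"""Risk-based vulnerability triage and KEV remediation metrics.

Added example, not from the Verizon DBIR or from Paubox. All data is
constructed: the "V-00N" labels are placeholders, not real CVE IDs.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Set


@dataclass
class Finding:
    vuln_id: str            # placeholder label; a CVE ID in real inventories
    asset: str
    internet_facing: bool
    cvss: float             # base score, 0.0-10.0
    detected: date
    fixed: Optional[date] = None


# Constructed stand-in for the CISA KEV catalog (IDs exploited in the wild).
KEV: Set[str] = {"V-001", "V-004", "V-006"}

# Constructed inventory: V-001 fixed in 4 days, V-004 in 31, V-006 still open.
FINDINGS: List[Finding] = [
    Finding("V-001", "vpn-gw-01", True, 9.8, date(2026, 2, 1), date(2026, 2, 5)),
    Finding("V-002", "hr-portal", True, 7.5, date(2026, 2, 1)),
    Finding("V-003", "build-server", False, 9.1, date(2026, 1, 10)),
    Finding("V-004", "fw-edge-02", True, 8.1, date(2026, 1, 20), date(2026, 2, 20)),
    Finding("V-005", "wiki-internal", False, 5.3, date(2026, 2, 15)),
    Finding("V-006", "api-gateway", True, 9.0, date(2026, 2, 10)),
]
AS_OF = date(2026, 3, 1)  # constructed reporting date


def priority_key(f: Finding, kev: Set[str], as_of: date) -> tuple:
    """Sort key for the article's ordering: actively exploited (KEV) first,
    then internet-facing, then higher CVSS, then older findings. Python sorts
    ascending, so booleans are inverted and numbers negated."""
    age_days = (as_of - f.detected).days
    return (f.vuln_id not in kev, not f.internet_facing, -f.cvss, -age_days)


def triage(findings, kev=KEV, as_of=AS_OF) -> List[str]:
    """IDs of open findings in the order they should be patched."""
    open_findings = [f for f in findings if f.fixed is None]
    ordered = sorted(open_findings, key=lambda f: priority_key(f, kev, as_of))
    return [f.vuln_id for f in ordered]


def kev_fixed_within(findings, days: int = 7, kev=KEV) -> float:
    """Fraction of KEV findings closed within `days` of detection.
    Still-open KEV findings count against the rate."""
    kev_findings = [f for f in findings if f.vuln_id in kev]
    if not kev_findings:
        return 0.0
    hit = sum(1 for f in kev_findings
              if f.fixed is not None and (f.fixed - f.detected).days <= days)
    return hit / len(kev_findings)


def median_days_to_fix(findings) -> Optional[float]:
    """Median detection-to-fix time over closed findings; None if none closed."""
    durations = [(f.fixed - f.detected).days for f in findings if f.fixed is not None]
    return median(durations) if durations else None


def overdue_kev(findings, max_days: int = 7, kev=KEV, as_of=AS_OF) -> List[str]:
    """Open KEV findings older than max_days: the escalation list."""
    return [f.vuln_id for f in findings
            if f.fixed is None and f.vuln_id in kev
            and (as_of - f.detected).days > max_days]


if __name__ == "__main__":
    print("patch order:", triage(FINDINGS))
    print("KEV fixed within 7 days:", f"{kev_fixed_within(FINDINGS):.0%}")
    print("median days to fix:", median_days_to_fix(FINDINGS))
    print("overdue KEV:", overdue_kev(FINDINGS))
```

The sort key is deliberately lexicographic rather than a weighted score: a KEV entry on an internal host outranks a critical-CVSS finding on an exposed one, which is the trade-off the report's "choose the correct ones to patch" advice implies. Swap the tuple order if your risk appetite differs, but keep the KEV test first.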


FAQs

What is a CVE and why does it matter?

A CVE (Common Vulnerabilities and Exposures) entry is a standard identifier assigned to a publicly disclosed security flaw in software or hardware. Once published, it becomes a roadmap attackers use to target any organization that hasn't yet patched the affected product.


How do attackers find out which systems are unpatched?

Automated scanners sweep internet-facing systems for version banners and other fingerprints tied to known vulnerabilities, so attackers can build lists of exposed targets at scale without singling out any particular organization in advance.


What is the difference between a zero-day and an N-day vulnerability?

A zero-day is a flaw unknown to the vendor with no patch available, while an N-day is one that has been publicly disclosed and for which a patch exists but has not yet been applied. The "N" is the number of days the fix has been sitting unused.
