Verizon’s 2026 Data Breach Investigations Report (DBIR), its largest data set ever, with over 22,000 breaches across 19 years, shows that “the exploitation of vulnerabilities is the most prominent initial access vector in our dataset this year, reaching the height of 31%, up from 20% last year, which represents a 55% increase in this vector.” Today, it is more likely that attackers will get into systems via unpatched software holes or misconfigurations than by stealing passwords.
The DBIR data also show that identity-based access (phishing and credential abuse) still accounts for about a third of breaches, even as attackers increasingly target the systems themselves.
The attraction of software vulnerabilities
Several factors have made software vulnerabilities an easy target for attackers. Attackers are using generative AI to scan for and weaponize vulnerabilities at unprecedented speed. The risk is no longer theoretical. In the study LLM Agents Can Autonomously Exploit One-Day Vulnerabilities, researchers found that when GPT-4 was given a CVE description, it could exploit 87% of the tested one-day vulnerabilities, compared with 0% for the other tested models and open-source vulnerability scanners. The authors concluded, “LLM agents can autonomously exploit one-day vulnerabilities in real-world systems.”
Verizon’s data show organizations face “50% more critical vulnerabilities to patch in this year’s reporting dataset compared to the previous year” and that remediation time is increasing (median 43 days now, up from 32 days). Organizations are looking to defend themselves against new CVEs that appear faster than patches are applied. The cybercriminal ecosystem has matured, and exploit kits, zero-day marketplaces, and AI tools make it easy for less-skilled attackers to leverage complex bugs.
Systems creating the biggest exposure
Verizon’s summary says hackers are moving from fooling humans to taking advantage of systems. The report also notes that credential abuse decreased from 22% in the 2025 DBIR to 13% in the 2026 DBIR, while system intrusion accounted for 61% of breach patterns, and social engineering, 17%.
The lesson applies to health care organizations. Any unpatched, misconfigured, or poorly monitored internet-facing asset can serve as the front door. VPN gateways, remote-access tools, web applications, cloud services, APIs, databases, and externally facing management interfaces all require tighter inventories and faster remediation. The DBIR specifically cites high-severity zero-days in Ivanti Connect Secure, including CVE-2025-0282, which threat actors weaponized to deploy the SPAWN malware ecosystem.
Patching and asset inventory
Verizon’s 2026 DBIR shows why patching failures now create a direct ransomware risk. The report found 48% of all breaches now involve ransomware, even as payouts shrink and more victims refuse to pay. Slow remediation does not create an abstract technical problem. It leaves exposed systems available for ransomware groups, extortion crews, and opportunistic attackers looking for fast access into clinical, billing, and administrative environments. Verizon also recommends keeping software updated to fix security gaps, reinforcing the simple point: patching is no longer routine maintenance.
Many healthcare assets go unprotected because legacy or test systems, medical devices, and vendor-managed platforms are often overlooked in inventory. A 2025 USENIX Security study on connected medical device patching explains, “Connected medical devices are often reported to lack basic security and to run on unpatched and outdated software.” Software updates often require lengthy testing and change freezes (especially in sensitive clinical settings), so patches are delayed.
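The two points above (internet-facing assets need faster remediation, and overlooked assets need an owner in the inventory) can be turned into a simple exposure report. The script below is an added example, not code from Paubox, Verizon, or the cited study; the asset records, CVE identifiers (CVE-0000-000x) and fix dates are constructed, and the 14-day remediation target is a hypothetical internal policy value. It flags internet-facing assets whose fix has been available longer than the target, lists assets with no inventory owner, and computes the median age of all open vulnerabilities, which is the same kind of metric the DBIR reports.

```python
import statistics
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical internal SLA: days allowed between a fix being available
# and the fix being applied on an internet-facing asset.
REMEDIATION_TARGET_DAYS = 14


@dataclass
class Asset:
    name: str
    kind: str                      # e.g. "vpn-gateway", "medical-device", "vendor-managed"
    internet_facing: bool
    owner: Optional[str]           # None models an asset nobody has claimed in the inventory
    # cve_id -> date the vendor fix became available (all values constructed)
    open_cves: Dict[str, date] = field(default_factory=dict)


def exposure_report(assets: List[Asset], today: date,
                    target_days: int = REMEDIATION_TARGET_DAYS) -> dict:
    """Summarise patching exposure for an asset inventory.

    overdue:              (asset, cve, days since fix) for internet-facing assets
                          past the remediation target, worst first
    unowned:              assets with no inventory owner (the "overlooked" case)
    median_open_age_days: median age of every open CVE across all assets
    """
    overdue = []
    unowned = []
    ages = []
    for asset in assets:
        if asset.owner is None:
            unowned.append(asset.name)
        for cve, fix_date in asset.open_cves.items():
            age = (today - fix_date).days
            ages.append(age)
            if asset.internet_facing and age > target_days:
                overdue.append((asset.name, cve, age))
    overdue.sort(key=lambda row: row[2], reverse=True)
    return {
        "overdue": overdue,
        "unowned": unowned,
        "median_open_age_days": statistics.median(ages) if ages else 0,
    }


# Constructed sample inventory covering the asset types the text names.
SAMPLE_ASSETS = [
    Asset("vpn-gw-1", "vpn-gateway", True, "netops",
          {"CVE-0000-0001": date(2026, 1, 1)}),
    Asset("infusion-pump-12", "medical-device", False, None,
          {"CVE-0000-0002": date(2025, 6, 1)}),
    Asset("patient-portal", "web-app", True, "appteam",
          {"CVE-0000-0003": date(2026, 2, 20)}),
    Asset("vendor-billing-api", "vendor-managed", True, None,
          {"CVE-0000-0004": date(2026, 2, 1)}),
]
SAMPLE_TODAY = date(2026, 3, 1)  # constructed reporting date


if __name__ == "__main__":
    report = exposure_report(SAMPLE_ASSETS, SAMPLE_TODAY)
    for name, cve, age in report["overdue"]:
        print(f"OVERDUE  {name:20} {cve}  fix available {age} days ago")
    for name in report["unowned"]:
        print(f"UNOWNED  {name}")
    print(f"median open CVE age: {report['median_open_age_days']} days")
```

Note that the infusion pump is not counted as overdue because it is not internet-facing, but it still appears in the unowned list; the point of the report is that an asset can be a low exposure in one sense and a blind spot in another.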
Does this mean stolen credentials are less dangerous?
In healthcare specifically, credentials still create outsized damage once attackers get inside trusted systems. Paubox found that phishing-driven mailbox takeovers accounted for about 17% of email breaches in 2025, yet they exposed more than 630,000 individuals, making them the most damaging email attack type by impact.
Paubox’s 2026 Healthcare Email Security Report also found 53% of healthcare email breaches occurred on Microsoft 365, up from 43% in 2024. The problem is not simply the first login. Once attackers have valid credentials, they can enter familiar platforms as legitimate users, search inboxes for PHI, create forwarding rules, target colleagues or vendors, and stay hidden long enough to turn account access into a reportable breach.
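One of the post-compromise behaviours named above, creating forwarding rules on a mailbox, leaves a trace in the Microsoft 365 unified audit log. The script below is an added detection example, not code from Paubox or Microsoft. It assumes audit records shaped like Exchange Online's inbox-rule events (an Operation of New-InboxRule or Set-InboxRule and a Parameters list of Name/Value pairs such as ForwardTo and DeleteMessage); the sample records, mailboxes and the organisation domain example-health.org are constructed. It flags rules that forward or redirect mail to a domain outside the organisation, or that delete messages after forwarding, which is the pattern used to keep a takeover quiet.

```python
import json
from typing import Dict, Iterable, List

# Constructed: the organisation's own mail domains. Forwarding to any other
# domain is treated as external.
ORG_DOMAINS = {"example-health.org"}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that send a copy of mail somewhere else (Exchange cmdlet names).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def _param_map(record: dict) -> Dict[str, str]:
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_recipients(value: str, org_domains: set) -> List[str]:
    """Return the addresses in a ';'-separated recipient list that are outside org_domains."""
    external = []
    for addr in value.split(";"):
        addr = addr.strip().strip('"')
        if "@" not in addr:
            continue  # display names without an address cannot be classified
        if addr.rsplit("@", 1)[1].lower() not in org_domains:
            external.append(addr)
    return external


def suspicious_rules(log_lines: Iterable[str], org_domains: set = ORG_DOMAINS) -> List[dict]:
    """Scan JSON-per-line audit records and return inbox rules worth investigating."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _param_map(record)
        reasons = []
        for name in FORWARD_PARAMS:
            if name in params:
                ext = _external_recipients(params[name], org_domains)
                if ext:
                    reasons.append(f"{name} to external recipient(s): {', '.join(ext)}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage=True (forwarded mail is hidden from the owner)")
        if reasons:
            findings.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "rule": params.get("Name"),
                "reasons": reasons,
            })
    return findings


# Constructed sample records in the assumed audit-log shape.
SAMPLE_RECORDS = [
    {"CreationTime": "2026-02-03T02:14:09", "Operation": "New-InboxRule",
     "UserId": "nurse@example-health.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@external-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-02-03T09:30:00", "Operation": "New-InboxRule",
     "UserId": "billing@example-health.org",
     "Parameters": [{"Name": "Name", "Value": "Share invoices"},
                    {"Name": "ForwardTo", "Value": "colleague@example-health.org"}]},
    {"CreationTime": "2026-02-03T10:05:41", "Operation": "Set-InboxRule",
     "UserId": "admin@example-health.org",
     "Parameters": [{"Name": "Name", "Value": "Tidy"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2026-02-03T10:06:00", "Operation": "MailItemsAccessed",
     "UserId": "nurse@example-health.org", "Parameters": []},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['user']}  rule={hit['rule']!r}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The first record is the only hit: a rule with an almost invisible name that forwards externally and deletes the original, created at 02:14. Internal forwarding and ordinary housekeeping rules pass, which keeps the alert volume low enough for a small healthcare security team to review every finding.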
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
FAQs
What is an initial access vector?
An initial access vector is the first method attackers use to enter an environment.
Why do known vulnerabilities remain dangerous after patches are released?
If an organization waits weeks to patch, criminals can scan for affected systems and target exposed assets before remediation happens.
Are zero-days the main problem?
No. Zero-days get attention because they are new and difficult to defend against, but many breaches involve known vulnerabilities with available fixes.