
Shift in breach vectors: unpatched vulnerabilities surpass credential theft as leading intrusion entry point in 2025

2 unique sources, 2 articles

Summary

In 2025, unpatched vulnerabilities became the dominant access vector for confirmed data breaches, overtaking credential abuse for the first time in Verizon’s Data Breach Investigations Report (DBIR) series. Analysis of 31,000 security incidents (22,000+ confirmed breaches) revealed 31% of breaches stemmed from exploited unpatched flaws, while credential abuse accounted for 13%. Ransomware involvement rose to 48% of confirmed breaches, with median ransom payments dropping below $140,000. Threat actors increasingly weaponized AI to accelerate vulnerability exploitation, shrinking the defensive window from months to hours. Organizations’ median patching time increased to 43 days, with only 26% of CISA KEV catalog vulnerabilities patched in 2025. Third-party breaches surged 60%, reaching 48% of total incidents, driven by expanded attack surfaces and inadequate MFA enforcement. Gen-AI integration into attack chains and enterprise Shadow AI usage further strained defenses. Mobile-centric phishing attacks achieved a 40% higher success rate than email-based phishing in simulations.

Timeline

  1. 20.05.2026 03:04 2 articles · 19h ago

    Unpatched vulnerabilities surpass credential theft as leading breach vector in 2025 per Verizon DBIR 2026

    Analysis of 31,000 incidents (22,000+ confirmed breaches) reveals unpatched vulnerabilities were the intrusion vector in 31% of breaches, exceeding credential abuse (13%). Median patching time rose to 43 days, with only 26% of CISA KEV vulnerabilities patched in 2025. Threat actors increasingly leveraged AI to weaponize vulnerabilities within hours, while ransomware involvement grew to 48% of confirmed breaches. Third-party breaches surged 60%, reaching 48% of total incidents, and gen-AI integration expanded across 15+ documented techniques in attack chains. Additionally, mobile-centric phishing attacks achieved a 40% higher success rate than email-based phishing in simulations, reflecting shifts in social engineering tactics.

Similar Happenings

AI-assisted cyber attacks drive record increase in threat actor capabilities and incident volume in 2025

Throughout 2025, the widespread adoption of advanced AI coding assistants and agentic systems significantly lowered barriers to entry for conducting sophisticated cyberattacks. Non-technical actors leveraged AI tools to execute high-impact compromises, including the theft of 7 million user records from Kaikatsu Club in Japan, attacks on Rakuten Mobile by teenagers, and a month-long extortion campaign against 17 organizations. Time-to-exploit for publicly disclosed vulnerabilities plummeted from over 700 days in 2020 to 44 days in 2025, with 28.3% of CVEs exploited within 24 hours of disclosure. Malicious packages in public repositories surged by 727% since 2022, reaching 454,600 by 2025. The operational tempo now favors attackers, as remediation cycles (74 days average) cannot keep pace with exploit development or AI-driven attack automation.

Rising threat from autonomous LLM-driven exploitation amid persistent human validation gaps

Security experts warn that large language models (LLMs) like Anthropic’s Mythos and OpenAI’s GPT-5.5 are accelerating autonomous offensive capabilities, enabling rapid discovery and exploitation of vulnerabilities at scale across platforms and infrastructure. While LLM-driven tools can autonomously generate exploits, chain attack sequences, and adapt mid-engagement, their practical effectiveness remains limited by human validation requirements. Human expertise is still essential to assess exploitability, determine real-world impact, and filter false positives, creating a widening gap between discovery and exploitable outcomes. Defenders face an escalating challenge as the time from vulnerability discovery to exploitation drops from months to hours, necessitating immediate shifts to proactive security practices such as shifting left, multilayer defenses, and rapid patching to mitigate the threat.

AI-driven acceleration of exploitation timelines reduces window between vulnerability disclosure and active attacks

In 2025, threat actors leveraged AI and automation to compress the time between public vulnerability disclosure and exploitation from weeks to days or even minutes, significantly reducing the traditional "predictive window" for defenders. The median time between vulnerability publication and inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog decreased from 8.5 days to 5 days, while the mean dropped from 61 days to 28.5 days. The use of AI accelerated reconnaissance, automated decision-making, and industrialized social engineering, enabling rapid weaponization of known weaknesses such as exposed services, weak identity controls, and unpatched edge infrastructure. Confirmed exploitation of high-severity CVEs (CVSS 7–10) rose 105% year-over-year, with deserialization, authentication bypass, and memory corruption flaws most frequently exploited—often against file transfer systems, edge appliances, and collaboration platforms.

AI-Automated Exploitation Accelerates Threat Actor Capabilities

AI-driven automation is significantly reducing the cost and increasing the speed of cyber exploitation. Threat actors now use AI to accelerate reconnaissance, vulnerability discovery, exploit development, and operational tempo. This shift makes large vulnerability backlogs more dangerous, as attackers can exploit them faster. Boards and CISOs must address this by focusing on operational truth and reducing vulnerability exposure at the source. Regulatory pressures, such as the EU's Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA), are increasing expectations for vulnerability handling and secure-by-design practices. Organizations must invest in reducing vulnerability backlogs to prevent operational disruption and legal liabilities.

Accelerated Exploitation of New Vulnerabilities in 2025

In 2025, approximately 50 to 61 percent of newly disclosed vulnerabilities were weaponized within 48 hours, driven by automated attack systems. The time to exploit (TTE) dropped from 745 days in 2020 to 44 days in 2025, with n-day exploits representing over 80% of the CVEs listed in the VulnDB database. Attackers exploit the delay between vulnerability disclosure and patch deployment, which often follows a slower, human-driven process. The traditional patching cadence is no longer sustainable as attackers use AI and automation to rapidly weaponize vulnerabilities, while defenders struggle to keep up. The exploitation economy operates at machine speed, with threat actors leveraging automated scripts, AI, and dark web forums to quickly develop and distribute exploits. Defenders face challenges due to the need for near-perfect stability and the risk of service interruptions, which attackers do not consider. To mitigate this, organizations must transition to automated, policy-driven remediation to close the gap between vulnerability disclosure and patch deployment.