PROBABLYPWNED
Threat Intelligence | May 20, 2026 | 4 min read

DBIR 2026: Vulnerability Exploitation Now the Top Breach Cause

Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation surpassed credential theft as the leading breach vector for the first time in 19 years. Only 26% of KEV flaws get patched.

Alex Kowalski

For the first time in 19 years of publication, vulnerability exploitation has overtaken credential theft as the primary way attackers breach organizations. Verizon's 2026 Data Breach Investigations Report found that 31% of confirmed breaches began with exploiting a vulnerability, while credential abuse—the longtime leader—dropped to 13%.

The shift reflects a fundamental change in attack economics. Exploiting known vulnerabilities has become faster, cheaper, and more reliable than stealing and abusing credentials. And organizations aren't keeping pace.

The Numbers That Matter

The DBIR analyzed breaches across industries and geographies. Key findings:

Breach vectors:

  • Vulnerability exploitation: 31% (now #1)
  • Credential abuse: 13% (previously #1)
  • Phishing: 16%
  • Third-party compromise: 48% of all breaches

Ransomware:

  • Present in 48% of confirmed breaches (up from 44%)
  • Median ransom payment dropped below $140,000
  • Only 31% of victims paid ransoms

Patching performance:

  • Median time to full patch: 43 days (up from 32 days)
  • Only 26% of CISA KEV vulnerabilities were patched
  • Critical vulnerability volume 50% higher than previous year

The KEV patch rate is particularly concerning. CISA's Known Exploited Vulnerabilities catalog exists specifically to flag flaws under active attack, and three-quarters of them remain unpatched across the organizations Verizon studied.

Why Exploits Won

Several factors explain the shift:

AI-accelerated exploitation: Threat actors now use AI to identify vulnerabilities, generate exploit code, and scale attacks. The report found actors researched or used AI assistance across a median of 15 documented attack techniques. Some leveraged 40-50 techniques with AI support.

Faster time-to-exploit: The window between vulnerability disclosure and active exploitation has collapsed. What once took months now happens in hours or days. We've seen this play out repeatedly—the Ollama memory leak vulnerability and OpenClaw chain were both weaponized within days of disclosure.

Edge device exposure: Network security appliances, VPNs, and remote access tools present attractive targets. They're internet-facing, often run with high privileges, and patching them requires maintenance windows that organizations delay. The Cisco SD-WAN authentication bypass added to CISA KEV this month exemplifies the pattern.

Credential defenses improved: MFA adoption, passwordless authentication, and better phishing detection have made credential theft harder. Attackers adapted by focusing on what hasn't improved—vulnerability remediation.

Third-Party Risk Explodes

The 48% of breaches involving third parties represents a 60% increase from the previous year. Supply chain compromises, vendor access abuse, and software dependency attacks now account for nearly half of all incidents.

This tracks with what we've covered extensively—from the Mini Shai-Hulud supply chain worm to the Nx Console VS Code extension compromise. Attackers increasingly target the connections between organizations rather than organizations directly.

The Human Element Persists

Despite automation and AI, 62% of breaches still involved human factors:

  • Social engineering: 16% of breaches
  • Mobile phishing: 40% more effective than email attacks
  • Shadow AI: 67% of users access AI services from corporate devices using non-corporate accounts

That shadow AI statistic deserves attention. Employees feeding sensitive data into consumer AI tools create data exposure that doesn't show up in traditional security monitoring.

What the Data Demands

The DBIR findings point to specific priorities:

1. Fix what's being exploited. CISA KEV exists for a reason. The 26% patch rate for known-exploited vulnerabilities is indefensible. These aren't theoretical risks—they're active attack vectors.

2. Shrink patch windows. A 43-day median patch time can't compete with hours-to-exploitation. Organizations need processes that can deploy critical patches in days, not weeks.

3. Secure the supply chain. With 48% of breaches involving third parties, vendor security assessments and software composition analysis aren't optional. Know what dependencies your systems carry and monitor them.

4. Accept the mobile threat. Mobile phishing is 40% more effective than email. Mobile device management and phishing-resistant authentication matter more than ever.
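Priorities 1 and 2 can be measured directly from your own data. The following is an added example, not taken from the DBIR or the original article: it joins a scanner export against a KEV-format feed and reports your KEV patch rate, median days to fix, and findings past their due date. The CVE IDs are placeholders, the findings layout and asset names are constructed, and treating the catalog's `dueDate` as your own deadline is an assumption.

```python
import json
from datetime import date
from statistics import median

# Constructed sample in the CISA KEV JSON layout (placeholder CVE IDs, not real entries).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dateAdded": "2026-03-02", "dueDate": "2026-03-23"},
 {"cveID": "CVE-0000-0002", "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
 {"cveID": "CVE-0000-0003", "dateAdded": "2026-04-20", "dueDate": "2026-05-11"}
]}"""

# Constructed scanner export (hypothetical layout): one row per asset and CVE;
# "fixed" is None while the finding is still open.
FINDINGS = [
    {"asset": "vpn-gw-1", "cve": "CVE-0000-0001", "first_seen": "2026-03-03", "fixed": "2026-03-10"},
    {"asset": "vpn-gw-2", "cve": "CVE-0000-0001", "first_seen": "2026-03-03", "fixed": "2026-04-20"},
    {"asset": "web-01", "cve": "CVE-0000-0002", "first_seen": "2026-04-02", "fixed": None},
    {"asset": "web-02", "cve": "CVE-0000-0003", "first_seen": "2026-04-21", "fixed": None},
    {"asset": "db-01", "cve": "CVE-0000-0999", "first_seen": "2026-01-05", "fixed": None},  # not in KEV
]

def kev_report(kev_json, findings, today):
    """Join findings to KEV entries and summarise remediation performance."""
    d = date.fromisoformat
    # Assumption: the catalog's dueDate is used as this organisation's own deadline.
    due = {v["cveID"]: d(v["dueDate"]) for v in json.loads(kev_json)["vulnerabilities"]}
    matched = [f for f in findings if f["cve"] in due]      # KEV-listed findings only
    fixed = [f for f in matched if f["fixed"]]
    days = [(d(f["fixed"]) - d(f["first_seen"])).days for f in fixed]
    overdue = [(f["asset"], f["cve"], (today - due[f["cve"]]).days)
               for f in matched if not f["fixed"] and today > due[f["cve"]]]
    return {
        "kev_findings": len(matched),
        "patch_rate": len(fixed) / len(matched) if matched else None,
        "median_days_to_fix": median(days) if days else None,
        "fixed_late": sum(1 for f in fixed if d(f["fixed"]) > due[f["cve"]]),
        "overdue": sorted(overdue, key=lambda r: -r[2]),   # longest overdue first
    }

if __name__ == "__main__":
    report = kev_report(KEV_JSON, FINDINGS, today=date(2026, 5, 20))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Open findings are excluded from the median, so a low median alongside a long `overdue` list means the easy systems are being patched and the hard ones are not.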

The Trend Line

The DBIR has tracked breach patterns for nearly two decades. This year's shift to vulnerability exploitation as the dominant vector isn't temporary—it reflects structural changes in both attack and defense capabilities.

Organizations that treat patching as a maintenance task rather than a security function will continue to provide the entry points attackers prefer. The data is clear: vulnerabilities are how attackers get in now.
