
Attackers Hit Vulnerabilities Hard Last Year, Making Exploits the Top Entry Point for Breaches
Why It Matters
The surge in exploit-driven breaches underscores the urgent need for faster patch cycles and stronger vulnerability management, while the persistent ransomware threat keeps financial risk high for enterprises.
Key Takeaways
- Exploits accounted for 31% of initial access, up from 20%
- Only 26% of critical CISA KEVs fully remediated, down from 38%
- Median patch time 43 days, 11 days longer than last year
- Organizations faced average 16 KEV vulnerabilities, up from 11
- Ransomware share rose to 48% while median payment fell to $140k
Pulse Analysis
The 2026 Verizon DBIR paints a stark picture of how vulnerability exploitation has eclipsed traditional phishing and credential‑stuffing tactics. With 31% of breach entry points now traced to unpatched flaws, attackers are capitalising on the sheer volume of software defects that organisations struggle to remediate. This shift reflects a systemic "Sisyphean" challenge: security teams are inundated with new CVEs, yet limited resources and complex environments delay patch deployment, creating fertile ground for exploit‑based intrusions.
Compounding the problem, the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog reveals that only a quarter of critical flaws were fully patched in 2025, down from 38% the year before. The median time to remediate a vulnerability stretched to 43 days, an eleven‑day increase, while the average number of KEV issues per organisation rose from 11 to 16. These metrics signal that many enterprises are falling behind best‑practice patch windows, exposing themselves to high‑impact attacks that leverage well‑known weaknesses such as out‑of‑bounds reads and heap‑based buffer overflows.
Ransomware, while still the most disruptive breach type, shows a nuanced trend. Its share of incidents climbed to 48%, yet victims are paying less, with median payouts slipping from $150,000 to roughly $140,000. This suggests that defensive measures, insurance pressures, and perhaps attacker fatigue are tempering the financial upside of ransomware campaigns. Nonetheless, the continued prevalence of ransomware—described by researchers as the "yoga pants of cybersecurity"—means that organisations must balance vulnerability remediation with robust incident response and recovery planning to mitigate both entry‑point risks and the downstream impact of extortion attempts.