Patching practices are coming under intense pressure of late, as time-to-exploit windows accelerate — a new reality likely to worsen as AI assistance in attack chains rises.

Now cyber defenders have another cause for flaw alarm: Vulnerability exploitation has significantly pulled away from stolen credentials as the most common entry point in security breaches, according to the latest edition of Verizon’s annual Data Breach Investigations Report (DBIR).

Verizon researchers found that exploited flaws were the root cause of breaches in 31% of cases, with credential abuse blamed for 13% of security failures. In a nod to patch management difficulties in the enterprise, only one in four (26%) critical vulnerabilities were fully remediated in 2025, with the median patch time rising to 43 days, up from 32 days the year prior, according to Verizon’s DBIR.

Root cause analysis

Verizon’s study is based on an analysis of 31,000 security incidents — of which 22,000 were confirmed data breaches — involving victims spanning 145 countries.

Incident response experts quizzed by CSO confirmed that the rise in vulnerability exploitation as a means of breaking into enterprises is real.

“Attackers follow the path of least effort at scale, and right now that path runs through unpatched perimeter and edge devices, where a working exploit needs no prior access, no phished user, and no breach data to buy,” notes Daniel Bechenea, security manager at offensive security and vulnerability assessment platform Pentest-Tools.com.

Bechenea argues that exploitation has overtaken credential abuse because the patching of known exploits is failing to keep up with the rise of critical vulnerabilities.

Chris Wysopal, co-founder and chief security evangelist at Veracode, agrees.

“Organizations are still simply not fixing flaws fast enough,” he says.

According to Verizon’s analysis, only about 26% of CISA Known Exploited Vulnerabilities (KEVs) were fully remediated in 2025, down from 38% the prior year.
Meanwhile, the volume of critical-severity vulnerabilities organizations had to patch grew by 50% year-on-year.

James John, an incident response manager at Bridewell, offered a contrasting perspective on the relative importance of vulnerability exploitation and credential abuse over the full lifecycle of security breaches.

“We’re still seeing identity is the primary chokepoint,” says John, whose cybersecurity services and incident response firm contributed data to the Verizon report. “Exploitation may now win the race to the front door, but stolen credentials are still the thread running through most intrusions we respond to; they’re just used later in the attack, to move laterally and reach the data that matters.”

The Verizon report also attributed 16% of initial breach access to phishing, on par with the year prior, and 6% to pretexting, which the researchers noted has become more common in ransomware and extortion attacks.

That latter point somewhat muddies the report’s credentials conclusion, John notes.

“Some of the apparent decline [in credential abuse] is also measurement rather than reality, as credential theft and pretexting blur together,” he tells CSO.

As companies rely more heavily on external vendors, threat actors are targeting the extended supply chain as well, with breaches involving a third party now accounting for 48% of all security incidents covered by Verizon’s DBIR.

Verizon’s DBIR — now in its 19th year — combines real-world incident and breach casework from law enforcement, forensic firms, and cyber industry sharing groups such as national CERTs, along with data from Verizon’s work with its own clients.
Findings from what’s regarded as the industry’s benchmark study on data breaches are supported by recent, broadly comparable studies.

Google Cloud Security’s latest Cloud Threat Horizons Report, for example, also found that attackers are pivoting toward exploiting unpatched third-party software vulnerabilities rather than relying primarily on stolen or weak credentials.

Software vulnerabilities became the biggest single initial access vector (44.5% of incidents), overtaking credential abuse, according to the Google Cloud study.

AI already adding to the threat landscape

Although the latest DBIR report uses 2025 data — predating the latest frontier AI security model advancements such as Anthropic’s Mythos — greater reliance by cybercriminals on AI still emerges from detailed post-mortems on security breaches.

“AI is being leveraged by threat actors to accelerate the time to exploit known vulnerabilities, shrinking the window for defence from months to mere hours,” Verizon warned.

Last week the Google Threat Intelligence Group (GTIG) released evidence of a zero-day exploit developed by a cybercriminal group with the help of AI.

Breach remediation strategies need to change

Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at managed security services vendor Huntress, says CISOs need to rapidly improve their vulnerability management and identity security in light of the Verizon DBIR findings.

“Vulnerability exploitation, credential theft, multi-channel social engineering, and supply chain compromise are all being deployed at scale simultaneously,” Patel says.
“The organizations best positioned are those that have built defense in depth across all of these vectors.”

Patel adds: “More organizations need to shift their vulnerability management program to a risk-based, continuous [approach], tied to real-time exploitation intelligence — not scheduled patch cycles that leave exploitation windows wide open for days and weeks.”

Raghu Nandakumara, VP of industry strategy at microsegmentation and breach containment vendor Illumio, argues that even though more vulnerabilities are being fixed as enterprise patching practices improve, the backlog of flaws requiring remediation is still growing faster than security teams can keep up.

“The spike [in vulnerability instances] has been driven by a convergence of forces, including more AI-assisted discovery, greater reliance on third-party and open-source code, a growing number of connected systems, and a disclosure ecosystem that’s now far more active and incentivized than it was even a few years ago,” Nandakumara says.

Ransomware payments declining but threat remains potent

Ransomware was a feature in nearly half of all breaches (48%) covered by the DBIR, up from 44% the year prior, even though ransom payments have declined (69% of victims did not pay).

Aparna Rayasam, CEO of network security firm Atsign, says that this shift in payment rates is spurring ransomware to evolve toward a different business model.

“Because victims aren’t paying for decryption keys anymore, attackers have shifted heavily toward data exfiltration and extortion,” Rayasam says.
“Attackers are compensating for smaller individual payouts by executing a higher volume of cheaper, automated attacks.”

Rayasam adds: “Use of AI makes this model even more lucrative for the ransomware attackers.”

Bridewell’s John offered a contrasting perspective, arguing that although ransomware attackers are no less successful in attacking enterprises, they are finding it more difficult to extract payment from victims.

“The drop [in ransomware payments] reflects genuine progress and not attackers losing their edge,” John tells CSO. “More organizations have tested backups and rehearsed recovery, so they can credibly refuse to pay, and the DBIR notes refusals are rising even in cases involving encryption, not just data theft.”

This reduction in payment rates means that attackers are becoming more aggressive in their attempts to disrupt businesses in order to pile greater pressure on them to pay.

For example, UK high street retailer Marks & Spencer suffered weeks of outages and millions in losses as the result of a ransomware attack.

“The leverage is shifting from ‘we have your data’ to ‘we can keep you offline,’ which matters far more when downtime affects essential services,” John concludes.
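The KEV remediation rate and median patch time the DBIR reports, and the exploitation-intelligence-driven prioritisation Patel recommends over scheduled patch cycles, can be computed from a scanner export joined against a KEV-style feed. The script below is an added illustration, not code from the article or from any vendor quoted in it; the feed and inventory are constructed, the CVE ids are placeholders, and only the field names (cveID, dueDate, knownRansomwareCampaignUse) follow CISA's public catalog format.

```python
"""Measure and prioritise a patch backlog against a KEV-style exploitation feed."""
import json
from datetime import date
from statistics import median

# Constructed KEV-style feed; field names follow CISA's JSON catalog, CVE ids are placeholders.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dueDate": "2025-06-01", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Known"}]}""")

# Constructed scanner export: one row per asset/CVE pair; "fixed" stays None while the finding is open.
INVENTORY = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "cvss": 9.8, "exposed": True,  "found": "2025-03-01", "fixed": "2025-04-15"},
    {"asset": "mail-01",   "cve": "CVE-0000-0002", "cvss": 7.5, "exposed": True,  "found": "2025-05-12", "fixed": None},
    {"asset": "build-07",  "cve": "CVE-0000-0003", "cvss": 8.1, "exposed": False, "found": "2025-09-01", "fixed": None},
    {"asset": "hr-app-02", "cve": "CVE-0000-0004", "cvss": 9.1, "exposed": True,  "found": "2025-02-10", "fixed": "2025-03-02"},
    {"asset": "wiki-01",   "cve": "CVE-0000-0005", "cvss": 9.0, "exposed": False, "found": "2025-07-01", "fixed": None},
]

def d(s):
    return date.fromisoformat(s)

def kev_index(feed):
    """Map cveID -> feed entry so inventory rows can be enriched in constant time."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def patch_metrics(inventory, kev, as_of):
    """The two DBIR-style numbers plus a compliance check: share of KEV findings fully closed,
    median days from discovery to fix (closed rows only), and open KEV findings past their due date."""
    today = d(as_of)
    kev_rows = [r for r in inventory if r["cve"] in kev]
    days = [(d(r["fixed"]) - d(r["found"])).days for r in inventory if r["fixed"]]
    overdue = [r["cve"] for r in kev_rows if not r["fixed"] and today > d(kev[r["cve"]]["dueDate"])]
    return {
        "kev_remediated_pct": round(100 * sum(1 for r in kev_rows if r["fixed"]) / len(kev_rows)) if kev_rows else None,
        "median_patch_days": median(days) if days else None,
        "kev_overdue": sorted(overdue),
    }

def prioritise(inventory, kev):
    """Order open findings by exploitation evidence first (KEV listing, then ransomware use),
    then internet exposure, then CVSS, so a 7.5 on KEV outranks an unexploited 9.0."""
    def key(r):
        e = kev.get(r["cve"])
        return (e is not None, e is not None and e["knownRansomwareCampaignUse"] == "Known", r["exposed"], r["cvss"])
    return [f'{r["asset"]}:{r["cve"]}' for r in sorted((r for r in inventory if not r["fixed"]), key=key, reverse=True)]
```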