Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credentials as #1 Breach Vector — And Only 26% of CISA KEV Flaws Were Patched
Sources: Verizon 2026 Data Breach Investigations Report · Help Net Security · Dark Reading · SecurityWeek · The Hacker News · CISA · Mandiant M-Trends 2026 | Report period: November 2024 – October 2025 | Dataset: 22,052 incidents · 12,195 confirmed breaches | Published: May 2026
The most important cybersecurity report of the year just landed — and the news is not good
Every year, Verizon’s Data Breach Investigations Report lands as the closest thing the security industry has to ground truth. It is not vendor marketing, not threat intelligence product promotion, not speculation. It is a structured analysis of tens of thousands of real incidents — what actually happened, who did it, how they got in, and what they took. The 2026 edition analyzed 22,052 security incidents, of which 12,195 were confirmed data breaches. That is the largest dataset in the report’s history.
The headline finding from this year’s report is one that every enterprise security leader and government CISO needs to absorb immediately: vulnerability exploitation has overtaken stolen credentials as the most common way attackers get inside organizations. For years, the answer to “how do most breaches start?” was phishing and credential theft. That answer has changed. Attackers are now getting in faster, more reliably, and at greater scale by exploiting unpatched systems than by tricking employees. The implications for how organizations prioritize their security investment — and their patching cadence — are significant.
| Metric | 2026 Finding | Change vs Prior Year |
|---|---|---|
| Total incidents analyzed | 22,052 | +18% |
| Confirmed breaches | 12,195 | +22% |
| Vulnerability exploitation as initial access vector | 31% of breaches | Up from 22% — #1 for first time |
| Credential abuse as initial access vector | 13% of breaches | Down from 31% — now #3 |
| Median time to fully remediate critical CVEs | 43 days | Up from 32 days in 2025 |
| CISA KEV vulnerabilities fully remediated in 2025 | 26% | Down from 38% in 2024 |
| Ransomware present in breaches | 44% of all breaches | Up from 32% |
| Ransomware median demand (large enterprise) | $1.6M | Up 34% |
| Breaches involving a third party or supply chain | 30% | Up from 15% — doubled in one year |
| Time from CVE publication to active exploitation | Median 5 days | Down from 10 days in 2025 |
| Breaches caused by internal actors | 28% | Stable |
| Social engineering (phishing, vishing, pretexting) | 18% of breaches | Down but still significant |
Finding #1: Vulnerability exploitation is now the #1 initial access vector
This is the finding that should fundamentally shift how enterprise security programs are structured. Exploitation of vulnerabilities accounted for 31% of confirmed breaches — making it the leading initial access vector for the first time in the DBIR’s history. Credential abuse dropped to 13%. Phishing and social engineering combined account for 18%.
What drove this shift? Two converging forces. First, the sheer volume of high-severity vulnerabilities disclosed in 2025 and early 2026 — many with public proof-of-concept exploit code available within days or hours of disclosure. Second, AI-assisted vulnerability discovery is dramatically compressing the timeline from vulnerability introduction to exploitation. Mandiant’s M-Trends 2026 report documented that 28.3% of CVEs are now exploited within 24 hours of public disclosure. The DBIR found the median time from CVE publication to first confirmed exploitation has dropped to just 5 days — half of what it was the prior year.
The practical implication is uncomfortable but clear: the security model built around “patch within 30 days” is structurally broken for any vulnerability that generates active exploitation interest. By the time a 30-day patch cycle completes, the median CVE in this category has been actively exploited for 25 days. Organizations that cannot patch critical internet-facing vulnerabilities within 72 hours are operating with a systematic exposure gap.
Finding #2: Only 26% of CISA KEV vulnerabilities were fully remediated — down from 38%
This is perhaps the most alarming single data point in the entire report. CISA’s Known Exploited Vulnerabilities catalog is not a theoretical risk list. It contains only vulnerabilities with confirmed active exploitation in real-world attacks. Every entry represents a vulnerability that attackers are using right now against real organizations. And only 26% of those vulnerabilities were fully remediated during 2025 — down from 38% the year before.
The median time to fully remediate vulnerabilities also increased from 32 days to 43 days. In a year when exploitation timelines shrank to 5 days, remediation timelines grew by a third. The gap between how fast attackers move and how fast defenders patch is not closing — it is widening, rapidly, at exactly the moment it most needs to narrow.
The report’s authors were direct about what this means: organizations that focus on the newest threats and latest attack techniques while struggling with security basics are handing attackers an open door. The sophistication of an attack does not matter if the entry point is an unpatched server that has been on the KEV list for three months.
Finding #3: Supply chain and third-party breaches doubled — now 30% of all incidents
The DataWater series has covered supply chain attacks extensively — PyTorch Lightning, BufferZoneCorp, DAEMON Tools, TanStack/Nx Console/GitHub. The DBIR confirms these are not isolated incidents. They represent a structural shift in attacker strategy. 30% of all breaches in the 2026 dataset involved a third party or supply chain component — up from 15% the prior year. Supply chain compromise has doubled as a breach vector in a single reporting period.
The DBIR identifies three primary mechanisms: software supply chain attacks (poisoned packages, compromised build pipelines), managed service provider compromise (attackers breach MSPs to reach their entire client base simultaneously), and credential reuse from third-party breaches (credentials stolen from a vendor’s system used to access the primary target). All three are represented in the breaches DataWater has covered in 2026. All three are accelerating.
The implication for enterprise risk management is that your security posture is now a function not just of what you control directly, but of the security posture of every software vendor, cloud service, MSP, and open-source dependency in your supply chain. That is a far larger and harder-to-manage attack surface than most enterprise risk frameworks currently account for.
Finding #4: Ransomware is in 44% of all breaches — up from 32%
Ransomware’s share of confirmed breaches jumped from 32% to 44% — meaning nearly half of all breaches investigated by Verizon in the 2026 dataset had a ransomware component. Median ransom demands for large enterprise targets reached $1.6 million, up 34% from the prior year. The DBIR also noted a significant increase in double-extortion tactics — exfiltrating data before encrypting it, then threatening public release — and triple-extortion (adding DDoS attacks against non-paying victims), a pattern DataWater documented in the Cordial Spider and Snarky Spider coverage on May 1.
The primary ransomware entry vectors in the 2026 dataset: vulnerability exploitation (now the leading path, consistent with the overall #1 finding), compromised VPN credentials (SonicWall and similar), and access obtained through phishing and resold by initial access brokers. The median dwell time from initial access to ransomware deployment was 4.3 days — meaning organizations have a median window of roughly four days between the moment an attacker enters the network and the moment encryption begins. Detection and response capabilities that cannot operate within that window are structurally insufficient against modern ransomware groups.
Finding #5: AI-assisted attacks are measurably accelerating exploitation timelines
The 2026 DBIR includes for the first time a dedicated section on AI-assisted attacks, reflecting the concern that security leaders have been raising since Google confirmed the first in-the-wild AI-generated zero-day in May 2026. The report’s findings are measured and data-driven rather than speculative: attackers are measurably moving faster, and the acceleration in exploitation timelines is consistent with the use of AI tooling for vulnerability analysis and exploit development.
The report cannot attribute specific incidents to AI-generated exploits — the forensic artifacts are not yet distinct enough to make that determination reliably. But the statistical pattern is clear: CVEs that had exploitation timelines of 15–30 days in 2024 are now seeing exploitation within 3–7 days in 2025–2026. The only plausible explanation for the acceleration across the full population of CVEs — not just a handful of high-profile ones — is that attackers have access to tooling that dramatically speeds vulnerability analysis and weaponization. AI is the most likely candidate.
The four practical priorities the DBIR points to
The DBIR is not primarily a prescriptive document — it describes what happened, not a detailed roadmap of what to do. But the findings point clearly toward four enterprise security priorities:
1. Patch internet-facing systems in hours, not days
The 43-day median remediation time is incompatible with a 5-day median exploitation timeline. For internet-facing systems — web servers, VPNs, email gateways, SharePoint, Exchange, network appliances — the target should be patch deployment within 24–72 hours of a critical CVE release, and within hours for anything that lands on the CISA KEV catalog with a short federal deadline. This requires pre-tested patching pipelines, emergency change management processes, and the organizational authority to override normal maintenance windows for critical vulnerabilities.
2. Treat CISA KEV as a mandatory patching queue, not a reference list
The fact that only 26% of CISA KEV vulnerabilities were fully remediated is a compliance failure as much as a technical one. KEV entries represent confirmed active exploitation — they are not theoretical risks. Every KEV entry on an unpatched system is an open door that real attackers are walking through right now. Organizations should build automated processes that flag KEV entries against their asset inventory and trigger immediate escalation for any match.
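One way to build the automated KEV-to-inventory check described above, as an added example that is not from the DBIR or DataWater: it matches a feed in the shape of CISA's KEV JSON (real field names; the CVE IDs, dates and ransomware flags are constructed placeholders) against a constructed asset inventory, applies the 72-hour target from priority #1 to internet-facing hosts and the KEV due date to everything else, and tiers each unpatched match for escalation.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like CISA's KEV JSON feed (field names follow the
# real feed; the CVE IDs, dates and ransomware flags are placeholders).
KEV_FEED = json.loads("""{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "count": 3, "vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "product": "Exchange Server",
   "dateAdded": "2026-05-19", "dueDate": "2026-05-26", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00002", "vendorProject": "Cisco", "product": "SD-WAN",
   "dateAdded": "2026-05-16", "dueDate": "2026-06-06", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-00003", "vendorProject": "ExampleCorp", "product": "Widget",
   "dateAdded": "2026-05-01", "dueDate": "2026-05-22", "knownRansomwareCampaignUse": "Unknown"}]}""")

# Constructed asset inventory: vendor/product must match the KEV fields exactly.
ASSETS = [
    {"host": "mail01", "vendor": "Microsoft", "product": "Exchange Server",
     "internet_facing": True, "patched": set()},
    {"host": "wan-edge-3", "vendor": "Cisco", "product": "SD-WAN",
     "internet_facing": True, "patched": {"CVE-0000-00002"}},
    {"host": "build07", "vendor": "ExampleCorp", "product": "Widget",
     "internet_facing": False, "patched": set()},
]
INTERNET_FACING_SLA_DAYS = 3  # the 72-hour target for internet-facing systems

def match_kev(feed, assets, today_iso):
    """One finding per (asset, unpatched KEV entry), tiered for escalation."""
    today = date.fromisoformat(today_iso)
    findings = []
    for v in feed["vulnerabilities"]:
        for a in assets:
            if (a["vendor"], a["product"]) != (v["vendorProject"], v["product"]):
                continue
            if v["cveID"] in a["patched"]:
                continue  # already remediated on this host
            added = date.fromisoformat(v["dateAdded"])
            # Internet-facing hosts get the 72-hour internal target; others the KEV due date.
            deadline = (added + timedelta(days=INTERNET_FACING_SLA_DAYS)
                        if a["internet_facing"] else date.fromisoformat(v["dueDate"]))
            overdue = (today - deadline).days
            if v["knownRansomwareCampaignUse"] == "Known" or (a["internet_facing"] and overdue > 0):
                tier = "P1-immediate"
            elif overdue > 0:
                tier = "P2-overdue"
            else:
                tier = "P3-in-window"
            findings.append({"host": a["host"], "cve": v["cveID"], "tier": tier,
                             "deadline": deadline.isoformat(), "overdue_days": max(overdue, 0)})
    # Worst first: P1 before P2 before P3, then most overdue.
    return sorted(findings, key=lambda f: (f["tier"], -f["overdue_days"]))
```

In production the feed would be fetched from the CISA catalog and the inventory from a CMDB or EDR export; the exact-match on vendor and product is the brittle part, so normalise both sides before comparing.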
3. Extend vendor risk management to include security patching cadence
With 30% of breaches involving third-party or supply chain components, the standard vendor risk questionnaire — which asks whether a vendor has a security program — is insufficient. Enterprise vendor risk assessments should now include questions about patch deployment timelines for critical CVEs, software composition analysis for third-party components, build pipeline security controls, and incident notification SLAs. The supply chain is part of your attack surface whether your risk framework acknowledges it or not.
4. Build detection and response for a 4-day ransomware dwell time
A 4.3-day median dwell time before ransomware deployment means that detection capabilities that operate on weekly review cycles are not functional defenses against modern ransomware. Real-time alerting on lateral movement, credential misuse, and large-scale file access — the behavioral precursors to ransomware deployment — needs to be in place and actively monitored. MDR providers, 24/7 SOC coverage, and automated behavioral detection are not luxuries for organizations in targeted industries. They are the minimum viable defense architecture against the threat the DBIR describes.
The DataWater series in DBIR context
Reading the 2026 DBIR alongside the 15 threat briefs DataWater has published since April 30 produces a striking picture of coherence. Every major attack category the DBIR identifies is represented in our coverage: vulnerability exploitation (NGINX Rift, Dead.Letter, Copy Fail, Fragnesia, Cisco SD-WAN, GitHub RCE), supply chain attacks (PyTorch Lightning, BufferZoneCorp, DAEMON Tools, TanStack/GitHub/OpenAI), ransomware enablement (SonicWall VPN, MiniPlasma, Fragnesia as LPE-to-ransomware path), credential-targeting malware (Mini Shai-Hulud campaign), and social engineering leading to extortion (Cordial Spider, Snarky Spider). The DBIR is the macro picture. Our daily briefs are the individual frames.
The uncomfortable synthesis: 2026 is, by every measurable dimension, a harder year to defend than any prior year. More breaches. Faster exploitation. Longer remediation times. Doubled supply chain exposure. Ransomware in nearly half of all incidents. And AI-assisted offensive tooling accelerating all of it. The security leaders who treat these findings as a reason to prioritize basics — patching, KEV remediation, vendor risk, behavioral detection — will fare better than those waiting for a silver-bullet technology to emerge.
Sources and further reading
- Verizon — 2026 Data Breach Investigations Report (full report)
- Help Net Security — Lessons from the Verizon DBIR 2026 Findings
- Dark Reading — Verizon DBIR 2026: Exploitation Overtakes Credentials as Top Breach Vector
- SecurityWeek — Verizon DBIR 2026: A Patch Management Crisis in Plain Numbers
- Mandiant M-Trends 2026 — Threat Intelligence Annual Report
- CISA — Known Exploited Vulnerabilities Catalog
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #16 — May 26, 2026. Previous: TanStack → GitHub supply chain cascade (May 21) · CVE-2026-42897 Exchange OWA zero-day (May 19) · MiniPlasma Windows zero-day (May 19) · Fragnesia CVE-2026-46300 (May 18) · CVE-2026-20182 Cisco SD-WAN CVSS 10.0 (May 16).
