Exploited vulnerabilities have emerged as the predominant entry point for cyberattacks, according to Verizon’s latest Data Breach Investigations Report. The annual study found that exploited software flaws were the leading vector for initial access in over 22,000 breaches analyzed within a one-year period ending in October 2025.
The report, released Tuesday, indicated a significant surge in the exploitation of software vulnerabilities, accounting for 31% of all known initial access paths. This marks a substantial increase from the 20% observed in the previous year, highlighting a growing challenge for organizations in managing and patching their systems effectively.
The Challenge of Exploited Vulnerabilities
Researchers attributed the rise in exploited vulnerabilities to the persistent difficulties in effective vulnerability management. They noted that organizations often face an overwhelming number of security flaws, making it challenging to patch all of them in a timely manner.
This struggle is particularly evident when examining defects listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. According to the report, only 26% of critical vulnerabilities from the CISA KEV catalog were fully remediated by the more than 13,000 organizations studied, a decrease from 38% in the prior year.
Escalating Patching Timelines
Adding to the concern, the median time elapsed for a vulnerability to be fully patched after detection has increased. The report identified a new median patching time of 43 days, nearly two weeks longer than the 32 days reported in the previous year.
Furthermore, the number of KEV vulnerabilities organizations had to address also saw an escalation. The median number of KEV vulnerabilities requiring patching rose from 11 in 2024 to 16 in 2025. As of February, CISA’s KEV catalog contained over 1,500 Common Vulnerabilities and Exposures (CVEs), with 65% of these having been exploited in the past year.
Common weaknesses identified in CISA KEV CVEs included out-of-bounds reads, heap-based buffer overflows, use-after-free vulnerabilities, external control of file names or paths, and access to resources using incompatible types.
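The three KEV figures the report tracks (share of KEV vulnerabilities fully remediated, median days from detection to patch, and median KEV vulnerabilities per organization) can be computed from an organization's own scan records. The following is an added example, not code from the report or from CISA; the CVE IDs, organizations and dates are constructed, and the metric definitions (a finding counts as remediated only once it has a patch date) are this example's assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample data (not real KEV entries or real organizations).
# KEV_CVES stands in for the set of CVE IDs listed in CISA's catalog.
KEV_CVES = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"}

# One finding per (org, cve): when the scanner first detected it and when it
# was confirmed patched. A patch date of None means the finding is still open.
FINDINGS = [
    ("org-a", "CVE-0000-0001", date(2025, 3, 1), date(2025, 3, 20)),
    ("org-a", "CVE-0000-0002", date(2025, 3, 5), None),
    ("org-a", "CVE-0000-0009", date(2025, 3, 5), date(2025, 3, 6)),  # not in KEV
    ("org-b", "CVE-0000-0001", date(2025, 4, 1), date(2025, 5, 31)),
    ("org-b", "CVE-0000-0003", date(2025, 4, 2), date(2025, 5, 1)),
    ("org-b", "CVE-0000-0004", date(2025, 4, 3), None),
]

def kev_metrics(findings, kev_cves):
    """Compute the three KEV figures, restricted to findings whose CVE is in
    the catalog: share fully remediated, median days from detection to patch
    (patched findings only, so open findings do not skew it), and median
    number of KEV findings per organization (the backlog each org faces)."""
    kev = [f for f in findings if f[1] in kev_cves]
    if not kev:
        return {"remediated_pct": 0.0, "median_days_to_patch": None,
                "median_kev_per_org": 0}
    patched = [f for f in kev if f[3] is not None]
    per_org = {}
    for org, _cve, _detected, _patched in kev:
        per_org[org] = per_org.get(org, 0) + 1
    return {
        "remediated_pct": round(100.0 * len(patched) / len(kev), 1),
        "median_days_to_patch": (median((p - d).days for _, _, d, p in patched)
                                 if patched else None),
        "median_kev_per_org": median(per_org.values()),
    }

if __name__ == "__main__":
    print(kev_metrics(FINDINGS, KEV_CVES))
```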
Attacker Motivations and Ransomware Trends
The motivations behind cyberattacks remained largely consistent. Financially driven cybercriminals represented 88% of all breaches, while state-affiliated groups conducting espionage accounted for the remainder.
Ransomware continues to be a particularly disruptive and impactful threat. The report noted a steady increase in ransomware incidents, with 48% of all breaches attributed to this type of attack in the last year, up from 44% in 2024. Despite this, some positive trends were observed in ransomware activity.
Ransom Payments and Reporting
While ransomware incidents grew, the trend in ransom payments showed a decline. Approximately 69% of victims reported not paying ransoms, and the median payment decreased from $150,000 in 2024 to nearly $140,000 in the past year. This suggests a potential shift in victim behavior or attacker strategies.
However, tracking the precise volume of ransomware activity presents ongoing challenges. Researchers pointed to a growing discrepancy between reported breaches and actual occurrences, partly due to threat actors reusing or fabricating breach information to enhance their notoriety within the criminal underworld. This untrustworthy reporting makes definitive analysis of ransomware trends difficult.
Despite these reporting complications, the report concludes that ransomware remains a pervasive and persistently popular threat, appearing across various sectors and in unexpected contexts. The next steps for organizations involve bolstering their patch management processes and enhancing their overall cybersecurity posture to mitigate the risks posed by these evolving threats.