
Verizon researchers found that exploited flaws were the root cause of breaches in 31% of cases, with credential abuse blamed for 13% of security failures. In a nod to patch management difficulties in the enterprise, only one in four (26%) critical vulnerabilities were fully remediated in 2025, with the median patch time rising to 43 days, up from 32 days the year prior, according to Verizon’s DBIR.
Root cause analysis
Verizon’s study is based on an analysis of 31,000 security incidents — of which 22,000 were confirmed data breaches — involving victims spanning 145 countries.
Incident response experts quizzed by CSO confirmed that the rise in vulnerability exploitation as a means of breaking into enterprises is real.
“Attackers follow the path of least effort at scale, and right now that path runs through unpatched perimeter and edge devices, where a working exploit needs no prior access, no phished user, and no breach data to buy,” notes Daniel Bechenea, security manager at offensive security and vulnerability assessment platform Pentest-Tools.com.
