Verizon’s DBIR Reveals 34% Jump in Vulnerability Exploitation


The use of vulnerability exploitation as an initial access vector leading to cyber incidents grew threefold over the past two years, according to Verizon’s annual Data Breach Investigations Report (DBIR).

After a staggering 180% rise in successful vulnerability exploits in Verizon’s 2024 DBIR findings, the latest report, published on April 23, 2025, showed another 34% rise.

This initial access method now represents 20% of the overall data breaches observed by Verizon, just two percentage points below the top vector, credential abuse. Phishing came third, now representing 16% of data breaches.

Record Number of Data Breaches in Verizon’s DBIR History

In its 18th DBIR, Verizon analyzed 22,052 cyber incidents, among which it observed 12,195 data breaches, across 139 countries between Nov 1, 2023, and Oct 31, 2024. The company describes a data breach as a cyber incident that led to the confirmed compromise of data.

“The number of confirmed data breaches we’ve found this year is bigger than in any of our previous reports,” said Alistair Neil, the Managing Director for Advanced Solutions International at Verizon Business, during a launch event for the report in London.

Over half of these breaches (53%) took the form of system intrusion – a significant increase from the 36% in the 2022/23 reporting period – while 17% involved social engineering and 12% originated from basic web application attacks. Finally, 6% were due to privilege misuse.

Vulnerability Exploits Now a Top Concern

Going through some of the highlights of the latest report, Neil noted that the rise in vulnerability exploits was consistent with the observed increase in vulnerability reporting.

“If you look at the US National Institute of Standards and Technology (NIST), it registered 28,000 common vulnerabilities and exposures (CVEs) in 2023 and 40,000 in 2024 – so there is a correlation,” he said.

Two trends massively contributed to the rise in vulnerability exploitation, according to Neil. First, the increased targeting of edge devices and virtual private networks (VPNs), notably by zero-day vulnerability exploits, and second, the explosion of breaches involving third-party compromises.

Zero-Day Exploits Target Edge Devices and VPN Services

The exploitation of edge devices and VPNs surged nearly eightfold, from 3% to 22%, highlighting a growing threat. While organizations made significant efforts to patch vulnerabilities, Verizon’s analysis revealed that only 54% were fully remediated within a median time frame of 32 days. Neil added that this leaves enough of a gap for attackers to exploit.

Scott Caveza, a Senior Staff Research Engineer at Tenable, contributed vulnerability data to the report and worked with Verizon to provide contextual data on the most prolific vulnerabilities of the last year.

Based on his experience, the remediation gap could be much bigger.

“We evaluated the 17 edge device vulnerabilities featured in the report, each of which impacts valuable targets for attackers and is often the entry point for a breach,” he said. “While 54% of organizations have achieved full remediation of these 17 CVEs, our data revealed the average time to patch was a staggering 209 days. This gap is highly concerning, considering that attackers’ average time-to-exploitation is five days.”

Caveza believes the vulnerability conundrum means cyber defenders have “a never-ending ‘to-do list’.”

“Generally, the most critical vulnerabilities should be at the top of the list, especially for edge devices that serve as a metaphorical door into your environment,” he explained.

“However, the context around vulnerabilities – where a given vulnerability exists in your environment, what data or systems are potentially at risk, ease of exploitation, the existence of a proof-of-concept and so much more – drives informed prioritization and remediation. The biggest, baddest vulnerability could be a non-issue in some circumstances, depending on context,” he added.

Explosion of Third-Party Breaches

Additionally, Verizon’s 2025 DBIR showed that the percentage of breaches involving third parties doubled, increasing from 15% in last year’s findings to 30% in the 2025 report.

Attackers used these third-party compromises particularly to conduct system intrusion, with 81% of third-party breaches involving the compromise of the victim’s systems.

“Some notable incidents this year involved credential reuse in a third-party environment – in which our research found the median time to remediate leaked secrets discovered in a GitHub repository was 94 days,” Neil highlighted.

“This pattern means that determining how effective third-party, fourth-party and even fifth-party security controls are has become a major concern for our customers,” he added.


