AIToday

Vulnerability Exploitation Now Accounts for 31% of Breaches, Remediation Lags

Top Companies AI — US (2/2)2h ago
Vulnerability Exploitation Now Accounts for 31% of Breaches, Remediation Lags

Key takeaway

Vulnerability exploitation has become the primary way attackers breach organizations, accounting for 31% of all breaches, while remediation times are lengthening and the volume of unpatched vulnerabilities is growing. At the same time, attackers are increasingly exploiting trusted relationships within software supply chains and cloud integrations rather than attacking infrastructure directly — a shift that expands the attack surface for any organization relying on interconnected development tools and third-party services.

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  • What happened

    Security research firm Wiz contributed analysis to the Verizon Data Breach Investigations Report (DBIR) showing that vulnerability exploitation has become the leading initial access vector, accounting for 31% of breaches. The report also found that only 26% of Known Exploited Vulnerabilities (KEVs) were fully remediated, while 16% remained entirely unremediated, and median remediation time increased from 32 days to 43 days.

  • Why it matters

    Organizations faced roughly 50% more KEVs requiring remediation than the year before (median rising from 11 to 16), outpacing their ability to respond. Third-party involvement in breaches rose from 30% to 48% year over year, reflecting attackers' shift toward abusing trusted relationships in software supply chains and integrations rather than targeting infrastructure directly. For businesses relying on cloud services and interconnected development tools, this means the enterprise boundary now includes identities, integrations, and automation systems — not just physical infrastructure.

  • What to watch

    In Wiz's Cloud Threats Retrospective, 40% of documented cloud intrusions began with weaponized vulnerabilities. The report also found that 57% of organizations had deployed AI agents and MCP servers appeared in 80% of cloud environments, introducing new identities, APIs, and service accounts that create additional attack surfaces requiring the same governance and visibility controls already applied to cloud infrastructure.

Context & Analysis

The Verizon DBIR data reveals a fundamental shift in how modern breaches unfold: attackers are winning not through novel techniques, but by exploiting the operational gap between growing attack surfaces and organizations' remediation capacity. Vulnerability exploitation has overtaken human-focused attacks as the primary entry point, yet organizations are remediating known exploited vulnerabilities more slowly (43 days median, up from 32) while facing 50% more of them. This slowdown occurs precisely as cloud sprawl, interconnected development pipelines, and AI adoption introduce more identities, APIs, and automation layers into enterprise environments.

The second major finding — that third-party involvement in breaches has jumped from 30% to 48% — reflects a deeper architectural reality: the traditional enterprise boundary no longer exists. Modern organizations are stitched together through software supply chains, CI/CD systems, GitHub integrations, SaaS platforms, and AI agent orchestration. A single compromised component upstream (a software package, a build system, an OAuth token) can cascade across thousands of dependent organizations. Wiz's own incident investigations in 2025 and 2026 documented this repeatedly through campaigns like Shai Hulud and s1ngularity, where trust relationships became the primary attack vector.

AI adoption, according to the DBIR and Wiz research, is accelerating existing risks rather than creating fundamentally new ones. The finding that 57% of organizations have deployed AI agents and 80% have MCP servers in their cloud environments signals that AI is expanding the surface area faster than governance can keep pace. These systems introduce excessive permissions, exposed services, and credential sprawl — familiar security problems in a new context. For defenders, the implication is clear: the priorities remain unchanged (reduce exposure, harden identities, secure supply chains) but must now extend to AI infrastructure with the same rigor applied to cloud systems.

FAQ

What percentage of breaches now begin with vulnerability exploitation?
Vulnerability exploitation accounts for 31% of breaches, making it the leading initial access vector. In cloud environments specifically, 40% of documented intrusions began with weaponized vulnerabilities.
How many Known Exploited Vulnerabilities remain unpatched?
Only 26% of KEVs were fully remediated, while 16% remained entirely unremediated. Organizations faced roughly 50% more KEVs requiring remediation than the year before, with the median number rising from 11 to 16.
How has third-party involvement in breaches changed?
Third-party involvement in breaches rose from 30% to 48% year over year. Attackers increasingly abuse trusted relationships such as compromised software packages, OAuth token abuse, GitHub personal access token theft, CI/CD compromise, and SaaS integrations.

Discussion

No comments yet. Be the first to share your thoughts!

Log in to join the discussion

Related Articles

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →