34% Increase in Exploitation of Vulnerabilities

According to Verizon’s annual Data Breach Investigations Report (DBIR), exploitation of vulnerabilities as an initial access vector in cyber incidents has tripled over the past two years.

Following the dramatic 180% increase reported in Verizon’s 2024 DBIR, the new report, released on April 23, 2025, shows an additional 34% growth in this method of initial access.

This access vector now accounts for 20% of all data breaches observed by Verizon—just two percentage points behind the leading vector, credential abuse. Phishing ranks third, accounting for 16% of data breaches.

Record Number of Data Breaches in DBIR History

In the 18th edition of the DBIR, Verizon analyzed 22,052 cybersecurity incidents, of which 12,195 were confirmed data breaches occurring between November 1, 2023, and October 31, 2024, across 139 countries.

Alistair Neil, Managing Director of International Advanced Solutions at Verizon Business, stated at the report's launch event in London:
"The number of confirmed data breaches this year is higher than in any of our previous reports."

More than half of these breaches (53%) involved system intrusions—a significant increase from 36% in the 2022/23 reporting period. Additionally, 17% involved social engineering, and 12% stemmed from basic web application attacks. Lastly, 6% were due to abuse of privileged access.

Exploitation of Vulnerabilities Now a Major Concern

Neil emphasized that the surge in vulnerability exploitation aligns with the increase in reported vulnerabilities:

"If you look at the data from the U.S. National Institute of Standards and Technology (NIST), there were 28,000 Common Vulnerabilities and Exposures (CVEs) reported in 2023, and 40,000 in 2024. So, there is a clear correlation."

According to Neil, two key trends have driven the rise in vulnerability exploitation:

  1. The increasing targeting of edge devices and virtual private networks (VPNs), particularly via zero-day vulnerabilities.

  2. A sharp rise in data breaches resulting from third-party compromises.

Zero-Day Vulnerability Exploitation

Exploitation of edge devices and VPNs has surged nearly eightfold—from 3% to 22%—indicating a growing threat. While organizations have made significant efforts to patch vulnerabilities, Verizon’s analysis shows that, on average, only 54% of them are fully remediated within 32 days. Neil noted that this delay provides ample opportunity for attackers.

Scott Caveza, Principal Research Engineer at Tenable, which provided the vulnerability data for the report, said:
"We reviewed 17 edge device vulnerabilities cited in the report. Each represents a high-value target for attackers and often serves as the entry point for data breaches. While 54% of organizations have fully remediated these 17 CVEs, the average time to patch was 209 days. Meanwhile, attackers exploit vulnerabilities on average just five days after discovery."

Caveza emphasized that the vulnerability problem leaves cybersecurity defenders with an "endless to-do list."

"In general, critical vulnerabilities must be prioritized—especially in edge devices that act as gateways into your environment. But the context of a vulnerability—such as its location within the environment, exposed data or systems, exploitability, and proof-of-concept availability—determines how it should be prioritized and remediated. Sometimes, a highly dangerous vulnerability may pose little actual risk depending on the circumstances."

Sharp Rise in Third-Party Data Breaches

Furthermore, the 2025 DBIR revealed that the share of breaches linked to third parties has doubled—from 15% in last year’s findings to 30%.

These attacks were primarily conducted by adversaries seeking system intrusion, with 81% of third-party breaches involving compromise of the victim's systems.

Neil noted:
"Some of the most significant incidents this year involved the reuse of credentials in third-party environments. Our research found that the average time to remediate leaked sensitive data in a GitHub repository was 94 days. This trend has elevated the evaluation of security controls across third, fourth, and even fifth-party vendors into a major concern for our customers."

Source: MedadPress
www.medadpress.ir