
May 25, 2026 · 7 min read

Verizon Just Said 31% of Breaches Started With an Exploited Bug Last Year—Up From 20%—And the Companies It Studied Are Patching Only 26% of the Critical Ones, in a Median of 43 Days

The 2026 Data Breach Investigations Report covers 22,000 incidents and concludes that the gap between disclosure and exploitation has crossed into negative territory. The number Verizon describes as the most worrying is not the ransomware figure, the phishing figure, or the breach total. It is the simple ratio of CISA Known Exploited Vulnerabilities that organizations actually closed inside the year they had to do it.


Key Takeaways

  • Verizon analyzed more than 22,000 confirmed breach incidents for the 2026 Data Breach Investigations Report and found that 31% started with an exploited vulnerability, up from 20% in the prior edition.
  • Of the critical vulnerabilities in CISA's Known Exploited Vulnerabilities catalog, organizations in the study fully remediated only 26%, down from 38% the year before, and the median time to fully patch a critical bug rose from 32 days to 43.
  • Ransomware or extortion was present in 48% of breaches, up from 44%, and 69% of victims declined to pay—dragging the median ransom payment down to $140,000 from $150,000 a year earlier.
  • The CISA KEV catalog contained more than 1,500 CVEs by February 2026, with 65% of them documented as exploited in the previous twelve months, and the median enterprise had 16 KEV bugs sitting on its perimeter at any time, versus 11 in 2024.
  • Five weakness classes account for the bulk of exploited bugs: out-of-bounds read, heap-based buffer overflow, use-after-free, external control of file name or path, and incompatible type resource access.

What Did Verizon Actually Measure?

The 2026 Data Breach Investigations Report draws on 22,000 confirmed breach incidents collected from 94 partner organizations across 130 countries, the largest pool the annual study has ever worked with. Verizon does not just count breaches. For each incident, the analysts classify the initial access vector, the chain of techniques used, the data taken, the actor type, and the financial outcome where it can be measured.

The shift the 2026 edition flags as most important is the move of exploited vulnerabilities into a tie with stolen credentials as the leading way attackers reach victim networks. In the 2024 report, credentials were the top vector at 38% and vulnerability exploitation came second at 20%. In 2026, exploitation reached 31% and credentials slipped to 32%, putting the two within the margin of error of each other.

That sounds like a single data point. It is in fact a description of how the threat economy has changed: scanning the internet for an unpatched bug is now nearly as profitable as buying a stolen username and password, and a great deal less work to scale.

Why Is the KEV Remediation Rate Falling?

The Known Exploited Vulnerabilities catalog is CISA's curated list of bugs that defenders have confirmed are being used against live targets. Federal civilian agencies have a binding obligation to patch them inside specific deadlines, and many private companies have copied that policy because it is the closest thing to a triaged to-do list the security community has.

The catalog grew from roughly 1,100 entries at the start of 2024 to more than 1,500 by February 2026. Verizon's contributors report that 65% of those CVEs were documented as exploited in the previous year, meaning the catalog is doing its job: it is identifying live, active threats, not theoretical ones.

Despite that, the organizations in Verizon's study closed only 26% of the critical KEV vulnerabilities affecting their environments inside the year, down from 38% in the prior report. The median time to patch a critical bug climbed from 32 days to 43. The number of KEV CVEs the median company had on its network at any moment rose from 11 to 16.

Verizon's own analysts describe the picture as "a Sisyphean cause"—too many vulnerabilities, not enough time, and a patching pipeline that loses ground every quarter. The combination has a knock-on effect on every other risk in the report. If 16 actively exploited bugs sit on the perimeter at any time, an attacker scanning that perimeter does not need anything novel. They need the next free hour.

How Did Ransomware Move?

Ransomware or related extortion appeared in 48% of breaches in the 2026 study, up from 44% in 2024. Verizon's writers note in the report that ransomware "is the yoga pants of cybersecurity—ubiquitous, stubbornly popular" and unlikely to be displaced by any single takedown.

Two countervailing trends sit behind the headline number. The number of victims who paid fell. Verizon says 69% of victim organizations refused the demand outright, up from 64%. The median payment for those who did pay dropped to $140,000 from $150,000 the year before, which is the second consecutive annual decline. Insurers are negotiating harder, backup hygiene is incrementally better, and law enforcement has had a few good takedowns of payment laundering pipelines.

At the same time, the count of attacks went up. The economics still work for the operators because affiliate networks have lower cost structures, leak-site-only extortion has been growing, and there is no shortage of unpatched exposure to break in through. The Verizon authors specifically link the rising attack count to the falling KEV remediation rate. Both lines point in the same direction.

Which Bug Classes Account for the Worst Damage?

Five Common Weakness Enumeration categories show up disproportionately often among the exploited bugs Verizon mapped: out-of-bounds read, heap-based buffer overflow, use-after-free, external control of file name or path, and incompatible type resource access. These are the same classes that have led memory safety bug tracking lists for at least a decade.

The persistence of the same categories is not a story about novelty. It is a story about how slowly legacy C and C++ code bases turn over and how often modern systems still rely on libraries written in those languages. Rust, Swift, and managed runtimes prevent most of the listed classes by construction. Almost none of the affected systems are written in them.

The same five categories were responsible for the May 2026 Linux kernel issue catalogued as CVE-2026-46333 and for a recent NGINX bug, picked up by an AI fuzzer, that had hidden in the same code path for 18 years. The DBIR is not a forecast. It is a backward-looking confirmation that the bug classes the industry has been promising to retire have not retired.

What About Phishing and Credentials?

Credentials remained the second leading access vector at 32%, narrowly above the 31% exploited vulnerability number and below the 38% they held in 2024. The narrowing reflects two things at once: large credential leaks have lost some of their utility as multi-factor authentication spreads, and phishing has shifted toward MFA bypass techniques, OAuth consent abuse, and adversary-in-the-middle proxies rather than plain password capture.

Verizon documents 88% of breaches as financially motivated, with espionage accounting for most of the remainder. That mix is stable. What is changing is the tooling the financially motivated actors reach for. Mass credential stuffing is becoming a less reliable revenue line than spraying exploits at the KEV list.

A standalone phishing study, such as Microsoft's Q1 2026 figures showing 8.3 billion phishing emails blocked in 90 days, shows that the volume of attempts has gone up. The DBIR shows that the success rate of plain credential capture has gone modestly down. Both can be true.

What Defenders Should Take From the 2026 Report

The report's own reading is that vulnerability management is the bottleneck: not security awareness, not endpoint detection, not even credential hygiene. If the median enterprise carries 16 actively exploited CVEs on its perimeter and patches them in 43 days, every other defensive line is downstream of those failures.

Practical implications for a security team reading the DBIR:

  • Track patch time on KEV catalogued bugs as a distinct metric from generic CVE patch time. The catalog is the part of the population with confirmed active exploitation.
  • Treat the gap between disclosure and weaponization as the planning window. Google Threat Intelligence Group has documented the median dropping below zero for high-impact bugs.
  • Assume credential and exploit paths are now near equal. Programs that historically prioritized only one of the two should be rebalanced.
  • Watch the five weakness classes the report calls out. They are not new categories. They are the ones still moving the needle on real incidents.
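The first two items above, KEV patch time as its own metric and the disclosure-to-weaponization gap, can be computed from an ordinary finding inventory. The following is an added example written for this article, not code from Verizon or the DBIR; the finding records, dates and placeholder CVE ids are constructed, and the column names are assumptions about how a team might store its data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder identifier, not a real CVE
    severity: str               # qualitative rating, e.g. "critical"
    disclosed: date             # public disclosure date
    exploited: Optional[date]   # first documented in-the-wild exploitation, or None
    patched: Optional[date]     # date remediation was verified, or None if still open
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog

def age_days(f):
    """Days from public disclosure to verified remediation."""
    return (f.patched - f.disclosed).days

def vuln_metrics(findings, window_days=365):
    """KEV remediation tracked apart from generic patch time.
    kev_critical_closed_share mirrors the DBIR's 26% ratio; kev_open is the
    "bugs on the perimeter" count; weaponization_gap_days is the median of
    (exploited - disclosed), negative when exploitation preceded disclosure."""
    critical_kev = [f for f in findings if f.in_kev and f.severity == "critical"]
    closed_in_window = [f for f in critical_kev if f.patched and age_days(f) <= window_days]
    all_closed = [f for f in findings if f.patched]
    gaps = [(f.exploited - f.disclosed).days for f in findings if f.exploited]
    return {
        "kev_critical_closed_share": len(closed_in_window) / len(critical_kev) if critical_kev else 0.0,
        "kev_critical_median_days": median(map(age_days, closed_in_window)) if closed_in_window else None,
        "kev_open": sum(1 for f in findings if f.in_kev and f.patched is None),
        "generic_median_days": median(map(age_days, all_closed)) if all_closed else None,
        "weaponization_gap_days": median(gaps) if gaps else None,
    }

# Constructed sample inventory (not DBIR data); CVE ids are placeholders.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-0001", "critical", date(2025, 3, 1), date(2025, 2, 20), date(2025, 4, 10), True),
    Finding("CVE-PLACEHOLDER-0002", "critical", date(2025, 5, 15), date(2025, 5, 20), date(2025, 7, 4), True),
    Finding("CVE-PLACEHOLDER-0003", "critical", date(2025, 6, 1), date(2025, 5, 25), None, True),
    Finding("CVE-PLACEHOLDER-0004", "high", date(2025, 2, 1), None, date(2025, 2, 15), False),
    Finding("CVE-PLACEHOLDER-0005", "critical", date(2025, 8, 1), date(2025, 8, 1), date(2026, 9, 1), True),
    Finding("CVE-PLACEHOLDER-0006", "medium", date(2025, 4, 1), None, date(2025, 4, 11), False),
]

if __name__ == "__main__":
    for name, value in vuln_metrics(SAMPLE).items():
        print(f"{name}: {value}")
```

On the sample data the generic median patch time (40 days) looks healthier than the critical-KEV picture (half closed inside the window, one still open), and the median weaponization gap is negative, which is exactly the distinction the two bullets ask teams to surface.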

The Verizon authors close with a sentence worth quoting: "We are losing ground we cannot afford to give back, and the catalog of bugs being weaponized against us is bigger every year." The 2027 edition is going to depend on how many of those bugs the defenders close in the next twelve months.
