Vulnerability Exploitation Emerges as Top Initial Access Vector
Vulnerability exploitation is emerging as a primary initial access vector, with two recent reports presenting differing yet telling narratives about its growing importance.
According to the latest edition of M-Trends, the annual threat report from Google Cloud’s Mandiant, vulnerability exploits remained a dominant force in 2024.
While the exploitation of vulnerabilities has receded slightly from its 2023 peak, when it represented 38% of all reported cyber-attacks, it still accounted for 33% of all hacks in 2024 – far ahead of any other initial access method.
In contrast, Verizon’s 2025 Data Breach Investigations Report showed that vulnerability exploitation surged to second place in 2024, behind credential abuse, driven by a 34% rise that followed a remarkable 180% increase the previous year.
This initial access method now represents 20% of the overall data breaches observed by Verizon.
Edge Device Zero Days and Third-Party Breaches
According to Verizon’s report, two recent trends have contributed to the rise in vulnerability exploitation:
- Increased targeting of edge devices and virtual private network (VPN) solutions, particularly with zero-day exploits
- A surge in third-party breaches
The exploitation of edge devices and VPNs jumped from 3% to 22%, with attackers often exploiting vulnerabilities before they can be patched.
According to Scott Caveza, a Senior Staff Research Engineer at Tenable, the average time to patch edge device vulnerabilities is 209 days, while attackers can exploit them in just five days.
Additionally, the percentage of breaches involving third-party compromises doubled to 30%, with 81% of these breaches involving system intrusion.
Going through some of the highlights of the latest report, Alistair Neil, Managing Director for Advanced Solutions International at Verizon Business, noted that the rise in vulnerability exploits was consistent with the observed increase in vulnerability reporting.
“If you look at the US National Institute of Standards and Technology (NIST), it registered 28,000 common vulnerabilities and exposures (CVEs) in 2023 and 40,000 in 2024 – so there is a correlation,” Neil said.
Additionally, a recent report by Jerry Gamblin, Principal Engineer at Cisco, estimated a 48% year-over-year growth in CVE publications in March 2025.
Experts emphasize the need for informed prioritization and remediation of vulnerabilities, as well as better security controls for third-party vendors.
Challenges Mount as Vulnerability Exploits Rise
This emergence of vulnerability exploits comes as the vulnerability management community faces many difficulties, including a surge in vulnerability reporting that is outpacing the processing capacity of NIST’s National Vulnerability Database (NVD) and a recent funding crisis for the Common Vulnerabilities and Exposures (CVE) Program that was narrowly averted by a last-minute contract extension.
The NVD is struggling to keep up with the increasing number of CVEs being reported, leading to a growing backlog.
Meanwhile, the CVE Program, which is critical for vulnerability management, faced a funding crisis when its contract with MITRE was set to expire, but was saved by an 11-month extension.
The community is also exploring alternative solutions, such as the CVE Foundation and the European Vulnerability Database, to improve the sustainability and diversity of vulnerability data sources.
Phishing in Decline, Infostealers on the Rise
Mandiant also noted a fall in phishing – from 17% in 2023 to 14% in 2024. The security giant said this was mainly due to the growing ability of threat actors to obtain credentials in a variety of ways, such as purchasing leaked or stolen credentials on underground forums, mining large data leaks for credentials and infecting users with keyloggers and infostealers (malware that collects sensitive user data such as credentials and browser data).
This decline was accompanied by a rise in credential theft, from 10% in 2023 to 16% in 2024. In Verizon’s DBIR, credential abuse came as the top initial access vector, representing 22% of all reported breaches in 2024. Phishing came third, representing 16% of all breaches.
The Mandiant report emphasized a resurgence in the use of infostealers, with the most notable example being the Snowflake customer compromise in April 2024, where credentials were obtained from infostealer malware campaigns.
Finally, another notable initial access trend was insider threats, making up 5% of vectors.
The Mandiant researchers highlighted a surge in fake North Korean IT worker campaigns as a major contributor to this trend.