Morning Overview

Hackers just flipped their playbook — software flaws have overtaken stolen passwords as the No. 1 way attackers break in, a sweeping new report finds

For years, stolen passwords were the skeleton key that opened most corporate networks. Phishing emails harvested credentials, attackers logged in, and defenders scrambled to reset accounts. That era is not over, but it is no longer the main event. According to Verizon’s 2025 Data Breach Investigations Report, published in April 2025, exploitation of software vulnerabilities as an initial access vector jumped 34% year over year, making unpatched flaws the fastest-growing way attackers breach organizations. The finding aligns with a broader shift visible across U.S. government vulnerability programs, private threat intelligence, and incident response data: hackers are increasingly skipping the login page and walking straight through holes in the software itself.

The implications stretch well beyond statistics. Federal agencies are restructuring how they track and prioritize vulnerabilities, security teams are rethinking patch cycles, and the infrastructure that defenders depend on for vulnerability data is straining under the load. Here is what the evidence shows, where the gaps remain, and what organizations should do about it.

The federal data behind the shift

Two U.S. government programs anchor the public record on which software flaws attackers are actually using. The Cybersecurity and Infrastructure Security Agency maintains the Known Exploited Vulnerabilities (KEV) Catalog, a running list of software bugs confirmed to have been weaponized in real-world intrusions. Every entry represents an observed attack, not a theoretical risk. Under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV-listed flaws within strict deadlines, and private-sector security teams increasingly treat the catalog as their own priority list.

The KEV Catalog has grown steadily since its 2021 launch. By mid-2025, it listed over 1,100 vulnerabilities, with new entries arriving weekly. Many of the additions in late 2024 and early 2025 targeted edge devices and network appliances from vendors like Ivanti, Fortinet, Palo Alto Networks, and Citrix, reflecting a pattern that Mandiant’s M-Trends 2025 report also flagged: attackers are concentrating on internet-facing infrastructure where a single unpatched device can open a path deep into a network.

The second program is the National Vulnerability Database (NVD), operated by the National Institute of Standards and Technology. NIST has publicly acknowledged that the volume of new Common Vulnerabilities and Exposures (CVE) submissions has outstripped its capacity to enrich records with severity scores, remediation guidance, and technical references. In response, the agency restructured its workflow to prioritize enrichment of CVEs that appear in CISA’s KEV Catalog, directing limited analyst resources toward the flaws attackers are actively exploiting before turning to the broader backlog.

That triage decision is itself a signal. When the government’s own vulnerability database cannot keep pace with incoming disclosures and chooses to focus first on exploited flaws, it tells defenders something concrete: the window between disclosure and exploitation has compressed to the point where the speed of analysis directly affects whether organizations can protect themselves in time.

What the private-sector data adds

Verizon’s 2025 DBIR analyzed more than 22,000 security incidents and 12,195 confirmed breaches. The report found that exploitation of vulnerabilities accounted for 20% of initial access vectors, a significant increase from prior years and enough to rival credential-based attacks in overall share. Edge devices and VPN appliances featured prominently among the exploited targets, consistent with the pattern CISA’s KEV additions have tracked.

Mandiant’s M-Trends 2025 report, drawing on the firm’s incident response engagements, reinforced the trend. Exploits were the most frequently identified initial access vector in Mandiant’s casework for the second consecutive year, ahead of stolen credentials and phishing. The report noted that attackers are moving faster after disclosure: in multiple cases, exploitation began within days of a patch becoming available, and in some instances before a patch existed at all.

These private-sector findings carry their own caveats. Verizon’s dataset skews toward the industries and geographies of its contributing partners. Mandiant’s data reflects the subset of organizations that hire an incident response firm, which tends to overrepresent larger enterprises and more severe breaches. Still, when two of the most widely cited breach-analysis reports independently point in the same direction as federal tracking priorities, the convergence is hard to dismiss.

Where the picture is still incomplete

No single public dataset directly compares vulnerability exploitation frequency against credential-based attacks on a unified, cross-industry scale. The KEV Catalog confirms which flaws are exploited but does not rank them against other attack categories. Verizon and Mandiant use different methodologies and define “initial access” in ways that can overlap. A stolen credential used to reach a vulnerable application, for example, could land in either column depending on how the analyst classifies it.

Some organizations still see password compromise as their most common incident type, particularly in sectors with legacy authentication systems and limited multi-factor adoption. The trend favoring exploitation of software flaws appears strongest in environments with large internet-facing attack surfaces: cloud providers, managed hosting companies, and enterprises running unpatched edge devices.

NIST’s operational strain introduces another layer of uncertainty. The agency has acknowledged that the CVE surge has left many non-KEV records with incomplete enrichment. Organizations relying solely on the NVD for severity scores may find gaps in coverage for flaws that have not yet appeared on CISA’s exploited list. Whether those gaps lead to delayed patching of eventually exploited vulnerabilities is an open question. The near-lapse of MITRE’s CVE Program contract in April 2025, which briefly threatened the entire system for assigning vulnerability identifiers, underscored how fragile the infrastructure behind vulnerability tracking remains.

Why the gap between disclosure and exploitation keeps shrinking

Several forces are compressing the timeline. Proof-of-concept exploit code now appears on public repositories within hours of some disclosures, giving attackers a head start on organizations that patch on weekly or monthly cycles. Automated scanning tools let threat actors sweep the internet for vulnerable devices at scale, turning a single disclosed flaw into thousands of potential targets almost overnight. And the growing reliance on internet-facing appliances, from VPN concentrators to secure email gateways, means that many of the most consequential vulnerabilities sit on devices directly reachable from the open internet, with no need for an attacker to first compromise a user’s credentials.

At the same time, defenders face a volume problem that mirrors NIST’s. The total number of CVEs published annually has climbed year after year, topping 28,000 in 2023 and continuing to rise. No security team can patch everything immediately. The result is a forced prioritization exercise, and the quality of that prioritization increasingly determines whether an organization gets breached through a known, fixable flaw.

How security teams should respond

The most direct step is to integrate CISA’s KEV feed into patch-management workflows as a first-class data source. Every new KEV entry should trigger a check against the organization’s asset inventory, a confirmation of exposure, and a remediation task with a deadline that matches or beats the federal timelines set by BOD 22-01. Treating KEV entries as action items rather than informational alerts changes the speed of response.

For flaws outside the KEV list, teams should supplement NVD data with vendor advisories and third-party threat intelligence feeds that may flag exploitation activity before a formal KEV listing appears. Many vendors now publish their own assessments of exploitation likelihood alongside patches, and managed security providers often track scanning activity and exploit-kit adoption for newly disclosed bugs. Layering these signals on top of baseline severity scores helps avoid a binary model where KEV-listed flaws get all the attention and everything else is treated as low priority.

Prioritization should weigh three factors together: whether a flaw is in the KEV Catalog, how exposed the affected system is to the internet or untrusted users, and how easily an attacker could chain the vulnerability with other weaknesses. A KEV-listed bug on a public-facing VPN gateway demands faster action than a similar flaw buried inside a segmented lab network.

Organizations should also invest in their own vulnerability intelligence capacity, whether through commercial threat intelligence services, industry information-sharing groups like ISACs, or internal research teams that track how new CVEs intersect with their specific technology stacks. The NVD’s enrichment backlog means that waiting for federal analysts to fully score every new CVE is no longer a safe default.
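The KEV-driven workflow in the first paragraph of this section and the three-factor prioritization (KEV listing, exposure, chainability) can be combined into one triage pass. The script below is an added illustration, not code from CISA, Verizon or any vendor; the KEV feed excerpt uses the real feed's field names but constructed placeholder CVE ids and dates, and the asset inventory, exposure weights, scoring values and 7-day internal SLA are assumptions for the example.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (field names match the real
# feed; the CVE ids, vendors and dates are placeholders, not real entries).
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleLab", "product": "Controller",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22"},
]})

# Constructed asset inventory: CVEs present on each host, its exposure, and whether
# the flaw could be chained with other weaknesses on that host.
INVENTORY = [
    {"host": "vpn-gw-01", "cves": {"CVE-0000-0001"}, "exposure": "internet", "chainable": True},
    {"host": "lab-ctl-07", "cves": {"CVE-0000-0002"}, "exposure": "segmented", "chainable": False},
    {"host": "build-03", "cves": {"CVE-0000-0003"}, "exposure": "internal", "chainable": True},
]

EXPOSURE_WEIGHT = {"internet": 3, "internal": 1, "segmented": 0}  # assumed weights

def load_kev(feed_json):
    """Index the KEV feed by CVE id so each inventory CVE is a single lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, today_iso, internal_sla_days=7):
    """Rank inventory matches on the article's three factors (KEV listing, exposure,
    chainability); KEV flaws get a deadline that matches or beats the BOD 22-01 due date."""
    today = date.fromisoformat(today_iso)
    tasks = []
    for asset in inventory:
        for cve in sorted(asset["cves"]):
            entry = kev.get(cve)
            score = EXPOSURE_WEIGHT[asset["exposure"]] + (1 if asset["chainable"] else 0)
            deadline = None
            if entry is not None:
                score += 5  # confirmed exploitation outweighs any other single factor
                federal_due = date.fromisoformat(entry["dueDate"])
                internal_due = today + timedelta(days=internal_sla_days)
                deadline = min(federal_due, internal_due).isoformat()
            tasks.append({"host": asset["host"], "cve": cve, "kev": entry is not None,
                          "score": score, "deadline": deadline})
    # highest score first; among equal scores, the earliest deadline (ISO strings sort by date)
    tasks.sort(key=lambda t: (-t["score"], t["deadline"] or "9999-12-31"))
    return tasks

if __name__ == "__main__":
    for task in prioritize(INVENTORY, load_kev(KEV_FEED_JSON), "2025-05-02"):
        print(task)
```

In practice the feed would be fetched from CISA and the inventory from the organization's asset database; non-KEV matches keep a score but no deadline, which is where vendor advisories and third-party intelligence should be layered in.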

Credential theft has not disappeared

None of this means organizations should ease up on password security. Credential theft and software exploitation often reinforce each other: unpatched systems can be used to harvest passwords, and stolen credentials can help attackers reach vulnerable services that would otherwise be out of reach. Multi-factor authentication, passkey adoption, and credential monitoring remain essential layers of defense.

But the lesson from CISA, NIST, Verizon, and Mandiant is consistent: unpatched software now offers attackers a faster, more scalable path into many networks than stolen passwords do. The organizations that align their patching priorities with the signals coming from federal vulnerability programs and private threat intelligence will be the ones best positioned to close that path before someone walks through it.

*This article was researched with the help of AI, with human editors creating the final content.