ctipilot.ch


Verizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed

high annual-report discovered 2026-05-18 05:00 UTC

Entities: Verizon 2026 DBIR

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

The 19th Data Breach Investigations Report (published 2026-05-19, covering Nov 2024 – Oct 2025) records vulnerability exploitation as the most common initial-access vector at ~31%, overtaking credential abuse (~13%) for the first time in the report's history; Verizon attributes the shift in part to AI-assisted weaponisation compressing the disclosure-to-exploit window. For a public-sector SOC the operationally relevant findings are the defensive regressions, not the headline: the median time to fully patch slipped to ~43 days (from ~32), and organisations remediated only ~26% of CISA KEV-listed vulnerabilities (down from ~38%) while facing ~50% more critical bugs than in the prior dataset. Third-party involvement in breaches rose to ~48% of incidents. These are precisely the gaps that this week's actively exploited CVEs (Drupal, Apex One, Langflow, Defender) target; under NIS2 Art. 21(2)(e) the patching-process regression is also a supervisory-audit exposure. "Shadow AI" (unapproved AI tooling) emerged as a notable data-loss action: scope DLP and data-classification controls to LLM upload endpoints.
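To compare your own estate with the two patching figures quoted above, the following added example (not from the report or from this site) computes a median time to patch and a KEV remediation rate from a findings export. The record layout, the placeholder CVE ids, the 21-day internal deadline and the metric definitions are all assumptions; the report's own methodology may differ.

```python
from datetime import date
from statistics import median

# Benchmarks quoted in the brief above (approximate values).
DBIR_MEDIAN_DAYS_TO_PATCH = 43
DBIR_KEV_REMEDIATED_PCT = 26

# Constructed sample findings (placeholder ids, not real CVEs):
# (id, listed_on_kev, detected, remediated or None if still open)
FINDINGS = [
    ("CVE-PLACEHOLDER-0001", True,  date(2026, 1, 5),  date(2026, 1, 19)),
    ("CVE-PLACEHOLDER-0002", True,  date(2026, 1, 12), None),
    ("CVE-PLACEHOLDER-0003", False, date(2026, 2, 1),  date(2026, 3, 28)),
    ("CVE-PLACEHOLDER-0004", True,  date(2026, 2, 10), date(2026, 3, 2)),
    ("CVE-PLACEHOLDER-0005", False, date(2026, 3, 3),  None),
    ("CVE-PLACEHOLDER-0006", True,  date(2026, 4, 20), None),
]

def patch_metrics(findings, as_of, kev_deadline_days=21):
    """Median days-to-patch, KEV remediation rate, and overdue open KEV items.

    kev_deadline_days is a hypothetical internal deadline, not a DBIR figure.
    """
    closed_days = [(fixed - found).days for _, _, found, fixed in findings if fixed]
    kev = [f for f in findings if f[1]]
    kev_closed = [f for f in kev if f[3] is not None]
    # Open findings never enter the median, so a backlog of unpatched KEV
    # entries would flatter it. Report their age separately, oldest first.
    overdue = sorted(
        ((cve, (as_of - found).days) for cve, _, found, fixed in kev
         if fixed is None and (as_of - found).days > kev_deadline_days),
        key=lambda item: -item[1],
    )
    return {
        "median_days_to_patch": median(closed_days) if closed_days else None,
        "kev_remediated_pct": round(100 * len(kev_closed) / len(kev), 1) if kev else None,
        "overdue_open_kev": overdue,
    }

if __name__ == "__main__":
    m = patch_metrics(FINDINGS, as_of=date(2026, 5, 18))
    print(f"median days to patch: {m['median_days_to_patch']} "
          f"(DBIR ~{DBIR_MEDIAN_DAYS_TO_PATCH})")
    print(f"KEV remediated: {m['kev_remediated_pct']}% "
          f"(DBIR ~{DBIR_KEV_REMEDIATED_PCT}%)")
    for cve, age in m["overdue_open_kev"]:
        print(f"open KEV finding {cve}: {age} days old")
```

Read the median together with the overdue list: a low median built only from closed findings says nothing about KEV entries that are still open.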

vulnerabilities ransomware supply-chain ai-abuse identity global