Verizon DBIR 2026 Shows Vulnerability Exploitation Drives One‑Third of Breaches, Patch Lag Worsens
What Happened — Verizon’s 2026 Data Breach Investigations Report (DBIR) found that ≈ 33 % of all confirmed breaches began with the exploitation of known vulnerabilities, while patch remediation rates for critical bugs fell to just ≈ 25 % and average fix time stretched to 43 days.
Why It Matters for TPRM —
- Vulnerability‑centric attacks are now the leading breach vector, raising the risk profile of any third party that relies on unpatched software.
- Slower patch cycles increase exposure windows for suppliers, especially MSPs and cloud providers that host legacy stacks.
- The rise in ransomware‑linked incidents (≈ 50 % of breaches) amplifies the impact on downstream partners.
Who Is Affected — All sectors; the report covers 31 k incidents across 145 countries, with notable spikes in technology, finance, healthcare, and manufacturing.
Recommended Actions —
- Re‑evaluate vendor patch‑management SLAs; require evidence of remediation within 7 days for critical CVEs.
- Incorporate vulnerability‑exploitation metrics into third‑party risk scoring models.
- Conduct quarterly vulnerability‑exposure reviews for high‑risk suppliers (MSPs, cloud hosts, ERP/CRM vendors).
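Turning the SLA and risk‑scoring recommendations above into a repeatable check, as an added example rather than anything from the report or this brief: the 7‑day critical SLA and 43‑day benchmark are the figures quoted above, while the vendor names, placeholder CVE ids, dates, severity weights and the KEV multiplier are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRITICAL_SLA_DAYS = 7    # remediation SLA for critical CVEs recommended in the brief
DBIR_AVG_FIX_DAYS = 43   # average fix time reported by the DBIR, used as a benchmark
# Assumed weights (not from the report): severity multiplier, doubled when the CVE
# is on CISA's actively‑exploited (KEV) list.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
KEV_MULTIPLIER = 2

@dataclass
class Finding:
    vendor: str
    cve: str                     # placeholder ids below; no real CVE numbers are used
    severity: str
    kev_listed: bool             # listed by CISA as actively exploited
    disclosed: date
    remediated: Optional[date]   # None means the vendor has not shown a fix yet

def exposure_days(f: Finding, as_of: date) -> int:
    """Days the supplier was (or still is) exposed: disclosure to fix, or to today if open."""
    return ((f.remediated or as_of) - f.disclosed).days

def sla_breached(f: Finding, as_of: date) -> bool:
    """Critical CVEs must show remediation evidence within CRITICAL_SLA_DAYS."""
    return f.severity == "critical" and exposure_days(f, as_of) > CRITICAL_SLA_DAYS

def score_vendors(findings, as_of: date) -> dict:
    """Per vendor: open count, SLA breaches, mean exposure window, DBIR benchmark flag, weighted score."""
    out = {}
    for f in findings:
        v = out.setdefault(f.vendor, {"open": 0, "sla_breaches": 0, "exposures": [], "score": 0})
        days = exposure_days(f, as_of)
        v["open"] += int(f.remediated is None)
        v["sla_breaches"] += int(sla_breached(f, as_of))
        v["exposures"].append(days)
        v["score"] += SEVERITY_WEIGHT[f.severity] * days * (KEV_MULTIPLIER if f.kev_listed else 1)
    for v in out.values():
        v["avg_exposure_days"] = sum(v["exposures"]) / len(v["exposures"])
        v["exceeds_dbir_avg"] = v["avg_exposure_days"] > DBIR_AVG_FIX_DAYS
        del v["exposures"]
    return out

# Constructed remediation evidence from two hypothetical suppliers (an MSP and a cloud host).
SAMPLE = [
    Finding("acme-msp", "CVE-PLACEHOLDER-1", "critical", True, date(2026, 5, 1), date(2026, 5, 5)),
    Finding("acme-msp", "CVE-PLACEHOLDER-2", "high", False, date(2026, 4, 1), date(2026, 5, 20)),
    Finding("globex-cloud", "CVE-PLACEHOLDER-3", "critical", True, date(2026, 3, 10), None),
    Finding("globex-cloud", "CVE-PLACEHOLDER-4", "critical", False, date(2026, 5, 20), date(2026, 5, 30)),
]
AS_OF = date(2026, 6, 1)

if __name__ == "__main__":
    for vendor, summary in score_vendors(SAMPLE, AS_OF).items():
        print(vendor, summary)
```

Suppliers whose `sla_breaches` is non‑zero or whose `exceeds_dbir_avg` is true are the ones to prioritise in the quarterly exposure review; the score itself only ranks them relative to each other.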
Technical Notes — The DBIR attributes breach origins to:
- Attack vector: exploitation of known software/hardware vulnerabilities (often CVEs listed by CISA as “actively exploited”).
- Data types exposed: PII, PHI, financial records, intellectual property.
- Trend: 48 k new vulnerabilities discovered in 2025 (+18 % YoY); critical‑severity bugs rose 50 % year‑over‑year.