04/22/2025 | News release | Distributed by Public on 04/22/2025 22:11
Executive Summary
The 2025 Data Breach Investigations Report reveals critical trends that security teams and leaders must address to protect their organizations against evolving cyber threats. Once again, Qualys contributed to this report to help unpack critical patterns and equip organizations with the knowledge to bolster security and stay ahead of future threats.
Key findings show that exploitation of vulnerabilities as the initial access vector for breaches has seen another year of growth, reaching 20%. Exploitation of edge device and VPN vulnerabilities grew nearly eight-fold, while ransomware presence increased by 37%. Third-party involvement in breaches doubled to 30%, and espionage-motivated breaches rose significantly to 17%. Additionally, 46% of compromised systems holding corporate credentials were non-managed devices, highlighting BYOD risks and the importance of robust asset management. This blog explores the implications of these findings.
Vulnerability Management: The Growing Challenge
Exploiting vulnerabilities as an initial access vector has grown significantly, reaching 20% of the 12,195 confirmed data breaches analyzed in the 2025 DBIR. This represents a 34% increase over the previous year and approaches the frequency of credential abuse (22%).
This trend demands immediate attention from security teams, particularly as edge devices and VPNs now account for 22% of vulnerability exploitation targets, up from just 3% in the 2024 report, an almost eight-fold increase.
Organizations must leverage a risk-based approach and prioritize vulnerability scanning and patching for internet-facing systems. The data clearly shows that attackers follow the path of least resistance, targeting vulnerable edge devices that provide direct access to internal networks.
Patch Management: A Race Against Time
According to the report, the median time for organizations to fully remediate edge device vulnerabilities was 32 days, while the median time for those vulnerabilities to be mass exploited was zero days, meaning the analyzed vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog on or before the day their CVE was published. The gap between a zero-day exploitation window and a 32-day remediation window is the critical exposure period that organizations must work to close.
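The exposure window described above can be measured directly from a KEV-style feed and an asset inventory. The following script is an added example, not code from the report or from Qualys: it computes days-from-CVE-publication-to-KEV-listing for each vulnerability, the per-asset exposure in days after KEV listing until patching, and ranks internet-facing, unpatched KEV items first. All CVE IDs, dates, products and hosts are constructed placeholders (the IDs are deliberately not real CVEs); only the field names `cveID`, `vendorProject`, `product` and `dateAdded` mirror the real CISA KEV JSON feed.

```python
"""Exposure-window triage against a KEV-style feed (added example).

Constructed data only: the CVE IDs below are placeholders rather than real
vulnerabilities, and the dates are made up to mirror the DBIR finding that
some edge-device CVEs reach CISA KEV on or before their publication date.
"""
from datetime import date
from statistics import median

# Constructed KEV-style entries using the field names of the real CISA KEV
# JSON feed (cveID, vendorProject, product, dateAdded). Placeholder IDs.
KEV_ENTRIES = [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleNet", "product": "Edge VPN", "dateAdded": "2025-01-10"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleNet", "product": "Edge Firewall", "dateAdded": "2025-02-03"},
    {"cveID": "CVE-2099-0003", "vendorProject": "ExampleSoft", "product": "Office Suite", "dateAdded": "2025-03-20"},
]

# Constructed CVE publication dates (the role NVD's publishedDate would play).
CVE_PUBLISHED = {
    "CVE-2099-0001": "2025-01-12",  # listed in KEV before publication
    "CVE-2099-0002": "2025-02-03",  # listed in KEV on publication day
    "CVE-2099-0003": "2025-02-01",  # listed in KEV 47 days after publication
}

# Constructed asset inventory: which hosts carry which CVEs, whether they are
# internet-facing edge devices, and when (if) they were patched.
ASSETS = [
    {"host": "vpn-gw-1", "internet_facing": True, "cves": ["CVE-2099-0001"], "patched_on": "2025-02-13"},
    {"host": "fw-edge-2", "internet_facing": True, "cves": ["CVE-2099-0002"], "patched_on": None},
    {"host": "ws-044", "internet_facing": False, "cves": ["CVE-2099-0003"], "patched_on": "2025-03-25"},
]


def _d(s):
    return date.fromisoformat(s)


def _kev_added(cve_id, kev):
    return _d(next(e["dateAdded"] for e in kev if e["cveID"] == cve_id))


def days_to_kev(cve_id, kev=KEV_ENTRIES, published=CVE_PUBLISHED):
    """Days from CVE publication to KEV listing. Zero or negative means the
    vulnerability was known-exploited at or before disclosure."""
    return (_kev_added(cve_id, kev) - _d(published[cve_id])).days


def exposure_days(asset, cve_id, kev=KEV_ENTRIES, as_of=date(2025, 4, 22)):
    """Days an asset stayed exposed after the CVE hit KEV, until patched (or as_of)."""
    end = _d(asset["patched_on"]) if asset["patched_on"] else as_of
    return max((end - _kev_added(cve_id, kev)).days, 0)


def triage(assets=ASSETS, kev=KEV_ENTRIES):
    """Rank (host, cve) pairs: open, internet-facing KEV items first, then by exposure."""
    kev_ids = {e["cveID"] for e in kev}
    rows = []
    for a in assets:
        for c in a["cves"]:
            in_kev = c in kev_ids
            rows.append({
                "host": a["host"], "cve": c, "in_kev": in_kev,
                "internet_facing": a["internet_facing"],
                "open": a["patched_on"] is None,
                "days_to_kev": days_to_kev(c, kev) if in_kev else None,
                "exposure_days": exposure_days(a, c, kev) if in_kev else 0,
            })
    # False sorts before True, so urgent items come first; then longest exposure.
    rows.sort(key=lambda r: (not (r["in_kev"] and r["internet_facing"] and r["open"]),
                             not r["in_kev"], -r["exposure_days"]))
    return rows


def median_days_to_kev(kev=KEV_ENTRIES, published=CVE_PUBLISHED):
    """Median publication-to-KEV delay across the feed (0 for this sample)."""
    return median(days_to_kev(e["cveID"], kev, published) for e in kev)


if __name__ == "__main__":
    for row in triage():
        print(row)
    print("median days to KEV:", median_days_to_kev())
```

In practice the `KEV_ENTRIES` list would be replaced by the `vulnerabilities` array of the downloaded CISA KEV JSON, and `CVE_PUBLISHED` by NVD publication dates; the ranking logic stays the same. The sort key puts unpatched, internet-facing KEV items first because that is exactly the population the report says is being mass-exploited at day zero.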
Security teams should:
Ransomware: Evolving Tactics and Economics
Ransomware presence in analyzed breaches grew by 37%, appearing in 44% of all breaches reviewed (up from 32% the previous year). However, the median ransom payment decreased to $115,000 from $150,000, and 64% of victim organizations did not pay the ransom (up from 50% two years ago).
Small organizations are disproportionately affected by ransomware. While larger organizations experience ransomware in 39% of their breaches, small and medium-sized businesses (SMBs) see ransomware in a staggering 88% of breach incidents.
Organizations should implement a comprehensive vulnerability management approach that:
Cloud and Application Security: The Third-Party Challenge
Third-party involvement in breaches doubled from 15% to 30%, with credential reuse in third-party environments becoming increasingly common. Research found the median time to remediate leaked secrets discovered in GitHub repositories was 94 days.
Espionage-motivated breaches grew significantly to 17%, with these attackers leveraging vulnerability exploitation as an initial access vector 70% of the time. Interestingly, approximately 28% of incidents involving state-sponsored actors had a financial motive.
Cloud and application security programs must evolve to:
Compliance and Risk Management
Analysis of infostealer malware credential logs revealed that 30% of compromised systems can be identified as enterprise-licensed devices. However, 46% of compromised systems holding corporate logins were non-managed devices hosting both personal and business credentials.
By correlating infostealer logs with ransomware victim data, the DBIR found that 54% of ransomware victims had their domains appear in infostealer credential dumps, and 40% had corporate email addresses among the compromised credentials.
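The two findings above (corporate logins captured on non-managed devices, and victim domains surfacing in infostealer data) both come down to correlating stealer records with what an organization knows about its own domains and managed fleet. The script below is an added example, not Qualys or DBIR code: it parses stealer records in a simplified `machine|url|login|password` layout, flags records that expose a corporate login or corporate target host, checks each machine against a managed-device inventory, and reports the unmanaged share, the hosts mixing personal and corporate credentials, and the accounts to reset. All hosts, domains, logins and the inventory are constructed; passwords are dummies and are discarded at parse time.

```python
"""Correlating infostealer credential records with corporate assets (added example).

Constructed sample data: machine names, domains (.test TLD) and logins are
invented, and the password column is a dummy that is dropped when parsing.
The record layout is a simplification of real stealer log bundles.
"""
from urllib.parse import urlsplit

CORPORATE_DOMAINS = {"example-corp.test"}           # constructed
MANAGED_HOSTS = {"CORP-LT-0412", "CORP-LT-0977"}    # constructed MDM/EDR inventory

# Constructed stealer records: machine|url|login|password (one per line).
STEALER_RECORDS = """\
CORP-LT-0412|https://vpn.example-corp.test/login|alice@example-corp.test|REDACTED
HOME-PC|https://mail.example-corp.test/owa|bob@example-corp.test|REDACTED
HOME-PC|https://shop.example.test/account|bob.personal@mail.test|REDACTED
GAMING-RIG|https://sso.example-corp.test/|carol@example-corp.test|REDACTED
CORP-LT-0977|https://www.example.test/|dave@mail.test|REDACTED
"""


def parse_records(text):
    """Parse 'machine|url|login|password' lines; malformed lines are skipped
    and the password column is never retained."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        machine, url, login, _password = parts
        out.append({"machine": machine, "url": url, "login": login})
    return out


def _login_domain(login):
    return login.rsplit("@", 1)[-1].lower() if "@" in login else ""


def _url_host(url):
    return (urlsplit(url).hostname or "").lower()


def is_corporate(rec, corp_domains):
    """Corporate exposure: the login uses a corporate domain, or the captured
    URL targets a corporate host (a personal login on a corporate portal still counts)."""
    host = _url_host(rec["url"])
    return (_login_domain(rec["login"]) in corp_domains
            or any(host == d or host.endswith("." + d) for d in corp_domains))


def classify(records, corp_domains, managed_hosts):
    """Annotate each record with corporate exposure and managed-device status."""
    return [{**r,
             "corporate": is_corporate(r, corp_domains),
             "managed": r["machine"] in managed_hosts}
            for r in records]


def summarize(rows):
    """Roll up the BYOD picture: unmanaged share of corporate exposures,
    hosts mixing personal and corporate credentials, and accounts to reset."""
    corp = [r for r in rows if r["corporate"]]
    unmanaged_corp = [r for r in corp if not r["managed"]]
    kinds_by_host = {}
    for r in rows:
        kinds_by_host.setdefault(r["machine"], set()).add(r["corporate"])
    mixed = sorted(h for h, kinds in kinds_by_host.items() if kinds == {True, False})
    return {
        "corporate_records": len(corp),
        "unmanaged_share": round(len(unmanaged_corp) / len(corp), 2) if corp else 0.0,
        "unmanaged_hosts": sorted({r["machine"] for r in unmanaged_corp}),
        "mixed_hosts": mixed,
        "accounts_to_reset": sorted({r["login"] for r in corp}),
    }


if __name__ == "__main__":
    rows = classify(parse_records(STEALER_RECORDS), CORPORATE_DOMAINS, MANAGED_HOSTS)
    for key, value in summarize(rows).items():
        print(f"{key}: {value}")
```

Matching on the URL host as well as the login domain matters: a personal address saved against a corporate SSO portal is still a corporate exposure, and a device that never appears in the MDM/EDR inventory is the "non-managed" case the report calls out. The `accounts_to_reset` list is the actionable output; the unmanaged hosts cannot be remediated by the enterprise, so credential reset and session revocation are the only levers.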
Data Protection and Emerging Threats
GenAI presents increasing risks, with 15% of employees routinely accessing GenAI systems on corporate devices. Among these, 72% used non-corporate emails, and 17% used corporate emails without integrated authentication systems. In addition, analysis indicates that "synthetically generated text in malicious emails has doubled over the past two years," showing how threat actors are adopting AI technologies.
Conclusion
The 2025 DBIR findings emphasize the need for a holistic security approach that prioritizes vulnerability management while addressing third-party risks and evolving ransomware tactics. Security teams can build more resilient programs that protect their organizations against the most prevalent attack vectors by focusing on these key areas.
Follow our blog to get the latest from the Qualys Threat Research Unit (TRU).