A significant shift in the threat landscape has been brought to light in the newly released 2025 Verizon Data Breach Investigations Report (DBIR), which for the first time incorporates vulnerability data and analysis from Tenable Research. The report reveals a concerning surge in vulnerability exploitation as the initial access vector for cyber breaches, now accounting for 20% of incidents – a substantial 34% increase year over year. This puts vulnerability exploitation on par with credential abuse, historically the leading cause of breaches.

To provide a deeper understanding of this escalating risk, Tenable Research contributed enriched data on the most commonly exploited vulnerabilities to the Verizon DBIR. This collaboration also led to a complementary deep-dive analysis published by Tenable, titled “Tenable Research in Verizon DBIR: Additional Research Analysis.”

According to the report, Tenable Research meticulously analyzed “over 160 million data points across our telemetry data” to assess the speed at which organizations are patching the “17 high-risk CVEs” highlighted by Verizon, with a specific focus on segmentation by industry.

The findings paint a stark picture of the challenges organizations face in addressing critical security flaws. “The average remediation time worldwide for these 17 CVEs is 213 days,” the research revealed. In the Asia-Pacific (APAC) region, the average remediation time for these same 17 edge device vulnerabilities stood at 199 days.

The report specifically highlighted the protracted remediation timelines for critical vulnerabilities affecting widely used technologies. For Citrix vulnerabilities CVE-2023-6548 and CVE-2023-6549, the data showed that “even the fastest three industries took over 160 days to patch; the slowest industry averaged 288 days.” Similarly, Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887 demonstrated alarmingly slow remediation rates, with some industries averaging “up to 294 days” despite evidence of active remote code execution (RCE) exploitation.

However, the research also offered a glimmer of hope, identifying instances where industries demonstrated the capacity for rapid response. “Fortinet CVE-2024-47575 (FortiJump) had the lowest average remediation rates of the 17 CVEs, with 2 on the low end and 7 on the high,” the report stated. Specifically, “on average, organisations across industries resolved this critical bug in 2-7 days.” Another example of swift action was seen with SonicWall vulnerability CVE-2024-40766, which has been exploited by ransomware groups for initial access. While remediation rates varied across sectors, “engineering resolved in just 6 days, while consulting lagged at 52 days.” Notably, in APAC, both “CVE-2024-47575 (CVSS 9.8) and SonicWall CVE-2024-40766 (9.8) were remediated on average in 28 days or less.”

Scott Caveza, senior staff research engineer at Tenable, emphasized the critical nature of prioritizing vulnerability remediation, particularly for edge devices, in the Tenable Research blog and Verizon DBIR. He stated, “The number of new vulnerabilities disclosed continues to increase sharply, giving cyber defenders a never-ending ‘to-do list.’” Generally, the most critical vulnerabilities should be at the “top of the list, especially for edge devices that serve as a metaphorical door into your environment.”

Caveza further elaborated on the importance of context in vulnerability management, noting, “However, the context around vulnerabilities – where a given vulnerability exists in your environment, what data or systems are potentially at risk, ease of exploitation, the existence of a proof-of-concept, and so much more – drives informed prioritisation and remediation. The biggest, baddest vulnerability could be a non-issue in some circumstances, depending on context.”

However, regarding the specific edge device vulnerabilities highlighted in the DBIR, Caveza stressed the limited tolerance for delayed patching. “For the Verizon DBIR, though, we evaluated the 17 edge device vulnerabilities featured in the report, each of which impacts valuable targets for attackers and is often the entry point for a breach. There are very limited circumstances, if any, where leaving an edge device vulnerable to a critical vulnerability makes sense given the nature of the device. While 54% of organisations have achieved full remediation of these 17 CVEs, our data revealed the average time to patch was a staggering 209 days. This gap is highly concerning, considering that attackers’ average time-to-exploitation is five days.”
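As an added illustration of the metrics discussed above (this is example code, not Tenable's, Verizon's or the article's own), the following Python computes per-industry mean time-to-patch and full-remediation share from constructed finding records, keeps still-open findings separate rather than silently dropping them, and flags any group whose exposure exceeds the five-day time-to-exploitation figure quoted in the report. The asset names, industries and dates are assumed sample values; the two CVE identifiers are those named in the article.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample telemetry: one row per (asset, CVE) finding.
# Columns: asset, industry, cve, first_seen, remediated (None = still open).
# Assets, industries and dates are invented; the CVE ids come from the article.
FINDINGS = [
    ("fw-01", "engineering", "CVE-2024-40766", date(2024, 9, 1), date(2024, 9, 7)),
    ("fw-02", "engineering", "CVE-2024-40766", date(2024, 9, 1), date(2024, 9, 6)),
    ("fw-03", "consulting", "CVE-2024-40766", date(2024, 9, 1), date(2024, 10, 23)),
    ("fw-04", "consulting", "CVE-2024-40766", date(2024, 9, 1), None),
    ("fm-01", "engineering", "CVE-2024-47575", date(2024, 10, 23), date(2024, 10, 25)),
    ("fm-02", "consulting", "CVE-2024-47575", date(2024, 10, 23), date(2024, 10, 30)),
]

ATTACKER_TIME_TO_EXPLOIT_DAYS = 5  # average time-to-exploitation quoted in the article


def remediation_stats(findings, as_of):
    """Per (industry, cve): mean days-to-patch over closed findings, share of
    findings fully remediated, mean days that still-open findings have already
    been exposed (measured up to `as_of`), and whether any finding in the group
    stayed exposed longer than the attacker time-to-exploitation window."""
    groups = defaultdict(list)
    for _asset, industry, cve, first_seen, fixed in findings:
        groups[(industry, cve)].append((first_seen, fixed))
    stats = {}
    for key, rows in groups.items():
        closed = [(fixed - seen).days for seen, fixed in rows if fixed is not None]
        still_open = [(as_of - seen).days for seen, fixed in rows if fixed is None]
        stats[key] = {
            "mean_days_to_patch": mean(closed) if closed else None,
            "pct_fully_remediated": 100.0 * len(closed) / len(rows),
            "open_exposure_days": mean(still_open) if still_open else 0,
            "exceeds_exploit_window": any(
                d > ATTACKER_TIME_TO_EXPLOIT_DAYS for d in closed + still_open
            ),
        }
    return stats


if __name__ == "__main__":
    for (industry, cve), s in sorted(remediation_stats(FINDINGS, date(2025, 1, 1)).items()):
        print(f"{industry:12} {cve}: {s}")
```

Open findings are reported as exposure-to-date rather than folded into the patch average, which would otherwise understate how long an environment has actually been reachable.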

Concluding his analysis, Caveza underscored the urgency of the findings: “Our research underscores that considerable work remains. The data compiled by Verizon, in collaboration with Tenable, highlights the urgency to remediate known vulnerabilities and offers valuable insights to help organisations protect their networks, devices, and people.”