The 31% Problem: Why Software Flaws Just Overtook Stolen Passwords

AKATI Sekurity Incorporated MSSP

What you need to know:

For the first time in nearly two decades, attackers are getting in through unpatched software more often than through stolen passwords. AI has compressed the gap between a flaw being disclosed and weaponised from months to minutes. Most organisations are fixing only about a quarter of the flaws that attackers are actively using. The advantage has moved, and the patch queue is now the battleground.

Something shifted in 2025 that took nineteen years to surface. Across the year’s major breach datasets, the most common way into an organisation stopped being the stolen password and became the unpatched flaw. The 2026 Data Breach Investigations Report put a number on it: vulnerability exploitation accounted for 31% of breaches, the first time it has topped credential theft in the report’s history. Stolen credentials fell to 13%. For nineteen years the advice was to protect the password. The evidence now says protect the code.


The problem, named

This is a change in where attackers find their footing, and it did not happen because passwords got safer. It happened because exploiting software got faster and cheaper. Vulnerability exploitation climbed to 31% of breaches from 20% a year earlier, while credential abuse dropped to 13%. Attackers are not inventing more flaws. They are reaching the ones that already exist before defenders can close them.

“For nineteen years the advice was to protect the password. The evidence now says protect the code.”


How the gap opened

When a vulnerability is disclosed, a clock starts. The only question is who gets there first, and the independent incident data makes the answer uncomfortable. Palo Alto Networks’ Unit 42, drawing on more than 750 response cases in its 2026 Global Incident Response Report, found that attackers begin scanning for a newly disclosed flaw within 15 minutes of the CVE being published. By the time a security team has finished reading the advisory, the scanning has often already begun.

It accelerates once they are inside. Unit 42 measured the quickest quartile of intrusions reaching data exfiltration in 72 minutes in 2025, down from 285 minutes the year before. The compression from vulnerability discovery to exploitation, the team notes, has moved from months to minutes.

“Attackers begin scanning for a new flaw within 15 minutes of its disclosure. The fastest intrusions now reach data theft in just over an hour.”

— Unit 42, 2026 Global Incident Response Report

There is a detail worth sitting with. In April we wrote about Claude Mythos, the AI system that autonomously discovered thousands of vulnerabilities and generated working exploits without a human guiding it. The breach data behind these 2025 figures predates that wave of frontier models. The window had already collapsed using the previous generation of AI. The capability we described in April is the accelerant, not the cause.

Now run that against the defender’s side of the ledger. Remediation got slower, not faster. The 2026 DBIR measured the year’s flaws against CISA’s Known Exploited Vulnerabilities catalogue, the list of bugs confirmed to be under active attack, and found that only 26% were fully fixed in 2025, down from 38% the year before. The median time to fully patch a vulnerability stretched to 43 days, up from 32. And the median organisation had 16 of these critical flaws to clear, against 11 a year earlier.


More flaws to fix. Slower to fix them. Fewer getting fully closed.

What it costs the business

For a board, the translation is direct. The most common door into your organisation is one you already know about and have not yet closed. A new detection tool does not close that gap. The flaws are already known. What is missing is the capacity to fix them fast enough, which makes this a budget and operating-model question that sits above the CISO.

The downstream cost is well documented. IBM’s 2025 Cost of a Data Breach Report put the global average breach at $4.44 million, with the United States at a record $10.22 million. Breaches that ran through a third party were among the costliest and slowest to resolve, averaging $4.91 million. Unpatched software is one of the cleanest routes into both your own environment and your suppliers’, and supply-chain compromise now features in roughly half of all breaches.

Ransomware sits on top of the same foundation. The 2026 DBIR found it involved in 48% of breaches in 2025, up from 44%, and an unpatched internet-facing system is one of the simplest footholds for it. There is one encouraging signal: 69% of ransomware victims declined to pay, and the median ransom fell below $140,000. Refusal is becoming the norm. The cost of downtime, restoration and disclosure still lands on the business whether or not a ransom changes hands.

“The global average breach now costs $4.44 million. In the United States, it is a record $10.22 million.”

— IBM, 2025 Cost of a Data Breach Report


What to do this quarter

The response is operational, and it can start now.

1. Patch against the KEV list, not the severity score. Fixing every high-severity flaw is impossible. Fixing the ones attackers are demonstrably using is not. Start with CISA’s Known Exploited Vulnerabilities catalogue and work down.

2. Inventory what is internet-facing first. The edge is where breaches begin. Identify every asset exposed to the public internet and treat those patches as non-negotiable.

3. Make time-to-remediate a board metric. Report the share of KEV flaws closed within 7, 28 and 43 days. A number the board sees every quarter is a number that gets resourced.

4. Put patch timelines in vendor contracts. If a third party’s software runs in your environment, their remediation speed is your exposure. Make it contractual, not aspirational.

5. Build for the patch surge. AI is surfacing flaws faster than ever, which means more patches arriving faster. Stand up the capacity to triage and deploy at volume before the volume arrives.
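Steps 1 to 3 above describe one workflow: join scanner findings against the KEV catalogue, queue internet-facing KEV flaws first, and report the share closed within 7, 28 and 43 days. The script below is an added example of that workflow, not code from AKATI or from any of the cited reports. The KEV entries and the asset findings are constructed sample data with placeholder CVE numbers; the field names (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) follow the public KEV JSON feed, but the values are invented for illustration.

```python
"""Prioritise patching by KEV membership and report time-to-remediate.

Added example with constructed data. The KEV subset and the findings are
invented; field names mirror the public CISA KEV JSON feed (assumption).
"""
from dataclasses import dataclass
from datetime import date
from pprint import pprint
from statistics import median
from typing import Optional

# Constructed KEV subset: placeholder CVE ids, not real catalogue entries.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleMail", "product": "Server",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-1003", "vendorProject": "ExampleERP", "product": "Core",
         "dateAdded": "2025-04-15", "dueDate": "2025-05-06", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


@dataclass
class Finding:
    """One vulnerability instance on one asset, as a scanner would report it."""
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    detected: date
    fixed: Optional[date] = None  # None means still open


# Constructed scanner output for one organisation.
FINDINGS = [
    Finding("vpn-edge-01", "CVE-0000-1001", 9.8, True, date(2025, 3, 2), date(2025, 3, 6)),
    Finding("mail-01", "CVE-0000-1002", 8.8, True, date(2025, 3, 12), date(2025, 4, 20)),
    Finding("erp-app-02", "CVE-0000-1003", 7.5, False, date(2025, 4, 16), None),
    Finding("hr-portal", "CVE-0000-9999", 9.9, True, date(2025, 3, 5), None),  # high CVSS, not in KEV
    Finding("wiki-int", "CVE-0000-1002", 8.8, False, date(2025, 3, 12), date(2025, 3, 30)),
]


def kev_index(catalog: dict) -> dict:
    """Map cveID -> KEV entry with its ISO date strings parsed to date objects."""
    out = {}
    for v in catalog["vulnerabilities"]:
        out[v["cveID"]] = {
            **v,
            "dateAdded": date.fromisoformat(v["dateAdded"]),
            "dueDate": date.fromisoformat(v["dueDate"]),
        }
    return out


def prioritise(findings, kev):
    """Return only KEV-listed findings, ordered for the patch queue.

    Internet-facing first, then flaws with known ransomware use, then the
    earliest KEV due date. A flaw absent from KEV is left out even with a
    higher CVSS: the queue follows evidence of exploitation, not severity.
    """
    in_kev = [f for f in findings if f.cve in kev]
    return sorted(in_kev, key=lambda f: (
        not f.internet_facing,
        kev[f.cve]["knownRansomwareCampaignUse"] != "Known",
        kev[f.cve]["dueDate"],
    ))


def clock_start(f, kev):
    """The remediation clock starts when the organisation could act:
    the later of the KEV listing date and detection in its own estate."""
    return max(kev[f.cve]["dateAdded"], f.detected)


def remediation_metrics(findings, kev, as_of, windows=(7, 28, 43)):
    """Share of KEV findings closed within each window, median days to fix,
    and the open KEV count. Open findings count as missed in every window."""
    kev_findings = [f for f in findings if f.cve in kev]
    if not kev_findings:
        return {"total": 0, "open": 0, "within": {}, "median_days_to_fix": None}
    closed_in = []  # days to fix for closed findings
    for f in kev_findings:
        if f.fixed is not None:
            closed_in.append((f.fixed - clock_start(f, kev)).days)
    within = {w: round(sum(1 for d in closed_in if d <= w) / len(kev_findings), 2)
              for w in windows}
    return {
        "total": len(kev_findings),
        "open": sum(1 for f in kev_findings if f.fixed is None),
        "within": within,
        "median_days_to_fix": median(closed_in) if closed_in else None,
    }


def board_report(findings=FINDINGS, catalog=KEV_SAMPLE, as_of="2025-05-01"):
    """Patch queue plus the 7/28/43-day numbers a board would see each quarter."""
    kev = kev_index(catalog)
    return {
        "queue": [f.asset for f in prioritise(findings, kev)],
        "metrics": remediation_metrics(findings, kev, date.fromisoformat(as_of)),
    }


if __name__ == "__main__":
    pprint(board_report())
```

On the sample data the queue is the two internet-facing KEV hosts first, then the internal ones, and the high-CVSS `hr-portal` finding is not queued at all because nothing in the catalogue says it is being exploited. The metrics block reports the share of KEV findings closed within each window; an open finding is counted as missed in every window, so the 43-day figure can only rise as the queue drains.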


The close

Go back to the shift that took nineteen years to arrive. The breach story used to be about the stolen key. Now it is about the unlocked door someone walked past. The 31% figure is really a measure of distance: the gap between how fast an attacker can reach a known weakness and how fast your organisation can close it. AI widened that gap, and narrowing it is an operating-model decision rather than a tooling one. The question in front of the board is whether the organisation can fix what it already knows is broken, faster than someone else can find it.


Frequently Asked Questions

Which sources is this analysis based on?

It draws on three independent 2025 to 2026 datasets: the 2026 Data Breach Investigations Report, Palo Alto Networks Unit 42’s 2026 Global Incident Response Report, and IBM’s 2025 Cost of a Data Breach Report, alongside CISA’s Known Exploited Vulnerabilities catalogue.

Why did vulnerability exploitation overtake stolen credentials?

Exploiting unpatched software became faster and more reliable for attackers, helped by AI compressing the time between disclosure and a working exploit. At the same time, organisations remediated known flaws more slowly, widening the gap between exposure and fix.

How fast are attackers exploiting new vulnerabilities?

Unit 42 found that scanning for a newly disclosed flaw begins within 15 minutes of the CVE being published, with the fastest intrusions reaching data exfiltration in just over an hour.

What is the CISA KEV catalogue?

The Known Exploited Vulnerabilities catalogue is a list maintained by the US Cybersecurity and Infrastructure Security Agency of vulnerabilities confirmed to be exploited in the wild. It is widely used to prioritise patching, because every entry is a flaw attackers are provably using.

What should organisations prioritise in response?

Patch vulnerabilities in the CISA KEV catalogue first, secure internet-facing assets, track remediation speed as a board-level metric, and hold third-party vendors to contractual patch timelines.



Disclaimer

This article is provided for general informational purposes only and does not constitute professional security, legal, or financial advice. Statistics cited are drawn from the named source documents and reflect the figures reported at the time of publication. Organisations should assess their own risk environment and consult qualified professionals before making security decisions.
