July 11, 2025

As Chris Hughes points out in a recent Resilient Cyber newsletter, the 2025 editions of several prominent cybersecurity reports independently highlight a steep rise in vulnerability exploitation:

  • Mandiant’s M-Trends 2025 Report notes that vulnerability exploitation has been by far the most prevalent initial infection vector in the past year, accounting for 33% of intrusions where the initial approach could be identified. (Stolen credentials was a distant second at 16%, followed closely by email phishing at 14%.)
  • Verizon’s 2025 Data Breach Investigations Report cites a 34% increase from 2024 in attackers exploiting vulnerabilities to gain initial access and cause data breaches.
  • Datadog’s State of DevSecOps update for April 2025 emphasizes the prevalence of known exploitable vulnerabilities in web applications, as well as the fact that only about 20% of critical vulnerabilities are worth prioritizing for remediation.

In this blog post I’ll explain why vulnerability exploits are more popular than ever with hackers, and what cybersecurity teams can do about it.

Key takeaways

  • Exploiting vulnerabilities is now the number one initial attack vector, being used more often than credential theft and email phishing combined.
  • Many organizations have a growing backlog of unpatched high-risk vulnerabilities.
  • Holistic exposure management that gives companies visibility across their full attack surface is among the most effective ways to assess real-world risks and prioritize remediation.

Why are hackers increasingly targeting vulnerabilities?

Hackers are ramping up their vulnerability exploits because they are finding increasing success with this approach. How can this be, in an era where leading cybersecurity frameworks like ISO 27001, the NIST Cybersecurity Framework (CSF), and the CIS Critical Security Controls, as well as major regulations like HIPAA and PCI DSS, all mandate vulnerability management controls as a foundational capability?

A number of factors are at work, with these being some of the most prevalent:

  • The number of vulnerabilities published in NIST’s National Vulnerability Database (NVD) as Common Vulnerabilities and Exposures (CVEs) is mushrooming at an average annual rate of 16%—including over 30,000 CVEs added in 2024 alone.
  • A primary driver for the ongoing exponential increase in vulnerabilities is the parallel growth in connected devices and new SaaS offerings, which create a massive potential attack surface rife with new vulnerabilities.
  • Hackers are shifting their efforts away from phishing and focusing more on the rapid development of exploits targeting newly published vulnerabilities, often within a few days of disclosure.
  • Nation-state actors are also investing more in targeting vulnerabilities. This accounts for a growing percentage of zero-day exploits, according to Google Threat Intelligence.
  • Many organizations remain slow to patch known exploitable vulnerabilities, which continue to be a significant cyberattack vector even years later.
  • “The human factor,” including procedural errors and insider threats, continues to leave organizations vulnerable.

Perhaps the biggest source of exposure overall is the growing backlog of unpatched vulnerabilities that many companies face. Short on resources, organizations of all sizes struggle to keep up with the unending accumulation of new vulnerabilities, leaving more and more gaps for hackers.

A parallel challenge is identifying which vulnerabilities are most important to patch. Only a small percentage of reported vulnerabilities are ever known to be exploited in the real world, so teams inevitably waste time patching holes that present little or no danger.

What is vulnerability management versus patch management versus configuration management?

Vulnerability management identifies and prioritizes remediation of cybersecurity vulnerabilities on your network. Automated vulnerability scanning makes the process more efficient, helping teams to proactively identify and fix dangerous vulnerabilities before hackers exploit them.

Patch management is the process of deploying software updates to address security vulnerabilities, fix bugs, and improve application functionality. Critical to any company’s cybersecurity posture, patching is often the only viable way to eliminate known, high-priority vulnerabilities in commercial software. But the process introduces its own risks and generally requires testing patches in a controlled environment before deploying them to production.

Configuration management seeks to maintain and optimize continuity, stability, and security across IT system configurations by tracking, documenting, and approving changes to settings, policies, files, and other configuration elements. Identifying and implementing secure configurations is also part of configuration management.

How do these three processes relate? It starts with knowing what components make up your configurations. Then you can assess whether any of those components have vulnerabilities. If so, the next step is often patching them if their severity/risk level warrants it, or if a patch from the vendor is available and should be applied per policy.
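The three steps just described (know your components, check them against published vulnerabilities, then decide what to patch based on severity, real-world risk and patch availability) can be expressed as a small program. The following is an added illustration, not code from the original post or from any vendor product: the inventory, the advisory feed, the product names and the CVE identifiers are all constructed placeholders, and the scoring weights (a large bonus for known-exploited flaws, a smaller one for internet-facing assets) are assumptions chosen to reflect the post's point that a handful of actively exploited vulnerabilities matter far more than the raw CVE count.

```python
"""Toy vulnerability prioritization: inventory -> matching -> risk-ranked queue.

Added illustration, not code from the original post or from any vendor
product. All data below is constructed; the CVE identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    cve: str                 # placeholder ids, not real CVEs
    product: str
    fixed_in: str            # first version containing the fix; "" = no patch yet
    cvss: float
    known_exploited: bool    # e.g. listed in a known-exploited catalogue


# Constructed inventory: step 1, know what components make up your configurations.
INVENTORY = [
    Asset("web-01", "exampleweb", "2.4.1", internet_facing=True),
    Asset("db-01", "exampledb", "13.2.0", internet_facing=False),
    Asset("ws-117", "exampleoffice", "16.0.3", internet_facing=False),
    Asset("web-02", "exampleweb", "2.5.0", internet_facing=True),
]

# Constructed advisory feed: step 2, which of those components have vulnerabilities.
ADVISORIES = [
    Advisory("CVE-0000-0001", "exampleweb", "2.5.0", cvss=9.8, known_exploited=True),
    Advisory("CVE-0000-0002", "exampledb", "13.3.0", cvss=7.5, known_exploited=False),
    Advisory("CVE-0000-0003", "exampleoffice", "", cvss=9.1, known_exploited=False),
    Advisory("CVE-0000-0004", "exampleweb", "2.6.0", cvss=4.3, known_exploited=False),
]


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product at a version below the fix.
    With no fix published yet, every installed version is treated as affected."""
    if asset.product != adv.product:
        return False
    if not adv.fixed_in:
        return True
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Severity (CVSS) is the base; real-world exploitation and exposure raise it.
    The weights are illustrative assumptions, not a published formula."""
    score = adv.cvss
    if adv.known_exploited:
        score += 10.0      # exploited in the wild outranks any unexploited finding
    if asset.internet_facing:
        score += 2.0       # reachable by the automated scanning the post describes
    return score


def recommended_action(adv: Advisory) -> str:
    """Step 3: patch when a vendor fix exists, otherwise mitigate and keep tracking."""
    return "patch" if adv.fixed_in else "mitigate"


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    score: float
    action: str


def prioritize(inventory: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """Match every asset against every advisory; return findings, highest risk first."""
    findings = [
        Finding(a.host, adv.cve, risk_score(a, adv), recommended_action(adv))
        for a in inventory
        for adv in advisories
        if is_affected(a, adv)
    ]
    return sorted(findings, key=lambda f: (-f.score, f.host, f.cve))


if __name__ == "__main__":
    for f in prioritize(INVENTORY, ADVISORIES):
        print(f"{f.score:5.1f}  {f.host:8}  {f.cve}  {f.action}")
```

Run as a script it prints the queue: the known-exploited flaw on the internet-facing web server lands at the top, the critical-but-unpatched desktop issue comes next with a "mitigate" action, and the two low-severity web findings sink to the bottom even though one of them sits on the same exposed host. Note that web-02 already runs the fixed version for the first advisory and so is correctly excluded from it; a text comparison of "2.5.0" against "2.5.0" would have given the same answer here, but the numeric parse is what keeps "10.0.0" from sorting below "9.9.9".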

What can organizations do to manage vulnerability risks?

Hackers trawl the web with automated tools 24×7 looking for “open windows,” with many prevalent exploits targeting major vulnerabilities with patches available for years. To combat such attacks, companies need to find and fix their unpatched systems, including those that “slipped through the cracks” even when patches were being applied.

Common approaches to reduce business risk from vulnerabilities can include:

  • Vulnerability assessments (VAs). Automated VAs can be a great way to identify missing patches, configuration errors, and unregistered assets in a cost-effective manner. VAs can also provide key information to prioritize remediation.
  • Penetration testing. Pen testing, aka ethical hacking, evaluates your security by simulating an attack from malicious outsiders (or insiders) that identifies and exploits known vulnerabilities using both manual techniques and automated tools.
  • Patch management automation. While it sounds great in theory, automated patch management introduces the fear of breaking critical systems, which is why many firms never utilize it. Automatically patching servers might be too risky, but it could help protect workstations, for example.
  • Asset discovery scanning. You can’t protect what you don’t know exists. Asset discovery scanning finds and catalogs all the assets connected to your network, as well as open ports, IP addresses, and other data, as a starting point to check for vulnerabilities.
  • Foundational cybersecurity controls. Take advantage of controls like firewalls, intrusion detection/prevention systems (IDS/IPS), and security information and event management (SIEM) platforms to identify potential incidents and block detected threats.
  • Risk assessment. A best-practice cybersecurity risk assessment can help identify assets and prioritize their protection, show you how well your controls really work, identify security and compliance gaps, and prioritize risk mitigation.
  • Threat intelligence. Curated threat intelligence can help spot emerging threats applicable to your business so you can proactively address them.

What is exposure management and how does it reduce vulnerability-related risk?

Even if your organization has a range of solutions like those above to combat vulnerability risks, the bewildering span and complexity of a typical modern attack surface still makes it extremely difficult to defend. Hackers can breach your systems through undiscovered or untreated vulnerabilities in cloud services, containers, web applications, Internet of Things (IoT) devices, virtual machines, and other IP-connected assets.

To meet the demands of today’s organizations for cost-effective protection from escalating risk, exposure management platforms represent an emerging solution class that offers visibility into a company’s total attack surface, so you can holistically analyze cyber risk and prioritize vulnerability remediation.

Key features of leading exposure management platforms include:

  • Comprehensive coverage to identify vulnerabilities across all your environments, from on-premises IT to cloud services to containers to web applications.
  • AI-driven analytics to anticipate and prioritize threats and proactively block likely attacks.
  • DevSecOps support to help find vulnerabilities earlier in the software development lifecycle, including automated remediation.
  • Dashboards to help business and technical leaders communicate effectively about cyber risk.
  • Integration with existing tools to enhance exposure analysis and leverage current investments.

What are the benefits of exposure management?

The goal of a vulnerability management or exposure management program is not to be 100% successful at remediating all known vulnerabilities—the goal is to keep sensitive data secure.

Accurately identifying and prioritizing your actual risks is key. For example, even if you only patched the top ten most widely exploited vulnerabilities in your environment, you could block about 80% of all the exploits targeting you right now.

Giving you a complete, unified view of exposure across your entire attack surface in one dashboard can be a game-changer, especially for SMBs that may struggle to integrate and interpret disparate data sources.

Some of the top advantages of an exposure management platform include:

  • Stronger data protection
  • Comprehensive visibility into vulnerabilities, misconfigurations, and other risks across the entire attack surface, including public cloud, SaaS solutions, container environments, virtual infrastructure, IT systems, operational technology (OT) assets, IoT devices, and more.
  • Enhanced support for your risk management process so you can more effectively communicate about and address business risk.
  • A streamlined, fine-tuned exposure prioritization process to optimize remediation efforts based on vulnerability severity and true attack risk.
  • Support for regulatory compliance, such as PCI DSS, HIPAA, or Sarbanes-Oxley, all of which mandate vulnerability management practices.
  • Cost savings by proactively reducing the risk of financial and reputational impacts from a data breach or other cyber incident.
  • More potential cost savings by improving the efficiency of your cybersecurity program, including reducing IT complexity and software costs.
  • Independent data to help you evaluate vendor risk and identify weaknesses in third-party systems that could hurt your cybersecurity posture.
  • Demonstrating to customers, management, and other stakeholders that you care about security.
  • Gaining direct feedback on the effectiveness of your patch management, change management, new security controls, etc.

Maximizing your exposure management success with our Tenable One managed service

A holistic plan to understand and address cybersecurity risk exposure is key to protecting sensitive data while optimizing resource usage. But managing vulnerabilities takes more than tools—it requires strategy, expertise, and consistent execution.

To support our clients in navigating the complexities of exposure management and transform cyber risk into a competitive edge, CBIZ Pivot Point Security offers expert Tenable One managed services. Tenable One is a comprehensive exposure management solution suite that seamlessly combines key capabilities like attack surface management, vulnerability management, cloud security posture management, cloud infrastructure entitlement management, and more—empowering businesses to achieve unrivaled visibility, prioritize vulnerabilities with precision, and take informed, proactive steps to mitigate risk.

To ensure our clients get all the benefits of this superior technology, we provide expert management, training, and operational support, eliminating the burden on in-house resources.

What’s next?

To discuss how best to identify and alleviate cyber risks in your unique environment, contact CBIZ Pivot Point Security to speak with an exposure management expert today.