The 2025 Verizon Data Breach Investigations Report (DBIR) has raised serious concerns about the state of VPN and edge device security. According to the report, just over half of the zero-day vulnerabilities exploited last year were fully patched. Even then, it took a median of 32 days for those patches to be applied.
Hackers increasingly targeted VPNs and internet-facing appliances from vendors like Fortinet, Citrix, Ivanti, and SonicWall. As a result, vulnerability exploitation rose by 34% compared to the previous year. This method became the second most common entry point for attackers, right after stolen login credentials.
Verizon’s team found that 22% of all vulnerability-based attacks focused on edge devices and VPNs. That figure is nearly eight times higher than what was reported last year. While companies worked hard to secure their systems, only 54% of the affected devices were fully protected by year-end.
The data mirrors reports from cybersecurity researchers. Ransomware groups and state-sponsored attackers are launching ongoing campaigns against firewalls, edge routers, and VPNs. These critical systems are often left exposed due to delayed patching.
Credential abuse remained a major issue, accounting for 22% of initial breaches—unchanged from the prior year. However, ransomware cases tied to data extortion rose sharply. This type of attack appeared in 44% of breaches, up 37% from the previous year. Interestingly, the median ransom payment dropped from $150,000 to $115,000.
Companies are also becoming more resistant to paying. Around 64% of ransomware victims refused to meet payment demands, up from 50% two years ago. Exposure to ransomware also differs by company size. While 39% of large enterprises experienced ransomware-related breaches, that number jumped to 88% for small and mid-sized businesses.
Supply chain attacks also saw a worrying rise. These breaches, triggered through compromised software vendors or managed service providers, doubled to 30% of all incidents. On average, it took companies 94 days to fix secrets exposed in public code repositories.
The DBIR draws from global forensic sources, including law enforcement, insurers, and cybersecurity teams. This year’s report analyzed over 22,000 incidents and confirmed 12,195 data breaches.
State-sponsored hackers played a larger role this year. These actors were responsible for 17% of breaches, with 70% of those involving unpatched vulnerabilities. While espionage remains their main goal, 28% of state-linked breaches aimed for financial gain, suggesting some attackers are operating for profit.
Human error continues to be a weak link. About 60% of breaches involved phishing, data misdelivery, or password reuse. Verizon also pointed to bring-your-own-device (BYOD) practices as a serious risk. Malware logs revealed that nearly half of compromised endpoints were personal devices storing both business and personal login credentials.
Now in its 17th year, the DBIR remains one of the most trusted reports on real-world cybersecurity trends. This edition makes one thing clear: delays in patching VPNs and edge devices aren’t just risky—they’re a top reason companies are getting breached.