The Rise of Vulnerability Exploits: Why Hackers Are Moving Beyond Phishing
The 2025 edition of Verizon’s Data Breach Investigations Report (DBIR) shows a new reality: about one in five confirmed breaches now starts with exploitation of a software vulnerability, a 34 percent jump over the previous year and the first time the vector has surpassed phishing.
Indusface’s State of Application Security 2024 study paints the same picture from the trenches, recording a 124 percent surge in vulnerability‑driven attacks during 2024 and finding that nearly a third of critical flaws remained open for more than 180 days. In short, unpatched weaknesses have become the easiest way into modern enterprises.
Why Vulnerability Exploits Became the Softer Target
1. Path of Least Resistance
Ten years of mandatory awareness training, tighter email hygiene, and near‑ubiquitous multi‑factor authentication have started to pay off. Verizon’s data shows social‑engineering incidents falling from 22 percent to 17 percent of breach patterns in one year. When the low‑hanging fruit gets harder to pick, adversaries look elsewhere.
2. No User Action Required
Zero‑click flaws like CVE‑2023‑27997 in Fortinet SSL‑VPN or the 2024 Trend Micro Apex One chain can be triggered remotely. Attackers no longer need to trick anyone into clicking a link or entering credentials, removing the single biggest blocker they still face with phishing.
3. CVE Tsunami Feeds the Toolkit
Public vulnerability disclosures grew from 6,449 in 2016 to roughly 40,300 in 2024, a 6‑fold jump. More bugs mean more ammunition, and most exploit kits harvest new CVEs automatically the day they appear.
Check out recent CVE details and mitigation strategies to stay ahead of threats.
4. Vibe Hacking and Point‑and‑shoot Weaponization
On average 115 fresh CVEs are published every day. Proof‑of‑concept code often appears on public repositories within hours, and generative‑AI helpers can refine those PoCs into working payloads for even low‑skill actors.
5. Reliable and Limitless Scale
Mass‑scanning services track thousands of unique IPs probing the same CVE within 24 hours. Because an exploit chain runs the same every time, attackers can sweep the internet and compromise every unpatched host without worrying about user behaviour or spam‑filter escape rates.
6. Chronic Patch Debt
Indusface telemetry shows 31 percent of critical application flaws still open after 180 days. IBM’s global breach study pegs mean time to discover at 204 days and containment at another 73. Attackers, by contrast, need minutes. The imbalance turns every missing patch into a standing invitation.
7. Expanding Edge and Shadow IT
VPN gateways, load balancers and forgotten test servers often sit outside standard patch or EDR coverage. Verizon notes an eight‑fold rise in exploits against such assets, which typically grant privileged access once breached.
8. AI‑Accelerated Reconnaissance
Large‑language models can draft SQL‑injection payloads, fuzz unusual parameters or reverse‑engineer patches, slashing the skills barrier and fuelling the triple‑digit spike in exploit traffic recorded by Indusface.
Real‑World Exploit Campaigns That Prove the Point
1. VMware ESXiArgs Ransomware (2023 – 2024)
More than 3,200 servers worldwide were ransomed by reviving CVE‑2021‑21974, a two‑year‑old remote‑code‑execution bug. There was no phishing and no stolen credentials—just thousands of unpatched hypervisors.
2. MOVEit Transfer Mass Breach (2024)
Within 48 hours of disclosure, threat actors abused CVE‑2024‑5806 to impersonate users over SFTP. Security researchers saw 2,700 publicly exposed instances; education, finance and insurance firms were first in line for data theft and double extortion. Check out our MOVEit Transfer SQL Injection Threat Brief.
3. Cl0p Supply‑Chain Wave (2023)
The same criminal crew leveraged CVE‑2023‑34362—an earlier MOVEit flaw—compromising hundreds of organisations in one coordinated campaign. Combined breach notifications exceeded 93 million records across sectors.
How to Close the Window on Open Vulnerabilities
1. Shrink Mean Time‑to‑Patch (MTTP)
Shift from monthly to continuous patch cycles for all internet-facing assets, and elevate mean time to patch (MTTP) to a board‑level KPI, targeting single‑digit days for critical vulnerabilities.
2. Adopt Virtual Patching for Breach‑Time Cover
WAAP platforms that inject mitigation rules at the edge can neutralize exploits hours after disclosure. Indusface data shows virtual patches blocking 62 percent of web and 71 percent of API exploit traffic in 2024.
3. Automate Discovery of Shadow IT and Edge Appliances
Asset‑mapping tools flag forgotten VPN concentrators, load balancers, and test servers that rarely receive maintenance but always face the internet.
4. Pair Detection with Autonomous Remediation
Solutions like SwyftComply stitch vulnerability scanning to policy‑driven response, cutting remediation windows from months to 72 hours by rolling out compensating controls while code fixes queue up.
5. Integrate Threat Intelligence with Patch Prioritization
If SwyftComply is not feasible, the next best option is to feed CISA KEV lists and exploit‑in‑the‑wild telemetry into risk‑based scoring so security teams patch what attackers actually use, not just what scores 9.8 on CVSS.
Learn more about our risk‑based prioritization, AcuRisQ, here.
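One way to express the scoring described above, as an added example that is not Indusface's or AcuRisQ's code: CVSS is the baseline, and a CISA KEV listing, in‑the‑wild scanning telemetry, internet exposure and the page's 180‑day patch‑debt threshold push a finding up the queue. The CVE identifiers, the KEV and telemetry samples, the weights and the SLA tiers are all constructed for illustration.

```python
# Added example: rank findings by exploitation evidence, not CVSS alone.
# Every CVE id, score, weight and SLA tier below is a constructed placeholder.
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float
    internet_facing: bool
    age_days: int  # days the finding has been open (the page's patch-debt signal)

# Constructed stand-in for the CISA KEV catalogue: the set of listed CVE ids.
KEV_SAMPLE = {"CVE-0000-0001", "CVE-0000-0003"}
# Constructed exploit-in-the-wild telemetry: CVE id -> unique scanning sources in 24h.
EXPLOIT_TELEMETRY = {"CVE-0000-0003": 4200, "CVE-0000-0004": 12}

def risk_score(f: Finding, kev: set, telemetry: dict) -> float:
    """Blend CVSS with exploitation evidence and exposure (weights are assumptions)."""
    score = f.cvss                  # CVSS base score, 0-10
    if f.cve in kev:
        score += 5.0                # known exploited: jumps the queue regardless of CVSS
    hits = telemetry.get(f.cve, 0)
    if hits >= 1000:
        score += 3.0                # mass-scanned within 24h ("thousands of unique IPs")
    elif hits > 0:
        score += 1.0                # some probing seen, but not a sweep
    if f.internet_facing:
        score += 2.0                # edge assets are where the page reports exploits rising
    if f.age_days > 180:
        score += 1.0                # the 180-day chronic patch-debt threshold
    return score

def sla_days(score: float) -> int:
    """Assumed patch-SLA tiers; single-digit days for the top tiers as recommended above."""
    if score >= 15: return 3
    if score >= 10: return 7
    if score >= 7:  return 30
    return 90

def prioritize(findings, kev=KEV_SAMPLE, telemetry=EXPLOIT_TELEMETRY):
    """Return (cve, score, sla_days) tuples, highest risk first."""
    scored = [(f.cve, round(risk_score(f, kev, telemetry), 1)) for f in findings]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(cve, s, sla_days(s)) for cve, s in scored]

SAMPLE = [  # constructed findings
    Finding("CVE-0000-0001", 7.2, True, 200),   # KEV-listed, mid CVSS, open > 180 days
    Finding("CVE-0000-0002", 9.8, False, 10),   # 9.8 CVSS, internal, no exploitation evidence
    Finding("CVE-0000-0003", 8.1, True, 3),     # KEV-listed and mass-scanned
    Finding("CVE-0000-0004", 5.5, True, 40),    # exposed, light probing only
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

With this sample the 9.8 CVSS finding lands third, behind two lower‑scored but actively exploited ones, which is the point of feeding KEV and telemetry into the queue.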
6. Strengthen Build Pipelines, Not Just Prod
Strengthen your software supply chain by integrating these CI/CD safeguards:
- Harden CI/CD with signed artifacts and automatic SBOM generation.
- Add static and dynamic analysis gates that break builds on exploitable flaws.
- Treat IaC misconfigurations as vulnerabilities; remediate via pull request.
7. Layer in Runtime Protection and Anomaly Detection
Exploit‑behavior analytics (memory access patterns, SQL injection signatures, outbound traffic spikes) provide the safety net when a patch slips through scheduling cracks.
Conclusion – Closing Time for the Easy Way In
The data tells a consistent story. Phishing volumes remain high, but efficacy has plateaued. In contrast, the universe of exploitable code grows by three hundred vulnerabilities every week, and attackers can weaponize the freshest ones before the coffee cools in the security operations center (SOC). Open vulnerabilities are cheaper, faster, and more scalable to abuse than tricking humans. They have thus become the adversary’s tool of choice.
Organizations that still rely on once‑a‑quarter scanning and best‑effort patch roll‑outs are playing breach roulette. The path forward is clear: continuous visibility, machine‑speed remediation, and protective controls that buy back the time humans need to test and deploy fixes. When exploited vulnerabilities are harder to find than phishing marks, the pendulum will swing back. Until then, closing the window on open flaws is the single most effective way to keep attackers out.
By combining disciplined patch hygiene with virtual patching, integrated vulnerability intelligence, and autonomous remediation, security teams can turn the attacker’s new favorite doorway into a brick wall.
Learn more about our autonomous remediation here.