Key Insight: Why This Matters

The 2025 DBIR highlights a critical area of importance for vulnerability management teams: edge vulnerabilities. 

Exploitation of edge vulnerabilities in breaches has surged eightfold. Yet, nearly one in three edge KEVs remain fully unpatched — despite being widely recognized as critical risks.

This isn’t a matter of awareness (they’re on CISA’s KEV). It’s about action and prioritization. Real-time intelligence is a must in this situation, giving insight into what attackers are targeting now — ensuring the most pressing threats are identified and resolved quickly. 

This year’s DBIR findings necessitate swift action on the part of defenders, particularly as it relates to edge exploitation. 

‍

Executive Summary 

New findings from the 2025 Verizon Data Breach Investigations Report (DBIR) reveal a critical shift in how attackers breach organizations — and how defenders are simultaneously making strides and falling short:  

‍

Speed and Awareness:

• Exploitation of edge KEVs begins immediately — the median time from disclosure to mass exploitation for edge KEVs is zero days, compared to five days for all KEVs. 
• Defenders are prioritizing edge vulnerabilities more than others:
  
  • 54% of edge KEVs were remediated, compared to 38% of all KEVs.
  • Median time to remediate edge KEVs was 32 days, faster than the 38-day median for all KEVs. 
• ‍This presents a concerning duality — on one hand, time-to-exploit for edge vulnerabilities is zero days; meanwhile, it takes defenders an average of 32 days to remediate these flaws. This significant window of exposure represents a critical risk for most organizations on their edge.

‍

Scale: 

• Vulnerability exploitation is second only to credential theft as a means of breaching organizations.  
• Edge vulnerabilities were used in 22% of breaches involving vulnerability exploitation — an eightfold increase from 3% last year. 

‍

Action Gap: 

• Despite this prioritization, nearly one in three edge KEVs remain fully unremediated — the highest rate of full non-remediation among CVEs and KEVs tracked in the DBIR. 

‍

GreyNoise research reveals a deeper complication: Old edge vulnerabilities are resurging, magnifying the risks defenders face. 

‍

Vulnerability Exploitation Is a Growing Breach Method — and Edge Vulnerabilities Are Central

Vulnerability exploitation is rising as a breach method — and edge vulnerabilities, in particular, are being exploited far more often to break into organizations. 

The Verizon DBIR shows: 

• One in five breaches involved vulnerability exploitation, a 34% rise from last year — second only to credential theft. 
• Among those breaches, exploitation of edge vulnerabilities surged eightfold. 

Despite heightened attention, edge KEVs remain the most likely vulnerabilities to be left unpatched — even though they are already recognized as critical risks. 

This points to a widening gap between risk awareness and defensive action. 

‍

GreyNoise Research Reveals the Growing Risk of Vulnerability Resurgence

The DBIR highlights how quickly attackers exploit vulnerabilities — especially those in edge technologies. 

GreyNoise research reveals a deeper problem: attackers also return to older edge vulnerabilities defenders may have deprioritized. 

• Edge vulnerabilities are already slipping through defenders’ patching efforts. 
• GreyNoise observes attackers opportunistically reviving overlooked vulnerabilities — creating unexpected exposure long after the initial disclosure fades from focus. 

Our research uncovered that resurgent vulnerabilities follow three main attack patterns, visualized as follows (read the full report here): 

‍

Static patching models, focused on CISA KEV, CVSS, and EPSS alone, can miss these shifts. 

Dynamic, exploitation-driven intelligence can reveal when old vulnerabilities become active risks again — cutting through the complex attack patterns above by relying on near real-time alerts of heightened activity. 

‍

Resurgence Disproportionately Affects the Edge 

Our analysis revealed that half of the top exploited resurgent vulnerabilities affect edge assets — with 70% of Black Swans, the most unpredictable class of resurgent flaws, affecting the edge. 

‍

The DBIR and GreyNoise research indicate that edge assets are becoming one of the most attractive targets for attackers. 

‍

What Defenders Must Do

Today’s edge threat environment demands a new approach: 

• Prioritize vulnerabilities based on observed, active exploitation, not just severity ratings. 
• Continuously monitor for resurgence — because old threats can quietly reemerge.
• Adopt dynamic, real-time intelligence models that evolve with attacker behavior. 
• Dynamically block threats with real-time intelligence. Attackers are pivoting infrastructure, utilizing trusted IPs to engage in reconnaissance and launch attacks at scale — limiting the effectiveness of static defenses. 

‍

Read the full report: A Blindspot in Cyber Defense: How Resurgent Vulnerabilities Jeopardize Organizational Security.

‍

— — — 

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

Attackers from every corner of the internet are exploiting a uniquely dangerous class of cyber flaws: resurgent vulnerabilities. 

These aren’t being exploited as zero-days — and spikes in activity rarely make headlines. They’re older flaws that quietly return to relevance as attacker interest reignites. Some were deprioritized years ago. Others were never seen as serious. But today, they’re being opportunistically exploited at scale, often in edge technologies like firewalls, routers, and VPNs — the very internet-facing assets attackers use for initial access and persistence. 

GreyNoise’s latest research breaks down these vulnerabilities — how they behave, why they’re dangerous, and what defenders and policymakers need to know to stay ahead. 

‍

‍

Key Takeaways:  

• Resurgent vulnerabilities fall into three distinct behavioral categories: Utility, Periodic, and Black Swan. Each category has unique exploitation patterns, with Black Swan being the most unpredictable. 
• Over half of the top exploited resurgent CVEs and nearly 70% of Black Swan vulnerabilities affect edge technologies, such as routers and VPNs — the very technologies attackers use for initial access and persistence. 
• Some CVEs are first exploited years after disclosure, creating long-standing blind spots in many patching programs. 
• Resurgent exploitation often arrives without warning, underscoring the need for adaptive patch management and dynamic blocking strategies that account for dormant but dangerous vulnerabilities. 
• Government and private threat intelligence providers have reported state-sponsored exploitation of old vulnerabilities. GreyNoise Intelligence continues to observe widespread opportunistic activity against many of the same flaws. 

‍

Inside the report: 

• A new framework for understanding how vulnerabilities resurface.
• Behavioral patterns of resurgence — and what they mean for defenders. 
• Visuals and examples of resurgent CVEs exploited at scale. 
• Tactical insights for security professionals and policymakers to improve patch prioritization, dynamic blocking, and risk mitigation.

‍

Download the full report and prepare before the next wave hits. 

‍

‍

— — —

‍

^{Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍