Good Thursday morning from TX – the heat keeps cranking up, and we're not even in June yet.
-Jake
1. Verizon DBIR: vulnerability exploitation overtakes stolen creds as the top way in
What's happening: Verizon released its 2026 Data Breach Investigations Report on May 19. For the first time in the report's 19-year history, vulnerability exploitation passed credential abuse as the top initial-access vector: 31% of all breaches, vs. 13% for stolen creds and 16% for social engineering.
State of play:
Ransomware was involved in 48% of confirmed breaches (up from 44%), though only 31% of victims paid and median ransom payments dropped below $140,000.
Third-party breaches surged 60% year-over-year, now representing 48% of incidents.
Patching got worse. Only 26% of CISA KEV-listed vulnerabilities were fully remediated in 2025, down from 38% in 2024. Median patch time grew to 43 days from 32.
Manufacturing got hit hardest among industrial sectors: vulnerability exploitation accounted for 38% of initial access, ransomware was involved in 61% of breaches, and 87% of intrusions were financially motivated.
The big picture: "The rapid weaponization of known vulnerabilities by AI can create a capacity crisis for security teams," the report warns. AI is compressing the disclosure-to-exploit window from months to hours – at the same time the patch backlog is widening. The DBIR also flagged a sharp rise in attacks targeting edge devices, VPNs, firewalls, and remote management tools, exactly the perimeter gear sitting between IT and OT.
2. A 9-company "Alliance for Critical Infrastructure" launches to coordinate cross-sector crisis response
What's happening: The Alliance for Critical Infrastructure (ACI) launched in February as an industry-led nonprofit aimed at strengthening cross-sector resilience and crisis response. Founding members span energy, finance, telecom, and insurance: AIG, AT&T, Berkshire Hathaway Energy, Consolidated Edison, JPMorganChase, Lumen Technologies, Mastercard, Southern Company, and Xcel Energy.
State of play: ACI builds on a decade of work as the Tri-Sector Executive Working Group. The coalition is standing up regional pilot programs focused on incident response, information sharing, and service restoration, and plans to coordinate with sector ISACs, CISA, and sector coordinating councils – explicitly not trying to be another threat-intel feed.
Of note: Health-ISAC's CSO Errol Weiss said the integration question is the open one. "ISACs already provide operational threat intelligence and sector-specific context," he said, warning that "duplicating or bypassing that ecosystem would risk confusion for operators."
🗞️ Quick Reads
🛠️ ICS Patch Tuesday (May 13) dropped 22 new vendor advisories – 18 from Siemens, 4 from Schneider Electric. The most severe: device takeover on Siemens Sentron 7KT PAC1261, root-level command execution on Ruggedcom Rox, and 300+ third-party component flaws in Simatic CN4100. Separately, Siemens warned that its Ruggedcom APE1808 firewall product is affected by a recently disclosed Palo Alto Networks PAN-OS zero-day already being exploited in the wild – reportedly by Chinese state-sponsored actors.
⛽ CNN reported on May 15 that US officials are investigating a string of intrusions targeting automatic tank gauge (ATG) systems used at gas stations, military bases, airports, and hospitals. Iran is a leading suspect. The attackers manipulated the fuel-level readings shown to operators without changing actual tank contents – a textbook HMI-deception attack. BitSight flagged 11 ATG vulnerabilities back in September 2024; thousands of devices remain internet-exposed.
🛡️ CISA's "CI Fortify" initiative – announced by Acting CISA Director Nick Andersen – is pushing critical-infrastructure operators to plan for cyber events that disconnect them from the internet entirely. Two core asks: practice proactive isolation of OT from business networks, and document the manual fallback procedures for replacing or running systems offline. First pilots are underway in water utilities, transportation, and defense critical infrastructure.
🦾 Universal Robots disclosed a 9.8 CVSS flaw (CVE-2026-8153) in PolyScope 5, the controller software running its collaborative-robot arms across factory floors worldwide. The Dashboard Server (TCP/29999) accepts unsanitized input that an unauthenticated network attacker can use to execute commands as root – usable to alter operational parameters or pivot deeper into a poorly segmented OT fleet. CISA published the advisory on May 14. Fixed in PolyScope 5.25.1.
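Two checks a plant security team would run the day this advisory lands, as an added example (not Universal Robots, CISA or newsletter code): flag every controller in the fleet still running a PolyScope version below the fixed 5.25.1, then cross-reference that list against firewall logs to see which of those controllers have actually been reached on the Dashboard Server port (TCP/29999) from outside the engineering segment. The inventory rows, the key=value firewall log format, the log lines, the IP addresses and the engineering subnet are all constructed for the example; only the port number and the fixed version come from the advisory.

```python
"""Fleet triage for the PolyScope 5 Dashboard Server advisory.

Added example, not vendor or advisory code. The inventory, the firewall
log lines and the engineering subnet below are constructed test data.
"""
from __future__ import annotations

import ipaddress
import re

FIXED_VERSION = (5, 25, 1)   # PolyScope 5.25.1, the fixed release per the advisory
DASHBOARD_PORT = 29999       # Dashboard Server TCP port named in the advisory

# Constructed: the only subnet that should ever open the Dashboard Server.
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed inventory: (hostname, controller IP, PolyScope version string).
INVENTORY = [
    ("ur-cell-01", "10.20.7.11", "5.25.1"),
    ("ur-cell-02", "10.20.7.12", "5.24.3"),
    ("ur-cell-03", "10.20.7.13", "5.25.0"),
    ("ur-cell-04", "10.20.7.14", "5.25.1-dev"),   # hypothetical build tag
]

# Constructed firewall log in a generic key=value format.
FW_LOG = """\
ts=2026-05-15T08:02:11Z action=allow proto=tcp src=10.20.5.21 dst=10.20.7.11 dport=29999
ts=2026-05-15T08:02:14Z action=allow proto=tcp src=10.20.5.21 dst=10.20.7.12 dport=29999
ts=2026-05-15T09:17:40Z action=allow proto=tcp src=10.30.1.77 dst=10.20.7.12 dport=29999
ts=2026-05-15T09:17:41Z action=allow proto=tcp src=10.30.1.77 dst=10.20.7.13 dport=29999
ts=2026-05-15T09:18:03Z action=allow proto=tcp src=10.30.1.77 dst=10.20.7.13 dport=502
ts=2026-05-15T10:00:00Z action=deny  proto=tcp src=203.0.113.9 dst=10.20.7.11 dport=29999
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_version(version: str) -> tuple[int, int, int] | None:
    """Leading major.minor.patch as an int tuple; None if the string has no such prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def unpatched_controllers(inventory=INVENTORY) -> list[str]:
    """Hostnames below FIXED_VERSION. Unparseable versions are treated as unpatched."""
    out = []
    for host, _ip, ver in inventory:
        parsed = parse_version(ver)
        if parsed is None or parsed < FIXED_VERSION:
            out.append(host)
    return out


def parse_fw_line(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict (empty dict for blank lines)."""
    return dict(_KV.findall(line))


def dashboard_access_from_outside(log: str = FW_LOG, allowed=ENGINEERING_NETS):
    """(ts, src, dst, action) for every TCP/29999 session whose source is not in an allowed net."""
    hits = []
    for line in log.splitlines():
        rec = parse_fw_line(line)
        if not rec or rec.get("proto") != "tcp":
            continue
        if int(rec.get("dport", 0)) != DASHBOARD_PORT:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in allowed):
            continue
        hits.append((rec["ts"], rec["src"], rec["dst"], rec["action"]))
    return hits


def exposed_unpatched(inventory=INVENTORY, log=FW_LOG, allowed=ENGINEERING_NETS) -> list[str]:
    """Unpatched controllers that an out-of-segment host actually reached (action=allow) on 29999."""
    ip_to_host = {ip: host for host, ip, _ in inventory}
    unpatched = set(unpatched_controllers(inventory))
    reached = {dst for _, _, dst, action in dashboard_access_from_outside(log, allowed)
               if action == "allow"}
    return sorted(h for ip, h in ip_to_host.items() if ip in reached and h in unpatched)


if __name__ == "__main__":
    print("below 5.25.1:", unpatched_controllers())
    for ts, src, dst, action in dashboard_access_from_outside():
        print(f"{ts} {action:5} {src} -> {dst}:{DASHBOARD_PORT}")
    print("patch first:", exposed_unpatched())
```

The third function is the one to act on: a controller that is both unpatched and already reachable on 29999 from a non-engineering subnet goes to the top of the patch queue, and the firewall rule that let 10.30.1.77 through gets fixed the same day. Denied attempts from outside (the 203.0.113.9 line) are still worth a look, since they show the port is being probed even though the rule held.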
One More Thing: UK to public sector: AI isn't the reason your code is vulnerable. Your patching is.
What's happening: The UK government published "AI, open code and vulnerability risk in the public sector" on May 14, jointly authored by the Government Digital Service and the Department for Science, Innovation and Technology. The guidance pushes back directly on calls to close public-sector source code in response to AI-accelerated vulnerability discovery.
The argument: "Source visibility usually changes time-to-discovery and attacker uncertainty, rather than being the dominant determinant of whether a weakness exists."
The recommendations: Keep code open by default. Treat closure as an exception requiring a documented threat model. And enforce four minimum standards: named ownership with a maintenance plan, a working vulnerability-intake process, automated dependency and secret scanning, and patching SLAs that are actually met.
