The 2025 Verizon Data Breach Impact Report paints a stark picture of web application security, and as someone who contributes hundreds of thousands of vulnerabilities yearly to this report, I see the truth daily at Edgescan. We’re proud to be a data source for this year’s DBIR again – Verizon’s annual report is crucial for industry understanding. Here’s what’s really happening in the web application layer, straight from our continuous scanning of APIs and web apps across thousands of domains.
Basic Web Application Attacks Are Back in Style
The “get in, get the data, get out” attacks are alarmingly common. With 1,701 incidents and 1,387 confirmed data compromises, these aren’t isolated events. What worries me most? Every single breach came from external actors. No insider threats here – it’s the bad guys coming at you from outside your walls.
But here’s the twist: espionage now drives 61% of these attacks. That’s a major shift from financial motives dominating previous years. The data they’re after? Mostly “other” data (65%), but personal information (36%) and credentials (35%) are right behind.
The Credential Crisis Gets Worse
The numbers don’t lie. Stolen credentials power 88% of web application breaches. Where are attackers finding these credentials? Web applications (39%), development environments and CI/CD pipelines (66%), and cloud infrastructure (43%). That’s right – your development secrets are more exposed than your web apps.
The credential ecosystem is sophisticated:
- Infostealers grab passwords and cookies
- Marketplaces sell them
- Premium channels offer exclusive access
- Live logs give real-time access to breached data
And remember – 54% of ransomware victims had their domains in infostealer logs. The connection is clear.
What Our Vulnerability Data Shows
Our 2025 Vulnerability Statistics Report digs deeper into what automated scanners miss. Here’s what you need to know:
- Over 33% of vulnerabilities found across the stack are critical or high severity
- SQL Injection (CWE-89) is still the top web vulnerability – it’s been that way since 2022
- Web apps take longer to fix: 74.3 days vs 54.8 days for network issues
- Larger companies are worse at patching: 45.4% of their vulnerabilities remain unfixed after 12 months
The numbers are staggering: 40,009 new CVEs in 2024. CISA added 185 to their Known Exploited list. And 768 CVEs saw real-world attacks – that’s 20% more than 2023.
Different Industries, Different Problems
Software companies fix things faster (63 days average). Construction firms? Not so much (104 days). The gap shows how industry matters in security response.
But here’s something troubling: the complex vulnerabilities that automated tools miss? You need human expertise to find them. And those are often the ones that matter most.
The Attack Methods Keep Working
The basics still work:
- Brute force attacks haven’t gone away
- VPN and edge device exploits jumped from 3% to 22%
- 42% of exploits hit web applications
- Once in, attackers use backdoors to maintain access
What Really Needs to Change
Based on what we see daily:
- MFA Implementation: Multi-factor authentication should be mandatory and not optional for both Externally Exposed Applications and for Remote Network Access.
- Scrutinize Logins: Implement additional protection around cookies and session keys.
- Passphrase Management: Encourage long passwords and secure configurations.
- OS Hardening: Secure configurations for endpoint systems and domain controllers.
- Continuous Vulnerability Management: Establish and maintain a vulnerability management process
- Establish and Maintain a Remediation Process: Prioritize vulnerabilities which matter
The stats don’t lie. Web applications remain a prime target, credentials are too easy to steal, and most organizations aren’t patching fast enough. The threat actors are organized, motivated, and successful.
Download our full Vulnerability Statistics Report for the complete data: https://www.edgescan.com/stats-report/
The trend is clear. Are you ready for what’s coming?