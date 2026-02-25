In a reversal of a long-standing trend, researchers at IBM’s X-Force threat intelligence unit say they have observed a 44% increase in cyber attacks that begin with the exploitation of vulnerable public-facing applications, outpacing credential abuse by a significant margin.

In recent years, a quip that runs along the lines of “attackers don’t hack the cloud, they log in” has become a popular adage in the cyber community, reflecting a surge in attacks beginning with phished or stolen credentials.

Logging in legitimately means threat actors do not have to burn valuable hoarded zero days, and can get away with disguising their attacks as everyday activity, taking the path of least resistance in search of a payday.

Although the misuse of valid accounts still accounted for just under a third of the cases represented in the X-Force data, the latest report suggests the exploitation of vulnerabilities, which its researchers claim formed the initial access vector in 40% of incidents it tracked last year, is seeing a renewed burst of enthusiasm among threat actors.

What is more, the team says artificial intelligence (AI) tools may be driving this trend by making it easier for attackers to seek out misconfigured, unprotected or vulnerable applications. They said this highlights a critical need for stronger access controls, rigorous patching and secure deployment practices.

“Attackers aren’t reinventing playbooks, they’re speeding them up with AI,” said Mark Hughes, IBM global managing partner for cyber security services.

“The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed. With so many vulnerabilities requiring no credentials, attackers can bypass humans and move straight from scanning to impact.

“Security leaders need to shift to a more proactive approach, using agentic-powered threat detection and response to identify gaps and catch threats before they escalate,” said Hughes.

X-Force said its penetration tests still revealed “persistent weaknesses” in both software configuration and credential hygiene, with misconfigured access controls a common entry point across the board.