2026 Supply Chain Vulnerability Report:
Velocity Without Visibility Is the New Supply Chain Crisis
By the Black Kite Research Group™
INTRODUCTION
Vulnerabilities are a supply chain risk, not just an internal IT concern.
A single unpatched flaw in a vendor can cascade across thousands of downstream organizations, turning an isolated technical weakness into a systemic business disruption.
This is Black Kite's second annual Supply Chain Vulnerability Report. We produced this research because the rules of engagement fundamentally changed in 2025.
- According to Mandiant, attackers routinely exploited vulnerabilities an average of seven days before public disclosure.
- Furthermore, artificial intelligence fully entered the vulnerability conversation, acting simultaneously as a massive new attack surface and a powerful detection tool.
Defending against this velocity requires Third-Party Cyber Risk Management (TPCRM) teams to utilize intelligence that goes far beyond raw CVSS scores. In 2025, more than 48,000 CVEs were published globally. To cut through that volume, the Black Kite Research Group™ analyzed more than 1,240 high-priority CVEs and identified just 58 that posed a genuine, discoverable, and exploitable threat to enterprise supply chains.
Figure: 48,000+ CVEs published | 1,240 high-priority CVEs analyzed | 58 matter to supply chains
This is proof that precision, not volume, is the competitive advantage.
What makes this report different:
Most vulnerability reports analyze isolated Common Vulnerabilities and Exposures (CVEs). We examine how those vulnerabilities propagate through vendor ecosystems. Rather than prioritizing theoretical severity, this report focuses exclusively on OSINT discoverability, real-world exploitability, and direct vendor exposure.
To deliver this level of precision, the Black Kite Research Group™ manually analyzed 1,240 high-priority CVEs in 2025 (a 59% increase from 2024) augmented by AI-powered analysis capabilities to match the scale of the threat.
The result: of more than 48,000 CVEs published in 2025, 800+ were exploited in the wild. Yet only 58 were OSINT-discoverable and exploitable enough to pose a genuine, targeted threat to enterprise supply chains.
This report delivers three core pillars of actionable intelligence:
- Intelligence that helps organizations pinpoint which vendors in their supply chain are affected.
- Intelligence on which IT assets and products are at risk.
- Intelligence on how threat actors are likely to exploit them, including new AI-specific vectors.
Who should read this report
This report is built for TPCRM leaders, CISOs, security operations teams, supply chain leaders, and vendor risk managers. It provides the definitive data and methodology for anyone responsible for securing an extended vendor ecosystem and transitioning their program from reactive patching to proactive risk mitigation.

TABLE OF CONTENTS

01 | EXECUTIVE SUMMARY
Why Vulnerabilities Are Now a Supply Chain Crisis

02 | 2025 VS. 2024
The Year the Rules Broke

03 | THREAT ACTORS
Who Is Attacking Your Vendors

04 | THE AI FACTOR
AI Didn't Just Change the Attack Surface, It Expanded It

05 | PRIORITIZATION FRAMEWORK
Going from 48,000+ CVEs to the 58 That Matter

06 | ACTIONABLE INTELLIGENCE
How FocusTags® Work in the Real World

07 | VENDOR ENGAGEMENT
Evidence Over Questionnaires

08 | NEXT STEPS
What TPCRM Leaders Must Do Now

09 | METHODOLOGY