Appendix

PART 1: Methodology and Data Tables

A. Methodology

Black Kite Research Group Analysis Process

The findings within the 2026 Supply Chain Vulnerability Report are founded on a rigorous manual analysis process conducted by the Black Kite Research Group™. While automated scanners track the raw volume of disclosures, raw Common Vulnerability Scoring System (CVSS) data alone is insufficient for effective Third-Party Cyber Risk Management (TPCRM). To extract actionable intelligence, our researchers manually analyzed 1,240 high-priority Common Vulnerabilities and Exposures (CVEs) published in 2025.

This represents a 59% increase in manual analysis volume compared to the 780 high-priority CVEs analyzed in the 2024 reporting period. This escalating workload reflects the growing complexity of the digital supply chain and the rapid weaponization of newly disclosed flaws.

The criteria for designating a vulnerability as "high-priority" require the flaw to extend beyond theoretical severity. The Black Kite Research Group evaluates vulnerabilities based on real-world exploitability, the prevalence of the affected product within enterprise supply chains, and the active interest of threat actors. Vulnerabilities that are strictly internal, highly theoretical, or confined to obscure hardware are filtered out of this high-priority dataset.

Data Sources

The quantitative and qualitative intelligence in this report aggregates telemetry and validated findings from multiple authoritative databases and external threat intelligence providers:

  • NVD: The National Vulnerability Database, for baseline CVE publication data and CVSS metrics.
  • CISA KEV: The Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, used to confirm active, real-world exploitation.
  • EPSS: The Exploit Prediction Scoring System, used to gauge the probabilistic likelihood of exploitation within a 30-day window.
  • Black Kite Proprietary Data: Internal scanning telemetry, OSINT collection, company-to-CVE mapping across 250,000 continuously monitored organizations, and proprietary FocusTags® risk tracking.
  • External Sources: Validated intelligence from Trend Micro, the Mandiant M-Trends 2026 report, and Google Threat Intelligence regarding AI vulnerability volumes and zero-day exploitation timelines.

FocusTag® Assignment Criteria

To operationalize vulnerability data, the Black Kite Research Group utilizes FocusTags®. A FocusTag® is only assigned when a vulnerability meets strict discoverability and exploitability thresholds, significantly reducing alert fatigue.

  • OSINT Discoverability Requirement: A vulnerability must be identifiable on external-facing assets using Open-Source Intelligence (OSINT) tools. If attackers cannot see the vulnerability from the outside, it is highly unlikely to be exploited at scale across the supply chain.
  • Exploitability Indicators: The vulnerability must exhibit dynamic risk indicators, including the public availability of Proof-of-Concept (PoC) exploit code, observed exploitation by threat actors, inclusion in the CISA KEV catalog, or surging mentions within underground and security communities.

Each FocusTag® is distributed with a transparent Confidence Level to dictate the urgency of vendor outreach:

  • Very High: Direct, definitive evidence exists that the vulnerable product version is actively in use by the vendor.
  • High: The specific product is identified on the vendor's perimeter, and the vast majority of deployed versions are known to be vulnerable.
  • Medium: The specific product is identified, but only a limited subset of its versions is vulnerable. This tag requires monitoring or clarifying engagement to confirm exposure.
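The two assignment gates and the three confidence levels above form a triage policy. The following is an added illustration of that policy as code, not Black Kite's implementation; the field names, the `CveObservation` record and the sample CVE identifiers are constructed for the example.

```python
"""FocusTag-style triage policy as code (added example, not Black Kite's code).
Gate 1: OSINT discoverability. Gate 2: at least one exploitability indicator.
Then the confidence level is derived from the vendor-side version evidence."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class CveObservation:
    cve_id: str
    osint_discoverable: bool          # visible on external-facing assets
    poc_public: bool = False          # exploitability indicators (any one suffices)
    exploitation_observed: bool = False
    in_cisa_kev: bool = False
    mention_surge: bool = False
    product_on_perimeter: bool = False        # product identified at the vendor
    vulnerable_version_confirmed: bool = False  # definitive version evidence
    most_versions_vulnerable: bool = False     # vast majority of versions affected


def assign_focustag(obs: CveObservation) -> Optional[str]:
    """Return 'Very High', 'High' or 'Medium', or None when no tag is earned."""
    if not obs.osint_discoverable:
        return None  # not visible from the outside: unlikely to be exploited at scale
    if not (obs.poc_public or obs.exploitation_observed
            or obs.in_cisa_kev or obs.mention_surge):
        return None  # theoretical severity only, no dynamic risk indicator
    if not obs.product_on_perimeter:
        return None  # no asset-level link between this vendor and the flaw
    if obs.vulnerable_version_confirmed:
        return "Very High"
    if obs.most_versions_vulnerable:
        return "High"
    return "Medium"  # product seen, but only a subset of versions is vulnerable


def confidence_distribution(observations: Iterable[CveObservation]) -> Counter:
    """Count assigned tags per confidence level; untagged CVEs are excluded."""
    return Counter(level for obs in observations
                   if (level := assign_focustag(obs)) is not None)


# Constructed sample observations for one hypothetical vendor (placeholder IDs).
SAMPLE = [
    CveObservation("CVE-0000-0001", True, in_cisa_kev=True,
                   product_on_perimeter=True, vulnerable_version_confirmed=True),
    CveObservation("CVE-0000-0002", True, poc_public=True,
                   product_on_perimeter=True, most_versions_vulnerable=True),
    CveObservation("CVE-0000-0003", True, mention_surge=True, product_on_perimeter=True),
    CveObservation("CVE-0000-0004", False, in_cisa_kev=True, product_on_perimeter=True),
    CveObservation("CVE-0000-0005", True, product_on_perimeter=True),
]
```

The fourth record is in KEV but not externally discoverable and the fifth has no exploitability indicator, so neither receives a tag even though both products sit on the perimeter.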

B. CVE Data Tables & Graphics

Table B.1: Top 20 CVEs by Company Match (2025)

Note: This table reflects the vulnerabilities with the widest blast radius across the 250,000 continuously monitored organizations in Black Kite's dataset. The "Long Tail" of risk consists of vulnerabilities outside this top tier.

| Rank | CVE ID | Estimated Companies Affected | Vulnerability / Product |
|------|--------|------------------------------|-------------------------|
| 1 | CVE-2025-26465 | 108,000+ | Microsoft |
| 2 | CVE-2025-32728 | 103,000+ | Microsoft |
| 3 | CVE-2023-44487 | 72,000+ | HTTP/2 Rapid Reset |
| 4 | CVE-2024-3566 | ~65,000 | Application Component |
| 5 | CVE-2021-3618 | ~65,000 | Application Component |
| 6 | CVE-2024-38193 | ~6,000 | Windows Ancillary Function Driver |
| 7 | CVE-2024-38107 | ~6,000 | Windows Power Dependency Coordinator |
| 8 | CVE-2024-38106 | 5,000+ | Windows Kernel |
| 9 | CVE-2019-1069 | ~5,000 | Windows Task Scheduler |
| 10 | CVE-2024-4577 | ~5,000 | PHP CGI Component |
| 11 | CVE-2024-40898 | 4,000+ | Server-Side Request Forgery |
| 12 | CVE-2024-6387 | ~3,000 | OpenSSH |
| 13 | CVE-2024-4984 | ~2,000 | Stored XSS |
| 14 | CVE-2020-3259 | ~1,000 | Cisco ASA / FTD |
| 15 | CVE-2024-20353 | 1,200+ | Cisco ASA / FTD |
| 16 | CVE-2024-20359 | 1,200+ | Cisco ASA / FTD |
| 17 | CVE-2024-3400 | ~1,000 | Palo Alto PAN-OS |
| 18 | CVE-2023-3519 | 900+ | Citrix NetScaler |
| 19 | CVE-2023-4966 | 900+ | Citrix NetScaler |
| 20 | CVE-2023-6549 | 900+ | Citrix NetScaler |

Table B.2: CISA KEV Additions by Month (2025)

Total Additions: 245

| Month | Additions |
|-----------|-----|
| January | 18 |
| February | 27 |
| March | 24 |
| April | 15 |
| May | 22 |
| June | 14 |
| July | 21 |
| August | 19 |
| September | 25 |
| October | 26 |
| November | 21 |
| December | 13 |

Table B.3: Zero-Day Breakdown by Vendor (2025)

Total Zero-Days Tracked: 99

| Vendor | Zero-Day Count | Example CVEs |
|-----------|----|--------------------------------|
| Microsoft | 21 | CVE-2025-32706, CVE-2025-21333 |
| Google | 11 | CVE-2025-5419 |
| Apple | 8 | CVE-2025-24085, CVE-2025-24200 |
| Fortinet | 5 | CVE-2024-55591, CVE-2025-32756 |
| Ivanti | 4 | CVE-2025-0282, CVE-2025-22457 |
| Broadcom | 4 | CVE-2025-22224, CVE-2025-22225 |
| Linux | 4 | CVE-2024-53104, CVE-2024-50302 |

Graphic B.4: Top 10 Vendors by Zero-Day Vulnerabilities in 2025

Graphic B.5: Monthly Distribution of Zero-Day Vulnerabilities (2025), Peak in March

Graphic B.6: Ransomware Victim Numbers

Graphic B.7: CVSS Range Distribution (2025 Analyzed CVEs)

Graphic B.8: EPSS Range Distribution (2025 Analyzed CVEs)

Graphic B.9: Of all unique Microsoft CVEs, 2,887 have appeared in Patch Management findings for companies scanned by Black Kite through February 26, 2026.

Graphic B.10: Companies Suspected to Be Exposed to High-Priority OSINT-Discoverable Vulnerabilities

Graphic B.11: Global Distribution of Vendor Vulnerabilities by Country

C. FocusTags Reference

Summary Statistics

  • Total FocusTags Applied (2025): 158
  • CVEs Covered by Tags: 329+
  • Confidence Distribution:
    • Very High: 50
    • High: 93
    • Medium: 15

By Product Category Concentration

| Brand / Product Group | FocusTag Count |
|---------------------------------------------|---------------------|
| Microsoft (SQL Server, SharePoint, Exchange) | 29 |
| F5 (BIG-IP, WAF) | 21 |
| Ivanti | 15 |
| Tridium (OT/ICS) | 10 |
| SonicWall | 8 |
| Others / Long Tail | 36.7% of total risk |

D. Threat Actor Reference

Ransomware Groups (By Global Footprint)

Lockbit

Targeted organizations across

countries.

Qilin

Targeted organizations across

countries.

INC Ransom

Targeted organizations across

countries.

Akira

Targeted organizations across

countries.

Clop

Targeted organizations across

countries.

APT Groups (By Global Footprint & Exposure)

APT29

Targeted organizations across

countries.

APT41

Targeted organizations across

countries.

Volt Typhoon

Targeted organizations across

countries.

(Highest aggregate exposure score due to critical infrastructure targeting)

UNC5221

Generated an extreme exposure score of

based on deep vertical persistence.

E. AI Vulnerability Catalog

2025 AI Vulnerability Statistics

  • Total AI-Related CVEs: 2,100+
  • Proportion of Global CVEs: 4.42% of all published vulnerabilities
  • High/Critical Severity AI CVEs: 641 total (124 Critical-severity, 517 High-severity)

Notable AI Supply Chain CVEs (2025)

| CVE ID | Product | Vulnerability Description |
|----------------|----------------------|---------------------------------------------------------------|
| CVE-2025-32711 | Microsoft 365 Copilot | EchoLeak: Zero-click data exfiltration via poisoned context |
| CVE-2025-53773 | GitHub Copilot | Prompt Injection Remote Code Execution (RCE), Wormable |
| CVE-2025-52882 | Claude Code | WebSocket bypass leading to RCE in developer environments |
| CVE-2025-54135 | Cursor IDE | CurXecute: RCE over Model Context Protocol (MCP) |
| CVE-2025-6514 | MCP Remote | Arbitrary OS Command execution |

PART 2: Glossary of Supply Chain Vulnerability Terms

Vulnerability & Scoring Terms

CVE (Common Vulnerabilities and Exposures): A publicly disclosed cybersecurity vulnerability or weakness that can be exploited by an attacker.

CVSS (Common Vulnerability Scoring System): A standardized framework that assesses the theoretical severity and technical characteristics of a vulnerability at the time of its disclosure.

EPSS (Exploit Prediction Scoring System): A predictive, continuously updated model that estimates the mathematical probability of a specific vulnerability being exploited within the next 30 days.

KEV (CISA Known Exploited Vulnerabilities): A catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency listing vulnerabilities definitively confirmed to be weaponized in real-world attacks.

Zero-Day: A newly discovered vulnerability that is actively exploited by threat actors before the software vendor has released a patch or public mitigation.

N-Day: A known vulnerability for which a patch exists but remains unpatched in many environments, serving as a primary and reliable vector for threat actors.

Time-to-Exploitation (TTE): The measured time window between a vulnerability's public disclosure or patch release and its active exploitation in the wild.

OSINT (Open Source Intelligence): The collection and analysis of publicly available information, often utilized by attackers and defenders to discover externally exposed, vulnerable systems on the internet.

PoC (Proof of Concept): Publicly available code or demonstrations that validate exactly how a specific vulnerability can be successfully exploited.

Attack Surface: The globally exposed foundations of a vendor ecosystem, analyzed using OSINT to map the external discoverability of vulnerabilities.

RCE (Remote Code Execution): A severe vulnerability class allowing direct, arbitrary OS command execution, increasingly recognized as a weaponizable threat in agentic AI frameworks where prompt injection acts as the "new RCE".

Black Kite & Industry Terms

FocusTag®: An intelligence indicator that links a global threat to a specific vendor's asset-level exposure, highlighting highly discoverable and exploitable flaws.

Ransomware Susceptibility Index® (RSI™): A predictive metric that calculates the likelihood of a specific vendor experiencing a ransomware attack by comparing their digital footprint to real-world attack patterns.

The Bridge™: A vendor engagement platform designed to operationalize intelligence, allowing organizations to securely share vulnerability evidence and track vendor remediation progress.

TPCRM (Third-Party Cyber Risk Management): The comprehensive practice of identifying, tracking, and actively mitigating cyber risks across an organization's extended vendor and supplier ecosystem.

Supply Chain Vulnerability: An unpatched flaw within a third-party vendor or IT asset that can cascade across thousands of downstream organizations, turning an isolated technical weakness into a systemic business disruption.

Black Kite Research Group™: The dedicated research and threat intelligence division responsible for vulnerability analysis, ecosystem risk tracking, and the curation of FocusTags.

AI-Specific Terms

MCP (Model Context Protocol): An open standard used by agentic AI systems to securely connect with local files, development environments, and external tools.

RAG (Retrieval-Augmented Generation): An AI framework that retrieves external content or historical context to augment a model's responses, which can be manipulated by attackers via poisoned data.

Prompt Injection: An attack vector where malicious instructions are embedded into AI inputs, tricking the model into executing unintended actions or exfiltrating data.

Shadow AI: The unauthorized, unvetted, or undisclosed use of generative AI tools by vendors, resulting in sensitive data flowing to third-party providers without visibility.

Agentic AI / AI Agents: Autonomous artificial intelligence systems capable of utilizing external tools, executing code, and taking independent actions rather than simply generating text.

Generative AI (GenAI): Artificial intelligence technologies rapidly adopted by vendors, which can introduce hidden data flows and new infrastructure vulnerabilities that legacy security questionnaires fail to detect.

The Long Tail: The highly fragmented majority of niche products, industrial control systems, and mid-market software publishers outside the top major vendors, representing 36.7% of discoverable supply chain risk.

Threat Actor Terms

APT (Advanced Persistent Threat): Highly sophisticated, often state-sponsored threat groups that focus on long-term network infiltration, cyber espionage, and strategic access.

RaaS (Ransomware-as-a-Service): A cybercriminal business model where ransomware developers lease their malware and infrastructure to affiliates for widespread supply chain attacks.

Double Extortion: A ransomware tactic where attackers not only encrypt a victim's network but also exfiltrate sensitive data to threaten public release or mass-leak campaigns.

Initial Access Broker: Threat actors who specialize in gaining the initial foothold into a corporate network and subsequently selling or handing off that access to secondary actors.

For a full TPRM and TPCRM glossary, visit https://blackkite.com/knowledge-centers/tprm-tpcrm-glossary.

References:

  1. Trend Micro, TrendAI™ State of AI Security Report: Fault Lines in the AI Ecosystem. https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/fault-lines-in-the-ai-ecosystem-trendai-state-of-ai-security-report
  2. DeepStrike, AI Cyber Attack Statistics 2025: Trends, Costs, Defense. https://deepstrike.io/blog/ai-cyber-attack-statistics-2025
  3. CISA, Known Exploited Vulnerabilities Catalog. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  4. Mandiant, M-Trends 2026: Data, Insights, and Strategies From the Frontlines. https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
  5. Jerry Gamblin, 2025 CVE Data Review. https://jerrygamblin.com/2026/01/01/2025-cve-data-review/
  6. NIST, National Vulnerability Database (NVD). https://nvd.nist.gov/
  7. Black Kite, 2025 Supply Chain Vulnerability Report. https://blackkite.com/report/2025-supply-chain-vulnerability-report/