Executive Summary


Why Vulnerabilities Are Now a Supply Chain Crisis

OVERVIEW

In 2025, the average time-to-exploit for a vulnerability fell to minus seven (-7) days: on average, exploitation began a full week before the flaw was publicly disclosed, and therefore before any patch existed. The same Mandiant metric for 2024 was already -1 day (see the table below), so in 2025 the window did not merely shrink; it widened on the wrong side of disclosure, turning the traditional disclose-patch-deploy lifecycle upside down. Traditional supply chain defenses are failing against this velocity. Yet of the 48,000+ CVEs published that year and roughly 800 exploited in the wild, Black Kite's research identified just 58 that posed a genuine, discoverable, and exploitable threat to enterprise supply chains, a finding that redefines what precision looks like in modern third-party cyber risk management (TPCRM).

To arrive at that finding, the Black Kite Research Group™ manually analyzed 1,240 high-priority Common Vulnerabilities and Exposures (CVEs) published in 2025 to map how these threats propagate through vendor ecosystems. The resulting data shows a threat landscape defined by extreme speed, severe impact, and the disruptive arrival of artificial intelligence.

The Headline Numbers: 2024 vs. 2025

Metric                               2024       2025       Change
Global CVEs Published                41,000+    48,000+    +18%
CISA KEV Additions                   186        245        +32%
Zero-Days Tracked                    ~78        99         +27%
High/Critical CVEs (of analyzed)     44%        84%        +91% (relative)
Time-to-Exploitation*                -1 day     -7 days    Inverted
CVEs Analyzed by Black Kite          780        1,240      +59%

*Mandiant, M-Trends 2026: Data, Insights, and Strategies From the Frontlines, https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026

Four Key Shifts


1. More Exploited Vulnerabilities, Same High Bar

CISA's Known Exploited Vulnerabilities (KEV) catalog added 245 new actively exploited flaws in 2025, a 32% increase over 2024. The severity profile stayed high: approximately 87% of these additions are rated High or Critical. Likewise, of the 1,240 high-priority vulnerabilities the Black Kite Research Group analyzed as being of particular interest to third-party risk programs, 84% are rated High or Critical. The sheer volume of such CVEs makes a "patch everything" approach mathematically and operationally impossible.

245 CISA KEV additions in 2025, a 32% increase from 2024

2. The Exploitation Window Inverted

The window for remediation no longer exists; it has inverted. The average time from vulnerability disclosure to active exploitation collapsed to -7 days in 2025, meaning attackers were exploiting flaws a full week before those flaws were publicly disclosed. Compounding this speed, the median time from initial access to a handoff to a secondary threat actor, such as a ransomware group, fell from 8 hours in 2022 to 22 seconds in 2025. Once a vendor is compromised, escalation is nearly instantaneous.

-7 days from disclosure to exploitation; 22 seconds from initial access to handoff to a secondary threat actor

3. Attribution Stayed Murky

Despite the 32% year-over-year growth in the KEV catalog, attribution remains a major intelligence gap. Only 24 of the 2025 additions (9.8%) carry "Known" in CISA's known-ransomware-campaign-use field, meaning they were explicitly linked to ransomware campaigns. The remaining 221 exploited vulnerabilities are marked "Unknown" in that field, showing that severe threat intelligence gaps persist even as active exploitation scales globally.

24 KEVs (9.8%) attributed to ransomware; 221 KEVs (90.2%) marked "Unknown"

4. AI Entered the Vulnerability Conversation

Artificial intelligence shifted from a theoretical threat to a tracked attack surface. In 2025, 2,130 AI-related CVEs were published, a 34.6% year-over-year increase. Major AI coding assistants and agentic frameworks recorded high-severity CVEs, establishing prompt injection as the "new RCE" (Remote Code Execution) for agentic systems: untrusted text that a model reads can become commands that a tool-calling agent executes. In addition, Anthropic's 2026 Project Glasswing demonstrated that AI models can autonomously identify zero-day flaws at scale. The volume and velocity of zero-day exploitation may therefore accelerate far beyond what any reactive program can absorb.

2,130 AI-related CVEs in 2025, a 34.6% increase from 2024

What This Means for TPCRM

Reactive vulnerability management is obsolete

With a negative time-to-exploitation, waiting for periodic assessments or vendor self-reporting leaves your ecosystem exposed during exactly the window in which exploitation is already under way.

The "Long Tail" demands attention

There’s considerable risk beyond the largest vendors. 36.7% of discoverable risk lies in the "Long Tail" of niche products and mid-market suppliers, and this requires equal attention.

The security divide is widening

Large enterprises are leveraging AI to compress vulnerability detection timelines dramatically. Mid-market and smaller vendors are not keeping pace, making Tier 2 suppliers an increasingly concentrated point of risk for enterprise supply chains.

Advance warning is achievable

Intelligence-driven detection (instant alerts for high-profile risks with FocusTags®) provided advance warning before or on the day of KEV addition 95.2% of the time.

AI introduces shadow risk

The rapid, undisclosed adoption of generative AI by vendors creates hidden data flows and new vulnerabilities that legacy questionnaires will never detect.


95.2% of FocusTags® were applied before or on the day a vulnerability was added to the CISA KEV catalog, giving Black Kite customers advance warning before threats became confirmed exploits.

What TPCRM Leaders Should Do Now

Cyber risks do not exist in isolation, and neither should your vulnerability management strategy. TPCRM leaders must take three immediate actions:

1. Adopt exploitability-based prioritization

Stop chasing every CVE. TPCRM teams must shift to exploitability-based prioritization, combining CISA KEV membership (confirmed exploitation) with EPSS (a continuously updated probability that a CVE will be exploited in the next 30 days), rather than relying solely on static CVSS severity scores.
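The triage logic described above, as an added example that is not Black Kite's model or code: it joins a vendor's CVE inventory against records shaped like the public CISA KEV feed (same field names, including knownRansomwareCampaignUse) and the FIRST EPSS API response, then tiers each CVE so that confirmed exploitation outranks EPSS, which in turn outranks CVSS alone. The CVE identifiers, scores and dates are constructed placeholders, and the EPSS and CVSS thresholds are assumptions to be tuned to your own risk appetite. The breakdown helper reproduces the "Known" versus "Unknown" ransomware count used in shift 3.

```python
"""Exploitability-based triage: KEV membership > EPSS likelihood > CVSS severity.

Added example. Inputs are constructed to mirror the shape of the real feeds
(CISA KEV JSON and the FIRST EPSS API); IDs, scores and dates are invented.
"""
import json
from dataclasses import dataclass

# Assumed thresholds (not a standard; tune to your program's risk appetite).
EPSS_LIKELY = 0.10   # probability of exploitation activity in the next 30 days
CVSS_HIGH = 7.0

# --- constructed sample inputs (year 0000 marks the CVE IDs as placeholders) ---
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "dateAdded": "2025-03-04",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-1002", "dateAdded": "2025-06-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})
EPSS_JSON = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-0000-1001", "epss": "0.94", "percentile": "0.999"},
    {"cve": "CVE-0000-1002", "epss": "0.02", "percentile": "0.880"},
    {"cve": "CVE-0000-1003", "epss": "0.41", "percentile": "0.975"},
    {"cve": "CVE-0000-1004", "epss": "0.004", "percentile": "0.700"},
]})
INVENTORY = [  # what a vendor's scanner or SBOM tooling reports, with CVSS base scores
    {"cve": "CVE-0000-1001", "cvss": 9.8},
    {"cve": "CVE-0000-1002", "cvss": 6.5},   # Medium CVSS, but in KEV
    {"cve": "CVE-0000-1003", "cvss": 5.3},   # Medium CVSS, but high EPSS
    {"cve": "CVE-0000-1004", "cvss": 9.1},   # Critical CVSS, negligible EPSS
    {"cve": "CVE-0000-1005", "cvss": 4.3},   # no EPSS record at all
]


@dataclass
class Finding:
    cve: str
    cvss: float
    epss: float
    in_kev: bool
    ransomware: str   # KEV knownRansomwareCampaignUse, or "n/a" when not in KEV
    tier: str
    reason: str


def load_kev(kev_json: str) -> dict:
    """Map cveID -> KEV record; field names match the public CISA feed."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def load_epss(epss_json: str) -> dict:
    """Map CVE -> EPSS probability; the FIRST API returns scores as strings."""
    return {d["cve"]: float(d["epss"]) for d in json.loads(epss_json)["data"]}


def triage(inventory, kev_json, epss_json):
    """Tier every inventory CVE, ordered P1 first and most-likely-exploited first."""
    kev, epss = load_kev(kev_json), load_epss(epss_json)
    findings = []
    for item in inventory:
        cve, cvss = item["cve"], float(item["cvss"])
        p = epss.get(cve, 0.0)          # missing EPSS record: treat as no evidence
        rec = kev.get(cve)
        if rec is not None:             # confirmed exploitation beats any score
            tier, reason = "P1", f"in CISA KEV since {rec['dateAdded']}"
        elif p >= EPSS_LIKELY:          # likely to be exploited soon
            tier, reason = "P2", f"EPSS {p:.2f} >= {EPSS_LIKELY}"
        elif cvss >= CVSS_HIGH:         # severe if exploited, but no signal yet
            tier, reason = "P3", f"CVSS {cvss} with EPSS {p:.3f}; watch for KEV/EPSS change"
        else:
            tier, reason = "P4", "low severity and low exploitation likelihood"
        findings.append(Finding(cve, cvss, p, rec is not None,
                                rec["knownRansomwareCampaignUse"] if rec else "n/a",
                                tier, reason))
    findings.sort(key=lambda f: (f.tier, -f.epss))
    return findings


def kev_ransomware_breakdown(kev_json: str) -> dict:
    """Count KEV entries by the knownRansomwareCampaignUse field (shift 3)."""
    counts: dict = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        key = v.get("knownRansomwareCampaignUse", "Unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_JSON, EPSS_JSON):
        print(f"{f.tier} {f.cve} cvss={f.cvss:<4} epss={f.epss:<5} "
              f"kev={f.in_kev} ransomware={f.ransomware}: {f.reason}")
    print("KEV ransomware breakdown:", kev_ransomware_breakdown(KEV_JSON))
```

Run stand-alone, the Medium-rated CVE that sits in KEV lands in P1 while the Critical-rated CVE with negligible EPSS lands in P3, which is the reordering that CVSS-only triage cannot produce. In production, replace the constructed strings with the downloaded KEV feed and an EPSS API pull, and re-run on every feed refresh rather than on an assessment cycle.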

2. Add AI supply chain questions to vendor assessments

Immediately require third parties to disclose their generative AI usage, document security controls for agentic AI systems with code execution capabilities, and define their AI-specific vulnerability monitoring practices.

3. Shift to continuous risk hunting

Replace manual vendor questionnaires with targeted, intelligence-driven collaboration. On the Black Kite platform, utilize The Bridge™ vendor engagement to instantly filter your vendor ecosystem by FocusTag® exposure, provide vendors with specific vulnerability evidence, and track their remediation timelines in real time.

To understand where the supply chain stands today, it helps to see exactly how much changed in a single year.

Here's what the data shows when you put 2024 and 2025 side by side.
