Prioritization Framework


Going from 48,000+ CVEs to the 58 That Matter

OVERVIEW

Over 48,000 CVEs were published in 2025. Your vendors cannot patch them all, and your team cannot track them all. The question is not "what vulnerabilities exist?" but rather "which ones will actually impact my supply chain?"

The sheer volume of disclosures renders traditional, reactive vulnerability management mathematically impossible. To protect the supply chain, Third-Party Cyber Risk Management (TPCRM) teams require a ruthless, data-driven filtering mechanism.

The Black Kite Research Group manually analyzed 1,240 CVEs identified as high-priority for third-party risk in 2025, a 59% increase from the 780 analyzed in 2024. This expansion reflects two realities:

1. The threat landscape demanded deeper scrutiny as exploitability and severity spiked.

2. Our AI-augmented analysis capabilities allowed us to scale without sacrificing rigor. More signal required more analysis; better tools made it possible.

[Figure: 2025 Vulnerability Landscape and Exploitation Trends]

The graph illustrates the prioritization funnel that reveals the high-probability, high-impact zone. Its layers, from widest to narrowest:

Global CVEs Published in 2025
CVEs with CVSS 7.0+
CVEs with CVSS 9.0+
High-Priority CVEs Analyzed by the Black Kite Research Group
CVEs Exploited in the Wild

The overlapping area represents:

OSINT-Discoverable CVEs (Assigned FocusTags®)
"Code Red" CVEs (EPSS >60%)

[Figure: Monthly Breakdown of the 1,240 CVEs Analyzed by Black Kite]

How to Prioritize Vulnerabilities in the Supply Chain

Step 1: OSINT Discoverability

If a vulnerability cannot be discovered externally, mass exploitation is highly unlikely. Threat actors operate with ruthless efficiency, utilizing Open-Source Intelligence (OSINT) tools to scan the internet for exposed systems running known vulnerable software. They do not waste time hunting for invisible targets.

By analyzing the external attack surface, the Black Kite Research Group identified 329 vulnerabilities in 2025 that were highly discoverable via OSINT. These vulnerabilities immediately received Black Kite FocusTags®, indicating that attackers can easily find and target these specific systems in the wild. Filtering for OSINT discoverability removes the noise of deeply buried internal network flaws, focusing your attention exactly where attackers are looking.

Step 2: Exploitability Filtering (EPSS + KEV)

Discoverability is only the first layer of risk; the second is exploitability. To predict the likelihood of an attack, organizations must use the Exploit Prediction Scoring System (EPSS). This dynamic model estimates the probability that a vulnerability will be exploited within the next 30 days.

CVE Risk Tiers by EPSS Score

EPSS Range    CVE Count    Risk Status
90-100%       33           🚨 Certain Exploitation
80-90%        12           🔴 Very High
60-80%        13           🟠 High
40-60%        11           🟡 Imminent
<40%          Hundreds     Monitor

Out of tens of thousands of published CVEs, only 58 OSINT-discoverable vulnerabilities carry an EPSS score greater than 60%. These are the "Code Red" vulnerabilities. We definitively validate this predictive data by cross-referencing these flaws with the CISA Known Exploited Vulnerabilities (KEV) catalog. Combining EPSS predictions with KEV confirmation allows TPCRM teams to stop chasing theoretical severity and prioritize confirmed, imminent threats.

Step 3: Vendor Susceptibility

With the most dangerous vulnerabilities identified, the framework asks the ultimate supply chain question: "Which vulnerabilities will impact the most vendors in my ecosystem?" Evaluating the blast radius of a vulnerability requires mapping specific CVEs against your continuously monitored vendor base. In 2025, CVE-2025-26465 affected ~108,000 companies, and CVE-2025-32728 affected ~103,000 companies.

While these massive, top-tier vulnerabilities grab industry headlines, the most critical insight lies in the fragmentation of the supply chain. Approximately 82% of all company-to-CVE matches occur in the "Long Tail" of vulnerabilities falling entirely outside the Top 20 list. You cannot secure a supply chain by monitoring only a handful of major tech providers. Broad, automated visibility across your entire, fragmented vendor ecosystem is an absolute necessity.

[Figure: Top 20 Most Prevalent Vulnerabilities in the Supply Chain]

Step 4: The High-Probability, High-Impact Zone

The final step converges all intelligence layers into a single, actionable directive. We isolate the vulnerabilities that are OSINT-discoverable, carry a high EPSS score (>60%), appear in the KEV catalog, and demonstrate high vendor susceptibility. This methodology reduces thousands of daily alerts to a highly manageable number of critical flaws that demand immediate vendor outreach.

[Figure: Vulnerability Risk Map]

This intersection of data creates the High-Probability, High-Impact Zone. The vulnerabilities occupying the top-right quadrant of this map represent the ultimate convergence of severity, exploitability, and supply chain exposure. These are the exact threats that will cause downstream disruption, dictating exactly where your TPCRM program must focus its remediation efforts today.
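The four steps above form one filtering procedure. The following is an added example, written for this page and not Black Kite's own code, that runs that funnel over a constructed set of CVE records: Step 1 keeps OSINT-discoverable CVEs, Step 2 keeps the "Code Red" subset (EPSS >60%) and confirms it against KEV, and Steps 3 and 4 rank what remains by the number of monitored vendors affected. It also rebuilds the EPSS tier table and computes the "Long Tail" share of company-to-CVE matches outside the top N. The record fields, the `CVE-EXAMPLE-*` identifiers, every score and vendor count, and the choice of an inclusive lower bound for each EPSS tier are assumptions made for illustration; the table itself does not say which tier owns a boundary value.

```python
from collections import Counter
from dataclasses import dataclass

# EPSS tiers from the "CVE Risk Tiers by EPSS Score" table: (inclusive lower bound, label).
# The table does not say which tier owns a boundary value; treating the lower bound as
# inclusive is an assumption of this example.
EPSS_TIERS = [
    (0.90, "Certain Exploitation"),
    (0.80, "Very High"),
    (0.60, "High"),
    (0.40, "Imminent"),
    (0.00, "Monitor"),
]

# "Code Red" is defined in the text as EPSS strictly greater than 60%.
CODE_RED_THRESHOLD = 0.60


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    epss: float               # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    osint_discoverable: bool  # Step 1: visible on the external attack surface (FocusTag-eligible)
    in_kev: bool              # Step 2: confirmed exploited (listed in CISA KEV)
    affected_vendors: int     # Step 3: monitored vendors matched to this CVE


def epss_tier(epss: float) -> str:
    """Map an EPSS probability to the risk-status label used in the table."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS must be a probability in [0, 1], got {epss}")
    for lower, label in EPSS_TIERS:
        if epss >= lower:
            return label
    return "Monitor"  # not reached: the last tier starts at 0.0


def tier_counts(records):
    """Rebuild the 'CVE Count' column of the table for a set of records."""
    return Counter(epss_tier(r.epss) for r in records)


def prioritize(records, min_vendors):
    """Run the four-step funnel and return every stage so the narrowing is visible.

    Step 1 keeps OSINT-discoverable CVEs; Step 2 keeps the Code Red subset (EPSS > 60%)
    and then confirms it against KEV; Steps 3 and 4 keep those hitting at least
    `min_vendors` monitored vendors, ranked by blast radius and then by EPSS.
    """
    discoverable = [r for r in records if r.osint_discoverable]
    code_red = [r for r in discoverable if r.epss > CODE_RED_THRESHOLD]
    confirmed = [r for r in code_red if r.in_kev]
    zone = sorted(
        (r for r in confirmed if r.affected_vendors >= min_vendors),
        key=lambda r: (-r.affected_vendors, -r.epss),
    )
    return {
        "step1_osint": discoverable,
        "step2_code_red": code_red,
        "step2_kev_confirmed": confirmed,
        "step4_zone": zone,
    }


def long_tail_share(records, top_n=20):
    """Fraction of all company-to-CVE matches outside the top_n most prevalent CVEs.

    This is the 'Long Tail' measure the text reports as ~82% outside the Top 20.
    """
    counts = sorted((r.affected_vendors for r in records), reverse=True)
    total = sum(counts)
    if total == 0:
        return 0.0
    return (total - sum(counts[:top_n])) / total


# Constructed sample data: the identifiers, scores, KEV flags and vendor counts are
# invented for this example and do not describe any real CVE.
SAMPLE_CVES = [
    CveRecord("CVE-EXAMPLE-0001", 0.94, True, True, 108_000),
    CveRecord("CVE-EXAMPLE-0002", 0.88, True, True, 103_000),
    CveRecord("CVE-EXAMPLE-0003", 0.71, True, False, 4_200),   # predicted, not yet in KEV
    CveRecord("CVE-EXAMPLE-0004", 0.65, True, True, 150),      # Code Red, but a tiny blast radius
    CveRecord("CVE-EXAMPLE-0005", 0.97, False, True, 9_000),   # exploited, but not externally discoverable
    CveRecord("CVE-EXAMPLE-0006", 0.52, True, False, 12_000),  # Imminent tier, below the Code Red line
    CveRecord("CVE-EXAMPLE-0007", 0.03, True, False, 75_000),  # widespread but low probability: Monitor
    CveRecord("CVE-EXAMPLE-0008", 0.60, True, True, 20_000),   # exactly 60%: not strictly greater
]

if __name__ == "__main__":
    stages = prioritize(SAMPLE_CVES, min_vendors=1_000)
    for name, stage in stages.items():
        print(f"{name:22} {len(stage):2} {[r.cve_id for r in stage]}")
    print("tiers:", dict(tier_counts(SAMPLE_CVES)))
    print(f"long tail outside top 2: {long_tail_share(SAMPLE_CVES, top_n=2):.1%}")
```

Two of the sample records show why each layer matters: `CVE-EXAMPLE-0005` has the highest EPSS and is in KEV but drops out at Step 1 because it is not externally discoverable, and `CVE-EXAMPLE-0007` reaches more vendors than anything but the top two yet stays in the Monitor tier because its exploitation probability is negligible. The record sitting at exactly 60% lands in the "High" tier under the inclusive-bound assumption but is not Code Red, since the text's definition is strictly greater than 60%.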

Identifying these critical threats is only the beginning of proactive risk management.

The next section explores how FocusTags® operationalize this intelligence, providing the speed and accuracy necessary to initiate targeted vendor outreach.
