The AI Factor
AI Didn't Just Change the Attack Surface, It Expanded It
OVERVIEW
AI is not replacing vulnerability management. It is adding a new dimension to it. The fundamentals still apply: prioritize what is exploitable, focus on vendor exposure, and act on intelligence. However, AI introduces new components to track, new attack vectors to understand, and new questions to ask your vendors.
AI Vulnerabilities by the Numbers
The integration of artificial intelligence into enterprise software has expanded the attack surface. In 2025, according to Trend Micro's Fault Lines in the AI Ecosystem report, the industry recorded over 2,100 AI-related CVEs, representing 4.42% of all published vulnerabilities globally. This marks a 34.6% year-over-year increase from approximately 1,600 AI CVEs tracked in 2024, and a sharp rise from just around 700 in 2023.
Severity dictates the true metric of risk. Of the AI-related CVEs published in 2025, 641 are classified as High or Critical, broken down into 517 High-severity and 124 Critical-severity flaws. Corroborating this external data, the Black Kite Research Group identified 389 specific AI-related vulnerabilities directly impacting third-party ecosystems.
AI-related CVE Growth
Number or AI-Related CVEs published each year:
- 2018: 178
- 2019: 201
- 2020: 194
- 2021: 539
- 2022: 569
- 2023: 692
- 2024: ~1,600
- 2025: 2,130
Notable AI CVEs in 2025
AI coding assistants and agentic frameworks are now actively targeted attack vectors. Prompt injection is no longer a theoretical novelty; it is a legitimate, weaponizable vulnerability class that functions as the "new RCE" (Remote Code Execution) for agentic systems.
These are weaponized flaws with high severity scores threatening millions of developers and downstream organizations.
Notable 2025 CVEs include:
EchoLeak (CVE-2025-32711)
A critical flaw (CVSS 9.3) in Microsoft 365 Copilot enabling zero-click data exfiltration via poisoned context.
GitHub Copilot (CVE-2025-53773)
A wormable prompt injection RCE (CVSS 7.8-9.6) that allows for full developer machine compromise.
Claude Code (CVE-2025-52882)
A WebSocket bypass vulnerability (CVSS 8.8) that creates a browser-to-IDE attack chain, enabling RCE in developer environments.
Cursor IDE (CVE-2025-54135)
Dubbed "CurXecute," this high-severity flaw allows RCE over the Model Context Protocol (MCP).
MCP Remote (CVE-2025-6514)
A vulnerability allowing direct, arbitrary OS command execution.
Notable AI-related CVEs
Two Threat Vectors to Watch
AI introduces hidden dependencies and uncharted infrastructure for TPCRM programs. Organizations must actively monitor two primary threat vectors:
1. Shadow AI (Unauthorized GenAI Use by Vendors):
Vendors are adopting generative AI without formal security reviews or public disclosure. This unauthorized GenAI use means sensitive corporate data is flowing to third-party Large Language Model (LLM) providers entirely outside of your visibility. Legacy vendor questionnaires cannot detect these unauthorized data flows.
2. Exposed Agentic Infrastructure:
As vendors deploy autonomous AI agents, they expose new, easily discoverable attack surfaces. Model Context Protocol (MCP) servers and self-hosted LLM instances with default configurations are highly discoverable via OSINT. These systems are frequently deployed rapidly without basic security hardening and operate entirely outside the scope of traditional vulnerability scans.
Comparison of AI Threat Vectors
Shadow AI
Exposed Agentic Infrastructure
Shadow AI
Exposed Agentic Infrastructure
of orgs hit by AI-driven attack
vulnerable AI components online
In 2025, 87% of organizations experienced at least one AI-driven cyberattack. Attackers leverage these capabilities heavily for initial access, with 82.6% of phishing campaigns now utilizing AI. Furthermore, internet scans have revealed over 3,000 publicly accessible and vulnerable AI components currently online.
The Emerging Security Divide
AI adoption is creating a two-tier security landscape across the global supply chain.
Tier 1
Large enterprises utilizing advanced, AI-powered vulnerability scanning tools have dramatically compressed their security timelines:
Early adopters report reducing vulnerability detection to an average of 14 days and remediation cycles to 21 days, a fraction of the industry baseline.
Tier 2
Mid-market vendors, small software publishers, and open-source projects operate under fundamentally different constraints:
Without AI-powered scanning, detection timelines remain at the current general average of 197 days, with remediation cycles averaging 60 days. With enterprise cloud deployments of AI scanning solutions costing between $500,000 and $2 million annually, closing that gap is not currently feasible for most of these organizations.
When enterprise perimeters harden through AI automation, attackers adapt. Threat actors are aggressively shifting their focus to these "Tier 2" targets. Industry analysts expect the share of exploited vulnerabilities targeting mid-market and open-source targets to rise significantly by 2027. Risk is migrating and concentrating exactly where enterprises depend on smaller suppliers. For TPCRM programs, this means the mid-market vendors in your ecosystem now carry a significantly higher systemic threat profile.
AI Risks Are Migrating Downstream
Tier 1: Enterprises ⮕
Tier 2: Mid-Market/OSS
Assessing Vendor AI Risk
AI-specific blind spots cannot be reliably uncovered through vendor self-reporting alone. In a threat landscape moving at -7 days, waiting for a vendor to disclose their AI usage is no longer a viable strategy.
It’s imperative to have continuous, intelligence-driven visibility that doesn't depend on vendors telling you anything at all, in addition to point-in-time assessments.
To assess vendor AI risk across your entire vendor ecosystem without relying on questionnaire responses, TPCRM teams can leverage the unified, open standard Black Kite Global Adaptive AI Assessment Framework™ (BK-GA³™). It is a scalable methodology for surfacing the AI exposure that vendors may not even know to disclose.
If a baseline of understanding about the vendor’s GenAI use is in place, that would help to initiate the right assessment for the vendor. Establishing this baseline requires shifting from passive questioning to active detection. Organizations must utilize Open-Source Intelligence (OSINT) to continuously monitor the external attack surface for AI-specific footprints.
The Black Kite platform detects and summarizes a vendor's generative AI footprint from external signals.
This includes detecting visible generative AI adoption, identifying exposed Model Context Protocol (MCP) servers, and locating self-hosted Large Language Model (LLM) instances operating outside traditional security boundaries.
With this continuous visibility established, Third-Party Cyber Risk Management (TPCRM) teams no longer operate in the dark regarding Shadow AI. Identifying a vendor's active AI footprint acts as an immediate trigger. Rather than distributing generic compliance checklists, teams can initiate a targeted assessment driven by definitive exposure evidence, specifically evaluating the exact generative AI tools, data flows, and agentic infrastructure a vendor is proven to be using.
Black Kite pinpoints the exact AI infrastructure a vendor is running, down to the product, subdomain, and IP.
With 48,000+ CVEs published in 2025, the next section outlines how to filter the noise and focus on what actually matters to your supply chain.