
2025 Supply Chain Vulnerability Report

Of 40,000+ CVEs Published in 2024, 295 Were OSINT-Discoverable and Truly Threatened Supply Chains


by the Black Kite Research Group™ 

More than 40,000 CVEs were published in 2024, a 38% increase over the prior year. Security teams across every industry felt it: an unrelenting flood of disclosures, each one demanding triage, each one a potential liability if ignored. For third-party risk management teams, the problem compounds fast. You're not managing one organization's patch backlog. You're managing hundreds or thousands of vendors, each with their own attack surface, their own exposure gaps, and their own patch cycles.

The Black Kite Research Group™ manually analyzed 780 high-priority CVEs from 2024 (those scored CVSS 7.0 or higher), cross-referencing NVD, CISA KEV, EPSS, and VulnCheck data alongside Black Kite's own OSINT-based discovery methodology. The analysis examined how vulnerabilities propagate through vendor ecosystems, which industries face the greatest exposure, and how threat actors select their targets. Of the 780 analyzed, only 295 were OSINT-discoverable. Separately, 768 of the CVEs cross-referenced against the exploitation data sources showed confirmed exploitation in the wild.

What the data reveals is a systemic mismatch between how the security industry measures vulnerability severity and how attackers actually choose their targets. Most exploited vulnerabilities don't carry the highest CVSS scores. Attackers don't care about theoretical severity. They exploit what's easy to find, easy to trigger, and widely deployed across the vendors their targets depend on. CVSS-only triage leaves TPRM teams chasing the wrong risks while real, active threats move through their supply chain undetected.

This report is your blueprint for reducing thousands of CVEs to the handful that genuinely threaten your vendor ecosystem. It also lays out the intelligence-driven workflow that keeps your TPRM program ahead of the next wave.


Key Findings From the 2025 Supply Chain Vulnerability Report

40,000+ CVEs Published in 2024, a 38% Year-Over-Year Increase

Vulnerability volume didn't just grow in 2024. It accelerated. The sheer number of disclosures has overwhelmed traditional triage processes that rely on CVSS scores and severity bands. Security teams that haven't shifted to risk intelligence-based prioritization are spending the most time on the least dangerous vulnerabilities.

295 High-Priority CVEs Were OSINT-Discoverable and Supply-Chain-Relevant

Black Kite's research methodology doesn't start with a score. It starts with discoverability. Only vulnerabilities that threat actors can actually find through open-source intelligence are viable supply chain threats. This filter alone cuts the high-priority list by more than 60% before any other risk factor is applied.

768 Actively Exploited Vulnerabilities Confirmed in the Wild

Of the CVEs cross-referenced against CISA KEV, EPSS, and VulnCheck datasets, 768 showed confirmed exploitation activity. These are not theoretical risks. They are active attack vectors that have been used against real organizations and their third-party vendors.

CVSS Scores Do Not Predict Exploitation. Attackers Select for Discoverability, Not Severity

The most consistent finding across the dataset: attackers don't exploit the highest-CVSS vulnerabilities. They exploit vulnerabilities that are easy to find through passive reconnaissance, easy to weaponize, and present across many organizations at once. CVSS-only prioritization systematically misdirects TPRM teams toward lower-probability risks while leaving high-probability threats unaddressed.

250,000+ Organizations Monitored Continuously for Emerging Vendor Exposure

The platform intelligence underlying this report draws from continuous monitoring across more than 250,000 organizations. This scale enables the kind of cross-ecosystem pattern recognition that single-organization security tools cannot replicate. It surfaces which vendors share exposure to the same CVE cluster and which industries are being targeted by the same threat actor.

40,000+ CVEs published in 2024
780 high-priority CVEs (CVSS 7.0+) manually analyzed by the Black Kite Research Group™
295 CVEs that were OSINT-discoverable and genuinely threatened supply chains
768 actively exploited in the wild, confirmed across NVD, CISA KEV, EPSS, and VulnCheck

Why Traditional Vulnerability Management Fails in TPRM

CVSS Was Built for Internal IT, Not for Vendor Ecosystems

CVSS scores measure theoretical severity in a controlled environment. They don't account for how widely a vulnerable product is deployed across your specific vendor portfolio, whether a vulnerability is actually reachable from the outside, or whether threat actors are already using it. For vendor risk assessment teams, a severity score with no discoverability context is just noise.

Most Exploited Vulnerabilities Fall in the Medium CVSS Range

The report's dataset confirms what experienced threat researchers already know: the most dangerous vulnerabilities in active supply chain attacks often score in the 5.0–7.9 CVSS range. Organizations that hard-filter below 8.0 or 9.0 are systematically blind to the CVEs that threat actors are actually weaponizing against their vendors.

Patching Cycles at Third Parties Are Structurally Slower Than at Direct Operators

Even when a critical vulnerability is disclosed, vendors patch at a fraction of the speed of the organizations that depend on them. This is especially true of third and fourth parties, where patch cycles are rarely visible from the outside. Fourth-party risk management requires visibility into the patch status of vendors' vendors, not just immediate suppliers. Without that layer, a known critical CVE can persist across your supply chain for months after the fix is available.

The Four-Step Prioritization Framework: From 40,000 CVEs to the Dozen That Demand Vendor Outreach

Step 1: OSINT Discoverability Filters High-Priority CVEs to Only Those Attackers Can Find

The first filter isn't severity. It's visibility. Black Kite's methodology begins by identifying which high-priority CVEs are actually discoverable through the kind of passive, open-source intelligence that threat actors use to select targets. Vulnerabilities that can't be found through reconnaissance can't be reliably weaponized at scale. This filter removes the majority of the high-priority list before any other variable is applied.

Step 2: EPSS Scores Replace CVSS as the Exploitation Probability Signal

CVSS tells you how bad a vulnerability could theoretically be. EPSS (the Exploit Prediction Scoring System) tells you how likely it is to be exploited within the next 30 days, based on real-world threat intelligence. Substituting EPSS for CVSS as the primary prioritization signal produces a materially different action list. High CVSS / low EPSS vulnerabilities drop in priority. Low CVSS / high EPSS vulnerabilities move to the front.

Step 3: Vendor Match Rates Determine Which CVEs Live Inside Your Ecosystem

A vulnerability matters to your TPRM program only if your vendors are actually running the affected software. Black Kite cross-references the filtered CVE list against the technology stack profiles of organizations in your vendor inventory. This step converts a universal threat landscape into a portfolio-specific exposure map. You see the CVEs that affect your vendors, not the entire internet.

Step 4: The High-Probability, High-Impact Zone Surfaces the Vulnerabilities That Demand Vendor Outreach Today

The final step maps remaining CVEs against two axes: probability of exploitation (EPSS-based) and breadth of vendor exposure (how many of your vendors are affected). The intersection of high EPSS and high vendor match rate defines the action zone. These are the vulnerabilities that justify immediate vendor risk response and direct outreach through The Bridge™.

Why TPRM Programs Must Replace CVSS-Only Triage With Intelligence-Driven Vendor Action

Replace Annual Vendor Assessments With Continuous Vulnerability Monitoring Across Your Portfolio

Vendor risk monitoring can't operate on an annual cycle when critical vulnerabilities emerge and get weaponized within days. The 2025 Supply Chain Vulnerability Report makes clear that the window between disclosure and active exploitation has collapsed. TPRM teams need a live view of which vendors have open exposure to the CVEs that threat actors are actively using. That view needs to be updated continuously, not quarterly.

Shift From Questionnaire-Based Evidence to Intelligence-Based Vendor Outreach

Asking vendors to self-report on patching status against a list of CVEs produces compliance theater, not risk reduction. Intelligence-driven vendor engagement means presenting vendors with specific, verified evidence of their exposure: the CVE, the affected product version, and the OSINT signal that confirms discoverability. Then track remediation progress directly. Response rates from evidence-led outreach are significantly higher than from generic questionnaire cycles.

Build a Prioritization Workflow That Uses OSINT, EPSS, and Vendor Match Rate as a Combined Signal

No single signal is sufficient. CVSS measures severity in isolation. EPSS measures exploitation probability without vendor context. OSINT discoverability confirms attacker viability without quantifying business impact. Organizations that combine all three into a structured prioritization workflow reduce their actionable vulnerability list from thousands to dozens and direct analyst time toward the exposures that actually threaten their vendor ecosystem. FocusTags® automate this signal aggregation at scale.
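As an added illustration (not code from the report or from Black Kite), the following Python sketch models the four-step workflow above and the combined OSINT / EPSS / vendor-match signal described in this section. Every CVE identifier, score, vendor inventory and threshold in it is a constructed placeholder.

```python
# Toy model of the four-step CVE prioritization workflow (added example).
# Every CVE record, EPSS value, vendor inventory and threshold here is constructed sample data.
from dataclasses import dataclass


@dataclass
class Cve:
    cve_id: str                 # placeholder identifiers, not real CVE numbers
    cvss: float                 # base severity score (theoretical impact)
    epss: float                 # 30-day exploitation probability, 0..1
    osint_discoverable: bool    # findable via passive external reconnaissance
    affected: set               # product names the CVE applies to


# Constructed vendor inventory: vendor name -> products observed in its external stack.
VENDORS = {
    "vendor-a": {"webgate", "mailrelay"},
    "vendor-b": {"webgate", "dbcore"},
    "vendor-c": {"webgate"},
    "vendor-d": {"legacy-erp"},
}

# Constructed CVE feed (placeholder identifiers).
CVES = [
    Cve("CVE-EXAMPLE-1", 9.8, 0.02, False, {"legacy-erp"}),  # critical score, not externally findable
    Cve("CVE-EXAMPLE-2", 7.5, 0.91, True, {"webgate"}),      # high EPSS, present at most vendors
    Cve("CVE-EXAMPLE-3", 8.1, 0.60, True, {"dbcore"}),       # exploited, narrow portfolio exposure
    Cve("CVE-EXAMPLE-4", 9.1, 0.03, True, {"mailrelay"}),    # critical score, cold EPSS
    Cve("CVE-EXAMPLE-5", 6.5, 0.80, True, {"webgate"}),      # below the 7.0 high-priority cut
]


def vendor_match_rate(cve, vendors):
    """Step 3: share of the vendor portfolio running any product the CVE affects."""
    hits = sum(1 for stack in vendors.values() if stack & cve.affected)
    return hits / len(vendors) if vendors else 0.0


def prioritize(cves, vendors, min_cvss=7.0, min_epss=0.5, min_match=0.25):
    """Run steps 1-4; return (cve_id, epss, match_rate) for the action zone, highest EPSS first."""
    # Step 1: keep high-priority CVEs that an attacker can actually find from outside.
    candidates = [c for c in cves if c.cvss >= min_cvss and c.osint_discoverable]
    # Step 2: rank by EPSS rather than CVSS.
    candidates.sort(key=lambda c: c.epss, reverse=True)
    # Steps 3-4: attach portfolio exposure and keep the high-probability, high-impact quadrant.
    zone = []
    for c in candidates:
        rate = vendor_match_rate(c, vendors)
        if c.epss >= min_epss and rate >= min_match:
            zone.append((c.cve_id, c.epss, rate))
    return zone
```

Lowering `min_cvss` to 5.0 shows the medium-range effect the report describes: CVE-EXAMPLE-5 enters the action zone ahead of the higher-scored but narrowly exposed CVE-EXAMPLE-3.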

Map Fourth-Party Exposure Before Threat Actors Do

The 2025 Supply Chain Vulnerability Report documents how supply chain attacks propagate through multiple vendor tiers. Organizations that limit their visibility to direct suppliers miss the downstream concentration risk that attackers exploit. Nth-party visibility tools map the full dependency chain. When a critical CVE drops, you know immediately which vendors' vendors are exposed, not just the vendors you directly manage.

How Black Kite Built the 2025 Supply Chain Vulnerability Report

780 High-Priority CVEs Manually Analyzed by the Black Kite Research Group™

The Black Kite Research Group™ began with every CVE published in 2024 carrying a CVSS score of 7.0 or higher. Researchers manually reviewed each entry, cross-referencing disclosure details, affected product information, and available proof-of-concept data to assess real-world exploitability beyond the score.

Validated Against NVD, CISA KEV, EPSS, and VulnCheck Data Sources

No single database captures the full exploitation picture. Black Kite's methodology cross-references the National Vulnerability Database (NVD), CISA's Known Exploited Vulnerabilities (KEV) catalog, Exploit Prediction Scoring System (EPSS) data, and VulnCheck's independent exploitation intelligence. Discrepancies between sources are resolved manually rather than algorithmically.

OSINT-Based Discoverability Testing Across Real Vendor Environments

Researchers applied the same open-source intelligence techniques that threat actors use to test which CVEs in the dataset were actually discoverable from the outside. Only CVEs that passed the OSINT discoverability filter were carried forward as genuine supply chain security risks. This distinguishes the report's methodology from severity-only rankings that don't account for the attacker perspective.

Continuous Monitoring Across 250,000+ Organizations in the Black Kite Platform

The vendor exposure analysis underlying the prioritization framework draws from Black Kite's live platform data, which monitors more than 250,000 organizations continuously. This scale enables pattern recognition at the ecosystem level. It surfaces which CVEs are disproportionately present across vendor portfolios in specific industries, geographies, or technology stacks.



Related Resources

2025 Ransomware Report
How ransomware groups are targeting vendor ecosystems and which third-party exposures they exploit most.

Black Kite Third-Party Breach Report 2025
Analysis of 2024's third-party breach landscape, including which vendor vulnerabilities led to cascading downstream incidents.

Black Kite Third-Party Breach Report 2024
A year-over-year view of how third-party breach patterns evolved and which vulnerability classes were most frequently exploited.

BK-GA³™: AI Risk Assessment Framework for TPRM
The unified open standard for assessing third-party AI risk, including AI-native vendor exposure not covered by traditional CVE-based analysis.