2026 Supply Chain Vulnerability Report: Velocity Without Visibility Is the New Supply Chain Crisis
Of 48,000+ CVEs Published in 2025, Only 58 Posed a Genuine Threat to Enterprise Supply Chains
by the Black Kite Research Group™ · Ferhat Dikbiyik, Chief Research and Intelligence Officer
One vendor compromise does not stay contained. It travels downstream, touching every organization that depends on that vendor's software or infrastructure, and what begins as an isolated technical weakness becomes a systemic business disruption at scale. That is the supply chain vulnerability problem. What changed in 2025 is how fast it happens.
According to Mandiant's M-Trends 2026 report, attackers exploited vulnerabilities an average of seven days before public disclosure. The traditional patch lifecycle, already strained, is now functionally inverted. Your vendors are exposed before a fix exists. Periodic assessments cannot close a window that no longer opens. Continuous monitoring is no longer a program maturity goal. It is the baseline requirement for defending a modern supply chain.
The volume problem compounds the velocity problem. Global CVE publications crossed 48,000+ in 2025, an 18% year-over-year increase driven partly by rapid AI adoption and AI-powered vulnerability discovery tools. Tracking and remediating that volume vendor by vendor is not a realistic program goal. The critical discipline is not coverage. It is precision: identifying the small subset of vulnerabilities that are OSINT-discoverable, actively exploitable, and directly mapped to vendors in your ecosystem.
That is exactly what the Black Kite Research Group™ built this report to deliver. Our researchers manually analyzed 1,240 high-priority CVEs published in 2025, a 59% increase from the prior year, applying a four-stage prioritization framework that filters raw vulnerability data through discoverability, exploitability, and nth-party visibility to surface only the threats demanding immediate action. The result: FocusTags® assigned to 329 OSINT-discoverable vulnerabilities, and just 58 "Code Red" designations representing the vulnerabilities most likely to disrupt enterprise supply chains. This report is your blueprint for replicating that precision inside your own Third-Party Cyber Risk Management program.
Key Findings From the 2026 Supply Chain Vulnerability Report
Vendors Are Compromised 7 Days Before a CVE Is Published
The exploitation window no longer exists. It has inverted. In 2023, the average time from vulnerability disclosure to active exploitation was five days. In 2025, that figure collapsed to negative seven days: attackers are routinely exploiting flaws a full week before public disclosure or patch availability.
Compounding that inversion, once an attacker gains initial access to a vendor environment, the handoff to a secondary threat actor, such as a ransomware operator, now takes a median of 22 seconds. In 2022, that same handoff took eight hours. Escalation is no longer a process. It is instantaneous. The implication for vendor risk monitoring programs is direct: point-in-time assessments cannot defend against a timeline measured in seconds.
Only 58 of 48,000+ 2025 CVEs Threaten Supply Chains
Volume is not risk. Of the 48,000+ CVEs published in 2025, approximately 800 were exploited in the wild. Of those, only 58 were both OSINT-discoverable and carried an EPSS score above the 60% threshold this report uses to mark a genuine, targeted threat. Black Kite's prioritization funnel, moving from 48,000+ global publications through OSINT discoverability, Exploit Prediction Scoring System (EPSS) filtering, and vendor susceptibility mapping, is the mechanism that produces that number.
CISA's Known Exploited Vulnerabilities (KEV) catalog grew by 245 additions in 2025, a 32% year-over-year increase, and 84% of Black Kite's analyzed set was rated High or Critical severity. KEV confirms exploitation after it has been observed, so organizations relying solely on KEV for triage are reacting to threats that may already be actively exploiting their vendors.
AI-Related CVEs Rose 34.6% in 2025, With Prompt Injection Emerging as the "New RCE" for Agentic Systems
Artificial intelligence entered the vulnerability conversation as both an amplifier and a new attack class. 2,130 AI-related CVEs were published in 2025, a 34.6% year-over-year increase and a more than 200% rise since 2023. Major AI coding assistants and agentic frameworks, including GitHub Copilot, Cursor, and Claude Code, recorded their first high-severity CVEs.
Prompt injection is now a legitimate, weaponizable vulnerability class, in cases such as EchoLeak receiving CVSS scores above 9.0 and functioning as the effective "new RCE" for agentic systems: an injected instruction steers the agent's tool calls, so the attacker gets code execution or data exfiltration without ever touching a traditional memory-safety or deserialization bug. Anthropic's 2026 Project Glasswing demonstrated that AI models can autonomously identify zero-day flaws at scale, meaning the velocity of zero-day exploitation may accelerate beyond what any reactive program can absorb. For vendor evaluation teams, this introduces a mandatory new question set: which vendors are running agentic infrastructure, and what controls govern it?
Open-Source Software Carries 14.4% of OSINT-Discoverable Supply Chain Risk
The security divide is widening. Large enterprises adopting AI-powered vulnerability scanning have reduced detection timelines to an average of 14 days and remediation cycles to 21 days. Mid-market vendors, small software publishers, and open-source maintainers, without access to tools costing $500,000 to $2 million annually, still average 197 days for detection and 60 days for remediation. As enterprise perimeters harden, threat actors are shifting focus to these "Tier 2" suppliers.
Open-source software carries 14.42% of all OSINT-discoverable risk in Black Kite's dataset, confirming a pattern the data has shown consistently: the real entry point for supply chain risk sits inside software dependencies, embedded long before any commercial product reaches an enterprise procurement decision. For TPCRM programs built around a short list of named enterprise vendors, this data identifies the gap.
FocusTags® Beat 95.2% of CISA KEV Additions in 2025
Intelligence timing is the operational variable that separates proactive from reactive programs. For 95.2% of OSINT-discoverable vulnerabilities, Black Kite applied a FocusTag® before the CVE was added to the CISA KEV catalog, or within 24 hours of its addition.
That lead time is the difference between mandating vendor remediation before a vulnerability is weaponized at scale and scrambling after confirmation. FocusTags®, which translate a global vulnerability into a pinpointed signal tied to a specific vendor's confirmed asset exposure, are issued only after a vulnerability clears strict discoverability and exploitability thresholds. In 2025, the Black Kite Research Group™ applied 158 FocusTags covering 329+ related CVEs across four categories: Data Breach, Ransomware, High-Profile Cyber Event, and KEV.
Key Stats:
- 48,000+ CVEs published in 2025
- 1,240+ high-priority CVEs manually analyzed
- 329 OSINT-discoverable CVEs carrying FocusTags®
- 58 "Code Red" CVEs identified
- -7 days average time-to-exploitation (exploitation precedes public disclosure)
- 95.2% of FocusTags applied before KEV addition or within 24 hours of it
The Four-Stage Prioritization Framework: From 48,000 CVEs to 58 That Matter
The core operational contribution of this report is a replicable, four-stage filtering methodology that any TPCRM program can adopt. Raw CVSS scores are insufficient for supply chain triage. The Black Kite Research Group™ applies four sequential filters to identify only the vulnerabilities that demand immediate vendor outreach.
Step 1: OSINT Discoverability Eliminates Most Published CVEs Immediately
Attackers do not hunt for invisible targets. They scan the internet systematically for exposed systems running known vulnerable software, using the same OSINT tools available to any defender. If a vulnerability cannot be found externally, it will not be exploited at scale by internet-wide scanning across a supply chain. Such flaws still matter once an attacker is inside a vendor, for lateral movement and privilege escalation, but they are a post-compromise problem, not a supply chain entry point, and this filter deliberately sets them aside. Applied first, that single filter eliminates the overwhelming majority of published CVEs from the actionable queue immediately. In 2025, the Black Kite Research Group™ identified 329 vulnerabilities meeting this threshold, each receiving a FocusTag® to signal the link between a global threat and specific vendor exposure. This step removes the noise of buried internal network flaws and focuses remediation energy exactly where attackers are looking.
Step 2: EPSS Scores Above 60% Flag Near-Certain Exploitation
Discoverability establishes opportunity. Exploitability establishes urgency. The Exploit Prediction Scoring System (EPSS) estimates the probability that a specific vulnerability will be exploited within the next 30 days, expressed as a value between 0 and 1, making it a far more operationally relevant signal than a static CVSS severity rating. Of the 329 OSINT-discoverable CVEs in Black Kite's 2025 dataset, only 58 carried an EPSS score above 60% (0.60), placing them in the "Code Red" tier of highly probable exploitation. EPSS is a forecast, not an observation, so cross-referencing those 58 against the CISA KEV catalog confirms real-world exploitation status. Organizations that combine EPSS prediction with KEV confirmation stop chasing theoretical severity and start prioritizing confirmed, imminent threats.
Step 3: Vendor Mapping Reveals Which Flaws Sit Inside Your Ecosystem
A vulnerability that affects 108,000 companies has a fundamentally different blast radius than one affecting 3,000. The third filter answers what vulnerability databases cannot: which critical flaws are running inside vendors in your ecosystem. In 2025, CVE-2025-26465 affected approximately 108,000 companies, and CVE-2025-32728 affected approximately 103,000. More telling is what lies below those headline figures: approximately 82% of all company-to-CVE matches in Black Kite's dataset occur in the "Long Tail" of vulnerabilities outside the Top 20 list. Broad, automated nth-party visibility across your entire fragmented vendor base is the only mechanism that captures this exposure.
Step 4: The High-Probability, High-Impact Zone Dictates Outreach Today
The final step combines all three filters into a single actionable directive. Vulnerabilities that are OSINT-discoverable, carry a high EPSS score, appear in the KEV catalog, and demonstrate high vendor susceptibility form what the report calls the High-Probability, High-Impact Zone. These are the exact threats dictating where TPCRM programs must direct vendor outreach today. The Ransomware Susceptibility Index® (RSI™) adds an additional predictive layer, identifying which vendors in your ecosystem face elevated ransomware exposure given their confirmed vulnerability posture.
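The four steps above reduce to a small pipeline, shown here as an added worked example (not Black Kite's code or data) so a TPCRM team can see what the funnel does to a feed. The record schema, the `EPSS_CODE_RED` constant, the vendor-match dictionary and every sample CVE are constructed for the illustration; identifiers of the form `CVE-EXAMPLE-n` are placeholders, not real CVEs. EPSS is a probability in [0, 1], so the report's "60%" threshold is 0.60 here. The example also computes the share of company-to-CVE matches that fall in the long tail outside the most-matched CVEs, and shows what a CVSS-first queue would have put at the top for contrast.

```python
"""Four-stage supply-chain triage funnel: OSINT discoverability -> EPSS threshold
-> vendor mapping -> KEV-confirmed outreach queue. Example code; all records and
thresholds below are constructed for illustration."""
from dataclasses import dataclass

EPSS_CODE_RED = 0.60  # report's Code Red threshold (EPSS >= 60%), assumed value


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float               # static NVD base score, used only for contrast
    epss: float               # P(exploitation within 30 days), 0..1
    osint_discoverable: bool  # identifiable on external-facing assets
    in_kev: bool              # listed in CISA KEV (confirmed exploitation)


SAMPLE_FEED = [  # constructed sample feed; CVE-EXAMPLE-n are placeholders, not real CVEs
    CveRecord("CVE-EXAMPLE-1", 9.8, 0.02, osint_discoverable=False, in_kev=False),  # internal-only flaw
    CveRecord("CVE-EXAMPLE-2", 7.5, 0.91, osint_discoverable=True,  in_kev=True),   # exposed and exploited
    CveRecord("CVE-EXAMPLE-3", 8.1, 0.73, osint_discoverable=True,  in_kev=False),  # likely, not yet in KEV
    CveRecord("CVE-EXAMPLE-4", 6.5, 0.12, osint_discoverable=True,  in_kev=False),
    CveRecord("CVE-EXAMPLE-5", 9.1, 0.85, osint_discoverable=True,  in_kev=True),   # none of my vendors run it
]

# Constructed company-to-CVE matches: which vendors in *my* ecosystem run affected software.
SAMPLE_VENDOR_MATCHES = {
    "vendor-a": {"CVE-EXAMPLE-2", "CVE-EXAMPLE-4"},
    "vendor-b": {"CVE-EXAMPLE-2"},
    "vendor-c": {"CVE-EXAMPLE-2", "CVE-EXAMPLE-3"},
    "vendor-d": {"CVE-EXAMPLE-1"},  # matched, but the flaw is not externally discoverable
}


def stage1_discoverable(feed):
    """Step 1: drop anything an internet-wide scan could not find."""
    return [c for c in feed if c.osint_discoverable]


def stage2_code_red(records):
    """Step 2: keep only records whose 30-day exploitation probability clears the threshold."""
    return [c for c in records if c.epss >= EPSS_CODE_RED]


def stage3_ecosystem_exposure(records, vendor_matches):
    """Step 3: map each remaining CVE to the ecosystem vendors running it.
    A CVE matching no vendor has no blast radius here and is dropped."""
    exposure = {}
    for cve in records:
        vendors = sorted(v for v, cves in vendor_matches.items() if cve.cve_id in cves)
        if vendors:
            exposure[cve.cve_id] = vendors
    return exposure


def triage(feed, vendor_matches):
    """Step 4: split the High-Probability, High-Impact Zone into what needs vendor
    outreach today (KEV-confirmed) and what to watch (Code Red by EPSS, not yet in KEV)."""
    code_red = stage2_code_red(stage1_discoverable(feed))
    by_id = {c.cve_id: c for c in code_red}
    exposure = stage3_ecosystem_exposure(code_red, vendor_matches)
    # widest blast radius in my ecosystem first, then highest EPSS
    ranked = sorted(exposure.items(), key=lambda kv: (-len(kv[1]), -by_id[kv[0]].epss))
    return {
        "outreach_now": [kv for kv in ranked if by_id[kv[0]].in_kev],
        "watch": [kv for kv in ranked if not by_id[kv[0]].in_kev],
    }


def top_by_cvss(feed):
    """What a CVSS-first queue would lead with, for contrast with the funnel."""
    return max(feed, key=lambda c: c.cvss).cve_id


def long_tail_share(vendor_matches, top_n):
    """Fraction of company-to-CVE matches that fall outside the top_n most-matched CVEs."""
    counts = {}
    for cves in vendor_matches.values():
        for cve_id in cves:
            counts[cve_id] = counts.get(cve_id, 0) + 1
    total = sum(counts.values())
    head = sum(sorted(counts.values(), reverse=True)[:top_n])
    return (total - head) / total if total else 0.0


if __name__ == "__main__":
    result = triage(SAMPLE_FEED, SAMPLE_VENDOR_MATCHES)
    print("outreach now:", result["outreach_now"])
    print("watch list:  ", result["watch"])
    print("CVSS-first queue would have led with:", top_by_cvss(SAMPLE_FEED))
    print(f"share of matches outside the top 1 CVE: {long_tail_share(SAMPLE_VENDOR_MATCHES, 1):.0%}")
```

On the constructed feed, the CVSS 9.8 record never reaches outreach because it is not externally discoverable, while the CVSS 7.5 record that is exposed, KEV-listed and present at three vendors lands at the top of the queue. The EPSS 0.85 record drops out at step 3: it is a real threat globally, but no vendor in this ecosystem runs it, so it generates no outreach.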

Ransomware, APTs, and AI-Enabled Attackers Targeting Supply Chains in 2025
Understanding the prioritization framework requires understanding who is applying pressure on the other side. The Black Kite Research Group™ mapped global threat actor monitoring data against vendor exposure to identify the specific groups executing supply chain attacks and the precise components they target for initial access.
Ransomware Cartels Hit 2,280+ Victims Across 89 Countries in 2025
Ransomware groups do not attack organizations one by one. They compromise the shared software and infrastructure the world relies on, then achieve horizontal scale instantly. Qilin targeted 1,066 victims across 89 countries in 2025. Clop targeted 522 victims across 52 countries. Akira targeted 692 victims across 55 countries. These numbers confirm what the vulnerability data shows: single attack campaigns achieve massive global reach by exploiting ubiquitous third-party software. An interconnected vendor ecosystem without continuous monitoring is the architecture ransomware cartels are built to exploit.
Volt Typhoon Generated the Highest Exposure Score in Black Kite's 2025 Dataset
Advanced Persistent Threat (APT) actors operate with different objectives than ransomware groups. APT29 targeted organizations across 49 countries. APT41 targeted organizations across 37 countries. Volt Typhoon, targeting organizations across only 13 countries, generated the highest overall exposure score in Black Kite's entire dataset by establishing long-term, deep vertical persistence within critical infrastructure and edge devices.
The threat intelligence gap is severe: only 24 of the 245 CISA KEV additions in 2025 carried a "Known" value in the catalog's Known Ransomware Campaign Use field. The remaining 221 are marked "Unknown", which means ransomware use has not been confirmed, not that the exploitation itself is unattributed. Severe cyber risk intelligence gaps persist even as active exploitation scales globally.
AI Coding Tools Logged Their First High-Severity CVEs in 2025
The most operationally significant shift in the 2025 threat landscape is the entry of AI tools into the exploited vulnerability catalog. EchoLeak (CVE-2025-32711) enabled zero-click data exfiltration from Microsoft 365 Copilot via prompt injection carried in attacker-controlled content that Copilot ingested (CVSS 9.3). CurXecute (CVE-2025-54135) allowed remote code execution over the Model Context Protocol in Cursor IDE (CVSS 8.6).
In 2025, 87% of organizations experienced at least one AI-driven cyberattack, with 82.6% of phishing campaigns utilizing AI. Internet scans revealed over 3,000 publicly accessible and vulnerable AI components currently online. Shadow AI, the unauthorized adoption of generative AI by vendors without formal security review, creates hidden data flows that legacy vendor compliance questionnaires will never surface. The Black Kite Global Adaptive AI Assessment Framework™ (BK-GA³™) provides the open standard methodology for assessing this exposure systematically.
How TPCRM Leaders Should Respond in 2026
The data from 2025 makes the direction clear. Traditional, reactive vulnerability management is no longer viable. These are the four actions that separate programs that will contain supply chain risk in 2026 from those that will absorb it.
Replace CVSS Triage With a Three-Part Filter: Discoverability, Exploitability, and Vendor Exposure
Stop processing every CVE through a static severity score. TPCRM programs must adopt dynamic EPSS predictions and CISA KEV data as the primary triage mechanism, replacing CVSS as the default sorting layer. The 58 "Code Red" vulnerabilities identified in this report all share three properties: OSINT discoverability, EPSS above 60%, and confirmed or near-confirmed exploitation. Programs that apply this filter to their incoming vulnerability feeds can dramatically reduce alert volume while increasing the accuracy of vendor outreach. The vendor risk response workflow should trigger on confirmed, imminent threats, not on theoretical severity ratings.
Add Mandatory AI Supply Chain Questions to Every Vendor Assessment
The AI attack surface is real, trackable, and growing faster than most vendor assessment programs have adapted. Immediately require third parties to disclose their generative AI usage, document security controls for agentic AI systems with code execution capabilities, and define their AI-specific vulnerability monitoring practices.
Passive disclosure requests are insufficient: organizations must utilize OSINT to continuously monitor the external attack surface for AI-specific footprints, detecting visible generative AI adoption, exposed Model Context Protocol (MCP) servers, and self-hosted Large Language Model (LLM) instances operating outside traditional security boundaries. The Black Kite AI platform surfaces this evidence automatically, providing the detection baseline before a vendor discloses anything.
Replace Questionnaires with Evidence-Based Vendor Outreach
Mass questionnaires yield approximately 30% response rates, lose intelligence in vendor management inboxes, and produce delayed mitigation. Intelligence-driven outreach, providing vendors with specific CVEs, affected assets, KEV status, and proof-of-concept availability, targets response rates above 70% and compresses remediation timelines to under 30 days for Critical CVEs.
The Bridge™ vendor engagement workflow automates this process: FocusTag® detection triggers ecosystem filtering, structured evidence routes directly to vendor SOC teams, and remediation progress is tracked in real time. The mechanism is collaboration, not interrogation. Vendors remediate faster when they receive specific guidance rather than generic inquiries.
Build Continuous Visibility Across the Full Long Tail of Vendors
Periodic assessments cannot defend against a negative-seven-day exploitation window. The architecture required is always-on: continuous, automated visibility across the full fragmented vendor ecosystem, including the Long Tail of niche vendors, industrial control systems, and mid-market software publishers that represent 36.7% of OSINT-discoverable risk.
Programs that monitor only named enterprise vendors are leaving the majority of their supply chain exposure untracked. Vendor risk monitoring must scale to the actual footprint of the ecosystem, not the list of vendors prominent enough to appear in security briefings. The financial impact of a single undetected supply chain compromise, measured against the cost of broad continuous monitoring, makes the investment calculus straightforward.
How Black Kite Built the 2026 Supply Chain Vulnerability Report
1,240 High-Priority CVEs Manually Analyzed in 2025
The findings in this report are built on manual analysis of 1,240 high-priority CVEs by the Black Kite Research Group™, a 59% increase from the 780 CVEs analyzed in the prior reporting period. Automated scanners track raw disclosure volume; this report goes further. The bar for high-priority designation is intentionally strict. Theoretical severity alone does not qualify a vulnerability.
The Black Kite Research Group™ requires evidence of real-world exploitability, confirmation that the affected product is present within enterprise supply chains at meaningful scale, and demonstrated interest from active threat actors. CVEs that are purely internal in scope, lack practical exploitation paths, or affect hardware too obscure to register in enterprise vendor ecosystems are excluded from the dataset entirely.
Validated Across NVD, CISA KEV, EPSS, and Mandiant Data
The National Vulnerability Database (NVD) provides baseline CVE publication data and CVSS metrics. The CISA Known Exploited Vulnerabilities catalog confirms active, real-world exploitation. The Exploit Prediction Scoring System (EPSS) provides probabilistic exploitation likelihood within 30-day windows.
Black Kite proprietary data contributes internal scanning telemetry, OSINT collection, and company-to-CVE mapping across 250,000 continuously monitored organizations. External validation draws from Trend Micro's Fault Lines in the AI Ecosystem report, the Mandiant M-Trends 2026 report, and Google Threat Intelligence data on AI vulnerability volumes and zero-day exploitation timelines.
Every FocusTag® Requires OSINT Discoverability and Exploitability Evidence
FocusTags® are not assigned at volume. Each tag is applied only when a vulnerability meets strict discoverability and exploitability thresholds, specifically designed to reduce alert fatigue and ensure that every signal reaching a TPCRM team corresponds to a confirmed, actionable threat. The OSINT Discoverability Requirement demands that a vulnerability be identifiable on external-facing assets using OSINT tools.
Exploitability Indicators require dynamic evidence: public Proof-of-Concept availability, observed threat actor exploitation, KEV catalog inclusion, or surging mentions within underground and security communities. Each FocusTag® carries a transparent Confidence Level (Very High, High, or Medium) calibrated across three dimensions: version depth, configuration dependency, and access requirement.
Continuous Monitoring Across 250,000 Organizations
The vendor susceptibility analysis underlying this report draws from Black Kite's continuous monitoring of over 250,000 organizations. Company-to-CVE matching maps each high-priority vulnerability against the specific vendors running affected systems, producing blast radius data that transforms a global CVE list into an ecosystem-specific risk profile. This is the operational intelligence layer that answers the question raw vulnerability databases cannot: which of these critical flaws are running inside vendors in your supply chain right now.
Previous Editions
- 2025 Supply Chain Vulnerability Report — Black Kite's inaugural annual supply chain vulnerability analysis
Related Resources
- 2025 Ransomware Report — Annual analysis of ransomware groups, victim patterns, and susceptibility data across the global vendor ecosystem
- Black Kite Global Adaptive AI Assessment Framework™ (BK-GA³™) — The open standard for assessing vendor AI risk exposure across your third-party ecosystem
- 2026 Wholesale & Retail Cyber Exposure Report — Sector-specific supply chain vulnerability and ransomware exposure analysis for retail and wholesale organizations
- 2025 Financial Services Cyber Risk Report — Third-party cyber risk findings specific to financial services vendors and counterparties
- 2025 Healthcare Ransomware Vendor Report — Vendor-side ransomware susceptibility and supply chain risk data for healthcare organizations
