Black Kite says 58 CVEs pose critical supply threat

Sat, 23rd May 2026
Sean Mitchell, Publisher

Black Kite has published research finding that 58 vulnerabilities posed a critical supply chain threat out of more than 48,000 CVEs disclosed in 2025. The study suggests a much narrower set of risks than headline vulnerability volumes imply.

Researchers manually reviewed 1,240 high-priority CVEs from 2025 to assess whether they were discoverable, exploitable and relevant to enterprise suppliers. That process identified 329 FocusTags, which Black Kite describes as asset-level threat signals linking a vulnerability to a specific vendor's confirmed exposure, and narrowed the highest-priority group to 58 vulnerabilities judged most likely to affect supply chains.

The findings reflect a broader shift in third-party cyber risk management. Security teams face a growing volume of disclosed flaws, but only a small share present immediate and material risk through suppliers. The report argues that the challenge is moving from broad monitoring to faster identification of the few issues that can spread across vendor ecosystems.

One factor behind that shift is the speed of exploitation. Black Kite cited Mandiant data showing that attackers exploited vulnerabilities an average of seven days before public disclosure in 2025. That suggests many organisations are already behind if they rely only on public catalogues and post-disclosure patching cycles.

AI pressure

The report says artificial intelligence is changing both the number of reported vulnerabilities and the speed at which attackers and defenders act on them. It found that 2,130 AI-related vulnerabilities were reported in 2026, more than 200% higher than in 2023.

Black Kite argues that AI tools are also widening the gap between larger organisations with automated security operations and smaller suppliers with fewer resources. Large enterprises using AI-based vulnerability scanning reduced detection timelines to an average of 14 days and remediation cycles to 21 days. Mid-market vendors, smaller software providers and open-source maintainers averaged 197 days for detection and 60 days for remediation.

That disparity matters for supply chains because attackers may increasingly target weaker links rather than heavily defended large enterprises. As bigger companies improve internal defences, more of the risk is likely to shift to smaller and less mature suppliers that still sit within the same commercial networks.

"As AI accelerates both defense and exploitation, we expect risk to become even more concentrated, particularly among mid-market vendors and open-source maintainers that may not have the resources to invest in advanced, AI-driven security capabilities. In the near future, these smaller suppliers are likely to account for a growing share of exploited vulnerabilities, raising the stakes for the entire ecosystem as enterprises increasingly rely on these shared vendors," said Ferhat Dikbiyik, chief research and intelligence officer at Black Kite.

Concentrated risk

The report's core argument is that raw CVE counts can distort how security leaders assess supplier exposure. More than 48,000 CVEs were published in 2025, an 18% annual increase, but only a small subset were both exploitable in practice and materially relevant to third-party risk, according to Black Kite.

Its methodology filtered out vulnerabilities considered theoretical, internal-only or confined to obscure hardware with little presence in enterprise supply chains. Researchers instead focused on flaws that combined real-world exploitability, active threat actor interest and exposure in products commonly used by vendors.

The approach is meant to address a persistent problem for chief information security officers and vendor risk teams: deciding which software flaws at suppliers require urgent intervention. In modern third-party cyber risk management, the report argues, timing matters more than volume because security teams have limited windows to respond once attackers begin active exploitation.

The report also highlighted the limits of relying on the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue as a primary source for action. Organisations using the KEV alone may be responding to threats that are already under attack in the wild, Black Kite said.

According to the study, Black Kite applied a FocusTag for 95.2% of open-source intelligence-discoverable vulnerabilities before they were added to the KEV list or within 24 hours of their addition. It said that gave customers earlier warning that a supplier had confirmed exposure to a specific flaw.
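The two ideas in the passages above, a filter that discards theoretical, internal-only or obscure-hardware flaws and keeps only those with real-world exploitability and confirmed vendor exposure, and a timing metric that scores how often a vendor-linked tag lands before (or within 24 hours of) a KEV listing, can be sketched in code. The example below is an added illustration, not Black Kite's own tooling or scoring model; the CVE identifiers, product names, vendor names and timestamps are constructed sample data, and the field names on the records are assumptions about what such a pipeline would track.

```python
"""Illustrative supply-chain CVE triage and KEV lead-time metric.

Added example: not Black Kite's code. The data structures, filter rules
and sample records are constructed to show the shape of the approach the
report describes, not to reproduce its methodology.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    exploited_in_wild: bool       # real-world exploitation observed
    threat_actor_interest: bool   # weaponised PoC or actor chatter (assumed signal)
    internal_only: bool           # reachable only from inside / post-auth
    obscure_hardware: bool        # product with little enterprise-supplier presence
    products: frozenset           # product identifiers the CVE affects


@dataclass(frozen=True)
class VendorExposure:
    vendor: str
    products: frozenset           # products the vendor is confirmed to run


def passes_filter(cve: CveRecord) -> bool:
    """Stage 1: drop theoretical, internal-only or obscure-hardware flaws;
    keep those with observed exploitation or active threat-actor interest."""
    if cve.internal_only or cve.obscure_hardware:
        return False
    return cve.exploited_in_wild or cve.threat_actor_interest


def focus_tags(cves, exposures):
    """Stage 2: link each surviving CVE to every vendor with confirmed
    exposure to one of its affected products (the asset-level signal)."""
    tags = []
    for cve in cves:
        if not passes_filter(cve):
            continue
        for exp in exposures:
            if cve.products & exp.products:
                tags.append((cve.cve_id, exp.vendor))
    return tags


def supply_chain_priority(cves, exposures):
    """Stage 3: the narrow set of CVEs that carry at least one vendor tag."""
    return sorted({cve_id for cve_id, _ in focus_tags(cves, exposures)})


def early_warning_rate(tag_times, kev_times, window=timedelta(hours=24)):
    """Share of KEV-listed CVEs that were tagged before their KEV addition
    or within `window` after it. Returns 0.0 when nothing overlaps."""
    listed = [c for c in kev_times if c in tag_times]
    if not listed:
        return 0.0
    early = sum(1 for c in listed if tag_times[c] <= kev_times[c] + window)
    return early / len(listed)


# Constructed sample data: CVE ids, products and vendors are placeholders.
SAMPLE_CVES = [
    CveRecord("CVE-2025-00001", True, True, False, False, frozenset({"vpn-gateway"})),
    CveRecord("CVE-2025-00002", False, True, False, False, frozenset({"ci-runner"})),
    CveRecord("CVE-2025-00003", True, False, True, False, frozenset({"vpn-gateway"})),  # internal-only
    CveRecord("CVE-2025-00004", False, False, False, False, frozenset({"ci-runner"})),  # theoretical
    CveRecord("CVE-2025-00005", True, True, False, True, frozenset({"plc-module"})),    # obscure hardware
    CveRecord("CVE-2025-00006", True, True, False, False, frozenset({"legacy-erp"})),   # no exposed vendor
]
SAMPLE_EXPOSURES = [
    VendorExposure("vendor-a", frozenset({"vpn-gateway", "ci-runner"})),
    VendorExposure("vendor-b", frozenset({"ci-runner"})),
    VendorExposure("vendor-c", frozenset({"plc-module"})),
]

T0 = datetime(2025, 6, 1, 12, 0)  # constructed KEV addition time
SAMPLE_TAG_TIMES = {
    "CVE-2025-00001": T0 - timedelta(days=2),    # tagged before KEV listing
    "CVE-2025-00002": T0 + timedelta(hours=6),   # within 24 hours after
    "CVE-2025-00006": T0 + timedelta(days=3),    # late
}
SAMPLE_KEV_TIMES = {c: T0 for c in SAMPLE_TAG_TIMES}

if __name__ == "__main__":
    print("FocusTags:", focus_tags(SAMPLE_CVES, SAMPLE_EXPOSURES))
    print("Priority CVEs:", supply_chain_priority(SAMPLE_CVES, SAMPLE_EXPOSURES))
    print("Early-warning rate:", early_warning_rate(SAMPLE_TAG_TIMES, SAMPLE_KEV_TIMES))
```

On the constructed input, six disclosed CVEs collapse to two that matter for the sampled vendor population: the internal-only, theoretical and obscure-hardware flaws never reach the tagging stage, and the exploited flaw with no exposed vendor produces no tag. The early-warning rate counts a tag as "early" only when it precedes the KEV listing or arrives inside the 24-hour window, so a tag that lands three days late drags the score down even though the CVE was eventually covered.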

New targets

The report says AI coding assistants and agentic frameworks are emerging as direct attack vectors, with high-severity vulnerabilities rising in these systems. It also says prompt injection is gaining recognition as a weaponisable class of vulnerability and describes it as the "new RCE" for agentic systems.

Black Kite pointed to Anthropic's Project Glasswing as an example of how AI models can identify zero-day flaws at scale. If such techniques become more widely available, the report warns, the pace and volume of zero-day exploitation could outstrip reactive security programmes.

That leaves supplier risk managers under pressure to build processes that tie software flaws to named vendors and known exposure, rather than treating every published CVE as equally urgent. In Black Kite's analysis, the practical burden is not the total number of disclosures but the ability to isolate the few vulnerabilities that can move quickly through the supply chain.

Among the 1,240 high-priority CVEs examined by Black Kite's research team, only 58 met that threshold.