Black Kite Research Finds Just 58 CVEs Posed a Critical Supply Chain Threat – Out of More Than 48,000 Published

Black Kite today released its 2026 Supply Chain Vulnerability Report, revealing that of the 48,000+ CVEs published in 2025, only 58 represented a genuine, discoverable, and exploitable threat to enterprise supply chains.
This finding reinforces a critical shift in how organizations must approach cyber risk. The challenge is no longer just scale; it’s precision. Vulnerability volume continues to surge, driven by rapid AI adoption and advances in AI-powered vulnerability discovery. At the same time, exploit timelines are compressing, with attackers moving faster than ever, exploiting vulnerabilities an average of seven days before public disclosure, a window expected to shrink further as AI technologies accelerate scanning and exploitation capabilities.
Yet despite the surge in CVE volume, the number of vulnerabilities that pose meaningful risk remains remarkably small, making the ability to quickly identify and act on what truly matters more essential than ever to defending the supply chain.
AI Changed and Expanded the Attack Surface
AI adoption is reshaping the supply chain risk landscape, creating a widening gap between organizations with advanced security capabilities and those without.
Large enterprises that have adopted AI-powered vulnerability scanning have reduced detection timelines to an average of 14 days and remediation cycles to 21 days. In contrast, mid-market vendors, smaller software providers, and open-source maintainers, which often lack these advanced defenses, still average 197 days for detection and down from 60 days for remediation.
As enterprise perimeters harden through AI-driven security, threat actors are increasingly shifting their focus to these “Tier 2” suppliers, concentrating risk around the smaller vendors that enterprises depend on. For TPCRM programs, this means mid-market vendors now carry a significantly higher systemic threat profile.
Key findings from the report:
- AI is driving vulnerability growth: 2,130 AI-related vulnerabilities were reported in 2026, a more than 200% increase since 2023.
- Volume is rising, but risk remains concentrated: More than 48,000 CVEs were published in 2025 (an 18% increase year-over-year), yet just 58 posed a genuine supply chain threat.
- Exploitation timelines are compressing: According to Mandiant, attackers exploited vulnerabilities an average of seven days before public disclosure in 2025, a window expected to shrink further as AI accelerates exploitation capabilities. Anthropic’s 2026 Project Glasswing demonstrated that AI models can autonomously identify zero-day flaws at scale. This means the volume and velocity of zero-day exploitation may accelerate far beyond what any reactive program can absorb.
- AI is expanding the attack surface: AI coding assistants and agentic frameworks are emerging as actively targeted attack vectors, with high-severity CVEs on the rise. Prompt injection is also gaining recognition as a weaponizable vulnerability class, effectively acting as the “new RCE” (Remote Code Execution) for agentic systems.
- Risk is shifting to less mature vendors: As larger enterprises use AI to improve average time to detection and response, the share of exploited vulnerabilities targeting mid-market and smaller vendors is expected to rise significantly in the near future.
- Proactive prioritization is critical: In modern TPCRM, time is the ultimate metric. Organizations relying solely on the CISA KEV catalog are reacting to threats that may already be actively exploited.
The report, based on analysis of more than 1,240 manually reviewed high-priority CVEs published in 2025, details a five-stage prioritization framework that filters raw vulnerability data through discoverability, exploitability, and vendor exposure to surface only the threats that demand immediate action. In 2025, that process produced 329 FocusTags® (asset-level threat signals that link a global vulnerability directly to a specific vendor’s confirmed exposure), and identified just 58 highest-priority designations representing the vulnerabilities most likely to impact supply chains.
Black Kite applied a FocusTag® for 95.2% of OSINT-discoverable vulnerabilities before they were added to the KEV or within 24 hours of their addition, enabling customers to take a proactive approach to supply chain risk and mitigate threats before vulnerabilities are widely exploited.
Designed for TPCRM leaders, CISOs, security operations teams, and vendor risk managers, Black Kite’s report provides the definitive data and methodology for organizations seeking to secure their extended vendor ecosystem and transition from reactive patching to proactive risk mitigation. To download the report, visit https://blackkite.com/reports/2026-supply-chain-vulnerability-report.
Methodology
The findings within the 2026 Supply Chain Vulnerability Report are founded on a rigorous manual analysis process conducted by the Black Kite Research Group. While automated scanners track the raw volume of disclosures, raw CVSS data alone is insufficient for effective TPCRM. To extract actionable intelligence, Black Kite researchers manually analyzed 1,240 high-priority CVEs published in 2025. The criteria for designating a vulnerability as “high-priority” require the flaw to extend beyond theoretical severity. The Black Kite Research Group evaluates vulnerabilities based on real-world exploitability, the prevalence of the affected product within enterprise supply chains, and the active interest of threat actors. Vulnerabilities that are strictly internal, highly theoretical, or confined to obscure hardware are filtered out of this high-priority dataset.
This entry was posted on May 19, 2026 at 9:00 am and is filed under Commentary with tags Black Kite. You can follow any responses to this entry through the RSS 2.0 feed.