New annual report reveals how exploitation velocity is making vendor visibility and effective prioritization the defining challenge of modern third-party cyber risk management

BOSTON, May 19, 2026 /PRNewswire/ -- Black Kite, the leader in third-party cyber risk management, today released its 2026 Supply Chain Vulnerability Report, revealing that of the 48,000+ CVEs published in 2025, only 58 represented a genuine, discoverable, and exploitable threat to enterprise supply chains.

This finding reinforces a critical shift in how organizations must approach cyber risk. The challenge is no longer just scale; it's precision. Vulnerability volume continues to surge, driven by rapid AI adoption and advances in AI-powered vulnerability discovery. At the same time, exploit timelines are compressing, with attackers moving faster than ever, exploiting vulnerabilities an average of seven days before public disclosure, a window expected to shrink further as AI technologies accelerate scanning and exploitation capabilities.

Yet despite the surge in CVE volume, the number of vulnerabilities that pose meaningful risk remains remarkably small, making the ability to quickly identify and act on what truly matters more essential than ever to defending the supply chain.

"As AI accelerates both defense and exploitation, we expect risk to become even more concentrated, particularly among mid-market vendors and open-source maintainers that may not have the resources to invest in advanced, AI-driven security capabilities. In the near future, these smaller suppliers are likely to account for a growing share of exploited vulnerabilities, raising the stakes for the entire ecosystem as enterprises increasingly rely on these shared vendors," said Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite.

AI Changed and Expanded the Attack Surface

AI adoption is reshaping the supply chain risk landscape, creating a widening gap between organizations with advanced security capabilities and those without.

Large enterprises that have adopted AI-powered vulnerability scanning have reduced detection timelines to an average of 14 days and remediation cycles to 21 days. In contrast, mid-market vendors, smaller software providers, and open-source maintainers that often lack these advanced defenses, still average 197 days for detection and 60 days for remediation.

As enterprise perimeters harden through AI-driven security, threat actors are increasingly shifting their focus to these "Tier 2" suppliers, driving risk to concentrate around the smaller vendors that enterprises depend on. For TPCRM programs, this means mid-market vendors now carry a significantly higher systemic threat profile.

Key findings from the report:

• AI is driving vulnerability growth: 2,130 AI-related vulnerabilities were reported in 2025, a more than 200% increase since 2023.
• Volume is rising, but risk remains concentrated: More than 48,000 CVEs were published in 2025 (an 18% increase year-over-year), yet just 58 posed a genuine supply chain threat.
• Exploitation timelines are compressing: According to Mandiant, attackers exploited vulnerabilities an average of seven days before public disclosure in 2025, a window expected to shrink further as AI accelerates exploitation capabilities. Anthropic's 2026 Project Glasswing demonstrated that AI models can autonomously identify zero-day flaws at scale. This means the volume and velocity of zero-day exploitation may accelerate far beyond what any reactive program can absorb.
• AI is expanding the attack surface: AI coding assistants and agentic frameworks are emerging as actively targeted attack vectors, with high-severity CVEs on the rise. Prompt injection is also gaining recognition as a weaponizable vulnerability class, effectively acting as the "new RCE" (Remote Code Execution) for agentic systems.
• Risk is shifting downstream: As larger enterprises improve average time to detection and response with AI, the share of exploited vulnerabilities targeting mid-market and smaller vendors are expected to rise significantly in the near future.
• Proactive prioritization is critical: In modern TPCRM, time is the ultimate metric. Organizations relying solely on the CISA KEV catalog are reacting to threats that may already be actively exploited.

The report, based on analysis of more than 1,240 manually reviewed high-priority CVEs published in 2025, details a five-stage prioritization framework that filters raw vulnerability data through discoverability, exploitability, and vendor exposure to surface only the threats that demand immediate action. In 2025, that process produced 329 FocusTags^® (asset-level threat signals that link a global vulnerability directly to a specific vendor's confirmed exposure), and identified just 58 highest-priority designations representing the vulnerabilities most likely to impact supply chains.

Black Kite applied a FocusTag^® for 95.2% of OSINT-discoverable vulnerabilities before they were added to the KEV or within 24 hours of their addition, enabling customers to take a proactive approach to supply chain risk and mitigate threats before vulnerabilities are widely exploited.

Designed for TPCRM leaders, CISOs, security operations teams, and vendor risk managers, Black Kite's report provides the definitive data and methodology for organizations seeking to secure their extended vendor ecosystem and transition from reactive patching to proactive risk mitigation. To download the report, visit https://blackkite.com/reports/2026-supply-chain-vulnerability-report.

Methodology
The findings within the 2026 Supply Chain Vulnerability Report are founded on a rigorous manual analysis process conducted by the Black Kite Research Group. While automated scanners track the raw volume of disclosures, raw CVSS data alone is insufficient for effective TPCRM. To extract actionable intelligence, Black Kite researchers manually analyzed 1,240 high-priority CVEs published in 2025. The criteria for designating a vulnerability as "high-priority" requires the flaw to extend beyond theoretical severity. The Black Kite Research Group evaluates vulnerabilities based on real-world exploitability, the prevalence of the affected product within enterprise supply chains, and the active interest of threat actors. Vulnerabilities that are strictly internal, highly theoretical, or confined to obscure hardware are filtered out of this high-priority dataset.

About Black Kite
Black Kite is the AI-native third-party cyber risk management platform trusted by over 3,000 customers to manage every supplier and every risk across their extended ecosystem. Powered by the industry's highest-quality risk intelligence, spanning over 40 million companies, Black Kite is differentiated by the accuracy, transparency, and actionability of its data. The platform automates vendor monitoring and risk assessments, surfacing reliable insights into ransomware susceptibility, regulatory gaps, financial exposure, and more. With Black Kite, security and risk teams gain always-on visibility and trusted intelligence to act early, reduce exposure, and stay ahead of third-party threats. Black Kite has received numerous industry awards and recognition from customers. Learn more at www.blackkite.com, or on the Black Kite blog.

Media Contact:
Michelle Kearney
Hi-Touch PR
443-857-9468
kearney@hi-touchpr.com

View original content to download multimedia:https://www.prnewswire.com/news-releases/black-kite-research-finds-just-58-cves-posed-a-critical-supply-chain-threat---out-of-more-than-48-000-published-302775231.html

SOURCE Black Kite