
New vulnerabilities are discovered faster than they can be exploited, while visibility into them remains limited. Business interconnectivity increases supply chain risk because an organization can be targeted through a third party without any fault of its own. In 2025, more than 48,000 CVEs were published, and the time to exploitation is effectively negative: exploitation can occur before a patch is released. Only 58 CVEs are identified as genuinely discoverable and exploitable in enterprise supply chains. Because exploitation outpaces patching, security cannot rely on patching CVEs alone; reducing risk requires visibility into which vulnerabilities matter most. A method using EPSS scores, KEV inclusion, and third-party relevance narrowed 1,024 high-priority CVEs to the 58 that attackers can find via OSINT.
"velocity without visibility is the new supply chain crisis"
"The mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released."
"The approach taken by Black Kite was to select a subset of high priority CVEs (amounting to 1,024) based on their EPSS scores, KEV inclusion, and third-party relevance. From these, however, only 58 CVEs were easily discoverable to attackers through OSINT and were therefore the most critical."
Read at SecurityWeek