Supply Chain Security Crisis: 48,000 Vulnerabilities Discovered in 2025, Visibility Lags
New vulnerabilities are emerging at an alarming rate, with the time-to-exploitation shrinking significantly. This situation has raised serious concerns about the visibility organizations have into these vulnerabilities, particularly within the context of supply chain security.
The interconnected nature of modern business systems has made supply chain threats a critical cybersecurity issue. Many organizations remain unaware of their position within the supply chain, leaving them vulnerable to attacks that occur without any direct fault on their part.
The 2026 Supply Chain Vulnerability Report
The 2026 supply chain vulnerability report from Black Kite asserts that “velocity without visibility is the new supply chain crisis.” The report outlines three key findings:
- Over 48,000 Common Vulnerabilities and Exposures (CVEs) were published in 2025.
- The time to exploitation has dropped to a negative figure.
- Only 58 of these CVEs pose a genuine, discoverable, and exploitable threat to enterprise supply chains.
The first finding is a documented fact, while the second has been corroborated by both Black Kite and Mandiant, which noted in its M-Trends 2026 report that “the mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released.”
These findings illustrate that organizations cannot rely solely on patching CVEs to maintain security, highlighting Black Kite’s concern regarding the velocity of vulnerabilities.
The Need for Visibility
The third takeaway emphasizes the necessity for improved visibility into vulnerabilities to manage their numbers effectively. Black Kite’s methodology involved selecting a subset of high-priority CVEs, totaling 1,024, based on their Exploit Prediction Scoring System (EPSS) scores, Known Exploited Vulnerabilities (KEV) inclusion, and third-party relevance. However, only 58 of these CVEs were easily discoverable by attackers through Open Source Intelligence (OSINT), marking them as the most critical vulnerabilities. Identifying these key vulnerabilities is essential for managing the velocity of threats.
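The two-stage narrowing described above (a high-priority shortlist built from EPSS, KEV inclusion and third-party relevance, then a further cut to what an outsider could actually discover) can be expressed as a small triage filter. The following is an added example written for this page, not Black Kite's methodology or code; the CVE identifiers, scores, vendor inventory and externally visible footprint are all constructed placeholders, and the EPSS threshold is an assumed value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CveRecord:
    cve_id: str            # placeholder identifier, not a real CVE
    epss: float            # EPSS probability of exploitation, 0.0..1.0
    in_kev: bool           # listed in a known-exploited-vulnerabilities catalog
    affected: frozenset    # product/version strings the CVE applies to

# Constructed sample CVEs (placeholder IDs and scores).
SAMPLE_CVES = [
    CveRecord("CVE-XXXX-0001", 0.92, True,  frozenset({"web-gateway 3.1"})),
    CveRecord("CVE-XXXX-0002", 0.05, False, frozenset({"web-gateway 3.1"})),
    CveRecord("CVE-XXXX-0003", 0.40, False, frozenset({"internal-erp 9"})),
    CveRecord("CVE-XXXX-0004", 0.70, True,  frozenset({"unused-db 5"})),
    CveRecord("CVE-XXXX-0005", 0.02, True,  frozenset({"vpn-appliance 7.2"})),
]

# Constructed inventory: products supplied by third parties that the
# organisation actually runs (this is the "third-party relevance" input).
THIRD_PARTY_PRODUCTS = frozenset({"web-gateway 3.1", "internal-erp 9", "vpn-appliance 7.2"})

# Constructed external footprint: what an outside observer could learn from
# OSINT (banners, certificates, public version disclosures) without access.
EXTERNALLY_VISIBLE = frozenset({"web-gateway 3.1", "vpn-appliance 7.2"})


def high_priority(cves, used_products, epss_threshold=0.1):
    """Stage one: keep CVEs that are likely to be exploited (EPSS above the
    assumed threshold or already in a KEV catalog) AND that touch a product the
    organisation obtains from a third party."""
    return [
        c for c in cves
        if (c.epss >= epss_threshold or c.in_kev)
        and c.affected & used_products
    ]


def osint_discoverable(cves, visible_products):
    """Stage two: of the shortlist, keep only CVEs whose affected product is
    observable from outside, i.e. an attacker could find the exposure by OSINT
    rather than needing inside knowledge."""
    return [c for c in cves if c.affected & visible_products]


def triage(cves=SAMPLE_CVES, used=THIRD_PARTY_PRODUCTS, visible=EXTERNALLY_VISIBLE):
    """Return (shortlist_ids, discoverable_ids) so the funnel is visible."""
    shortlist = high_priority(cves, used)
    critical = osint_discoverable(shortlist, visible)
    return ([c.cve_id for c in shortlist], [c.cve_id for c in critical])


if __name__ == "__main__":
    shortlist, critical = triage()
    print("high-priority shortlist:", shortlist)
    print("OSINT-discoverable (act first):", critical)
```

The point of separating the two stages is that the second list is the one worth arguing about: a CVE with a high EPSS score on a product nobody outside can see is still a patching task, but it is not a supply chain emergency in the way an internet-visible one is.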
Future Implications and the Role of AI
While the challenges of velocity and visibility were evident in 2025, they are expected to worsen. AI is both a direct and an indirect factor in this escalation. Frontier AI models are anticipated to identify more vulnerabilities in 2026 than in previous years. Additionally, the rapid production of quickly coded, AI-assisted applications is increasing the volume of software shipped with inherent weaknesses, and the higher frequency of AI-driven software updates may also introduce vulnerabilities, some planted maliciously, that can be exploited later.
Jeffrey Wheatman, Senior Vice President and Cyber Risk Strategist at Black Kite, notes that the growth of agentic systems is leading to additional exposures. These tools often have authorization, authentication, and access, complicating visibility for IT and security departments. Such systems can be hidden within downloaded web applications or introduced through shadow AI.
The number of vulnerabilities is expected to continue rising, with the time to exploitation shrinking. Wheatman acknowledges that while the numbers are increasing, much of this may be considered “background noise.” For instance, amidst the discussions surrounding vulnerabilities identified by Mythos, attention was drawn to a 27-year-old bug in OpenBSD. However, its practical exploitability remains limited.
The Challenge of Autonomous Defensive AI
Wheatman expresses optimism that defensive AI could play a role in addressing these challenges. However, the increasing velocity of threats raises concerns about the reliance on fully autonomous defensive AI. The decision-making process in cybersecurity often requires human oversight, particularly in high-stakes environments. For example, a bank may hesitate to disable automated updates for its trading system due to the potential financial repercussions, while it might be more willing to do so for less critical systems.
The CrowdStrike incident serves as a cautionary tale: a faulty configuration update to the Falcon Sensor, pushed automatically to Windows systems, caused approximately 8.5 million systems to crash. The incident prompted discussion of the risks of automated updates versus the necessity of keeping signatures and definitions current.
The Visibility Gap and the Role of SBOMs
A significant issue remains the lack of visibility into the software being utilized. Software Bill of Materials (SBOMs) are intended to provide insights into vulnerabilities but often fall short in terms of completeness and accuracy. Wheatman mentions the emerging concept of AI SBOMs, which could offer a more comprehensive view of vulnerabilities, although they are still in development.
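The completeness and accuracy problem with SBOMs is concrete enough to check mechanically: a component listed without a version or package URL cannot be matched against any advisory, so the SBOM gives false comfort for exactly that entry. The following is an added example for this page, not code from Black Kite or any SBOM tool; it reads a minimal CycloneDX-style JSON document constructed inline and matches it against a constructed advisory table with placeholder advisory identifiers.

```python
import json

# Constructed CycloneDX-style SBOM. "lib-b" lacks a version and "lib-c" lacks
# a purl, which are the kinds of gaps that make real SBOMs unreliable.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.2.0",
         "purl": "pkg:generic/lib-a@1.2.0"},
        {"type": "library", "name": "lib-b",
         "purl": "pkg:generic/lib-b"},
        {"type": "library", "name": "lib-c", "version": "3.0"},
        {"type": "library", "name": "lib-d", "version": "2.5",
         "purl": "pkg:generic/lib-d@2.5"},
    ],
})

# Constructed advisory table keyed by (name, version); IDs are placeholders.
SAMPLE_ADVISORIES = {
    ("lib-a", "1.2.0"): "ADV-PLACEHOLDER-1",
    ("lib-b", "0.9"):   "ADV-PLACEHOLDER-2",
}

REQUIRED_FIELDS = ("name", "version", "purl")


def audit_sbom(sbom_json, advisories):
    """Classify each component as affected, clean, or unevaluable.

    Returns a dict with:
      incomplete  - component names missing any of name/version/purl
      affected    - (name, version, advisory_id) for known-vulnerable entries
      unevaluable - names that appear in the advisory table but whose SBOM
                    entry has no version, so the match cannot be decided
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")

    incomplete, affected, unevaluable = [], [], []
    advisory_names = {name for name, _ in advisories}

    for comp in sbom.get("components", []):
        name = comp.get("name")
        version = comp.get("version")
        if any(not comp.get(f) for f in REQUIRED_FIELDS):
            incomplete.append(name)
        if version is None:
            # No version means no match is possible either way.
            if name in advisory_names:
                unevaluable.append(name)
            continue
        adv = advisories.get((name, version))
        if adv:
            affected.append((name, version, adv))

    return {"incomplete": incomplete, "affected": affected, "unevaluable": unevaluable}


if __name__ == "__main__":
    for key, value in audit_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES).items():
        print(f"{key}: {value}")
```

The "unevaluable" bucket is the operationally important one: an SBOM that silently reports no findings for a component it cannot identify is worse than one that says so, because the visibility gap is then invisible too.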
Ultimately, the core issue remains: velocity without visibility constitutes a new supply chain crisis. Gaining visibility into critical vulnerabilities is essential for organizations to effectively manage their cybersecurity posture.
For further insights into the evolving landscape of cybersecurity, including the latest developments and threat intelligence, visit SecurityWeek.