Challenges
The Challenge of Vulnerability Management in the Supply Chain
OVERVIEW
Modern businesses are deeply interconnected, relying on hundreds or even thousands of vendors, cloud services, and third-party software. While this interconnectivity boosts efficiency and scalability, it also expands the attack surface. A vulnerability in one supplier’s software can quickly cascade across multiple organizations, making third-party risk management (TPRM) one of the most difficult cybersecurity challenges today.
This complexity is amplified by the sheer volume of vulnerabilities disclosed each year:
were published in 2024 alone.
year-over-year increase.
This leaves security teams and risk managers with an overwhelming problem:
✔ Which vulnerabilities actually pose a risk to my organization?
✔ Which ones could impact my vendors and third parties?
✔ How do I know what to prioritize?
Why Traditional Vulnerability Management Falls Short in TPRM
Security teams often rely on Common Vulnerability Scoring System (CVSS) scores to assess risk. However, CVSS was never designed to be a prioritization tool—it measures the theoretical severity of a vulnerability, not whether it is actively exploited or likely to be weaponized.
Even if we focus only on high-severity vulnerabilities (CVSS 7.0+), we are still looking at over 20,000 CVEs in 2024 alone. Narrowing further to CVSS 9.0+ vulnerabilities, there are 4,400 CVEs to assess. That’s far too many for any security team to address effectively—let alone track across their entire vendor ecosystem.
Making matters worse:
- Most exploited vulnerabilities don’t have the highest CVSS scores—many fall in the medium or low range, slipping past traditional risk assessments.
- Attackers don’t care about theoretical severity—they exploit vulnerabilities that are:
  - easy to find
  - easy to weaponize
  - and widely used.
- Many vulnerabilities remain unpatched for months or years—especially across third-party vendors, where patching cycles vary widely.
This is why traditional approaches to vulnerability management don’t work in TPRM. Organizations need a different strategy—one that considers exploitability, vendor exposure, and supply chain risk.
The Supply Chain Problem
Risk Beyond Your Perimeter
Unlike internal IT security, where organizations control their own patching and defenses, third-party risk management introduces an entirely new challenge: lack of direct control.
- Hundreds or thousands of vendors use diverse, often outdated technology stacks.
- A single vendor compromise can affect multiple downstream organizations.
- Attackers specifically target third parties because they know organizations struggle to monitor supply chain vulnerabilities.
In 2024, this reality became painfully clear with vulnerabilities in widely used enterprise software like Ivanti Connect Secure and Cleo, which enabled large-scale data breaches across multiple industries.
Organizations don’t just need to track which vulnerabilities exist—they need to know which ones could impact their vendors, partners, and customers.
Narrowing the Scope From Thousands of CVEs to Dozens That Matter
If tens of thousands of vulnerabilities are disclosed each year, but only a handful truly lead to real-world attacks, the key question becomes:
How do we go from thousands of vulnerabilities to the ones that truly matter?
The answer lies in rethinking vulnerability prioritization.
✔ Instead of just looking at CVSS scores, organizations need to consider:
- Is this vulnerability actively exploited?
- How easy is it for attackers to find exposed systems?
- How many vendors in my supply chain are impacted?
- Does this vulnerability exist in widely used software?
✔ By shifting focus to exploitability, discoverability, and vendor exposure, organizations can move from:
- 40,000+ CVEs → 4,400 high-severity CVEs (CVSS 9.0+)
- 4,400 high-severity CVEs → 780 high-priority vulnerabilities analyzed by Black Kite
- 780 high-priority vulnerabilities → 295 OSINT-discoverable vulnerabilities attackers can easily find
- 295 OSINT-discoverable vulnerabilities → A handful that have the highest probability and impact on third parties
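The funnel above can be expressed as a small triage routine. The following is an added illustration, not Black Kite's own scoring logic: it takes a constructed CVE feed (placeholder ids, not real CVE numbers) and a constructed vendor inventory, keeps critical-severity CVEs but also keeps known-exploited ones regardless of CVSS (so the exploited medium-severity issues described earlier are not dropped), discards CVEs that affect no vendor in the supply chain, and ranks the rest by exploitation, OSINT discoverability and vendor exposure rather than by CVSS alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float
    exploited: bool       # confirmed exploited in the wild (KEV-style signal)
    discoverable: bool    # vulnerable instances findable via OSINT / internet scanning
    products: frozenset   # affected products


# Constructed vendor inventory: vendor name -> products that vendor exposes.
VENDOR_STACK = {
    "vendor-a": {"vpn-appliance", "file-transfer"},
    "vendor-b": {"file-transfer"},
    "vendor-c": {"erp-suite"},
    "vendor-d": {"vpn-appliance"},
}

# Constructed sample feed with placeholder ids (not real CVE numbers).
SAMPLE_CVES = [
    Cve("CVE-EXAMPLE-0001", 9.8, False, False, frozenset({"erp-suite"})),      # critical, not exploited
    Cve("CVE-EXAMPLE-0002", 6.5, True,  True,  frozenset({"file-transfer"})),  # medium, but exploited
    Cve("CVE-EXAMPLE-0003", 9.1, True,  True,  frozenset({"vpn-appliance"})),
    Cve("CVE-EXAMPLE-0004", 9.0, True,  False, frozenset({"niche-tool"})),     # no vendor runs it
    Cve("CVE-EXAMPLE-0005", 4.3, False, True,  frozenset({"erp-suite"})),
]


def exposed_vendors(cve, vendor_stack):
    """Vendors in the supply chain running at least one affected product."""
    return sorted(v for v, prods in vendor_stack.items() if prods & cve.products)


def prioritize(cves, vendor_stack, cvss_floor=9.0):
    """Narrow a CVE feed to the handful that matter for third-party risk.

    Stage 1: keep critical CVEs, plus any known-exploited CVE whatever its CVSS.
    Stage 2: keep only CVEs that affect at least one vendor in the inventory.
    Stage 3: rank by exploitation, discoverability, vendor exposure, then CVSS.
    Returns [(cve_id, [exposed vendors]), ...] in priority order.
    """
    candidates = [c for c in cves if c.cvss >= cvss_floor or c.exploited]
    relevant = [c for c in candidates if exposed_vendors(c, vendor_stack)]
    ranked = sorted(
        relevant,
        key=lambda c: (c.exploited, c.discoverable, len(exposed_vendors(c, vendor_stack)), c.cvss),
        reverse=True,
    )
    return [(c.cve_id, exposed_vendors(c, vendor_stack)) for c in ranked]


if __name__ == "__main__":
    for cve_id, vendors in prioritize(SAMPLE_CVES, VENDOR_STACK):
        print(cve_id, vendors)
```

On the sample feed the exploited medium-severity CVE outranks the unexploited critical one, and the critical CVE no vendor runs drops out entirely.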
Vulnerability Management from a Compliance and Regulatory Perspective
On top of all the challenges in vulnerability management in the supply chain, regulations and compliance requirements put extra pressure on businesses, especially in highly regulated industries.
Policy and Regulatory Insights
Regulatory frameworks are placing increasing emphasis on third-party risk management, acknowledging that vulnerabilities in suppliers and supply chains pose systemic threats. Organizations are no longer solely responsible for their own security but are also accountable for the security posture of their vendors and service providers.

GDPR (General Data Protection Regulation)
Mandates that organizations ensure third-party service providers adhere to strict data protection measures. A breach caused by a supplier could result in liability for both the supplier and the contracting company, with severe legal and financial penalties.

CCPA (California Consumer Privacy Act)
Requires organizations to implement reasonable security controls and actively monitor supplier compliance. A third-party data breach can lead to regulatory penalties, class-action lawsuits, and reputational damage.

NIS2 (Network and Information Security Directive 2)
Strengthens cybersecurity obligations by requiring continuous monitoring of third-party suppliers and rapid mitigation of vulnerabilities in externally provided services. It mandates incident reporting for breaches related to supplier security failures, increasing accountability throughout the supply chain.

HIPAA (Health Insurance Portability and Accountability Act)
Imposes strict security requirements on third-party healthcare suppliers, holding covered entities responsible for ensuring their business associates manage vulnerabilities and apply timely patches.
The Shift from Compliance to Proactive Security
Beyond compliance, governments and regulators are encouraging a proactive stance in third-party cybersecurity. Traditional compliance approaches—periodic audits and checklists—are no longer sufficient in the face of increasingly sophisticated supply chain attacks.
- Public-private partnerships like the CISA cybersecurity directives (U.S.) and the EU Cyber Resilience Act emphasize real-time threat intelligence sharing and standardized security practices across industries.
- These initiatives reflect a shift from reactive patching to continuous security monitoring, ensuring that vulnerabilities are mitigated before they are exploited.
- Security expectations are moving beyond “checkbox compliance.” Organizations must integrate third-party risk intelligence, continuous monitoring, and regulatory compliance into a unified cybersecurity strategy.

Key Takeaway
Compliance is the Floor, Not the Ceiling