Executive Summary
The Rising Supply Chain Risk in Vulnerability Management
OVERVIEW
The year 2024 marked a sharp increase in published vulnerabilities, with over 40,000 CVEs disclosed—a 38% year-over-year (YoY) increase. More than 20,000 of these had a CVSS score of 7.0 or higher, and over 4,400 were classified as critical (CVSS 9.0+). However, focusing solely on CVSS scores is insufficient for risk management. A deeper analysis reveals that exploitability, vendor exposure, and supply chain interdependencies play a more significant role in determining real-world risk.
To address this, Black Kite’s Research & Intelligence Team (BRITE) conducted a targeted analysis of 780 high-priority vulnerabilities, identifying those that threat actors actively exploit and that pose significant third-party risks. These vulnerabilities impact widely used enterprise software, cloud services, and third-party dependencies, making their mitigation crucial for supply chain security.
Key Insights from the Report

Third-Party Risk is the Critical Weak Link
- Many of 2024’s most exploited vulnerabilities were found in widely used third-party software rather than internally developed applications.
- High-profile vulnerabilities in MOVEit, Fortra GoAnywhere, and Ivanti products demonstrated how supply chain risks propagate.

Rising Trends in Exploitability and Ransomware Association
- A significant portion of vulnerabilities were weaponized within days of disclosure, reinforcing the need for rapid risk assessment and response.
- Ransomware groups increasingly leverage known exploited vulnerabilities (KEVs) to maximize impact.

High-Profile Vulnerabilities Had Widespread Supply Chain Implications
- Vulnerabilities affecting major software vendors (Microsoft, Cisco, VMware, etc.) had far-reaching consequences, as they are embedded in countless enterprise environments.
- The interconnected nature of digital supply chains magnified the potential damage.

The Role of Black Kite in Enhancing Visibility and Response
- Black Kite’s intelligence platform lets organizations identify which vendors in their supply chain are exposed to critical vulnerabilities.
- Customers integrate real-time vulnerability intelligence into their rapid-response workflows, shrinking the window between public disclosure and remediation.
- By tracking exploitability signals (evidence of in-the-wild exploitation, not just severity), Black Kite helps organizations prioritize patches according to real-world attack trends rather than CVSS scores alone.
A Proactive Approach to Supply Chain Security
The findings in this report reinforce that vulnerability management must evolve beyond internal patching strategies. Organizations must continuously assess their vendor ecosystem, identify high-priority vulnerabilities, and adopt proactive mitigation strategies to reduce exposure.
Cyber risks do not exist in isolation—neither should your vulnerability management strategy.
About This Report
What This Report Covers
This report provides an in-depth analysis of vulnerabilities identified in 2024, offering key insights into:
- Vulnerability Trends and Statistics – A breakdown of critical vulnerabilities, exploitability metrics, and patterns across industries and vendors.
- Supply Chain and Third-Party Risk – How vulnerabilities in widely used software (e.g., MOVEit, Fortra GoAnywhere) created systemic risks.
- Ransomware and Threat Actor Exploitation – An analysis of how ransomware groups leveraged known vulnerabilities to target vendors and their customers.
- Vendor and Product Discoverability – Insights into how attackers identify exploitable systems and how Black Kite enhances visibility through advanced intelligence models.
- Regulatory and Policy Developments – The impact of regulatory frameworks such as the EU’s NIS2 Directive and GDPR on supply chain security.
- Recommendations for Resilience – Actionable steps to mitigate third-party risk, improve vulnerability response, and strengthen cybersecurity posture.

By shifting the focus from individual Common Vulnerabilities and Exposures (CVEs) to the broader supply chain impact, this report aims to provide cybersecurity professionals, risk managers, and business leaders with the intelligence needed to navigate today’s evolving threat landscape.

Focus of This Report
Cyber risks do not exist in isolation—neither should vulnerability management. Understanding the intersection between severity, exposure, and exploitability is key to building a more resilient digital supply chain.
The analysis focuses on the intersection of three factors:
- Severity of Vulnerabilities
- Exposure within Vendor Ecosystems
- Exploitability driving Threat Actor Behavior
RESEARCH SCOPE
This report presents findings from the Black Kite Research & Intelligence Team (BRITE), which analyzed over 1,000 vulnerabilities in 2024. Among them, 780 vulnerabilities were identified as particularly significant due to their real-world exploitability, supply chain impact, and third-party risk implications.
Rather than treating vulnerabilities as isolated technical issues, this report prioritizes a third-party risk management (TPRM) perspective—analyzing how vulnerabilities propagate through vendor ecosystems and which industries, geographies, and threat actors are most affected.
- Total Vulnerabilities Examined – Overview of the vulnerabilities analyzed, with a focus on the 780 included in this report.
- Critical and High-Risk Vulnerabilities – How many of these vulnerabilities are exploitable in real-world attacks.
- Industry and Geographic Impact – Which sectors and regions faced the most exposure.
- Exploitability Metrics – How quickly vulnerabilities were weaponized by attackers.
- Supply Chain and Third-Party Risks – The role of vendors and third-party software in widening exposure.

2024 Vulnerability Landscape and Exploitation Trends
This figure illustrates the total number of CVEs published in 2024 (40,000+), the subset with a CVSS score of 7.0 or higher (20,000+), and those classified as critical (CVSS 9.0+, 4,400+ CVEs). From this population, BRITE analyzed 780 high-priority vulnerabilities, providing targeted intelligence to help organizations assess third-party risk. For comparison, VulnCheck’s “2024 Trends in Vulnerability Exploitation” report counted 768 CVEs publicly reported as exploited in the wild for the first time in 2024, a figure of the same order as the 780 vulnerabilities BRITE selected, which reinforces that this analysis concentrates on the vulnerabilities posing the most significant risk to supply chains.
For more information on CVEs and the ability to filter them by CVSS, EPSS, and FocusTag, visit blackkite.com/cve-database.
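The following Python is an added illustration of the prioritization principle the report describes (severity, exposure and exploitability considered together rather than CVSS alone). It is not Black Kite’s scoring model and not data from the report: the findings, their scores, the vendor-exposure counts and the EPSS threshold are all constructed assumptions. It ranks the same sample set two ways, first by CVSS only and then by a tiered risk key, so the difference between the two orderings is visible.

```python
"""Risk-based ranking of vulnerability findings that combines severity (CVSS),
exploitability (EPSS probability, listing in a known-exploited catalog such as
CISA KEV) and exposure (how many vendors in the organization's supply chain
run the affected product).

Added example, not Black Kite's model. All values below are constructed
sample data; the identifiers V1..V5 are placeholders, not real CVE IDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation within 30 days
    in_kev: bool           # listed in a known-exploited-vulnerabilities catalog
    exposed_vendors: int   # vendors in our supply chain running the product


# Constructed sample inventory (placeholder IDs, made-up scores).
SAMPLE = [
    Finding("V1", cvss=9.8, epss=0.02, in_kev=False, exposed_vendors=1),
    Finding("V2", cvss=7.5, epss=0.91, in_kev=True,  exposed_vendors=14),
    Finding("V3", cvss=8.8, epss=0.40, in_kev=False, exposed_vendors=6),
    Finding("V4", cvss=9.1, epss=0.05, in_kev=True,  exposed_vendors=0),
    Finding("V5", cvss=5.3, epss=0.01, in_kev=False, exposed_vendors=20),
]

EPSS_THRESHOLD = 0.10   # assumed cut-off; tune to the organization's risk appetite


def by_cvss(findings):
    """Baseline: the CVSS-only ordering the report argues is insufficient."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def tier(f):
    """Lower tier number means patch sooner.
    0: exploited in the wild (KEV) and present in our vendor ecosystem
    1: exploited in the wild but no known vendor exposure yet (watch list)
    2: not in KEV, but EPSS says exploitation is likely
    3: no exploitation signal; fall back to severity
    """
    if f.in_kev and f.exposed_vendors > 0:
        return 0
    if f.in_kev:
        return 1
    if f.epss >= EPSS_THRESHOLD:
        return 2
    return 3


def rank_key(f):
    """Tier first. Inside tiers 0-2, wider exposure, then higher EPSS, then CVSS.
    Inside tier 3 there is no exploitation evidence, so CVSS leads."""
    t = tier(f)
    if t == 3:
        return (t, -f.cvss, -f.exposed_vendors)
    return (t, -f.exposed_vendors, -f.epss, -f.cvss)


def by_risk(findings):
    """Risk-based ordering combining severity, exposure and exploitability."""
    return [f.id for f in sorted(findings, key=rank_key)]


def exposed_kev(findings):
    """The 'act now' set: exploited in the wild and present in our supply chain."""
    return sorted(f.id for f in findings if tier(f) == 0)


if __name__ == "__main__":
    print("CVSS-only order :", by_cvss(SAMPLE))
    print("Risk-based order:", by_risk(SAMPLE))
    print("Exposed KEVs    :", exposed_kev(SAMPLE))
```

With the constructed data, the CVSS-only ordering puts the unexploited 9.8 first, while the risk-based ordering promotes the 7.5 that is actively exploited and present at fourteen vendors; the 9.1 in KEV with no known vendor exposure lands on the watch list rather than at the top. The threshold and tier boundaries are the policy decision an organization has to make explicitly.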