OSINT Discoverability
The Next Layer of Prioritization
OVERVIEW
Managing vulnerabilities in the supply chain is not just about identifying high-risk CVEs; it’s about focusing on the right ones. Even after narrowing down from over 1,000 vulnerabilities analyzed by BRITE to 780 high-priority CVEs, the sheer volume remains overwhelming for Third-Party Risk Management (TPRM) teams.
Security teams face a critical question: Which vulnerabilities actually pose a threat to our vendors, and by extension, to us?
Even High-Priority Vulnerabilities (780) Are Too Many for Efficient TPRM
Tracking 780 vulnerabilities across an extended vendor network is neither scalable nor practical. Even if organizations had unlimited resources, prioritization is essential because threat actors don’t attack indiscriminately—they focus on vulnerabilities that are easily discoverable and weaponized.
Attackers don’t waste time looking for obscure weaknesses. They use open-source intelligence (OSINT) tools to scan the internet for exposed systems running known vulnerable software. The easier it is to find a vulnerable system, the more likely it is to be exploited.
Steps to Prioritize Vulnerabilities:
STEP 1: OSINT Discoverability
Identifying the Most Exposed CVEs (BRITE OSINT Analysis)
To refine prioritization, BRITE conducted an OSINT analysis to determine which high-priority vulnerabilities are externally visible and easy to find.
The findings reveal a stark reality:
- 295 of the 780 high-priority vulnerabilities are OSINT-discoverable.
- This means that attackers can identify affected systems using publicly available tools, making these vulnerabilities prime targets for exploitation.
STEP 2: Filtering for Exploitability
Refining Prioritization Further
The fact that a vulnerability is discoverable does not necessarily mean it will be exploited. Prioritization must incorporate exploitability factors to ensure security teams focus on vulnerabilities that are both visible to attackers and likely to be weaponized.
Two key indicators help refine this focus: EPSS & CISA KEV
1. EPSS: Predicting the Likelihood of Exploitation
The Exploit Prediction Scoring System (EPSS) is a data-driven model that estimates the probability of a vulnerability being exploited in the next 30 days. Unlike CVSS, which remains largely static after initial scoring, EPSS is dynamic, updating as new exploitation patterns emerge.
Key Differences Between CVSS and EPSS:
- CVSS (Common Vulnerability Scoring System) assesses the theoretical severity of a vulnerability at the time of disclosure. Once assigned, it rarely changes.
- EPSS, on the other hand, is predictive and continuously updated based on real-world exploitation data. A vulnerability with a low EPSS score today may become a high-priority risk tomorrow if threat actors start using it.
EPSS - CVSS Correlation of High-Priority OSINT-Discoverable CVEs
This graph plots EPSS score against CVSS score for the OSINT-discoverable CVEs, showing how the set is distributed by predicted exploitability rather than by static severity alone.
2. CISA KEV: Confirming Exploitation in the Wild
Another crucial factor in prioritization is whether a vulnerability has been confirmed as actively exploited. The CISA Known Exploited Vulnerabilities (KEV) Catalog is a federal list of vulnerabilities that have been weaponized in real-world attacks.
A vulnerability’s presence in KEV confirms that threat actors are already using it, making it a must-patch priority for any affected organization.
By combining EPSS predictions with KEV confirmation, security teams can go beyond static severity scores and make risk-based decisions grounded in real-world threat intelligence.
By layering OSINT discoverability, EPSS-based exploitability predictions, and KEV validation, we can reduce the vulnerabilities that need to be actively managed in the supply chain from hundreds to a far more manageable number.
This multi-factor approach ensures that organizations prioritize vulnerabilities based on actual threat activity, rather than just theoretical severity—allowing them to stay ahead of attackers and protect their supply chain from the most pressing cyber risks.
STEP 3: The Impact in the Supply Chain
Looking at the Number of Impacted Vendors
Even after filtering for OSINT discoverability and exploitability, an essential question remains:
Which vulnerabilities will impact the most vendors in my supply chain?
Some vulnerabilities, even if highly exploitable, may only affect a handful of niche vendors. Others are widespread across an organization’s supply chain, making them significantly more dangerous. This is where vendor susceptibility becomes a deciding factor.
BRITE maps all 295 high-priority OSINT-discoverable CVEs to a set of 250,000 companies monitored by Black Kite customers and checks whether each company is susceptible to any of these vulnerabilities. The charts below show the distribution of CVEs across these companies.
Charts: Company Ratio of Each High-Priority OSINT-Discoverable CVE; Top CVEs with the Highest Match Rates; Notable CVE Details
It is important to note that while scoring systems like EPSS and catalogs like KEV provide valuable insights, each has limitations. EPSS, for example, may sometimes underestimate the likelihood of exploitation, while KEV is only updated after a vulnerability has already been exploited in the wild. To overcome these limitations, a combined approach that leverages the strengths of multiple metrics is crucial. This gives organizations a more comprehensive understanding of vulnerability risk and lets them prioritize mitigation efforts accordingly.
STEP 4: Combining for the Right Visibility
The High-Probability, High-Impact Zone: The Future of Smart TPRM
Imagine cutting through the noise of thousands of vulnerabilities and zeroing in on the handful that truly matter—the ones most likely to be exploited, most easily discoverable by attackers, and most prevalent in your supply chain. That’s exactly what the High-Probability, High-Impact Zone delivers.
This isn’t just about reducing numbers—it’s about unlocking a new level of strategic risk management. Instead of drowning in endless CVE reports, TPRM teams can now say with confidence:

“These are the vulnerabilities that matter.”

“These are the ones our third parties are exposed to.”

“These are the ones that attackers are actively targeting.”
By layering OSINT discoverability, EPSS predictions, KEV inclusion, and vendor susceptibility, we create a data-driven, precision-guided vulnerability prioritization system. The result? A radical reduction in vulnerabilities that demand attention—from hundreds down to a manageable, actionable set.
Vulnerability Risk Map
(Bubble size is proportional to company match)
This level of clarity transforms how organizations approach supply chain security. No more guesswork. No more wasted resources on vulnerabilities that pose no real threat. For the first time, TPRM teams can act decisively, focusing on the vulnerabilities that attackers will exploit next—before the damage is done.
RESULT: From Hundreds to a Manageable Number
Reducing the Number of Vulnerabilities to Those That Really Matter
By applying these four layers of prioritization, organizations can radically reduce the number of vulnerabilities requiring attention in the supply chain:
- Start with 780 high-priority vulnerabilities.
- Narrow down to 295 OSINT-discoverable vulnerabilities.
- Refine further using EPSS & KEV.
- Prioritize vulnerabilities with the highest vendor susceptibility.
- Focus on the High-Probability, High-Impact Zone—reducing the final set to a manageable number.
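The four layers above, Steps 1 through 4 and the summary list, as an added example that is not BRITE's or Black Kite's own code: each CVE record carries the page's four signals (OSINT discoverability, EPSS, KEV inclusion, vendor susceptibility) and is filtered in the order the report describes. The EPSS and vendor-ratio cut-offs, the field names and the sample CVE identifiers are assumptions constructed for this example; the report does not state the thresholds it used.

```python
from dataclasses import dataclass

# Hypothetical thresholds for this example; the report does not publish its cut-offs.
EPSS_THRESHOLD = 0.10          # predicted probability of exploitation in the next 30 days
VENDOR_RATIO_THRESHOLD = 0.02  # minimum share of monitored companies that are susceptible


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    osint_discoverable: bool  # Step 1: affected systems findable with public OSINT tooling
    epss: float               # Step 2: EPSS probability, 0.0 to 1.0
    in_kev: bool              # Step 2: listed in the CISA KEV catalog
    vendor_ratio: float       # Step 3: fraction of supply-chain vendors susceptible


def is_exploitable(rec: CveRecord) -> bool:
    """Step 2: KEV inclusion is confirmed exploitation, so it overrides a low EPSS score;
    otherwise fall back to the EPSS prediction."""
    return rec.in_kev or rec.epss >= EPSS_THRESHOLD


def high_impact_zone(records: list) -> list:
    """Apply the layers in order and return the High-Probability, High-Impact Zone,
    ranked by vendor exposure, with KEV-confirmed CVEs ahead of predicted ones on ties."""
    discoverable = [r for r in records if r.osint_discoverable]                        # Step 1
    exploitable = [r for r in discoverable if is_exploitable(r)]                       # Step 2
    widespread = [r for r in exploitable if r.vendor_ratio >= VENDOR_RATIO_THRESHOLD]  # Step 3
    return sorted(widespread, key=lambda r: (r.vendor_ratio, r.in_kev, r.epss), reverse=True)


def layer_counts(records: list) -> dict:
    """How many CVEs survive each layer, mirroring the report's funnel."""
    discoverable = [r for r in records if r.osint_discoverable]
    exploitable = [r for r in discoverable if is_exploitable(r)]
    return {
        "high_priority": len(records),
        "osint_discoverable": len(discoverable),
        "exploitable": len(exploitable),
        "high_impact_zone": len(high_impact_zone(records)),
    }


# Constructed sample input; CVE identifiers are placeholders, not real advisories.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", True, 0.02, True, 0.15),    # low EPSS but in KEV: kept
    CveRecord("CVE-0000-0002", True, 0.45, False, 0.05),   # high EPSS, widespread: kept
    CveRecord("CVE-0000-0003", False, 0.90, True, 0.30),   # not OSINT-discoverable: dropped at Step 1
    CveRecord("CVE-0000-0004", True, 0.01, False, 0.40),   # widespread but unlikely exploited: dropped at Step 2
    CveRecord("CVE-0000-0005", True, 0.30, False, 0.005),  # exploitable but niche vendors only: dropped at Step 3
]

if __name__ == "__main__":
    print(layer_counts(SAMPLE_CVES))
    for rec in high_impact_zone(SAMPLE_CVES):
        print(rec.cve_id, rec.vendor_ratio, "KEV" if rec.in_kev else f"EPSS={rec.epss}")
```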