03 | ACTIVE THREATS

Active Threats: Wholesale & Retail’s Vulnerabilities from the CISA KEV Catalog

The previous chapters established that the Retail and Wholesale ecosystem is highly vulnerable due to compromised credentials and general security hygiene failures.

This chapter isolates the most critical threats by focusing solely on flaws listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog. The KEV Catalog is a crucial resource for prioritizing vulnerabilities that have been actively weaponized by threat actors in real-world attacks.

This analysis reveals that a significant portion of the critical vendor pool as well as direct Retail and Wholesale companies are exposed to vulnerabilities that are currently being leveraged for initial access and compromise, indicating where the next industry-wide attack is most likely to originate.

We’ll look at:

- Supply Chain KEV
- Wholesale KEV
- Retail KEV

The Scale of KEV Exposure in the Supply Chain

The assessment of the 2,620 critical supply chain vendors shows a massive, collective exposure to KEV flaws.

- 46% (1,210 of 2,620) of critical vendors have at least one vulnerability listed in the CISA KEV Catalog
- 165 unique KEV vulnerabilities were found in the Wholesale/Retail vendor ecosystem
- Of the 165 unique CVEs, a portion are known to be used in ransomware campaigns; the rest were used in attacks but have not yet been publicly associated with a specific ransomware group

Supply Chain Vulnerabilities by Top Vendors and Products

To prioritize remediation, TPRM programs must identify which vendors and products are introducing the most risk to Wholesale & Retail companies.

Vulnerabilities by Top Vendors

| Vendor | Count |
|---|---|
| Microsoft | 45 |
| IETF | 11 |
| Apache | 9 |
| Fortinet | 9 |
| Synacor | 7 |
| Citrix | 6 |
| VMware | 6 |
| Oracle | 6 |
| Dahua | 4 |
| Ivanti | 4 |

The vendor analysis of the KEV list clearly identifies Microsoft as the primary focus area for threat actors, leading significantly with 45 associated vulnerabilities. This high count is largely driven by the volume of Microsoft products in use globally and the critical role of its components (Windows, Exchange) in enterprise environments.

Following Microsoft, the list shows a distinct focus on vendors providing key network infrastructure and platform services:

IETF (11 CVEs, largely related to the HTTP/2 protocol), Apache (9 CVEs), and specialized security/network hardware providers like Fortinet (9 CVEs), Citrix, VMware, and Oracle (6 CVEs each). This distribution highlights that adversaries prioritize ubiquitous enterprise platforms and high-value, externally-facing network perimeter devices to gain initial access.

Common Vulnerability Types in the Supply Chain

The analysis of the KEV list highlights the primary techniques favored by threat actors, emphasizing critical flaws that enable rapid system compromise and effective post-exploitation movement.

Common Vulnerability Types

| Vulnerability Type | Approximate CVE Count | Description |
|---|---|---|
| Remote Code Execution (RCE) / Command Injection | 20 | Critical vulnerabilities allowing an attacker to execute arbitrary code remotely on the target system. |
| Privilege Escalation (PE) | 15 | Flaws enabling an attacker to gain higher access permissions (e.g., administrator rights) within a compromised system. |
| DoS and Memory Vulnerabilities (Buffer Overflow) | 11 | Flaws that lead to denial of service attacks or system instability due to memory corruption. |
| Authentication/Access Control Bypass | 10 | Vulnerabilities exploited to gain system access or perform privileged actions without valid credentials. |
| Code/Data Deserialization Vulnerabilities | 9 | Flaws in data handling that often lead to RCE when processing malicious data packets. |
| Path Traversal | 7 | Vulnerabilities allowing an attacker unauthorized access to files and directories on the system. |

The most prevalent and high-impact vulnerability type is Remote Code Execution (RCE) / Command Injection, accounting for the largest share of flaws (approx. 20 CVEs). These vulnerabilities offer direct and complete control over targeted systems, often serving as the initial entry point for major attacks, including those involving ransomware.

Following RCE, attackers prioritize flaws that facilitate lateral movement and persistence: Privilege Escalation (PE) flaws are critical for raising access levels within a compromised network, while DoS and Memory Vulnerabilities and Authentication/Access Control Bypass flaws remain significant vectors for disruption and initial access, respectively.

Vulnerabilities related to application logic, such as Deserialization (9 CVEs) and Path Traversal (7 CVEs), also appear frequently, underlining the continuous risk posed by flaws in core data handling and file system operations. The data strongly suggests a strategic focus by adversaries on flaws that offer the highest return on investment: immediate control (RCE) and elevated internal access (PE).

Supply Chain Vulnerabilities by Ransomware Campaign Use

Some of these vulnerabilities have been exploited by well-known ransomware groups, highlighting the need for immediate patching.

Specifically, in recent months, the Cl0p ransomware group has carried out mass attacks by exploiting CVE-2025-61882 in Oracle E-Business Suite (Oracle EBS).

It is also worth noting that Advanced Persistent Threat (APT) groups have used some of these same CVEs. One of them is Salt Typhoon, a highly sophisticated and well-organized APT group believed to be operated by China's Ministry of State Security (MSS); this group has been reported to exploit CVE-2021-26858 and CVE-2021-27065 in its attacks.

Secondly, APT29, which is believed to be Russian state-sponsored, has been reported to exploit the CVE-2023-42793 vulnerability. Finally, Storm-1849, also believed to be Chinese state-sponsored, has been reported to exploit the CVE-2025-20333 vulnerability.

| CVE (in the Supply Chain) | Associated Ransomware Groups |
|---|---|
| CVE-2019-1069 | Conti |
| CVE-2019-11043 | NextCry, DeadBolt |
| CVE-2021-26855 | Black Kingdom, DearCry, Conti |
| CVE-2021-34473 | Babuk, Hive, COBALT MIRAGE, Cuba, LV, LockBit, BlackByte, Conti |
| CVE-2021-27065 | Black Kingdom, Babuk, DearCry |
| CVE-2022-24521 | Vice, Cuba |
| CVE-2022-40684 | Akira |
| CVE-2022-42475 | Rorschach |
| CVE-2023-22518 | Cerber |
| CVE-2023-24880 | Magniber |
| CVE-2023-3519 | ALPHV, RansomHub, Lynx, INC Ransom |
| CVE-2023-40044 | Reichsadler Cybercrime Group |
| CVE-2023-4966 | LockBit, ALPHV |
| CVE-2023-22527 | LockBit |
| CVE-2024-1709 | LockBit, Stormous, Black Basta and Bl00dy |
| CVE-2024-37085 | BlackByte, Akira, Scattered Spider |
| CVE-2024-4577 | “TellYouThePass” ransomware campaign, Qilin |
| CVE-2024-50623 | Cl0p |
| CVE-2025-61882 | Cl0p |

| CVE (in the Supply Chain) | Associated Advanced Persistent Threat (APT) Groups |
|---|---|
| CVE-2021-26858 | Salt Typhoon |
| CVE-2021-27065 | Salt Typhoon |
| CVE-2023-42793 | APT29 |
| CVE-2025-20333 | Storm-1849 |

The Scale of KEV Exposure in Wholesale

Now let’s look at KEV exposure data on the Wholesale side of the industry. Out of 226 Wholesale companies, 120 have at least one vulnerability listed in the KEV catalog.

- 53% (120 of 226) of Wholesale companies have at least one vulnerability listed in the CISA KEV Catalog
- 56 unique KEV vulnerabilities were found in Wholesale companies
- Of the 56 unique CVEs, a portion are known to be used in ransomware campaigns; the rest were used in attacks but have not yet been publicly associated with a specific ransomware group

Wholesale Vulnerabilities by Ransomware Campaign Use

The data indicates that some of these vulnerabilities have been exploited by well-known ransomware groups. Specifically, in recent months, the Cl0p ransomware group has carried out mass attacks by exploiting CVE-2025-61882 in Oracle E-Business Suite (Oracle EBS). It is also worth noting that Advanced Persistent Threat (APT) groups have used some of these same CVEs. One of them is Salt Typhoon, a highly sophisticated and well-organized APT group believed to be operated by China's Ministry of State Security (MSS); this group has been reported to exploit CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in its attacks.

Secondly, APT41, which is believed to be Chinese state-sponsored, has been reported to exploit the CVE-2021-26855 vulnerability. Finally, Storm-1849, also believed to be Chinese state-sponsored, has been reported to exploit the CVE-2025-20333 vulnerability.

| CVE (in Wholesale Companies) | Associated Ransomware Groups |
|---|---|
| CVE-2021-26855 | Black Kingdom, DearCry, Conti |
| CVE-2020-3259 | Akira |
| CVE-2021-27065 | Black Kingdom, Babuk, DearCry |
| CVE-2021-34473 | Babuk, Hive, COBALT MIRAGE, Cuba, LV, LockBit, BlackByte, Conti |
| CVE-2023-3519 | ALPHV, RansomHub, Lynx, INC Ransom |
| CVE-2023-4966 | LockBit, ALPHV |
| CVE-2024-4577 | “TellYouThePass” ransomware campaign, Qilin |
| CVE-2025-61882 | Cl0p |

| CVE (in Wholesale Companies) | Associated Advanced Persistent Threat (APT) Groups |
|---|---|
| CVE-2021-26857 | Salt Typhoon |
| CVE-2021-26858 | Salt Typhoon |
| CVE-2021-27065 | Salt Typhoon |
| CVE-2021-26855 | APT41 |
| CVE-2025-20333 | Storm-1849 |

The Scale of KEV Exposure in Retail

Now let’s look at KEV exposure data on the Retail side of the industry. Out of 614 Retail companies, 348 have at least one vulnerability listed in the KEV catalog.

- 57% (348 of 614) of Retail companies have at least one vulnerability listed in the CISA KEV Catalog
- 79 unique KEV vulnerabilities were found in Retail companies
- Of the 79 unique CVEs, a portion are known to be used in ransomware campaigns; the rest were used in attacks but have not yet been publicly associated with a specific ransomware group

Retail Vulnerabilities by Ransomware Campaign Use

The data indicates that some of these vulnerabilities have been exploited by well-known ransomware groups. Specifically, in recent months, the Cl0p ransomware group has carried out mass attacks by exploiting CVE-2025-61882 in Oracle E-Business Suite (Oracle EBS). It is also worth noting that Advanced Persistent Threat (APT) groups have used some of these same CVEs. One of them is Salt Typhoon, a highly sophisticated and well-organized APT group believed to be operated by China's Ministry of State Security (MSS); this group has been reported to exploit CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in its attacks.

Secondly, APT41, which is believed to be Chinese state-sponsored, has been reported to exploit the CVE-2021-26855 vulnerability. Finally, APT29, which is believed to be Russian state-sponsored, has been reported to exploit the CVE-2023-42793 vulnerability.

| CVE (in Retail Companies) | Associated Ransomware Groups |
|---|---|
| CVE-2020-3259 | Akira |
| CVE-2021-26855 | Black Kingdom, DearCry, Conti |
| CVE-2021-27065 | Black Kingdom, Babuk, DearCry |
| CVE-2021-34473 | Babuk, Hive, COBALT MIRAGE, Cuba, LV, LockBit, BlackByte, Conti |
| CVE-2023-22518 | Cerber |
| CVE-2023-22527 | LockBit |
| CVE-2023-24880 | Magniber |
| CVE-2023-3519 | ALPHV, RansomHub, Lynx, INC Ransom |
| CVE-2023-4966 | LockBit, ALPHV |
| CVE-2024-4577 | “TellYouThePass” ransomware campaign, Qilin |
| CVE-2025-61882 | Cl0p |

| CVE (in Retail Companies) | Associated Advanced Persistent Threat (APT) Groups |
|---|---|
| CVE-2021-27065 | Salt Typhoon |
| CVE-2021-26857 | Salt Typhoon |
| CVE-2021-26858 | Salt Typhoon |
| CVE-2021-26855 | APT41 |
| CVE-2023-42793 | APT29 |

Chapter 3 Takeaways

The focus of this chapter is on KEV exposure, identifying the most critical, high-impact flaws that bypass traditional TPRM visibility.

1. Uniform KEV Mandate is Non-Negotiable:

With over 46% of the supply chain, 57% of Retail, and 53% of Wholesale exposed to KEV, remediation can no longer be voluntary. TPRM programs must enforce a mandatory, zero-tolerance policy for any vendor or internal system running KEV-listed software, recognizing these are the vulnerabilities actively used by both financial ransomware and nation-state APT groups.

2. RCE and PE Must Be the Top Priority:

The dominance of Remote Code Execution (RCE) and Privilege Escalation (PE) flaws in the KEV catalog confirms that attackers seek immediate control and internal movement. TPRM enforcement must audit vendor patching efforts based strictly on KEV vulnerability type, focusing first on RCE/PE flaws in ubiquitous platforms like Microsoft Windows and Exchange.

3. Third-Party Patching Must Outpace APTs:

The fact that the same KEVs are exploited by both ransomware gangs and sophisticated APT groups (Salt Typhoon, APT29) means patching windows for vendors must shrink dramatically. TPRM must enforce and continuously verify that vendors are patching KEV flaws within days, not weeks or months, to prevent nation-state entry points.

4. Audit Ubiquitous Platforms:

The vendor and product analysis highlights that risk concentration lies in high-value, common platforms like Microsoft, Fortinet, and Oracle. TPRM resources must be aggressively allocated to auditing the patching status of vendors using these ubiquitous platforms, as failure here creates the most scalable supply chain risk.
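As an added example (not part of this report), the following Python reproduces the exposure metrics the chapter reports for each population (share of vendors with at least one KEV, unique KEV CVEs, how many carry the ransomware flag, which vendor projects dominate) and the patch-window check behind takeaway 3, over a constructed vendor inventory and constructed KEV-style records. The field names follow CISA's public KEV JSON feed; the due dates, flags and inventory are illustrative assumptions, not the report's data.

```python
from collections import Counter
from datetime import date

# Constructed KEV-style records using the public feed's field names (cveID,
# vendorProject, dueDate, knownRansomwareCampaignUse); dates/flags are illustrative.
KEV_RECORDS = [
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "dueDate": "2021-11-17",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "dueDate": "2021-11-17",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-42793", "vendorProject": "JetBrains", "dueDate": "2023-10-25",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "dueDate": "2025-10-27",
     "knownRansomwareCampaignUse": "Known"},
]

# Constructed inventory: vendor -> CVEs observed on its externally facing assets.
INVENTORY = {
    "vendor-a": ["CVE-2021-26855", "CVE-2021-34473"],
    "vendor-b": ["CVE-2025-61882"],
    "vendor-c": [],
    "vendor-d": ["CVE-2023-42793", "CVE-2021-26855"],
}


def exposure_summary(inventory, records):
    """Headline metrics: exposed-vendor share, unique KEV CVEs, ransomware flag, top vendorProjects."""
    kev = {r["cveID"]: r for r in records}
    exposed = [v for v, cves in inventory.items() if any(c in kev for c in cves)]
    unique = sorted({c for cves in inventory.values() for c in cves if c in kev})
    ransomware = [c for c in unique if kev[c]["knownRansomwareCampaignUse"] == "Known"]
    return {
        "exposed_vendors": len(exposed),
        "total_vendors": len(inventory),
        "exposed_pct": round(100 * len(exposed) / len(inventory), 1),
        "unique_kev_cves": len(unique),
        "ransomware_cves": len(ransomware),
        "top_vendor_projects": Counter(kev[c]["vendorProject"] for c in unique).most_common(),
    }


def overdue(inventory, records, today_iso):
    """KEV CVEs still present after CISA's dueDate, worst first: evidence for the 'days, not weeks' check."""
    kev = {r["cveID"]: r for r in records}
    today = date.fromisoformat(today_iso)
    late = [(v, c, (today - date.fromisoformat(kev[c]["dueDate"])).days)
            for v, cves in inventory.items() for c in cves
            if c in kev and date.fromisoformat(kev[c]["dueDate"]) < today]
    return sorted(late, key=lambda t: -t[2])
```

Swapping in the live feed's `vulnerabilities` array for KEV_RECORDS and a real asset inventory turns this into a repeatable TPRM check; a vendor that appears in `overdue` with a large day count is the case the chapter's patching requirement is meant to catch.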
