Black Kite Research Reveals Traditional Approaches to Vulnerability Management Fall Short in Third-Party Risk Management (TPRM)
Amplified by 38% year-over-year increase in published CVEs, TPRM is one of the most difficult cybersecurity challenges facing organizations today
BOSTON, April 8, 2025 /PRNewswire/ -- Black Kite, the leader in third-party cyber risk intelligence, today announced its newest report, 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties, which provides an in-depth analysis of vulnerabilities identified in 2024 and delves into those with real-world implications. By shifting the focus from individual Common Vulnerabilities and Exposures (CVEs) to the broader supply chain impact, the report aims to provide cybersecurity professionals and risk managers with actionable intelligence to navigate the ever-evolving threat landscape.
"Focusing solely on Common Vulnerability Scoring System (CVSS) scores is insufficient for risk management," said Ferhat Dikbiyik, Chief Research & Intelligence Officer, Black Kite. "CVSS is not a prioritization tool and cannot inform security teams whether a vulnerability is being exploited or the likelihood it will be weaponized. Further exacerbating the challenges, security teams are overwhelmed by the sheer number of vulnerabilities to address and track, while most exploited vulnerabilities slip past traditional risk assessments as they fall in the medium or low range. In today's environment, organizations need to understand how vulnerabilities can propagate through the ecosystem. They must rethink their vulnerability management strategy to include exploitability, vendor exposure, and supply chain risk."
As organizations increasingly rely on third-party vendors, open-source components, and cloud services to bolster efficiency and scalability, they also open themselves to risks. A vulnerability in one supplier's software can quickly cascade across multiple organizations, making TPRM one of the most difficult cybersecurity challenges. In fact, over the past year, third-party risk became more apparent, with high-impact vulnerabilities in widely used software and services exposing organizations to ransomware attacks, data breaches, and operational failures.
2024 marked a sharp increase in published vulnerabilities, with over 40,000 CVEs disclosed, representing a 38% year-over-year increase. 20,000-plus had a CVSS score of 7.0 or higher, and over 4,400 were classified as critical (CVSS 9.0+). However, CVSS scores alone fall short. Organizations need to know more than what vulnerabilities exist – they need to know which ones could impact their vendors, partners, and customers. As uncovered by Black Kite's Research & Intelligence Team (BRITE), exploitability, vendor exposure, and supply chain interdependencies play a significant role in determining real-world risk.
The report's key findings include:
- Third-Party Risk is the Critical Weak Link: Many of 2024's most exploited vulnerabilities were found in widely used third-party software rather than internally developed applications, with high-profile vulnerabilities in MOVEit, Fortra GoAnywhere, and Ivanti products demonstrating how supply chain risks can propagate.
- Rising Trends in Exploitability and Ransomware Association: A significant portion of vulnerabilities were weaponized within days of disclosure, reinforcing the need for rapid risk assessment and response. Additionally, ransomware groups increasingly leverage known exploited vulnerabilities (KEVs) to maximize impact.
- High-Profile Vulnerabilities Had Widespread Supply Chain Implications: Vulnerabilities affecting major software vendors such as Microsoft, Cisco, and VMware had far-reaching consequences, as they are embedded in countless enterprise environments. The interconnected nature of digital supply chains magnified the potential damage.
To mitigate risks, organizations need a paradigm shift from reactive risk management to proactive risk intelligence. Only then can security teams leverage the insights needed to make TPRM truly effective. As evidenced in the report's findings, organizations that do not adapt will continue to struggle with supply chain blind spots, slow vendor response times, and rising cyber risk exposure.
By focusing on vulnerabilities with real-world supply chain implications, 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties enables organizations to strengthen vendor risk management strategies and proactively mitigate threats. Read the report here.
Methodology
The report presents findings from the Black Kite Research & Intelligence Team (BRITE), which analyzed over 1,000 vulnerabilities in 2024. Among them, 780 vulnerabilities were identified as particularly significant due to their real-world exploitability, supply chain impact, and third-party risk implications.
Rather than treating vulnerabilities as isolated technical issues, the report prioritizes a third-party risk management (TPRM) perspective, analyzing how vulnerabilities propagate through vendor ecosystems and which industries, geographies, and threat actors are most affected.
About Black Kite
Black Kite gives companies a comprehensive, real-time view into cyber ecosystem risk so they can make informed risk decisions and improve business resilience while continuously monitoring more vendors, partners, and suppliers in an ever-changing digital landscape.
Through an automated process, and a combination of threat, business and risk information, Black Kite provides cyber risk intelligence that goes beyond a simple risk score or rating.
Black Kite serves more than 3,000 customers in a wide range of industries and has received numerous industry awards and recognition from customers.
Learn more at www.blackkite.com, or on the Black Kite blog.
Copyright © 2025 Black Kite, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.
Media Contact:
Michelle Kearney
Hi-Touch PR
443-857-9468
[email protected]
SOURCE Black Kite
Share this article