Skip to main content
CybersecurityVulnerability Management

Vulnerabilities Dwindle to Manageable Number in Supply Chain Risk Landscape

Risk analyst examines supply chain data on tablet in industrial setting.

Only 58 vulnerabilities in 2025 were both exposed and highly exploitable, according to an analysis that sifted through roughly 1,200 high‑priority CVEs — a narrow frontier of real, immediate risk amid an exploding volume of reported flaws.

Black Kite’s narrow battlefield: 1,200 CVEs, 58 urgencies

Cyber risk strategist Jeffrey Wheatman and his colleagues at Black Kite examined about 1,200 high‑priority CVEs from 2025 and concluded that just 58 required immediate remediation. "What organizations need to do is they need to focus on the stuff that is very real, very dangerous and very impactful," Wheatman told ISMG. Black Kite framed the problem as one of selectivity: only a handful of vulnerabilities sit at the intersection of visibility to attackers and ease of exploitation.

Why exposure and exploitability decide the risk

Black Kite’s assessment rests on two practical filters: whether a vulnerability is discoverable in the wild and whether attackers can quickly weaponize it. The company argued that a vulnerability "only becomes a real threat when threat actors can quickly locate it within an exposed system," and noted that hackers "do not waste time hunting for invisible targets." By that logic, most CVEs remain functionally inert so long as they stay buried inside internal networks.

Visibility is rare: less than 0.7% were open to OSINT

The analysis found that under 0.7% of last year’s CVEs were discoverable through open source intelligence; the overwhelming majority were "buried within internal networks." That visibility gap matters because it separates theoretically serious bugs from practically exploitable ones — and it shapes where defenders should invest scarce patching hours.

Patch windows, attacker timelines: Verizon and Mandiant findings

Two additional data points underline the urgency of focusing on the narrow set of exploitable, exposed bugs. The Verizon Breach Report: Vulnerability Exploitation Surges found that even organizations "at the top of their patch management game" typically fix only 30% to 40% of actively exploited hardware and software bugs within the first week after detection. Meanwhile, Mandiant reported that the average time to exploit a new vulnerability is seven days before a patch is available. Those timelines produce a race in which attackers can strike in days while many defenders remain weeks behind.

OpenSSH: two CVEs with broad downstream impact

Among the small group of critical vulnerabilities Black Kite highlighted were two bugs in the open‑source networking toolkit OpenSSH: CVE‑2025‑26465 and CVE‑2025‑32728. Black Kite reported that each of those CVEs affected more than 100,000 enterprises, placing them squarely in the "very real, very dangerous and very impactful" category Wheatman described. Those OpenSSH entries illustrate how a single exposed, easily exploitable flaw can produce outsized downstream reach.

What this means for security teams, procurement leaders, and threat actors

  • Security teams: The Black Kite finding implies a triage approach — prioritize patches that are both externally discoverable and easy to weaponize, and treat the identified 58 urgent CVEs as the immediate focus for remediation.
  • Procurement and enterprise IT leaders: Large‑scale effects from OpenSSH CVE‑2025‑26465 and CVE‑2025‑32728 (each impacting more than 100,000 enterprises) underscore the need to track vendor advisories and component inventories to identify downstream exposure rapidly.
  • Threat actors: The record documented by Black Kite, Verizon and Mandiant suggests attackers will keep concentrating on discoverable, quickly exploitable bugs; as the company put it, attackers "do not waste time hunting for invisible targets."

The arithmetic at the center of this analysis is stark: from roughly 1,200 high‑priority CVEs studied, only 58 demanded immediate remediation, and a pair of OpenSSH vulnerabilities each touched six‑figure enterprise counts. With Mandiant reporting average exploit times of seven days and Verizon documenting low first‑week patch rates even among top performers, defenders that cannot fix everything must fix the right things — and do so fast.

Original story: https://www.govinfosecurity.com/only-handful-cves-mattered-for-supply-chain-in-2025-a-31715