
The CVE Stampede Is a Distraction, Finding the Vulns that Matter is the Challenge

With 48,000+ CVEs published annually, the challenge isn't volume. It's finding the vulnerabilities attackers will actually exploit.

Enterprise third-party risk management and vulnerability management programs are being overrun by software vulnerability disclosures. In 2025, CVE (Common Vulnerabilities and Exposures) notices exceeded 48,000. That’s an 18 percent increase from the prior year. And recent research in the security industry indicates there are more actively exploited zero-days than ever. Within that environment, how do enterprise teams keep pace and effectively triage vulnerabilities to identify the fraction that actually matter: flaws that are externally exposed or actively exploitable, whether in their own environments or in those of their supply chain?

Consider CrowdStrike's 2026 Global Threat Report, which found that 42% of exploited vulnerabilities were hit before anyone even disclosed them. Pair that with the raw numbers: more than 48,185 new CVEs reached the wire in 2025, a 20.6% jump from the year before, per independent CVE tracker JerryGamblin's annual review.

Third-party cyber risk management provider Black Kite's 2026 Supply Chain Vulnerability Report attempts to answer that question with fresh data. The company's researchers manually analyzed 1,240 high-priority CVEs published in 2025, a 59 percent increase from the 780 analyzed the prior year. To do so, they applied a four-stage prioritization framework that filters for OSINT (open-source intelligence) discoverability, EPSS (Exploit Prediction Scoring System)-based exploitability, and vendor susceptibility mapping. The result: 329 vulnerabilities were found to be externally discoverable, and 58 "Code Red" designations represented the subset with EPSS scores above 60 percent. Of the 48,000-plus CVEs published last year, approximately 800 were exploited in the wild.

The Black Kite research demonstrates that while raw CVSS scores sort by theoretical severity, they do not distinguish between a flaw buried on an internal network segment and one running on an internet-exposed asset in 108,000 vendor environments, as was the case with CVE-2025-26465. EPSS scores, dynamically updated and calibrated to the 30-day exploitation probability, provide a fundamentally different prioritization signal. That distinction matters more today than ever. Mandiant's M-Trends 2026 report found that attackers are now exploiting vulnerabilities an average of 7 days before public disclosure.

Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, told CYBR.SEC.Media that enterprises don’t need to focus on the top-line vulnerability numbers, but on their own bottom-line numbers. “2025 closed at more than 48,000 published CVEs. I expect 2026 to land meaningfully higher. The number actually discovered is a multiple of that, and we will never know it precisely. Here is the part that matters for a defender. Even last year’s number was not workable. No team patches 48,000 vulnerabilities, and it does not have to. In 2025, only about 800 were exploited in the wild. That ratio holds roughly steady year to year. So the job is not the 48,000. It is finding the 800 before an attacker does,” Dikbiyik said.


Where does this leave security teams?

When it comes to evaluating suppliers in one’s supply chain, Jeffrey Wheatman, SVP cyber risk strategist at Black Kite, wrote that a vendor running applications with known exploited vulnerabilities is a flag, yet the final determination requires input beyond the security team. “Whether that flag warrants immediate outreach, a monitored watch posture, or an urgent board escalation depends on context the security team typically has to guess at. Which vendors are operationally critical? Which ones carry business dependencies that procurement contracts and intake forms do not capture? Those questions require someone with operational and financial visibility to answer them, and that person is rarely in the security department,” he said.

Once an attacker gains initial access to a vendor environment, the median handoff time to a secondary threat actor, often a ransomware operator, has collapsed from eight hours in 2022 to 22 seconds in 2025, according to data cited in Black Kite’s report. Point-in-time assessments and quarterly questionnaires cannot defend against a timeline measured in seconds. The architecture the data implies is continuous, automated monitoring across the full vendor ecosystem — including what the report calls the "Long Tail" of niche vendors, mid-market software publishers, and industrial control system components. Approximately 82 percent of all company-to-CVE matches in Black Kite's dataset occur outside the top 20 most-affected vulnerabilities. Organizations that monitor only their named enterprise suppliers leave the majority of their supply chain exposure untracked.

The Forum of Incident Response and Security Teams' (FIRST's) own research shows that only 2.3% of CVEs with a CVSS (Common Vulnerability Scoring System) score of 7 or higher are actually observed in exploitation attempts in a given month. Internal vulnerability management teams running CVSS-threshold-based patch queues are spending the majority of their remediation capacity on vulnerabilities that will never be exploited.

For internal vulnerability management teams working to manage these risks, FIRST recommends using CVSS to establish severity, EPSS to add exploitation probability, and asset reachability to determine which of those risks actually matter in their own environment. This and other research indicate that the NVD enrichment strategy teams have long depended upon to automate vulnerability triage is no longer reliable. NIST's April shift to selective enrichment, combined with an Inspector General finding that NVD severity scores matched independent evaluators just 12 percent of the time, means programs built around automated CVSS thresholds are now operating on an incomplete foundation.
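The following is an added illustration, not code from Black Kite, FIRST, or the article, of the layered triage described above (Black Kite's discoverability-plus-EPSS filter and FIRST's CVSS, then EPSS, then reachability ordering). It builds a conventional CVSS-threshold queue and a risk-based queue over the same constructed findings so the difference is visible: an internet-exposed finding with a high EPSS but a CVSS below 7 is picked up by the risk-based queue and missed entirely by the legacy one. The `Finding` fields, the constructed `CVE-0000-*` placeholder identifiers, the asset names, and the `known_exploited` flag (standing in for a known-exploited feed such as CISA KEV) are all assumptions for the example; the 0.60 EPSS "Code Red" threshold and the CVSS 7 legacy threshold come from the figures quoted in the article.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve_id: str              # constructed placeholder identifier, not a real CVE
    asset: str               # constructed asset name
    cvss: float              # CVSS base score (0-10): theoretical severity
    epss: float              # EPSS probability of exploitation in the next 30 days (0-1)
    internet_exposed: bool   # asset reachable from the internet (OSINT-discoverable)
    known_exploited: bool    # listed as exploited in the wild (assumed feed, e.g. CISA KEV)


CODE_RED_EPSS = 0.60   # "Code Red" EPSS threshold quoted in the report
LEGACY_CVSS = 7.0      # classic "high or critical" patch-queue threshold


def legacy_queue(findings: List[Finding], threshold: float = LEGACY_CVSS) -> List[Finding]:
    """CVSS-threshold queue: everything at or above the threshold, most severe first."""
    return sorted((f for f in findings if f.cvss >= threshold), key=lambda f: -f.cvss)


def tier(f: Finding) -> Tuple[int, str]:
    """Assign a triage tier from exploitation evidence and reachability, not severity alone.
    Lower tier number means handle sooner."""
    if f.known_exploited and f.internet_exposed:
        return 0, "Code Red: exploited in the wild on an exposed asset"
    if f.internet_exposed and f.epss >= CODE_RED_EPSS:
        return 1, "Code Red: exposed, EPSS above threshold"
    if f.known_exploited or f.epss >= CODE_RED_EPSS:
        return 2, "Watch: exploitation likely, but not externally reachable"
    if f.internet_exposed and f.cvss >= LEGACY_CVSS:
        return 3, "Scheduled: exposed and severe, low exploitation probability"
    return 4, "Backlog"


def risk_queue(findings: List[Finding]) -> List[Tuple[Finding, str]]:
    """Order by tier, then EPSS, then CVSS; return (finding, tier label) pairs."""
    ranked = sorted(findings, key=lambda f: (tier(f)[0], -f.epss, -f.cvss))
    return [(f, tier(f)[1]) for f in ranked]


def code_red(findings: List[Finding]) -> List[Finding]:
    """The subset a team should be working on today."""
    return [f for f, label in risk_queue(findings) if label.startswith("Code Red")]


# Constructed sample findings; IDs, assets and scores are invented for illustration.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gateway",           9.8, 0.85, True,  True),
    Finding("CVE-0000-0002", "mail-edge",             7.5, 0.72, True,  False),
    Finding("CVE-0000-0003", "hr-portal-internal",    9.1, 0.65, False, False),
    Finding("CVE-0000-0004", "public-web",            8.2, 0.02, True,  False),
    Finding("CVE-0000-0005", "build-server-internal", 9.0, 0.01, False, False),
    # CVSS 6.5 keeps this out of a CVSS>=7 queue, yet it is exposed with EPSS 0.70.
    Finding("CVE-0000-0006", "iot-camera",            6.5, 0.70, True,  False),
]


if __name__ == "__main__":
    print("Legacy CVSS>=7 queue:")
    for f in legacy_queue(SAMPLE):
        print(f"  {f.cve_id}  cvss={f.cvss}  {f.asset}")
    print("Risk-based queue:")
    for f, label in risk_queue(SAMPLE):
        print(f"  {f.cve_id}  epss={f.epss:.2f}  exposed={f.internet_exposed}  {label}")
    print("Code Red today:", [f.cve_id for f in code_red(SAMPLE)])
```

The point of the two queues is the gap between them: the legacy queue contains five of the six findings and ranks an unreachable build server second, while the risk-based queue puts the three exposed, likely-exploited findings at the top and is the only one that surfaces the low-CVSS camera flaw.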

For practitioners building third-party cyber threat management programs in this environment, Black Kite finds that legacy third-party risk management strategies, such as questionnaires and annual assessments, are no longer enough, and need to be replaced with intelligence-driven outreach based on specific CVEs, affected assets, and proof-of-concept availability.
