Supply chain’s invisible risks can’t wait for the patch


A software flaw no longer has to be public before it becomes a problem. In the digital supply chain, many vulnerabilities are already being exploited before the sector knows they exist.

This is one of the main conclusions of the 2026 Supply Chain Vulnerability Report, sponsored by Black Kite Research Group. The document describes a structural shift in business cybersecurity in which attacker speed has outrun defender visibility.

During the past year, more than 48,000 CVEs were published (about 800 of them actively exploited), but only 58 represented a real and direct threat to supply chains. The paradox is evident: the volume of alerts is massive, but the real risk is concentrated in a tiny set of critical vulnerabilities, roughly one in a thousand.

This is also a ‘noise’ problem. The sheer volume of published vulnerabilities makes any strategy of reviewing everything impossible. During the past year, CISA’s Known Exploited Vulnerabilities (KEV) catalog grew by 32%, but the report warns of a discrepancy between what is actually being exploited and what gets catalogued: the catalog lags real compromise, so absence from KEV is not evidence that a flaw is unexploited.

One of the most disruptive data points in the report is the inversion of the exploitation cycle. According to Mandiant’s threat intelligence, attackers exploit vulnerabilities an average of seven days before their public disclosure. This breaks the traditional security model built on patching after publication: by the time a vulnerability is announced, in many cases it is already too late.

This acceleration is compounded by a second, equally concerning phenomenon. Once an attacker gains access to a provider, the hand-off to ransomware actors can take just 22 seconds on average. An intrusion chain that once took hours or even days is now practically instantaneous.

In practice, this means the compromised access does not ‘remain in the hands’ of the initial intruder; it enters an automated or highly coordinated cybercrime circuit where it is monetized immediately.

Artificial intelligence as a new attack vector

The emergence of artificial intelligence adds a further layer of complexity. In 2025, more than 2,130 vulnerabilities related to AI systems were identified, an annual growth exceeding 30%. These flaws affect not only emerging tools but also coding assistants and development environments that are increasingly integrated into the software production cycle.

Techniques such as prompt injection are consolidating as a new class of vulnerability, comparable in impact to remote code execution in traditional systems. The comparison holds wherever a model’s output is fed into a tool, a build step or a shell, because an injected instruction then becomes an executed action. The risk no longer resides solely in the programs a company runs but also in the models that interpret and generate that software.

The report also reveals a growing gap between organizations with advanced detection capabilities and the rest of the ecosystem. While large companies have cut their response times significantly with AI-based tooling, many medium-sized providers and open-source projects still operate with detection cycles exceeding six months.

Open-source software accounts for about 14% of the risk detectable through OSINT, confirming its structural role as an entry point into numerous supply chains. As large corporations strengthen their defenses, attackers shift their focus to these less visible but widely integrated links.

The study’s conclusion points to a profound change in how third-party cybersecurity should be understood. Instead of relying on traditional metrics such as CVSS alone, the document proposes an approach that combines detectability, likelihood of exploitation, and real exposure within the supplier ecosystem.
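As an added illustration of that triage logic (this is not the report’s own method or code), the Python below ranks a handful of constructed advisory records by exploitation likelihood, pre-disclosure exploitation, supplier exposure and external detectability, using CVSS only as a tie-breaker. The record fields, sample values, identifiers such as VULN-A, and the weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Vuln:
    """One advisory as an enrichment pipeline might see it.
    All fields and values are constructed for this example."""
    vid: str
    cvss: float                       # base score, 0-10
    exploit_likelihood: float         # 0-1, e.g. an EPSS-style probability
    in_kev: bool                      # listed in a known-exploited catalog
    published: date                   # public disclosure date
    first_exploited: Optional[date]   # earliest observed in-the-wild use, if any
    exposed_suppliers: int            # third parties in our ecosystem running it
    osint_detectable: bool            # can it be fingerprinted from outside?


def disclosure_gap_days(v: Vuln) -> Optional[int]:
    """Days between first observed exploitation and public disclosure.
    Negative means it was exploited before it was published."""
    if v.first_exploited is None:
        return None
    return (v.first_exploited - v.published).days


def supply_chain_score(v: Vuln) -> float:
    """Combine likelihood, exposure and detectability; CVSS only breaks ties.
    The weights are illustrative assumptions, not a published formula."""
    if v.exposed_suppliers == 0:
        return 0.0  # nobody in our ecosystem runs it: no supply-chain risk for us
    likelihood = max(v.exploit_likelihood, 0.9 if v.in_kev else 0.0)
    gap = disclosure_gap_days(v)
    if gap is not None and gap < 0:
        likelihood = 1.0  # weaponised before disclosure: treat as certain
    exposure = min(v.exposed_suppliers, 5) / 5.0   # saturates at 5 suppliers
    detectability = 1.0 if v.osint_detectable else 0.6  # attackers find what we can find
    return round(100 * likelihood * exposure * detectability + v.cvss / 10, 2)


def triage(vulns: List[Vuln]) -> List[Vuln]:
    """Short list an analyst should look at first, highest score first."""
    ranked = sorted(vulns, key=supply_chain_score, reverse=True)
    return [v for v in ranked if supply_chain_score(v) > 0]


def cvss_ranking(vulns: List[Vuln]) -> List[str]:
    """The order a CVSS-only policy would produce, for comparison."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed sample: four advisories with deliberately conflicting signals.
SAMPLE = [
    # critical score, but no supplier of ours runs it and no exploitation seen
    Vuln("VULN-A", 9.8, 0.02, False, date(2025, 3, 1), None, 0, True),
    # middling score, in KEV, exploited a week before disclosure, 3 suppliers
    Vuln("VULN-B", 7.5, 0.35, True, date(2025, 5, 10), date(2025, 5, 3), 3, True),
    # low score, very likely exploited, widely deployed, not externally visible
    Vuln("VULN-C", 6.1, 0.92, False, date(2025, 6, 1), date(2025, 6, 20), 5, False),
    # critical score, negligible exploitation likelihood, 2 suppliers
    Vuln("VULN-D", 9.1, 0.01, False, date(2025, 7, 1), None, 2, True),
]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_ranking(SAMPLE))
    for v in triage(SAMPLE):
        print(v.vid, supply_chain_score(v), "gap:", disclosure_gap_days(v))
```

The contrast is the point: a CVSS-only policy would put VULN-A and VULN-D at the top, while the exposure-aware ranking drops VULN-A entirely and puts the already-weaponised VULN-B first. In a real pipeline the exposure count would come from your supplier inventory and the exploitation dates from a KEV or threat-intelligence feed rather than hand-entered records.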

