Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility
New vulnerabilities are being discovered too fast, the time-to-exploitation is too short, and our visibility into them is largely lacking. The post Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility appeared first on SecurityWeek.
AI Analysis
Technical Summary
This analysis covers the accelerating velocity of supply chain vulnerabilities and the shrinking time to exploitation, which now often precedes patch release. Black Kite's 2025 supply chain vulnerability report, together with Mandiant data, puts the count at more than 48,000 published CVEs with an average time-to-exploit of minus seven days, meaning exploitation begins on average a week before public disclosure. Despite the volume, only a small subset of CVEs is both critical and discoverable by attackers through open sources. The growth is driven by AI-assisted vulnerability discovery, frequent software updates, and the introduction of agentic AI tools that hold access privileges of their own. Poor visibility into software components and their vulnerabilities, including incomplete or inaccurate SBOMs, prevents organizations from prioritizing and mitigating effectively. Defensive AI may help, but it must be deployed carefully to avoid operational disruption. The core problem is visibility: without it, vulnerability velocity in the supply chain cannot be managed.
Potential Impact
The impact is a heightened risk environment where organizations face an unmanageable volume of vulnerabilities with exploitation often preceding patch availability. This undermines traditional patch management strategies and increases the likelihood of supply chain compromises. The lack of visibility into critical vulnerabilities and software components means organizations may be unaware of their exposure and unable to prioritize remediation effectively. AI-driven vulnerability discovery and software development practices are expected to increase the volume and velocity of threats, potentially overwhelming security teams. While many vulnerabilities may be background noise, the few critical ones pose significant risks to enterprise supply chains.
Mitigation Recommendations
The article is an analysis piece, not a disclosure of a specific flaw, so there is no single vendor advisory or patch to track. Organizations should instead concentrate on visibility: identify the relatively few critical and exploitable CVEs that matter to their own supply chain using threat intelligence and OSINT (exploitation evidence, public proof-of-concept availability, exposure of the affected component). Software component transparency should be improved through accurate and complete SBOMs, with the caveat that many current SBOMs lack the version and package identifiers needed to match them against advisories. Defensive AI tooling may help absorb the volume, but it should be introduced with operational risk in mind and with human oversight on critical systems. Prioritizing remediation by exploitability and relevance to the enterprise, rather than by raw CVE count or CVSS score alone, is what makes the volume manageable.
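The prioritization step the recommendations describe is shown below as an added example; it is not code from the SecurityWeek article, Black Kite, or Mandiant. The script checks a constructed CycloneDX-style SBOM for the gaps that make advisory matching impossible (components with no purl or no version), matches the remaining components against a constructed OSV-like advisory feed, and ranks the hits by exploitability signals (known-exploited status, EPSS, CVSS, internet exposure) instead of by count. Every identifier, version, score and tier threshold is invented for illustration, and the version comparison is a simplified numeric one with no pre-release handling.

```python
import json

# Constructed CycloneDX-style SBOM (not a real product's SBOM). Two components
# illustrate the visibility gaps the article warns about: one has no version,
# one has no purl, so neither can be matched against an advisory feed.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"name": "webfw", "version": "4.0.1", "purl": "pkg:pypi/webfw@4.0.1"},
        {"name": "jsonlib", "version": "2.9.0", "purl": "pkg:pypi/jsonlib@2.9.0"},
        {"name": "crypto-utils", "purl": "pkg:pypi/crypto-utils"},  # no version
        {"name": "vendor-agent", "version": "7.1.0"},                # no purl
    ],
})

# Constructed advisory feed in an OSV-like shape. IDs are placeholders, not CVEs;
# CVSS, EPSS and KEV (known exploited) values are invented.
VULN_FEED = [
    {"id": "EX-0001", "package": "pkg:pypi/webfw", "introduced": "3.0.0", "fixed": "4.0.2",
     "cvss": 9.8, "epss": 0.92, "kev": True},
    {"id": "EX-0002", "package": "pkg:pypi/jsonlib", "introduced": "2.0.0", "fixed": "2.9.1",
     "cvss": 7.5, "epss": 0.04, "kev": False},
    {"id": "EX-0003", "package": "pkg:generic/libfoo", "introduced": "1.0.0", "fixed": "1.2.0",
     "cvss": 8.1, "epss": 0.30, "kev": False},  # fixed before 1.2.3: must not match
    {"id": "EX-0004", "package": "pkg:pypi/crypto-utils", "introduced": "0", "fixed": "3.0.0",
     "cvss": 5.3, "epss": 0.01, "kev": False},  # component has no version: cannot evaluate
]


def parse_version(v):
    """Simplified numeric version tuple; no pre-release or build metadata handling."""
    return tuple(int(p) for p in v.split("."))


def purl_base(purl):
    """Strip the @version suffix so a purl can be compared with the feed's package key."""
    return purl.split("@", 1)[0]


def sbom_quality_issues(components):
    """Report components that cannot be matched: these are blind spots, not clean results."""
    issues = []
    for c in components:
        if not c.get("purl"):
            issues.append(f"{c['name']}: no purl (cannot be matched to advisories)")
        if not c.get("version"):
            issues.append(f"{c['name']}: no version (affected range cannot be evaluated)")
    return issues


def is_affected(version, vuln):
    """OSV-style half-open range: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])


def match_vulns(components, feed):
    """Join SBOM components to advisories by purl base and affected range."""
    matches = []
    for c in components:
        if not c.get("purl") or not c.get("version"):
            continue  # silently unmatched; surfaced separately by sbom_quality_issues
        base = purl_base(c["purl"])
        for vuln in feed:
            if vuln["package"] == base and is_affected(c["version"], vuln):
                matches.append({"component": c["name"], "version": c["version"], **vuln})
    return matches


def tier(match, exposed):
    """Exploitability first, severity second. Thresholds are illustrative, not a standard."""
    if match["kev"] or (exposed and match["epss"] >= 0.5):
        return "P1"
    if match["epss"] >= 0.1 or (exposed and match["cvss"] >= 7.0):
        return "P2"
    return "P3"


def triage(sbom_text, feed, exposed_components):
    """Return SBOM quality issues plus matched findings ranked by tier, then by EPSS."""
    components = json.loads(sbom_text).get("components", [])
    ranked = []
    for m in match_vulns(components, feed):
        exposed = m["component"] in exposed_components
        ranked.append({**m, "exposed": exposed, "tier": tier(m, exposed)})
    ranked.sort(key=lambda m: (m["tier"], -m["epss"]))
    return {"issues": sbom_quality_issues(components), "ranked": ranked}


if __name__ == "__main__":
    result = triage(SBOM_JSON, VULN_FEED, exposed_components={"webfw"})  # webfw assumed internet-facing
    for issue in result["issues"]:
        print("SBOM gap:", issue)
    for m in result["ranked"]:
        print(f"{m['tier']} {m['id']} {m['component']}@{m['version']} "
              f"kev={m['kev']} epss={m['epss']} cvss={m['cvss']} exposed={m['exposed']}")
```

Of five components, two cannot be evaluated at all, one matched advisory turns out not to apply because the installed version is already past the fix, and only one finding lands in the top tier. That distribution, a handful of real priorities plus a set of blind spots, is the point: the SBOM quality issues deserve as much attention as the ranked list, because an unmatched component is not a clean one.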
Technical Details
Article Source: https://www.securityweek.com/supply-chain-security-crisis-too-many-vulnerabilities-too-little-visibility/ (fetched 2026-05-21)