COMMENTARY: Security teams last year were put on notice when Broadcom disclosed three zero-day vulnerabilities in VMware products that were already being exploited in the wild. For days, weeks, or even months, attackers had been inside enterprise networks, forcing security teams to scramble in response.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

This wasn't an isolated incident. Third-party breaches have doubled to 30% of all security incidents, according to the 2025 Verizon Data Breach Investigations Report. Meanwhile, roughly 50-60% of newly disclosed vulnerabilities have exploit code written for them within 48 hours. This lets attackers compromise one vendor and reach many downstream targets through trusted relationships that aren't defended as heavily as direct entry points.

Security teams have gotten very good at catching compromised credentials and phishing attacks, two of the most common attack methods. But zero-day vulnerabilities in third-party vendors are increasingly being used to infiltrate enterprises that have their more traditional hatches battened down. The reason comes down to a simple operational reality that favors attackers.

Vulnerability management can't keep up

Vulnerability management remains a weak spot for security teams because of its operational complexity. Forcing password resets and checking logs for suspicious account activity takes much less time than patching vulnerabilities, which requires an entire team and a test environment to ensure that installing the patch doesn't interfere with programs or take down a system. As a result, security teams prioritize the easier fixes.

The Linux vulnerability (the XZ Utils backdoor) was a sophisticated supply chain attack in late 2024 that threatened millions of third-party vendors using the affected software. The complexity and ubiquity of this core dependency meant companies needed weeks or more just to complete the initial assessment of their exposure before they could begin remediation.

In another example, a ransomware group used a zero-day exploit in Cleo managed file transfer software to access sensitive data of potentially dozens of large companies around the world. The same criminal group claimed credit for exploiting a zero-day vulnerability in Fortra's GoAnywhere managed file transfer program to steal data from 130 organizations.

Attacker advantage keeps growing

The success of these large-scale attacks fuels a growing underground marketplace for exploits and stolen credentials, expanding threat actor capabilities. Criminal groups have more money to buy zero-days or to attract technically capable people who can create them. Meanwhile, security teams often struggle with lean budgets and limited personnel.

Zero-days present problems even for organizations that have hardened their perimeters well. Phishing or stolen credentials can offer an easy way into internal networks, where attackers can then use zero-day exploits against software in that more trusted environment.

A zero-day in Oracle E-Business Suite in October gave unauthenticated attackers access to enterprise resource planning systems at third-party vendors. Once inside, they stole massive amounts of sensitive financial and HR data from thousands of companies.

While security teams attempt to stay on top of vulnerability reports, attackers have armies of botnets scanning for exposed systems they can compromise. AI makes this scanning more efficient and targeted. High-severity, trivial-to-exploit vulnerabilities give attackers easy access to greater numbers of victims. The scanning never stops; botnets are only upgraded to add more CVEs to scan for.

Three tips for managing third-party risk

Organizations can't eliminate third-party vulnerabilities, but they can reduce their impact by focusing on these three areas:

- Practice due diligence, or face the consequences: Cyber insurers have shifted toward negligence standards when evaluating claims. If the team hasn't done due diligence on security posture, whether for the organization or for its vendors, it could be liable. One major U.S. cyber insurance carrier excludes coverage for losses caused by vulnerabilities with a CVSS score of 8.0 or higher if the patch has been available and unapplied for more than three weeks. Ignorance is no longer a defense.
- Apply zero-trust to defend against these attacks: Zero-trust architecture can defend against these supply chain attacks by assuming compromise from the start and limiting lateral movement. Instead of trusting vendor relationships by default, zero-trust requires verification at every step and contains breaches when they occur. This approach recognizes that perimeter defenses will eventually fail.
- Know the team's exposure in real time: Organizations need visibility into their threat landscape as it evolves, not after an attack. This means understanding which vulnerabilities affect the specific environment, tracking emerging threats before they hit mainstream news, and having systems that can prioritize risks based on the company's actual infrastructure rather than generic severity scores. We must move from incident response to threat prevention.

AI will accelerate this entire cycle, both the discovery of vulnerabilities and the speed of exploitation. We're moving toward a future where vulnerability scanning becomes fully automated and exploit development happens at machine speed.

But this same technology will help defenders by enabling faster threat detection and automated response capabilities. That's why organizations must adapt their third-party risk strategies as attackers continue advancing these AI-powered methods.

Jeanette Miller-Osborn, field chief intelligence officer, Dataminr