The vulnerabilities you found are managed by a third party and not within my control.

Whilst you may not own these services and they may not be directly within your control, you are  running services through this third-party provider which means you should investigate. This could apply to a managed service provider (MSP), external IT support, or a SaaS provider.

You should contact the service provider/external support and ask for confirmation that these vulnerabilities do not pose a threat to your organisation, or that the third-party provider is taking steps to remedy these vulnerabilities.