Focus Friday: Addressing Third-Party Risks in PAN-OS, Ivanti Connect Secure, Zimbra, and Cacti Vulnerabilities

14 February 2025 at 13:05

Written by: Ferdi Gül

In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.

Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.

Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.

Filtered view of companies with PAN-OS – Feb2025 FocusTag™ on the Black Kite platform.

CVE-2025-0108, CVE-2025-0110: Authentication Bypass & Command Injection in PAN-OS

What are the PAN-OS Authentication Bypass and Command Injection Vulnerabilities?

Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:

  • CVE-2025-0108 (Authentication Bypass – CVSS: 8.8):
    This vulnerability affects the management web interface of PAN-OS. An unauthenticated attacker with network access can bypass authentication and invoke specific PHP scripts. While it does not allow remote code execution, it compromises system integrity and confidentiality.
  • CVE-2025-0110 (Command Injection – CVSS: 8.6):
    Found in the OpenConfig plugin, this vulnerability enables an authenticated administrator with gNMI request privileges to inject and execute arbitrary commands. The commands run as the _openconfig user, which has Device Administrator privileges, potentially leading to full system compromise.

Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.

  • Authentication Bypass (CVE-2025-0108):
    Attackers could exploit this flaw to gain unauthorized access to PAN-OS management functions, leading to potential misconfigurations, unauthorized changes, or exposure of sensitive network settings.
  • Command Injection (CVE-2025-0110):
    If the OpenConfig plugin is enabled, an attacker with administrator access could execute arbitrary system commands, escalating privileges or deploying persistent malware on PAN-OS devices.

For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.

What Questions Should TPRM Professionals Ask Vendors?

To assess vendor exposure, TPRM professionals should ask:

  1. Have you identified any PAN-OS devices in your environment that are running vulnerable versions (before PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, 10.1.14-h9)?
  2. Do you use the OpenConfig plugin in PAN-OS? If so, have you verified that it is updated to version 2.1.2 or later?
  3. What access controls are in place to restrict exposure of the PAN-OS management web interface to untrusted networks?
  4. Have you applied Palo Alto Networks’ recommended mitigations, such as disabling unused plugins and restricting management access?

Remediation Recommendations for Vendors Subject to this Risk

To mitigate the risk associated with these vulnerabilities, vendors should:

Upgrade PAN-OS to patched versions:

  • PAN-OS 11.2 → Upgrade to 11.2.4-h4 or later
  • PAN-OS 11.1 → Upgrade to 11.1.6-h1 or later
  • PAN-OS 10.2 → Upgrade to 10.2.13-h3 or later
  • PAN-OS 10.1 → Upgrade to 10.1.14-h9 or later
  • If running PAN-OS 11.0 (EoL), upgrade to a supported version.

  • Update the OpenConfig plugin to version 2.1.2 or later (if enabled).
  • Restrict management interface access to trusted internal IPs only.
  • Disable the OpenConfig plugin if not in use to reduce the attack surface.
  • Monitor system logs for unusual access or command execution activity.
  • Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).
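As an added example (not Black Kite’s or Palo Alto Networks’ code), the following Python script applies the fixed-version list above to a vendor-supplied inventory and flags each device for CVE-2025-0108 and CVE-2025-0110; the inventory format and host names are constructed assumptions.

```python
"""Triage PAN-OS versions from a vendor inventory against the fixed releases
named in the advisories for CVE-2025-0108 and CVE-2025-0110 (added example;
the inventory layout and host names below are constructed)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Minimum fixed release per maintenance train, as listed in the advisory text.
FIXED_PANOS: Dict[Tuple[int, int], str] = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}
EOL_TRAINS = {(11, 0)}        # PAN-OS 11.0 is end-of-life: no fix, change train
FIXED_OPENCONFIG = "2.1.2"    # OpenConfig plugin release that fixes CVE-2025-0110

_PANOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Version:
    """Parse '10.2.13-h3' into (10, 2, 13, 3). A missing '-hN' hotfix counts
    as 0, so plain tuple comparison orders releases correctly."""
    m = _PANOS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess_panos(text: str) -> str:
    """Classify a PAN-OS version for CVE-2025-0108: 'patched', 'vulnerable',
    'eol' (11.0, upgrade required) or 'unknown-train' (not in the list above)."""
    ver = parse_panos_version(text)
    train = (ver[0], ver[1])
    if train in EOL_TRAINS:
        return "eol"
    if train not in FIXED_PANOS:
        return "unknown-train"  # not covered by the advisory list; ask the vendor
    fixed = parse_panos_version(FIXED_PANOS[train])
    return "patched" if ver >= fixed else "vulnerable"


def assess_openconfig(plugin_version: Optional[str]) -> str:
    """Classify the OpenConfig plugin for CVE-2025-0110; None means not installed."""
    if plugin_version is None:
        return "not-installed"
    have = tuple(int(p) for p in plugin_version.strip().split("."))
    need = tuple(int(p) for p in FIXED_OPENCONFIG.split("."))
    return "patched" if have >= need else "vulnerable"


def triage(inventory: List[Dict[str, Optional[str]]]) -> List[Dict[str, str]]:
    """One row per device with both findings; devices with open issues sort first."""
    rows = []
    for dev in inventory:
        rows.append({
            "host": dev["host"],
            "panos": dev["panos"],
            "cve_2025_0108": assess_panos(dev["panos"]),
            "cve_2025_0110": assess_openconfig(dev.get("openconfig")),
        })
    open_states = {"vulnerable", "eol", "unknown-train"}
    rows.sort(key=lambda r: not (r["cve_2025_0108"] in open_states
                                 or r["cve_2025_0110"] == "vulnerable"))
    return rows


# Constructed sample inventory, as a vendor might return it in a questionnaire.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01.example.test", "panos": "10.2.13-h3", "openconfig": None},
    {"host": "fw-edge-02.example.test", "panos": "10.2.13", "openconfig": "2.1.1"},
    {"host": "fw-dc-01.example.test", "panos": "11.0.3", "openconfig": None},
    {"host": "fw-lab-01.example.test", "panos": "11.2.5", "openconfig": "2.1.2"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:26} PAN-OS {row['panos']:11} "
              f"CVE-2025-0108={row['cve_2025_0108']:13} "
              f"CVE-2025-0110={row['cve_2025_0110']}")
```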

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.

  • The FocusTag™ identifies vendors potentially affected by CVE-2025-0108 and CVE-2025-0110.
  • Black Kite provides asset intelligence, including IP addresses and subdomains hosting vulnerable PAN-OS instances.

The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.

Black Kite’s PAN-OS – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-22467, CVE-2024-38657, CVE-2024-10644: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure

What Are the Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure?

Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:

  • CVE-2025-22467 (CVSS: 9.9): A stack-based buffer overflow vulnerability in ICS versions prior to 22.7R2.6. This flaw allows a remote authenticated attacker with low privileges to execute arbitrary code, potentially leading to full system compromise.
  • CVE-2024-38657 (CVSS: 9.1): An external control of file name or path vulnerability affecting ICS (before 22.7R2.4) and IPS (before 22.7R1.3). A remote authenticated attacker with administrative privileges can write arbitrary files on the system, which may lead to unauthorized file manipulation or system compromise.
  • CVE-2024-10644 (CVSS: 9.1): A code injection vulnerability in ICS (before 22.7R2.4) and IPS (before 22.7R1.3). This allows a remote authenticated attacker with administrative privileges to execute arbitrary commands on the system, potentially resulting in complete system control.

These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-Party Risk Management (TPRM) professionals should be concerned due to the following reasons:

  • Remote Code Execution Risks: Exploitation of these vulnerabilities could allow attackers to execute arbitrary code or commands, leading to unauthorized access, data breaches, and potential lateral movement within the network.
  • Privilege Escalation: Attackers with low-level access could exploit these flaws to escalate privileges, gaining administrative control over critical systems.
  • Supply Chain Impact: Vendors utilizing vulnerable versions of ICS and IPS may inadvertently expose connected organizations to security risks, emphasizing the importance of assessing third-party security postures.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To assess vendor exposure, TPRM professionals should inquire:

  1. Which versions of Ivanti Connect Secure and Ivanti Policy Secure are currently deployed within your environment?
  2. Have the identified vulnerabilities (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644) been remediated by updating to the latest recommended versions?
  3. What measures are in place to monitor and detect potential exploitation attempts related to these vulnerabilities?
  4. Is multi-factor authentication (MFA) enabled for all administrative access to these systems?

Remediation Recommendations for Vendors Subject to This Risk

To mitigate the risks associated with these vulnerabilities, vendors should:

Update to Patched Versions:

  • For Ivanti Connect Secure, upgrade to version 22.7R2.6 or later.
  • For Ivanti Policy Secure, upgrade to version 22.7R1.3 or later.

Restrict Administrative Privileges:

  • Limit administrative access to essential personnel.
  • Enforce principle of least privilege to reduce risk.

Implement Multi-Factor Authentication (MFA):

  • Ensure MFA is enabled for all administrative and remote access.

Monitor System Logs:

  • Regularly review logs for unusual activities or signs of attempted exploitation.

Apply Security Best Practices:

  • Follow Ivanti’s security guidelines to mitigate risks associated with authenticated users.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.

  • The FocusTag™ provides detailed information on vendors potentially affected by these vulnerabilities.
  • Black Kite’s asset intelligence helps identify IP addresses and subdomains hosting vulnerable instances.
  • This enables TPRM teams to proactively assess and address risks associated with these vulnerabilities.

Black Kite’s Ivanti Connect Secure – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-25064: Zimbra Collaboration SQL Injection Vulnerability

Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.

What is CVE-2025-25064?

CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2025-25064?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-25064?

To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:

  1. Have you updated all instances of Zimbra Collaboration to versions 10.0.12 or 10.1.4, where CVE-2025-25064 has been patched?
  2. Can you confirm if you have implemented access restrictions to the ZimbraSync Service SOAP endpoint to trusted networks and users as recommended?
  3. Have you deployed Web Application Firewalls (WAFs) to detect and block SQL injection attempts targeting Zimbra Collaboration?
  4. Do you regularly monitor server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service?

Remediation Recommendations for Vendors

Vendors using affected Zimbra Collaboration products should:

  • Update Software: Upgrade to Zimbra Collaboration versions 10.0.12 or 10.1.4, where this vulnerability has been addressed.
  • Restrict Access: Limit access to the ZimbraSync Service SOAP endpoint to trusted networks and users to minimize potential exploitation vectors.
  • Implement Web Application Firewalls (WAF): Deploy WAFs to detect and block SQL injection attempts and other malicious activities targeting web applications.
  • Monitor Logs: Regularly review server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.

Black Kite’s Zimbra – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-22604: Critical Remote Code Execution Vulnerability in Cacti

Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.

What is the Cacti Remote Code Execution Vulnerability?

CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of active exploitation at the moment.
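The untrusted-input pattern described above, handled defensively, as an added example in illustrative Python (not Cacti’s own PHP code): the monitored device chooses what an SNMP response contains, so every OID is validated against the strict numeric dotted form before it is used as a table key or placed in a command argument vector. The walk output, host and community string are constructed.

```python
"""Validate SNMP response OIDs before they reach an array key or a command
(added example, illustrative Python; the walk output below is constructed)."""
import re
from typing import Dict, List, Tuple

# An OID is non-negative integers separated by single dots and nothing else.
OID_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed walk output for a disk-I/O device table: "<oid> = <value>".
# The third line carries a non-numeric suffix of the kind that must be rejected.
SAMPLE_WALK = """\
1.3.6.1.4.1.2021.13.15.1.1.2.1 = sda
1.3.6.1.4.1.2021.13.15.1.1.2.2 = sdb
1.3.6.1.4.1.2021.13.15.1.1.2.3;id = sdc
"""


def split_walk(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (accepted oid->value, rejected raw lines). Rejected lines are kept
    verbatim for logging only; nothing downstream ever interprets them."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        oid, sep, value = line.partition(" = ")
        oid = oid.strip()
        if not sep or not OID_RE.fullmatch(oid):
            rejected.append(line)
            continue
        accepted[oid] = value.strip()
    return accepted, rejected


def instance_index(oid: str) -> int:
    """Last OID component as an integer. An int key cannot carry shell syntax
    into whatever array or command is later built from it."""
    if not OID_RE.fullmatch(oid):
        raise ValueError(f"malformed OID: {oid!r}")
    return int(oid.rsplit(".", 1)[1])


def snmpget_argv(host: str, community: str, oid: str) -> List[str]:
    """Argument vector for a follow-up query: validated OID, one element per
    argument, meant for subprocess.run(argv) with no shell involved."""
    if not OID_RE.fullmatch(oid):
        raise ValueError(f"malformed OID: {oid!r}")
    return ["snmpget", "-v2c", "-c", community, "-On", host, oid]


if __name__ == "__main__":
    table, bad = split_walk(SAMPLE_WALK)
    for oid, device in table.items():
        argv = snmpget_argv("10.0.0.5", "public", oid)
        print(f"index {instance_index(oid)} -> {device}: {' '.join(argv)}")
    for line in bad:
        print("rejected:", line)
```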

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.

What Questions Should TPRM Professionals Ask Vendors About CVE-2025-22604?

To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:

  1. Have you identified any instances of Cacti within your infrastructure that are affected by CVE-2025-22604?
  2. If so, have you updated all affected Cacti installations to version 1.2.29 or later to mitigate this vulnerability?
  3. What measures have you implemented to restrict SNMP access to trusted users and networks?
  4. Do you regularly monitor system logs and SNMP activity for unusual or unauthorized actions?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:

  • Upgrade Cacti: Update all Cacti installations to version 1.2.29 or later, as this version addresses the vulnerability.
  • Restrict SNMP Access: Limit SNMP access to trusted users and networks to reduce potential attack vectors.
  • Monitor Systems: Regularly review system logs and SNMP activity for any unusual or unauthorized actions.
  • Review Permissions: Ensure that only necessary personnel have device management permissions within Cacti.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.

Black Kite’s Cacti – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:

  • Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action.
  • Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively.
  • Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities.
  • Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.

By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.


About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
  • Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
  • Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
  • Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
  • FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
  • QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
  • Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
  • W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
  • Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
  • Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
  • SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
  • SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’s SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
  • Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
  • Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and Path Traversal Vulnerability in Progress WhatsUp Gold.
  • GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
  • Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
  • CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
  • Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
  • BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s Privileged Remote Access (PRA), Remote Support (RS).

Elon Musk’s Toxicity Could Spell Disaster for Tesla

14 February 2025 at 04:22
Staggering sales drops, swastika-daubed EVs, companies culling fleet models, and fan-forum owners selling their cars—Elon Musk's alt-right antics are seriously impacting his electric car business.

WordCamp Asia 2025: Manila Magic

14 February 2025 at 10:04
WordCamp Asia 2025

The first major WordCamp of the year is here! WordCamp Asia 2025 lands in Manila, Philippines, from February 20-22, bringing together open source enthusiasts, developers, and WordPress professionals from across the region—and the world.

With three packed days of learning, networking, and collaboration, this year’s event promises fresh insights, dynamic discussions, and plenty of opportunities to connect.

Solutions spotlight

Throughout the conference days, multiple presentations will focus on the solutions provided by our amazing sponsors. This is a great opportunity to learn more about their initiatives and solutions.

Keynotes, panels, and deep dives

The main conference, which will be held on February 21-22, will feature a lineup of notable keynote speakers, including digital innovation leaders and open-source advocates. Attendees can expect diverse sessions on business strategy, development of best practices, and technical advancements.

For those looking to sharpen their skills, presentations will dive deep into topics like SEO for WordPress, performance optimization, and AI-powered content creation. Plus, don’t miss the electrifying WordPress Speed Build Battle, where developers race to create stunning sites in record time.

YouthCamp

On February 22, WordCamp Asia 2025 will host YouthCamp, a pre-registered event designed to introduce young minds to WordPress and its endless possibilities. This initiative aims to engage the next generation of WordPress users, developers, and contributors through hands-on activities and interactive sessions.

Closing Q&A with Matt Mullenweg

WordPress Cofounder Matt Mullenweg will wrap up the event with a live Q&A session on February 22. Whether attending in person or tuning in online, you can catch his insights live on the WordPress YouTube channel at 4:00 p.m. Philippine Time (08:00 UTC).

After party

As the sun sets on WordCamp Asia 2025, the excitement continues with the After Party (theme: Island Vibe)! Get ready to experience the vibrant spirit of the Philippines with a lively gathering at The Forum at PICC. Expect a night filled with great conversations, music, and a celebration of the WordPress community.

Get WordCamp-ready

As always, be part of the conversation! Whether you’re attending in Manila or following along online, share your experiences using #WCAsia and #WordPress.

Manila is calling—see you at WordCamp Asia 2025!

State of the Word 2024: Legacy, Innovation, and Community

16 December 2024 at 15:28

On a memorable evening in Tokyo, State of the Word 2024 brought together WordPress enthusiasts from around the world—hundreds in person and millions more online. This event marked the first time State of the Word was hosted in Asia, reflecting the platform’s growing global reach. The setting couldn’t have been more fitting: a city where tradition and technology coexist in seamless harmony. Tokyo, much like WordPress itself, reflects a powerful blend of legacy and innovation, craftsmanship and technology, and moments of vast scale balanced by serene stillness.

Tokyo is a city you feel.

Matt Mullenweg, WordPress Cofounder

During the event, the concept of kansei engineering emerged as a central theme. This Japanese design philosophy seeks to create experiences that go beyond function and aesthetics, focusing on how something feels. As highlighted during the keynote, this principle has quietly influenced WordPress’s development, shaping its design and user experience in ways that resonate on an instinctive level.

The evening also celebrated Japan’s deep-rooted connection to WordPress. Nearly 21 years ago, Japan became the first country to localize WordPress, long before a formal translation framework existed. It all started with a single forum post from a user named Otsukare, launching a translation project that helped WordPress become a truly global platform. Seeing how far the Japanese WordPress community has come—both in market share and cultural influence—was a powerful reminder of what shared purpose can achieve.

Photo of Matt exhibiting some of the community's wapuu creations

Wapuu, WordPress’s beloved mascot, was also born in Japan. What began as a simple idea for a fun and friendly representation of WordPress evolved into a global phenomenon. Thanks to Kazuko Kaneuchi’s generous open-source contribution, Wapuu has been reimagined by WordPress communities worldwide, each version infused with local character. This uniquely Japanese creation has helped make WordPress more welcoming, approachable, and fun wherever it appears.

WordPress Growth in 2024

WordPress cofounder Matt Mullenweg highlighted significant achievements that underscored WordPress’s growth, resilience, and expanding global presence in 2024. He shared that WordPress now powers 43.6% of all websites globally. In Japan, WordPress’s influence is even more pronounced, powering 58.5% of all websites. This remarkable statistic reinforces the platform’s enduring role as a cornerstone of the open web and accentuates Japan’s deep-rooted commitment to the WordPress ecosystem and its developers’ significant contributions.

WordPress sites using languages other than English are expected to surpass English-language sites by 2025. German recently overtook Japanese as the third-most-used language, though Japanese remained close behind. Meanwhile, emerging languages like Farsi experienced rapid adoption, reflecting the platform’s expanding multilingual ecosystem. In Southeast Asia, languages such as Indonesian, Vietnamese, and Thai saw substantial year-over-year growth, signaling broader adoption across diverse regions.

Core downloads surged to nearly half a billion annually, with the notable releases of WordPress 6.5, 6.6, and 6.7.

WordPress’s design and development ecosystem flourished as well. Over 1,700 new themes were uploaded in 2024, bringing more than 1,000 block themes to the official repository and reflecting increased interest in modern, flexible site design.

The plugin ecosystem also saw record-breaking activity this year. Plugin downloads surged toward 2.35 billion, representing a 20% year-over-year increase. Plugin updates exceeded 3 billion and are on track to surpass 3.5 billion by year’s end. Notably, the Plugin Review Team made transformative improvements, drastically reducing the average review wait time. Their efficiency gains were complemented by the launch of the Plugin Check tool, which reduced submission issues by 41% while enabling the team to approve 138% more plugins each week.

These accomplishments showcase WordPress’s resilience, adaptability, and ever-expanding influence. As the platform continues to evolve, its global community remains at the heart of its success, driving innovation and ensuring that WordPress thrives as the leading tool for building the open web.

Help shape the future of WordPress: Join a contributor team today!

Advancing the Platform

WordPress lead architect, Matías Ventura, highlighted WordPress’s evolution through the lenses of writing, design, building, and development, demoing various pieces of new and forthcoming enhancements.

Write, Build, Design, Develop

Writing

The writing experience in WordPress saw notable advancements this year, with an improved distraction-free mode that helps users focus on content creation without interface clutter. Images can now be selected directly and dragged wherever they are needed, and dropping images next to each other creates a gallery on the fly.

Additionally, the introduction of block-level comments in the editor, currently an experimental feature, promises to reshape collaborative workflows by enabling teams to leave notes directly on blocks.

These enhancements all work together to make writing, composing, and editing in WordPress feel more fluid, personal, and pleasant than ever.

Design

Along with new default theme Twenty Twenty-Five, more than 1,000 block themes offer tailored starting points for different site types, including portfolios, blogs, and business sites. Designers can also utilize the improved Style Book for a comprehensive view of their site’s appearance, ensuring a smooth design process.

Design work isn’t just about aesthetics—it’s also about creating the right environment and guardrails. It’s important that users can interact with their site, add content, replace media, and choose sections without needing to know the layout details. We’re implementing better default experiences to help you focus exclusively on the content or on the design, depending on your needs at the moment. 

This all works seamlessly with the zoom-out view, where users can compose content using patterns without having to set up every individual block. Having a bird’s-eye view of your site can really help you gain a different perspective.

These design capabilities scale with you as your WordPress projects grow. WordPress’s approach to design is systematic: blocks combine to form patterns, patterns form templates, and templates help separate content from presentation.

Building

WordPress’s content management capabilities allow working at scale and across teams. Central to this is the introduction of Block Bindings, which merge the flexibility of blocks with the structured power of meta fields. This feature allows block attributes (for example a paragraph’s content or an image’s URL) to be linked directly to data sources such as post meta, reducing the need for custom blocks while creating deeper, more dynamic content relationships. The familiar block interface remains intact, so managing structured data feels seamless. This connects naturally with the broader work on Data Views for post types and meta fields.
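The paragraph above describes the mechanism only in outline. The following is an added example, not code from the State of the Word session or from WordPress core, showing the three pieces a practitioner would actually write: a meta field registered so that it can be bound (and so that only sanitized text can be written to it), the block markup that binds a paragraph to that field through the core `core/post-meta` source, and a custom binding source registered with `register_block_bindings_source()`. The meta key `sotw_tagline`, the text domain `sotw` and the source name `sotw/tagline-uppercase` are hypothetical names chosen for the example.

```php
<?php
/**
 * Added example (not WordPress core or State of the Word code).
 * Assumed names: meta key "sotw_tagline", text domain "sotw",
 * binding source "sotw/tagline-uppercase". Requires WordPress 6.5+.
 */

// 1. Register the meta field. show_in_rest is required for the editor and the
//    core/post-meta binding source to read it, but it also exposes the field
//    through the REST API, so the auth_callback restricts writes to users who
//    can edit the post and the sanitize_callback strips markup on every write.
add_action( 'init', function () {
	register_post_meta( 'post', 'sotw_tagline', array(
		'type'              => 'string',
		'single'            => true,
		'default'           => '',
		'show_in_rest'      => true,
		'sanitize_callback' => 'sanitize_text_field',
		'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
			return current_user_can( 'edit_post', $post_id );
		},
	) );
} );

// 2. Block markup as stored in post_content: the paragraph's "content"
//    attribute is bound to the meta field via the built-in core/post-meta
//    source. The inner text is placeholder content that the bound value
//    replaces at render time.
$bound_paragraph = <<<'HTML'
<!-- wp:paragraph {"metadata":{"bindings":{"content":{"source":"core/post-meta","args":{"key":"sotw_tagline"}}}}} -->
<p>Placeholder tagline</p>
<!-- /wp:paragraph -->
HTML;

// 3. A custom binding source that derives a value from the same meta field.
//    uses_context asks for postId so the callback works inside Query Loops.
//    The callback's return value is inserted into the block's HTML, so it is
//    escaped here as well rather than relying only on sanitization at write time.
add_action( 'init', function () {
	register_block_bindings_source( 'sotw/tagline-uppercase', array(
		'label'              => __( 'Uppercased tagline', 'sotw' ),
		'uses_context'       => array( 'postId' ),
		'get_value_callback' => function ( array $source_args, $block_instance, string $attribute_name ) {
			$post_id = $block_instance->context['postId'] ?? get_the_ID();
			if ( ! $post_id ) {
				return null; // Nothing to bind outside a post context.
			}
			$value = (string) get_post_meta( $post_id, 'sotw_tagline', true );
			return esc_html( mb_strtoupper( $value ) );
		},
	) );
} );

// Markup using the custom source; swap the source name, keep the attribute.
$bound_uppercase = <<<'HTML'
<!-- wp:paragraph {"metadata":{"bindings":{"content":{"source":"sotw/tagline-uppercase"}}}} -->
<p>Placeholder tagline</p>
<!-- /wp:paragraph -->
HTML;
```

Two points are worth keeping in mind when reviewing code like this. First, `show_in_rest` is what makes a meta field bindable, and the same flag makes it readable and writable through `/wp/v2/posts`, so the `auth_callback` and `sanitize_callback` are not optional extras. Second, a custom `get_value_callback` returns raw HTML to the renderer, so it should escape according to the attribute it feeds (`esc_html()` for text content, `esc_url()` for an image `url`).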

These updates reinforce WordPress’s role as a powerful content management system by connecting its core primitives—blocks, post types, taxonomies, and meta fields—more intuitively. 

Development

Lastly, Matías showcased a range of groundbreaking tools that empower WordPress developers and streamline their workflows. One of the highlights was the new Templates API, which has simplified the process of registering and managing custom templates. Future updates to the API will allow users to register and activate templates seamlessly, enabling dynamic site customizations such as scheduling different homepage templates for special events or swapping category archives during campaigns. This flexible approach offers developers greater creative control in a standardized way. 

The session also explored the Interactivity API, designed to deliver fast, seamless website experiences by enabling server-rendered interactivity within WordPress. Unlike JavaScript-heavy frameworks, this technology keeps everything within WordPress’s existing ecosystem, bridging the gap between developers and content creators. Attendees saw live demos showcasing instant search, pagination, and commenting—all without page reloads—while maintaining a perfect performance score of 100 on Lighthouse. In addition, it was announced that responsive controls will receive significant attention, with new features being explored, like block visibility by breakpoint and adding min/max controls to the columns block.

The WordPress Playground also emerged as a game-changer, allowing users to spin up WordPress sites directly in their browsers, experiment with Blueprints, and manage projects offline. With improved GitHub integration and expanded documentation, WordPress developers now have a more accessible and powerful toolkit than ever before.

An AI Future

Returning to the stage, Matt noted that Gutenberg’s evolution is paving the way for AI-powered site building while keeping creative control in users’ hands. A recent speed building challenge on WordPress’s YouTube channel showcased this potential, with Nick Diego using AI-assisted tools and Ryan Welcher building manually. While the AI-assisted approach won, the key takeaway was that AI isn’t here to replace developers but to enhance creativity and efficiency.

Community Impact and Global Reach

When WordPress Executive Director Mary Hubbard took the stage, she emphasized WordPress’s commitment to its open-source mission and the power of its global community. Mary shared her passion for defending WordPress’s principles, reaffirming that when users choose WordPress, they should receive the authentic, community-driven experience that the platform stands for. This commitment to clarity, trust, and open-source integrity is central to ensuring WordPress’s long-term sustainability and success.

Mary Hubbard, WordPress Executive Director

In 2024, WordPress’s global influence surged through expanded educational programs, developer contributions, and grassroots initiatives. The platform’s social media following grew to 2.3 million, while major events like WordCamps and live-streamed gatherings attracted millions of attendees and viewers, connecting people worldwide.

Learn WordPress introduced Structured Learning Pathways, offering tailored tracks for beginners and developers, fostering a growing network of creators eager to learn and contribute. Grassroots programs flourished, with WP Campus Connect bringing WordPress education to Indian colleges and innovation competitions in Uganda empowering young creators. In Latin America, the Community Reactivation Project reignited meetups across nine cities, fostering a network of over 150 active members and setting the stage for three new WordCamps in 2025.

WordPress’s efforts also advanced through Openverse, which expanded its free content library to 884 million images and 4.2 million audio files, serving millions of creators worldwide and supporting WordPress’s broader mission of democratizing publishing.

Whether through educational platforms, developer-driven innovation, or community-led projects, WordPress’s ecosystem continues to nurture shared learning, creativity, and collaboration, ensuring its growth and relevance for future generations.

Japanese Community Highlights

Junko Fukui Nukaga—Community Team rep, program manager, and WordCamp organizer—noted that WordPress’s prominence in Japan contributes to an economy now estimated to exceed 100 billion yen.

In October of 2024, the Japanese WordPress community celebrated DigitalCube’s IPO on the Tokyo PRO Market, marking a milestone for the local WordPress ecosystem. Major contributors like Takayuki Miyoshi’s Contact Form 7 plugin surpassed 10 million active users, while companies like Sakura Internet and XServer built specialized WordPress infrastructure.

Community events in Japan have also flourished, with 189 local meetups held throughout the year, fueled by dedicated volunteers and organizers. Translation Night gatherings have ensured WordPress remains accessible to Japanese users, reflecting a thriving collaborative spirit.

Matt gave special recognition to Japan’s standout contributor, Aki Hamano, a Core Committer whose efforts elevated WordPress development over the past year. Hamano-san made 774 contributions to WordPress core, earning 162 props for WordPress 6.5, rising to 274 props for 6.6 as the second-highest contributor, and securing the top spot with 338 props for 6.7. Other notable Japanese contributors included Akira Tachibana, an active Docs Team member, and Nukaga, recognized for her community organizing efforts. In total, 13 Japanese contributors accounted for 5.4% of WordPress 6.6 contributions, showcasing the country’s growing influence in the WordPress ecosystem.

Data Liberation

Reflecting on the progress since the initiative’s launch last year, the focus remained on ensuring that WordPress not only becomes more powerful but also embodies freedom in its deepest sense—the freedom to move content anywhere, collaborate without limits, and create without constraints. This vision extends beyond individual sites to a broader web where content flows seamlessly across platforms, enabling unrestricted creativity and innovation.

One compelling example demonstrated how easily ePub files could be imported into a WordPress site, integrating seamlessly with existing designs. This represents the initiative’s broader goal: making content migration and integration effortless. WordPress Playground plays a critical role in this vision by enabling easy site migration through a simple browser extension. With Playground as a staging area, migrating and adapting sites becomes intuitive and accessible.

Q&A

The floor was opened to questions in both Japanese and English.

Questions from the audience, including Tokyo Vice author Jake Adelstein, covered the future of blogging, WordPress performance, the impact of AI search, and what democratizing publishing means today. Matt shared his excitement for more open platforms such as Mastodon and Bluesky, as well as his recommendations for optimizing your site for both humans and AI. A common thread throughout was that a personal website is an important part of your digital identity, and WordPress allows you to express yourself in fun and unique ways.

Panels

After attendees enjoyed a special performance by the pianist Takai-san, industry leaders, creators, and innovators took the stage for panel discussions about the present and future of WordPress, moderated by Mary Hubbard.

Publishing in the Open

Featuring:

  • Mieko Kawakami, Japanese Author and Poet 
  • Craig Mod, Author of Things Become Other Things 
  • Matt Mullenweg, WordPress Cofounder and Automattic CEO

This first panel explored the transformative power of open-source publishing. Panelists shared insights into how open publishing has influenced their creative journeys, expanded audience engagement, and shaped storytelling across cultural boundaries.

Publishing in the open has defined what I’ve done. All the best connections I’ve made in life have been the result of publishing in the open. – Craig Mod

Publishing in the open, like WordPress, is about building community, mutual connections, and putting power back into the hands of creators.

The Future of WordPress in Japan and Beyond

Featuring:

  • Hajime Ogushi, mgn CEO
  • Genki Taniguchi, SAKURA internet Inc. Senior Director
  • Matt Mullenweg, WordPress Cofounder and Automattic CEO

The second discussion highlighted WordPress’s remarkable growth in Japan and its broader global impact. The discussion covered the drivers behind Japan’s adoption of WordPress, its thriving ecosystem of WordPress-based businesses, and emerging trends in web development.

Compared to other CMSs, WordPress in Japanese is much easier to use. – Hajime Ogushi

The group discussed plugins such as Contact Form 7, the affordability of hosting WordPress, and local meetups and events.

Closing

Thank you to all the guests who joined us on stage, those who ventured to Tokyo, and everyone who tuned in from around the world. Today’s event showcased how a free and infinitely flexible platform, an active global community, open innovation, and a commitment to a fully democratized web make us better at being who we are.

From Tokyo, Arigatou Gozaimashita!

For those interested in exploring past State of the Word keynotes, WordPress has curated a comprehensive YouTube playlist featuring keynotes from previous years. Watch them all here: State of the Word YouTube Playlist. Be sure to mark your calendars for major WordPress events in 2025: WordCamp Asia (Manila, Philippines), WordCamp Europe (Basel, Switzerland), and WordCamp US (Portland, Oregon, USA).
