Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we dive into key vulnerabilities impacting widely used technologies. This installment highlights three significant incidents that pose unique challenges to third-party risk management (TPRM) teams. From Juniper Junos OS to Rsync and SimpleHelp, we explore how these vulnerabilities affect the security posture of vendors and their downstream supply chains. By examining these issues, we aim to provide actionable insights and strategies to help organizations mitigate risks and maintain robust third-party relationships.

Juniper Junos CVE-2025-21598

What is the Juniper Junos BGP Vulnerability (CVE-2025-21598)?

CVE-2025-21598 is an out-of-bounds read vulnerability in the routing protocol daemon (rpd) of Junos OS and Junos OS Evolved. When a device is configured with BGP packet receive trace options, an unauthenticated attacker can send malformed BGP packets that cause the rpd process to crash. This vulnerability has a CVSS score of 8.2, making it a high-severity issue. It was first disclosed on January 14, 2025, and there are currently no reports of active exploitation. CISA’s KEV catalog does not yet list this vulnerability. Proof-of-concept (POC) is not available.

CVE-2025-21599 is a critical vulnerability affecting specific versions of Junos OS Evolved. It requires IPv6 to be enabled and involves attackers sending malformed IPv6 packets persistently to exhaust memory. Exploitation does not require authentication but needs network access to the device. The affected versions are:

• From 22.4-EVO: before 22.4R3-S5-EVO
• From 23.2-EVO: before 23.2R2-S2-EVO
• From 23.4-EVO: before 23.4R2-S2-EVO
• From 24.2-EVO: before 24.2R1-S2-EVO, and 24.2R2-EVO.

Versions prior to 22.4R1-EVO are unaffected. This vulnerability was excluded from the FocusTag™ scope due to its limitation to EVO versions and no detection by external clients specific to EVO.

Why should TPRM professionals care about CVE-2025-21598?

This vulnerability impacts network infrastructure devices, which are critical to business operations. If left unpatched, it could result in significant service interruptions, loss of connectivity, and reduced reliability of the affected network environment. Organizations that rely on these devices could face disruptions in their supply chain communications and business operations, making it essential for TPRM professionals to assess the risk and ensure proper mitigation measures are in place.

What questions should TPRM professionals ask vendors about CVE-2025-21598?

1. Have you updated all instances of Junos OS and Junos OS Evolved to the fixed versions mentioned in the advisory to mitigate the risk of CVE-2025-21598?
2. Can you confirm if you have disabled BGP packet receive trace options on your Junos OS and Junos OS Evolved devices to prevent potential exploitation of CVE-2025-21598?
3. Are you regularly inspecting your system logs for any indications of malformed BGP update messages, which may suggest attempted exploitation of CVE-2025-21598?
4. For Junos OS Evolved, have you ensured that all versions from 22.4-EVO before 22.4R3-S5-EVO, from 23.2-EVO before 23.2R2-S2-EVO, from 23.4-EVO before 23.4R2-S2-EVO, from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO have been updated to mitigate the risk of CVE-2025-21599?

Remediation recommendations for vendors subject to this risk

• Upgrade all affected Junos OS and Junos OS Evolved devices to the patched versions.
• Disable BGP packets receive trace options if updating is not immediately possible.
• Implement continuous network monitoring to identify any indications of exploitation attempts.
• Maintain up-to-date logging configurations and review logs for signs of malformed BGP packets.

How can TPRM professionals leverage Black Kite for CVE-2025-21598?

Black Kite published this FocusTag™ to help organizations pinpoint the vendors affected by CVE-2025-21598. By providing detailed asset information—including relevant subdomains and vulnerable IPs—Black Kite enables TPRM professionals to rapidly identify which vendors need immediate attention. This targeted approach reduces time spent on outreach and allows more efficient mitigation efforts.

Rsync Vulnerabilities (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747)

What are the critical Rsync vulnerabilities?

Rsync, a widely-used file synchronization tool, has six significant vulnerabilities in versions 3.3.0 and earlier. These flaws pose risks such as arbitrary code execution, information leakage, and unauthorized system access, particularly for organizations relying on Rsync for backups.

Six vulnerabilities have been identified in Rsync, posing significant security risks. These include a heap-buffer overflow (CVE-2024-12084) in the Rsync daemon that allows attackers to execute code by controlling checksum lengths (s2length) and gaining server access. An information leak vulnerability (CVE-2024-12085) exposes uninitialized memory during file checksum comparisons. Additionally, malicious servers can exploit crafted checksums to extract arbitrary files from clients (CVE-2024-12086). Path traversal is possible due to improper symlink checks with the default –inc-recursive option (CVE-2024-12087), while a –safe-links bypass flaw (CVE-2024-12088) allows arbitrary file writes and further path traversal. Finally, a symbolic-link race condition (CVE-2024-12747) could lead to privilege escalation or data leakage by exploiting timing issues during file transfers. Exploitation of these vulnerabilities requires specific conditions, such as server access or manipulated configurations. 

Currently, no publicly available POC exists, and these vulnerabilities are not listed in CISA’s Known Exploited Vulnerabilities catalog. Affected versions include Rsync ≥3.2.7 and <3.4.0 for CVE-2024-12084, while other CVEs impact Rsync 3.3.0 and earlier. Organizations relying on Rsync for synchronization or backups should apply patches or mitigations promptly to mitigate risks of unauthorized access and data breaches.

Why should TPRM professionals care about Rsync vulnerabilities?

Many organizations rely on Rsync for critical backup operations. Unaddressed vulnerabilities could lead to severe disruptions, including unauthorized data exposure, system compromise, and operational downtime. These risks demand immediate attention from TPRM professionals to ensure that vendors and their supply chain partners have implemented the necessary remediations.

What questions should TPRM professionals ask vendors about the Rsync vulnerabilities?

1. Have you upgraded all instances of Rsync to version 3.4.0 or later to mitigate the risk of CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747?
2. Can you confirm if you have implemented the recommended mitigation measures such as restricting Rsync daemon access to trusted networks and authenticated users, and regularly reviewing and applying security best practices for system and network configurations?
3. Have you reviewed and updated any backup programs utilizing Rsync, such as Rclone, DeltaCopy, and ChronoSync, in response to these vulnerabilities?
4. Are you monitoring for any unusual activities that may indicate exploitation attempts related to these Rsync vulnerabilities, specifically those related to heap-buffer overflow, information leak, file leak, path traversal, safe-links bypass, and symbolic-link race condition?

Remediation recommendations for vendors subject to this risk

• Upgrade Rsync to version 3.4.0 or higher to eliminate known vulnerabilities.
• Disable unused options such as –inc-recursive and –safe-links to minimize exposure.
• Implement strict access controls, allowing only authenticated and trusted connections.
• Conduct regular security audits of your Rsync configuration and logs.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite’s FocusTag™ for Rsync, published in January 2025, helps TPRM professionals identify vendors at risk from these vulnerabilities. By providing detailed information on affected versions, associated IPs, and potentially vulnerable assets, Black Kite enables organizations to narrow their outreach to only those vendors requiring immediate action. This targeted approach not only streamlines risk management processes but also helps protect sensitive data and critical systems from emerging threats.

SimpleHelp Vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726)

What are the critical SimpleHelp vulnerabilities?

Recent security assessments have uncovered critical vulnerabilities in SimpleHelp, a widely used remote support software.

CVE-2024-57726: A privilege escalation flaw that allows users with technician-level access to elevate their privileges to administrator due to missing backend authorization checks.  This vulnerability has a CVSS score of 8.2, making it a high-severity issue. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.

CVE-2024-57727: A path traversal vulnerability allowing unauthenticated attackers to download arbitrary files, including sensitive configuration files. This vulnerability has a CVSS score of 7.5, making it a high-severity issue.

CVE-2024-57728: An arbitrary file upload vulnerability enabling attackers with administrative privileges to upload malicious files anywhere on the server, potentially leading to remote code execution. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.

These vulnerabilities can be chained to compromise the entire server, leading to sensitive information disclosure and potential remote code execution. They affect SimpleHelp versions 5.5.7 and earlier. Currently, there are no reports of these vulnerabilities being exploited in the wild, no available PoC, and no listing in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care about SimpleHelp vulnerabilities?

SimpleHelp is widely used for remote support, making these vulnerabilities particularly concerning. A compromised SimpleHelp server could expose sensitive client information, provide attackers with persistent remote access, and lead to unauthorized actions such as executing malicious scripts. TPRM professionals must ensure that vendors relying on SimpleHelp have patched their systems and implemented necessary security controls to avoid supply chain disruptions and data breaches.

What questions should TPRM professionals ask vendors about SimpleHelp vulnerabilities?

1. Have you updated all instances of SimpleHelp to versions 5.5.8, 5.4.10, or 5.3.9 to mitigate the risk of CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726?
2. Can you confirm if you have implemented IP access restrictions on your SimpleHelp server to accept technician and administrator logins only from trusted IP addresses, as recommended in the advisory?
3. Have you changed the administrator and technician account passwords after updating SimpleHelp to ensure any previously compromised credentials are invalidated?
4. Are you regularly reviewing your server logs for any unusual or unauthorized activities that may indicate attempted exploitation of these vulnerabilities in SimpleHelp?

Remediation recommendations for vendors subject to this risk

• Update SimpleHelp to the latest secure versions (5.5.8, 5.4.10, or 5.3.9) to address these vulnerabilities.
• Change Administrator Passwords. After updating, change the administrator password of the SimpleHelp server to ensure any previously compromised credentials are invalidated.
• Update Technician Account Passwords. Reset passwords for all technician accounts, especially those not utilizing third-party authentication services.
• Restrict IP Access. Configure the SimpleHelp server to accept technician and administrator logins only from trusted IP addresses to reduce unauthorized access risks.
• Monitor System Logs. Regularly review server logs for any unusual or unauthorized activities that may indicate attempted exploitation.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite provides a detailed FocusTag™ highlighting these vulnerabilities, including a list of affected versions and mitigation steps. By using Black Kite’s asset information—such as associated IP addresses and potentially vulnerable subdomains—TPRM professionals can quickly identify which vendors require immediate attention, streamlining the risk mitigation process.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

As the cyber threat landscape continues to evolve, maintaining a resilient Third-Party Risk Management (TPRM) framework is more crucial than ever. Black Kite’s FocusTags™ provide a unique advantage, allowing organizations to identify and respond to high-profile vulnerabilities quickly and effectively. By incorporating FocusTags into their TPRM processes, organizations gain:

Timely Vendor Risk Identification: Quickly determine which vendors are impacted by emerging threats, enabling prompt and strategic action.
Prioritized Risk Management: Focus on the most critical vulnerabilities and vendors, ensuring that resources are allocated where they’re needed most.
Enhanced Vendor Collaboration: Conduct more informed and productive discussions with vendors, addressing their specific exposure and improving overall security measures.
Broader Security Insight: Gain a comprehensive view of the current threat landscape, helping TPRM teams anticipate future risks and strengthen their cybersecurity defenses.

With Black Kite’s FocusTags™, TPRM professionals have the tools they need to transform complex threat data into actionable intelligence. This capability not only improves risk management efficiency but also helps ensure that organizations can confidently manage their third-party ecosystem in an increasingly unpredictable digital environment.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Juniper Junos: CVE-2025-21598, Out-of-bounds Read vulnerability in Juniper’s Junos.
• Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
• SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21598

https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-When-BGP-traceoptions-are-configured-receipt-of-malformed-BGP-packets-causes-RPD-to-crash-CVE-2025-21598?language=en_US

https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-OS-Evolved-Receipt-of-specifically-malformed-IPv6-packets-causes-kernel-memory-exhaustion-leading-to-Denial-of-Service-CVE-2025-21599?language=en_US

https://securityonline.info/unauthenticated-attackers-can-exploit-junos-vulnerabilities-cve-2025-21598-cve-2025-21599

https://nvd.nist.gov/vuln/detail/CVE-2024-12086

https://nvd.nist.gov/vuln/detail/CVE-2024-12087

https://nvd.nist.gov/vuln/detail/CVE-2024-12747

https://nvd.nist.gov/vuln/detail/CVE-2024-12084

https://nvd.nist.gov/vuln/detail/CVE-2024-12088

https://nvd.nist.gov/vuln/detail/CVE-2024-12085

https://www.openwall.com/lists/oss-security/2025/01/14/3

https://securityonline.info/cve-2024-12084-cvss-9-8-code-execution-risk-rsync-vulnerability-demands-immediate-patching

https://nvd.nist.gov/vuln/detail/CVE-2024-57726

https://nvd.nist.gov/vuln/detail/CVE-2024-57727

https://nvd.nist.gov/vuln/detail/CVE-2024-57728

https://simple-help.com/kb—security-vulnerabilities-01-2025#upgrading-to-v5-5-8

https://thehackernews.com/2025/01/critical-simplehelp-flaws-allow-file.html

https://securityonline.info/simplehelp-urgents-to-patch-critical-security-vulnerabilities

https://thehackernews.com/2023/04/iranian-hackers-using-simplehelp-remote.html

The post FOCUS FRIDAY: Third-Party Risks From Critical Juniper Junos, Rsync, and SimpleHelp Vulnerabilities appeared first on Black Kite.

Written by: Jason McLarney

You wake up one morning to a news alert: A new Zero-Day vulnerability is emerging, and it’s already being exploited in the wild. You race into the office and sit down at your computer to…write and send generic emails to each of your 1,000 vendors. “Have you been breached? If so, to what extent? Is our data exposed? What’s your plan to respond to it?” 

Radio silence. At best, you get a trickle of responses, but most of your emails go unanswered because your vendors are busy figuring out what happened and how to mitigate fallout. 

Organizations must immediately kick into high gear to mitigate damages or business disruptions when a Zero-Day event or other time-sensitive third-party threat occurs. A key step in this process is contacting vendors to communicate risk intelligence and ensure they take remedial action.

However, this process is easier said than done — especially when vendors are getting inundated by hundreds of frantic and panicked customers.

Most organizations make the mistake of sending vague “hunches” that a vendor is impacted by an incident, followed by a generic security questionnaire. In other words, they’re sharing no new information. In fact, it can come off as hostile policing. This is, obviously, not very motivating for a vendor and typically results in low, delayed, or nonexistent responses. This means risk is not being reduced, either for you or the vendor. 

We built the Black Kite Bridge™ with exactly these challenges in mind. It offers the first end-to-end vulnerability response tool for: 

• risk identification and scoping
• intelligence sharing
• vendor communications
• real-time reporting

Third-party risk management (TPRM) teams can now share trusted, vetted Black Kite intelligence directly with their vendors. This information is far more specific and actionable, leading to proven vendor engagement. 

4 Ways Black Kite Revolutionizes Vendor Collaboration

Since its inception, Black Kite has been focused on providing the most accurate, transparent, and timely risk intelligence on the market, empowering customers to take control of their third-party risk.

As a result, customers organically started sharing that intelligence and asking for more ways to give their vendorstm access to it to improve their own cyber risk postures. We heard their feedback, so we built the Black Kite Bridge™ to enable TPRM professionals to:

1. Confidently Narrow the Scope of the Outreach

One of the most significant challenges in responding to an emerging Zero-Day event is knowing which vendors are impacted and what type of data to share with them. 

Instead of casting the net wide and contacting vendors that may or may not pose a risk to your company, customers can leverage Black Kite to:

1. Identify those vendors that have a material impact on your business.
2. Narrow the scope of outreach into a manageable list based on known exposures or susceptibility to attacks.

We arm you with insights, such as:

• Tags highlighting known impacted vendors in your cyber ecosystem through FocusTags™, to give you confidence in your actual exposures.
• Real-time risk quantification for all vendors, enabling you to make decisions based on potential financial impact if a threat were to impact a particular vendor.
• Actionable, asset-level evidence and recommended remediation steps rooted in a common language, like MITRE and NIST. Rather than asking generic questions, we provide you with targeted evidence to share, so a vendor can take immediate and appropriate action.

When you can share this information directly with a vendor through the Black Kite Bridge™, it gives you both a clear way forward. Instead of saying, “We think you were affected by X event — tell us if you were and what you’re doing to remediate it,” you can approach the vendor with clear evidence of what happened and hard recommendations to fix it. 

2. Communicate and Remediate in a Central Location

Vendor communications about risk and the risk intelligence itself should live in the same location. 

Why? Organizations already struggle with the sheer volume of vendors they rely on. If they need to communicate with all of them through one-off channels like email and without embedded context, this can easily become too complex and error-prone to scale. 

Today, the relevant intelligence often lives in a separate tool from vendor communications (e.g., a GRC or VRM tool). Or worse yet, it lives in long email threads and offline spreadsheets. When TPRM is handled manually like this, progress becomes impossible to track, details slip through the cracks, and, ultimately, risk is not reduced.

A better way:

• Black Kite Bridge™ centralizes intelligence sharing and vendor communications in one location. 
• Now vendors can access and view the same findings our customers see through a self-serve portal. 
• As the vendor remediates issues, their risk ratings change in real time (versus the weeks it typically takes for traditional SRS solutions to update). 
• This gives the vendor confidence they are doing the right things. 
• The process becomes far smoother, and the vendor relationship becomes far more frictionless.

3. Report in Real Time

Since communications and intelligence live in one tool, reporting becomes a breeze. Your CISO wants a status update on that Zero-Day event? No problem.

With out-of-the-box reporting, you can immediately measure an incident’s initial exposure, vendor response rates, remediation progress, mean time to remediate (MTTR), and more across all vendors. Say goodbye to time-consuming, manual tracking in spreadsheets.

4. Achieve Higher Vendor Engagement & Partnership

The Black Kite Bridge™ lets customers share unprecedented, ungated access to the intelligence they trust and rely on with their third-party vendors. Our customers have seen huge improvements in response rates and better relationships as a result of the benefits their vendors receive:

1. Timely access to incident details, prioritized list of findings, and remediation steps.
2. Real-time updates to ratings for closing out risks.
3. Visibility into responses, which means less private messages, questionnaires, or emails to track, and more time back in your day (and your vendors’).

Bridge the Communication Gap with Black Kite

For large organizations with hundreds or thousands of suppliers, scaling vendor engagement processes and TPRM can feel impossible. With the Black Kite Bridge™, responding to emerging cyber incidents becomes a breeze. Learn more about the challenges and opportunities of vendor outreach in our latest ebook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. And learn more about Black Kite with a personalized demo.

The post How to Solve Vendor Outreach During Security Crisis Events appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday blog, where we analyze high-profile vulnerabilities and incidents from a Third-Party Risk Management (TPRM) perspective. As organizations grapple with the growing complexities of cybersecurity threats, identifying and addressing vendor-related risks becomes paramount. This week, we had a busy week focusing on vulnerabilities. In this week’s article, we examined critical vulnerabilities in widely used products, including SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD. These vulnerabilities underscore the importance of swift action and strategic prioritization in TPRM processes. Read on to explore actionable insights and strategies to mitigate these risks.

Critical Vulnerabilities in SonicWall SonicOS

What are the vulnerabilities affecting SonicWall SonicOS?

The SonicWall SonicOS platform has been found vulnerable to multiple issues that could severely impact network security. Below are the key vulnerabilities:

CVE-2024-40762: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in the SSLVPN authentication token generator. This flaw allows attackers to predict authentication tokens, potentially leading to authentication bypass. (CVSS Score: 7.1)

CVE-2024-53704: Authentication Bypass vulnerability in the SSLVPN mechanism that could enable remote attackers to gain unauthorized system access. (CVSS Score: 8.2)

CVE-2024-53706: Local Privilege Escalation vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions). This allows attackers to escalate privileges to root, potentially leading to arbitrary code execution. (CVSS Score: 7.8)

CVE-2024-53705: Server-Side Request Forgery (SSRF) vulnerability in the SSH management interface. Attackers could establish TCP connections to arbitrary IP addresses and ports, enabling further attacks. (CVSS Score: 6.5, EPSS Score: 0.04%)

These vulnerabilities were disclosed in SonicWall’s security advisory on January 7, 2025. While no active exploitation has been reported yet, similar vulnerabilities have been targeted by Chinese threat actors in the past, raising the likelihood of exploitation in future attack campaigns. As of now, these vulnerabilities are not listed in CISA’s KEV catalog.

Why should TPRM professionals care about these vulnerabilities?

The vulnerabilities in SonicWall SonicOS present significant risks for organizations that rely on these devices for network security:

• Authentication Bypass (CVE-2024-53704): Attackers gaining unauthorized access could compromise sensitive data, introduce malware, or disrupt critical services.
• Local Privilege Escalation (CVE-2024-53706): A successful attack could allow threat actors to execute arbitrary code, potentially leading to full control of the affected systems.
• SSRF (CVE-2024-53705): This could facilitate lateral movement or act as a pivot point for launching further attacks.
• PRNG Vulnerability (CVE-2024-40762): Weak token generation undermines the reliability of authentication mechanisms, posing a significant threat to systems reliant on SSLVPN.

These vulnerabilities directly affect SonicWall Gen6/6.5, Gen7, and TZ80 devices, often used by organizations as a critical part of their perimeter defense. Exploitation could result in compromised networks, data breaches, or service interruptions, which would affect operational and business continuity.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you updated all affected Gen6/6.5, Gen7, and TZ80 series devices to the recommended SonicOS versions (6.5.5.1-6n, 7.1.3-7015, 7.0.1-5165, and 8.0.0-8037 respectively) to mitigate the risk of CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706?
2. Can you confirm if you have implemented measures to limit SSLVPN and SSH management access to trusted sources or disabled access from the internet entirely to reduce exposure to the vulnerabilities CVE-2024-40762 and CVE-2024-53704?
3. Have you enabled Multi-Factor Authentication (MFA) for all remote access to enhance security against the improper authentication issue in the SSLVPN mechanism (CVE-2024-53704)?
4. How are you monitoring your system logs and network traffic to detect any unusual activity that may indicate attempted exploitation of the server-side request forgery (SSRF) flaw in the SSH management interface (CVE-2024-53705) and the privilege escalation issue in the Gen7 SonicOS Cloud platform NSv (CVE-2024-53706)?

Remediation Recommendations for Vendors

To mitigate the risks associated with these vulnerabilities, vendors should:

1. Update Firmware: Ensure all impacted devices are updated to the fixed versions:
   • Gen6 Firewalls: SonicOS 6.5.5.1-6n or higher
   • Gen7 Firewalls: SonicOS 7.1.3-7015 or higher
   • Gen7 NSv: SonicOS 7.0.1-5165 or higher
   • TZ80 Series: SonicOS 8.0.0-8037 or higher
2. Restrict Access: Limit SSLVPN and SSH management access to trusted sources or disable access from the internet entirely.
3. Enable Multi-Factor Authentication (MFA): Strengthen authentication for all remote access to reduce attack surface.
4. Monitor and Log: Continuously review system logs and monitor network traffic for anomalies that may indicate exploitation attempts.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite published the FocusTag™ SonicWall SonicOS – Jan2025 on January 8, 2025 to help TPRM professionals quickly identify vendors at risk. The tag provides:

• A list of vendors using affected SonicWall devices and their associated assets, such as IP addresses or subdomains.
• Insight into which vulnerabilities may impact vendors’ systems.
• An updated status on exploitation activity or new advisories.

Using this tag, professionals can narrow the scope of their risk assessments, focus efforts on high-priority vendors, and expedite their response to these vulnerabilities.

CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure

What are the vulnerabilities affecting Ivanti Connect Secure?

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateway products are affected by two critical vulnerabilities:

CVE-2025-0282: A Critical Stack-Based Buffer Overflow Vulnerability that permits unauthenticated remote code execution. This vulnerability affects Ivanti Connect Secure versions 22.7R2 through 22.7R2.4, Policy Secure versions 22.7R1 through 22.7R1.2, and Neurons for ZTA Gateways versions 22.7R2 through 22.7R2.3. It has a CVSS score of 9.0, reflecting its high severity, and an EPSS score of 0.83%, indicating a notable likelihood of exploitation.

CVE-2025-0283: A High-Severity Stack-Based Buffer Overflow Vulnerability that enables local authenticated attackers to escalate their privileges. This issue impacts the same product versions as CVE-2025-0282. It has a CVSS score of 7.0 and an EPSS score of 0.04%, suggesting a moderate risk of exploitation.

Both vulnerabilities were disclosed on January 8, 2025. CVE-2025-0282 has been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025, and is being exploited in limited incidents, particularly targeting Connect Secure appliances. Mandiant has attributed these exploitations to UNC5337, a suspected subgroup of the China-based espionage group UNC5221. No exploitation of CVE-2025-0283 has been reported.

Why should TPRM professionals care about these vulnerabilities?

These vulnerabilities present significant risks to organizations using Ivanti products:

• CVE-2025-0282: The ability to achieve unauthenticated remote code execution could enable attackers to gain full control of affected systems, compromising network integrity and exposing sensitive data.
• CVE-2025-0283: Privilege escalation could allow an attacker with local access to execute actions reserved for administrators, further increasing the risk of insider threats or unauthorized system changes.

The active exploitation of CVE-2025-0282 highlights the urgency of addressing these vulnerabilities, particularly for organizations relying on these products for secure remote access and network security.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you identified any systems within your organization running vulnerable versions of Ivanti Connect Secure, Policy Secure, or Neurons for ZTA Gateways?
2. Have you applied the necessary patches for these vulnerabilities, and if so, when was the patching completed?
3. Are you actively monitoring systems for signs of exploitation, particularly regarding CVE-2025-0282?
4. Have you implemented Ivanti’s Integrity Checker Tool (ICT) to detect compromises, and what were the results?

Remediation Recommendations for Vendors

To mitigate the risks associated with these vulnerabilities, vendors should:

1. Apply Patches Immediately: Upgrade to the latest patched versions:
   • Ivanti Connect Secure: Version 22.7R2.5 or higher.
   • Policy Secure: Patched versions available by January 21, 2025.
   • Neurons for ZTA Gateways: Patched versions available by January 21, 2025.
2. Perform Integrity Checks: Use Ivanti’s Integrity Checker Tool (ICT) to detect any signs of compromise in both internal and external systems.
3. Restrict Internet Exposure: Ensure that Policy Secure appliances are not exposed to the internet, reducing the likelihood of exploitation.
4. Factory Reset Compromised Systems: If signs of compromise are detected, perform a factory reset before redeployment.
5. Monitor Activity: Continuously review system logs and network traffic for anomalies that may indicate exploitation attempts.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite’s FocusTag™ Ivanti Connect Secure – Jan2025 enables TPRM professionals to identify vendors at risk of exposure to these vulnerabilities. This tag provides:

• Insight into which vendors utilize affected Ivanti products and their associated assets, such as IP addresses and subdomains.
• Actionable intelligence to prioritize assessments and remediation efforts.
• Updates on exploitation activity and vendor patching status to guide decision-making.

The tag was published on January 9, 2025. Leveraging this tag can streamline risk management efforts and enhance the security posture of third-party ecosystems.

CVE-2024-12108, CVE-2024-12105, and CVE-2024-12106 Vulnerabilities in Progress WhatsUp Gold

What are the vulnerabilities affecting Progress WhatsUp Gold?

The Progress WhatsUp Gold network monitoring software has been identified as vulnerable to the following critical and medium-severity security issues:

The vulnerabilities affecting Progress WhatsUp Gold include the following:

CVE-2024-12108: An Authentication Bypass by Spoofing Vulnerability that allows attackers to gain complete control of the WhatsUp Gold server via the public API. This vulnerability has a CVSS score of 9.6 and an EPSS score of 0.07%, making it critical in severity.

CVE-2024-12106: A Missing Authentication for Critical Function Vulnerability that enables unauthenticated attackers to configure LDAP settings, potentially leading to unauthorized access and data breaches. While this vulnerability is rated Critical with a CVSS score of 9.4 by the CNA, the NIST CVSS score is 7.5. Its EPSS score is 0.05%.

CVE-2024-12105: A Path Traversal Vulnerability that allows authenticated users to extract sensitive information through specially crafted HTTP requests. This vulnerability is rated Medium with a CVSS score of 6.5 and an EPSS score of 0.05%.

These vulnerabilities affect WhatsUp Gold versions prior to 24.0.2. Progress issued a security bulletin on December 12, 2024, urging users to upgrade. While no evidence of active exploitation exists, similar vulnerabilities have historically attracted threat actors targeting network monitoring systems.

Why should TPRM professionals care about these vulnerabilities?

The WhatsUp Gold vulnerabilities present critical risks to network security due to the product’s integral role in monitoring and managing network devices. Exploitation of these vulnerabilities could result in:

• Full System Compromise: CVE-2024-12108 could allow attackers to control the WhatsUp Gold server, compromising all monitored devices and exposing sensitive configurations.
• Data Breaches: CVE-2024-12106 could enable attackers to tamper with LDAP settings, leading to unauthorized access to sensitive data or services.
• Sensitive Information Exposure: CVE-2024-12105 could facilitate information disclosure, which could be leveraged for subsequent attacks.

These risks make these vulnerabilities particularly concerning for third-party risk management (TPRM) professionals monitoring vendor ecosystems. The critical CVSS scores of CVE-2024-12108 and CVE-2024-12106 highlight the need for immediate action.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you identified any systems within your organization running vulnerable versions of WhatsUp Gold prior to 24.0.2?
2. Has your organization implemented the recommended update to version 24.0.2, and when was it completed?
3. Are access controls in place to restrict unauthorized changes to LDAP configurations and prevent exploitation?
4. How do you monitor and address unusual activity that could indicate exploitation attempts related to these vulnerabilities?

Remediation Recommendations for Vendors

To address these vulnerabilities, vendors should:

1. Upgrade Software: Immediately update to WhatsUp Gold version 24.0.2 to patch all identified vulnerabilities.
2. Restrict Access: Limit server access to authorized personnel only and ensure secure configuration of LDAP settings.
3. Monitor Logs: Regularly review server and network logs for anomalies indicative of exploitation attempts.
4. Enhance Security Measures: Implement firewalls, intrusion detection systems, and strong authentication mechanisms to mitigate potential risks.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite provides the FocusTag™ Progress WhatsUp Gold, published on January 2, 2025, to help TPRM professionals identify and address potential risks in their vendor ecosystems. This tag allows users to:

1. Determine which vendors utilize affected versions of WhatsUp Gold and the associated assets.
2. Access details on vulnerable IP addresses and subdomains to prioritize risk assessments.
3. Leverage actionable insights to communicate effectively with vendors and ensure timely remediation.

CVE-2024-56320 in GoCD

What is the GoCD Admin Privilege Escalation Vulnerability?

CVE-2024-56320 is a Critical Improper Authorization Vulnerability affecting GoCD versions prior to 24.5.0. This flaw enables authenticated users to persistently escalate their privileges to admin level, compromising the system’s integrity and security. The vulnerability arises from insufficient access controls in the admin “Configuration XML” UI feature and its associated API. The vulnerability has a CVSS score of 9.4 and an EPSS score of 0.05%, and it was published in January 2025.

This vulnerability cannot be exploited without prior authentication, requiring an attacker to have a valid GoCD user account. It poses a significant insider threat but does not currently have publicly available exploit code. As of now, it is not listed in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care about this vulnerability?

The critical nature of CVE-2024-56320 makes it a significant concern for TPRM professionals. As GoCD is a continuous delivery server, its exploitation could:

• Compromise CI/CD Pipelines: Escalated admin privileges could allow attackers to alter build configurations, inject malicious code, or disrupt deployments.
• Sensitive Information Disclosure: Unauthorized access to admin-only data could expose credentials, API keys, and system configurations.
• Operational Risks: Persistent admin-level access increases the risk of prolonged exploitation and unauthorized system changes.

This vulnerability highlights the importance of securing insider accounts and CI/CD environments, both critical for maintaining operational and data security.

What questions should TPRM professionals ask vendors about this vulnerability?

1. Have you upgraded all instances of GoCD to version 24.5.0 or later to mitigate the risk of CVE-2024-56320?
2. Have you implemented the recommended workarounds such as using a reverse proxy or web application firewall (WAF) to block external access to paths with the /go/rails/ prefix, and limiting GoCD user base to trusted individuals?
3. Can you confirm if you have taken steps to review network logs regularly for any unusual or unauthorized activities that could indicate exploitation attempts related to CVE-2024-56320?
4. Have you considered temporarily disabling plugins like the guest-login-plugin that allow limited anonymous access to further secure your GoCD instances from potential exploitation of CVE-2024-56320?

Remediation Recommendations for Vendors

To mitigate the risks of CVE-2024-56320, vendors should:

1. Upgrade to GoCD Version 24.5.0: This version addresses the improper authorization flaw and prevents privilege escalation.
2. Restrict Access: Implement a reverse proxy or web application firewall (WAF) to block access to vulnerable paths with the /go/rails/ prefix. This can mitigate the risk without affecting functionality.
3. Limit User Base: Reduce GoCD access to a smaller group of trusted users. Temporarily disable plugins like the “guest-login-plugin” to prevent anonymous or unauthorized access.
4. Monitor Logs: Regularly review system and application logs for signs of privilege escalation or unauthorized access.

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite’s FocusTag™ GoCD provides actionable intelligence to help TPRM professionals identify vendors potentially impacted by CVE-2024-56320. The tag enables users to:

• Pinpoint vendors utilize vulnerable GoCD versions and associated assets such as IP addresses or subdomains.
• Access insights into vendors’ patch management and security practices related to CI/CD environments.
• Expedite risk assessments by narrowing the scope to the most at-risk vendors.

This FocusTag™ was published on January 8, 2025. Black Kite users can operationalize this tag to prioritize remediation efforts and minimize exposure to insider threats.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are indispensable tools for refining TPRM strategies in today’s dynamic cybersecurity landscape. This week’s vulnerabilities in SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD highlight the critical role of FocusTags™ in proactive risk management. Here’s how these tags empower TPRM professionals:

1. Real-Time Risk Identification: FocusTags™ enable immediate identification of vendors exposed to critical vulnerabilities, such as the authentication bypass issues in SonicWall or the privilege escalation risks in GoCD. This rapid insight ensures a timely response to emerging threats.
2. Strategic Risk Prioritization: By assessing both the severity of vulnerabilities and the importance of affected vendors, FocusTags™ helps allocate resources efficiently, addressing the most pressing risks first.
3. Enhanced Vendor Engagement: Armed with precise information, TPRM teams can initiate targeted discussions with vendors, emphasizing their exposure to vulnerabilities like the stack-based buffer overflow in Ivanti products or the API flaws in WhatsUp Gold.
4. Strengthened Cybersecurity Posture: With a comprehensive overview of the evolving threat landscape, FocusTags™ aid in fortifying an organization’s overall security defenses against vulnerabilities impacting critical vendor systems.

Black Kite’s FocusTags™ simplify the complexity of cybersecurity threats by translating intricate technical data into actionable intelligence. This capability is critical for managing third-party risks effectively and proactively, ensuring that organizations remain one step ahead in mitigating potential threats.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-40762

https://nvd.nist.gov/vuln/detail/CVE-2024-53704

https://nvd.nist.gov/vuln/detail/CVE-2024-53706

https://nvd.nist.gov/vuln/detail/CVE-2024-53705

https://www.sonicwall.com/support/notices/product-notice-sslvpn-and-ssh-vulnerability-in-sonicos/250107100311877

https://securityonline.info/sonicwall-issues-important-security-advisory-for-multiple-vulnerabilities-in-sonicos

https://nvd.nist.gov/vuln/detail/CVE-2025-0282

https://nvd.nist.gov/vuln/detail/CVE-2025-0283

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html

https://nvd.nist.gov/vuln/detail/CVE-2024-12108

https://nvd.nist.gov/vuln/detail/CVE-2024-12106

https://nvd.nist.gov/vuln/detail/CVE-2024-12105

https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2024

CVE-2024-12108 (CVSS 9.6) and Beyond: Progress Issues Critical Patch for WhatsUp GoldNetwork Monitoring Software

https://research.checkpoint.com/2025/6th-january-threat-intelligence-report

https://nvd.nist.gov/vuln/detail/CVE-2024-56320

https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j

https://securityonline.info/gocd-patches-critical-vulnerability-allowing-user-privilege-escalation

The post Focus Friday: Addressing Critical Vulnerabilities in SonicWall, Ivanti, Progress, and GoCD appeared first on Black Kite.

Written by: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist

The traditional third-party risk management process often treats vendors with suspicion, mistrust, and skepticism, focusing on control rather than collaboration. This one-way “policing” mindset undermines what should be a productive and mutually beneficial partnership, creating an environment of contention and inefficiency.

Instead of working together to manage risks, organizations often overwhelm vendors with scattershot questions about vulnerability management, patching strategies, SOC 2 compliance, and more — usually without providing clear context or guidance. Vendors are left feeling frustrated and disconnected, expected to comply without fully understanding the purpose or value of their efforts. This approach feels more like an interrogation, turning what should be a partnership into more of a power struggle.

To strengthen defenses and improve the overall risk posture of their ecosystems, organizations need to move beyond this outdated approach of managing third-party risk. After all, cyberattackers don’t work in isolation — they share intelligence, coordinate strategies, and collaborate to exploit weaknesses. To combat this, organizations must adopt a similar mindset, shifting from control to collaboration. Lone wolves simply cannot prevail against well-coordinated efforts. 

Embracing partnership over policing, organizations can build trust and create a culture of shared responsibility — transforming third-party risk management into a proactive, collaborative strategy that benefits everyone involved. To understand why the current approach falls short, let’s examine the consequences of this policing mindset.

The Problem With Policing Vendors 

Policing vendors has long been a common approach in third-party risk management, but it usually creates more problems than it solves. Instead of building a collaborative, trust-based relationship, it positions vendors as adversaries under constant scrutiny. Vendors may feel like they are being targeted — not by cybercriminals, but by the very organizations they’re supposed to support.

This sense of distrust will lead to counterproductive outcomes. Rather than being transparent about potential risks or vulnerabilities, vendors may withhold critical information to avoid blame or punitive consequences, leaving organizations blind to potential risks.

The resulting lack of transparency can lead to delayed responses – or none at all – and missed opportunities for risk mitigation. After all, you can’t address risks you don’t know about. Distrust and resentment are partners in crime, and vendors may feel resentful that their time is being wasted by time-consuming questionnaires. As a result, vendors deprioritize or ignore these tasks and organizations waste valuable time chasing incomplete responses.

Beyond the operational inefficiencies, policing represents a major misstep in risk management. It doesn’t just sour relationships — it’s fundamentally shortsighted. Since it focuses narrowly on identifying and resolving immediate vulnerabilities, it misses the broader opportunity to build a shared, proactive, and long-term defense strategy. 

Why Partnering Creates a Better Third-Party Risk Management Process

Cyberattackers don’t work in a vacuum — they operate in networks, share intel and strategies, and collaborate on attack timings. In contrast, many organizations and their vendors remain stuck in reactive, adversarial relationships — pointing fingers, struggling with miscommunication, and ultimately, leaving critical risks untreated. 

A partnership-driven approach flips this dynamic, creating an environment where organizations and vendors collaborate, learn from each other, and pool their resources and expertise. Open communication also eliminates data silos and barriers, meaning it’s easier to act quickly during critical moments. When everyone in your supply chain sees the same accurate, actionable data, responses are faster and more effective. 

Vendors treated as integral allies rather than external risks are more likely to engage openly, prioritize security initiatives, and align with your goals. This approach strengthens relationships, closes security gaps more efficiently, and creates a continuous improvement cycle that benefits both parties.

How To Build Strong Vendor Partnerships

Modernizing your third-party risk management process starts with rethinking how you work with vendors. These tips will help you shift from a policing mindset to a more collaborative approach, building mutually beneficial partnerships that strengthen security:

1. Build a strong foundation from the outset

Partnerships start with transparency. During vendor onboarding, clearly communicate how you assess security posture and why it matters. This sets expectations and reinforces the mutual benefits of an open, collaborative approach.

For existing vendors, revisit your goals and outline plans to strengthen collaboration. Engage your vendors in these discussions — ask for their input on improving collaboration and listen actively to their feedback.

Using tools like Black Kite’s Ransomware Susceptibility Index® can provide insights into which companies in your ecosystem are most likely to be hit by a ransomware attack, so that you can work with your vendors proactively to reduce that risk.

2. Prioritize communication and engagement

Regular communication is essential for maintaining trust and efficiency. Establish direct, security-to-security communication channels to expedite responses during critical moments. Sharing trustworthy, actionable data also reduces the burden on vendors who may be working with hundreds or even thousands of customers — who are all expecting their attention.

Tools like Black Kite Bridge™ streamline this process by centralizing communication, automating outreach, and sharing real-time intelligence. With a tool that shares asset-level vulnerability intelligence and real-time ratings updates, vendors know exactly what they need to do to address your concerns. Vendors also appreciate such solutions as they help them scale efficiently — remediations to one client’s concerns are immediately visible to other clients, saving time.

3. Develop proactive incident detection and resolution processes

Security incidents are inevitable, making it essential to develop a proactive process for identifying and addressing them. Effective incident response depends on access to precise, actionable information shared transparently with vendors.

The traditional approach of inundating vendors with unstructured data leads to delays and confusion. Without clear guidance, vendors may struggle to prioritize their actions. A better option is to use a tool like Black Kite’s FocusTags™ to offer specific, actionable steps for addressing vulnerabilities. This makes it much easier for vendors to know what exactly needs to be done and why.

4. Collaborate on post-mortem incident reviews

When incidents occur, the response shouldn’t end with mitigation. Collaborating with your vendors to conduct post-mortem reviews is much more constructive than pointing fingers. It also shifts the focus to learning and improvement rather than fault-finding. By honestly evaluating what went wrong, it’s easier to take the necessary steps to improve your, and their, response in the future. 

Taking a team-oriented approach to post-incident reviews strengthens your collective defenses. These collaborative discussions show a commitment to mutual success and ongoing improvement, reinforcing your shared responsibility in maintaining a strong security posture.

The Power of Partnership 

Vendor partnerships aren’t just about managing risk — they’re about building relationships that deliver mutual value. Collaboration shifts the dynamic from adversarial into one rooted in trust, transparency, and shared objectives. Partnerships accelerate threat responses, streamline third-party risk management processes, and enable both organizations and vendors to strengthen their defenses. 

The real power of partnership lies in its ability to create a symbiotic cybersecurity ecosystem, where each party contributes to a stronger collective defense. Vendors become trusted allies, working alongside you to identify vulnerabilities, mitigate risks, and stay ahead of threats. In this unified ecosystem, the sum truly is greater than the parts.

The post From Policing to Partnering: Rethinking the Third-Party Risk Management Process appeared first on Black Kite.

Written by: Ferdi Gül

Welcome! We’ve come together for the last Focus Friday blog post of 2024. As we close out 2024, I wish everyone a safe, happy, and healthy new year. At the same time, we’ve completed another significant year in cybersecurity. This year, we witnessed important developments in the cybersecurity world and encountered many critical vulnerabilities. Throughout the year, we have explored numerous high-profile vulnerabilities to help organizations manage third-party risks. Today, in this final post of 2024, we will focus on critical security flaws in widely used services like Gogs Server, CrushFTP, and Apache Tomcat. In this post, we will explore what these vulnerabilities mean for Third-Party Risk Management (TPRM) professionals and how Black Kite’s FocusTags™ can provide a more effective approach to managing these risks.

Apache Tomcat Remote Code Execution Vulnerabilities (CVE-2024-50379, CVE-2024-56337)

What are the Apache Tomcat Remote Code Execution (RCE) Vulnerabilities?

Apache Tomcat has been identified with two critical RCE vulnerabilities: CVE-2024-50379 and CVE-2024-56337. These vulnerabilities arise from Time-of-Check to Time-of-Use (TOCTOU) race conditions, allowing attackers to execute unauthorized code on affected systems.

CVE-2024-50379 occurs during JavaServer Pages (JSP) compilation in Apache Tomcat, enabling RCE on case-insensitive file systems when the default servlet is configured with write functionality (non-default configuration). Similarly, CVE-2024-56337 results from the incomplete mitigation of CVE-2024-50379, affecting systems under the same configuration but requiring additional configuration depending on the Java version. Both vulnerabilities have a CVSS score of 9.8, indicating critical severity.

These vulnerabilities were first reported on December 17, 2024. While proof-of-concept (PoC) exploit code is available, no evidence of active exploitation has been reported. They have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and no advisory has been published by CISA.

Why should TPRM professionals care about these vulnerabilities?

Apache Tomcat is widely used to deploy Java-based web applications, making these vulnerabilities highly impactful. The risks associated with these vulnerabilities include:

• Unauthorized Access: Attackers exploiting these vulnerabilities could gain unauthorized access to systems and sensitive data.
• Service Disruption: Successful exploitation could lead to service disruption and potential data loss.
• Reputation Damage: Compromises may damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals can ask the following questions:

1. Have you updated all instances of Apache Tomcat to versions 11.0.2, 10.1.34, or 9.0.98 or later to mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
2. Can you confirm that the default servlet’s write functionality has been disabled on your Apache Tomcat servers to prevent the occurrence of the TOCTOU race condition associated with CVE-2024-50379 and CVE-2024-56337?
3. Depending on your Java version, have you adjusted the sun.io.useCanonCaches system property as recommended to fully mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
4. Are you regularly reviewing your system logs and network activity to detect any signs of exploitation attempts related to these Apache Tomcat vulnerabilities?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate these vulnerabilities:

• Upgrade Apache Tomcat: Update to the latest secure versions:
  • Apache Tomcat 11.0.2 or later
  • Apache Tomcat 10.1.34 or later
  • Apache Tomcat 9.0.98 or later
• Configure Java System Properties: Depending on the Java version in use:
  • For Java 8 or Java 11: Explicitly set the sun.io.useCanonCaches system property to false.
  • For Java 17: Ensure sun.io.useCanonCaches is set to false.
  • For Java 21 and later: No additional configuration is required as the property and related cache have been removed.
• Restrict Write Access: Ensure that the default servlet’s write functionality is disabled unless absolutely necessary.
• Regular Monitoring: Continuously review system logs and network activity for signs of exploitation attempts.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “Apache Tomcat RCE” which provides the following benefits:

• Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
• Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
• Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.

This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.

CrushFTP Account Takeover Vulnerability (CVE-2024-53552)

What is the CrushFTP Account Takeover Vulnerability?

CrushFTP, a widely used file transfer server, has disclosed a critical vulnerability identified as CVE-2024-53552. This flaw affects versions prior to 10.8.3 in the 10.x series and prior to 11.2.3 in the 11.x series. The vulnerability arises from improper handling of password reset functionalities, enabling attackers to craft malicious password reset links. If a user clicks on such a link, their account can be compromised, granting unauthorized access to sensitive data and system controls. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. This issue was first reported on November 11, 2024. While PoC exploit code is not available, there is no evidence of active exploitation in the wild. The vulnerability has not been added to the CISA’s KEV catalog, and no advisory has been published by CISA. 

Why should TPRM professionals care about this vulnerability?

CrushFTP is widely used for secure file transfers in enterprise environments. This vulnerability poses significant risks, including:

• Unauthorized Access: Exploitation can lead to unauthorized access to sensitive data and systems.
• Service Disruption: Successful attacks can disrupt services, leading to downtime and potential data loss.
• Reputation Damage: Compromises can damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about this vulnerability?

To assess the risk posed by this vulnerability, consider asking vendors the following questions:

1. Can you confirm if you have updated all instances of CrushFTP to version 10.8.3 or 11.2.3 to mitigate the risk of CVE-2024-53552?
2. Have you configured the Allowed Domains for Password Resets as recommended in the advisory to prevent unauthorized access through manipulated password reset links?
3. Can you confirm if you have taken measures to educate users about the legitimacy of password reset emails and the risks associated with clicking on malicious links?
4. Have you implemented any additional security measures to monitor and detect unusual activity that could indicate attempted exploitation of the CVE-2024-53552 vulnerability?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate this vulnerability:

• Upgrade CrushFTP: Update to the latest secure versions:
  • CrushFTP 10.8.3 or later
  • CrushFTP 11.2.3 or later
• Configure Allowed Domains for Password Resets:
  • For version 10.x: Navigate to Preferences > WebInterface > MiniURL, and specify a comma-separated list of allowed domains.
  • For version 11.x: Go to Preferences > WebInterface > Login Page, and set a domain pattern that is not a wildcard (‘*’), as wildcards are no longer permitted.
• User Awareness: Inform users to be cautious with password reset emails and to verify the legitimacy of such requests before clicking on any links.
• Regular Monitoring: Regularly review system logs for any unusual activity that could indicate attempted exploitation.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “CrushFTP Account Takeover,” which provides:

• Vendor Exposure Assessment: Identifies vendors potentially impacted by this vulnerability.
• Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
• Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to this vulnerability.

Gogs Server Path Traversal Vulnerabilities (CVE-2024-55947, CVE-2024-54148)

What Are the Gogs Server Path Traversal Vulnerabilities?

Gogs, an open-source self-hosted Git service, has been identified with two critical path traversal vulnerabilities. CVE-2024-55947 is a vulnerability in the file update API of Gogs that allows authenticated users to write files to arbitrary paths on the server. Exploiting this flaw could enable an attacker to gain unauthorized SSH access, compromising the integrity of the server. Similarly, CVE-2024-54148 affects the file editing UI of Gogs, where authenticated users can commit and edit crafted symbolic link (symlink) files within a repository. This manipulation can lead to unauthorized SSH access to the server, posing significant security risks. Both vulnerabilities have a CVSS score of 8.7, indicating high severity, with an EPSS score of 0.05%, suggesting a low likelihood of exploitation. These vulnerabilities were first reported on December 23, 2024. While PoC exploit code is publicly available, there is no evidence of active exploitation in the wild, and the vulnerabilities have not yet been added to the CISA’s KEV catalog. No advisory has been published by CISA at this time.

Why should TPRM professionals care about these vulnerabilities?

Gogs is widely used for managing Git repositories, making it a critical component in many enterprise environments. These vulnerabilities can expose organizations to significant risks. Exploiting these flaws allows attackers to gain unauthorized SSH access to servers, which can lead to unauthorized access to sensitive data, server compromises, or even the manipulation of critical code repositories. Such breaches could lead to service disruption, data loss, and severe reputational damage. Given the high severity of these vulnerabilities and their potential impact on systems that rely on Gogs for version control and collaboration, TPRM professionals should prioritize assessing the exposure of their vendors.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals should ask the following questions:

1. Have you upgraded all instances of Gogs to version 0.13.1 or later to mitigate the risk of CVE-2024-55947 and CVE-2024-54148?
2. Can you confirm if you have inspected your existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts of CVE-2024-54148?
3. Have you restricted repository access to trusted users until the upgrade to Gogs version 0.13.1 or later was completed to mitigate potential exploitation of CVE-2024-55947?
4. Have you implemented regular inspections of server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts related to CVE-2024-54148 and CVE-2024-55947?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate the risks posed by these vulnerabilities:

• Upgrade Gogs: Immediately update to version 0.13.1 or later, where these vulnerabilities have been addressed.
• Restrict User Access: Until the upgrade is completed, limit repository access to trusted users only to mitigate potential exploitation.
• Review Repository Contents: Examine existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts.
• Monitor Server Logs: Regularly inspect server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts.
• Implement Security Best Practices: Ensure that your Gogs instance follows security best practices, including proper configuration and regular updates, to prevent similar vulnerabilities in the future.

How TPRM professionals can leverage Black Kite for these vulnerabilities

Black Kite offers a FocusTag titled “Gogs Server,” which provides the following benefits:

• Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
• Asset Information: Provides details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
• Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.

Enhancing TPRM Strategies With Black Kite’s FocusTags™

In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:

• Real-Time Risk Identification: Instantly pinpoint vendors impacted by the latest vulnerabilities, enabling rapid responses that mitigate potential threats.
• Strategic Risk Prioritization: Evaluate risks based on the criticality of vendors and the severity of vulnerabilities, ensuring focused efforts where they matter most.
• Informed Vendor Conversations: Provide the intelligence necessary to engage vendors in detailed discussions about their exposure and response strategies, fostering transparency and collaboration.
• Strengthened Cybersecurity Ecosystems: Deliver a comprehensive view of the evolving threat landscape, empowering organizations to build resilient and adaptive security frameworks.

By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
• PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
• Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

https://securityonline.info/cve-2024-56337-apache-tomcat-patches-critical-rce-vulnerability

https://securityonline.info/rce-and-dos-vulnerabilities-addressed-in-apache-tomcat-cve-2024-50379-and-cve-2024-54677

https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

https://github.com/Alchemist3dot14/CVE-2024-50379

https://nvd.nist.gov/vuln/detail/CVE-2024-53552

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

https://securityonline.info/cve-2024-53552-cvss-9-8-crushftp-flaw-exposes-users-to-account-takeover

https://nvd.nist.gov/vuln/detail/CVE-2024-55947

https://nvd.nist.gov/vuln/detail/CVE-2024-54148

https://github.com/gogs/gogs/releases

The post Focus Friday: TPRM Insights on Apache Tomcat, CrushFTP, and Gogs Server Vulnerabilities appeared first on Black Kite.

Written by: Ferdi Gül

​​Welcome to this week’s Focus Friday, where we delve into high-profile vulnerabilities and provide actionable insights from a Third-Party Risk Management (TPRM) perspective. This edition explores critical vulnerabilities in Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application. These vulnerabilities, including remote code execution and command injection, could potentially compromise sensitive data and disrupt operations across industries. These vulnerabilities demand immediate attention from TPRM professionals to mitigate risks effectively. Let’s explore the risks, the recommended remediations, and how Black Kite’s FocusTags™ streamline the risk management process for these pressing concerns.

CVE-2024-55956 in Cleo File Transfer Software

What are the critical vulnerabilities in Cleo File Transfer software?

In our Focus Friday blog post last week, we discussed Cleo’s critical vulnerability, CVE-2024-50623. This week, we need to focus on CVE-2024-55956, which affects Cleo File Transfer products, and the systemic risks these vulnerabilities pose.

In our December 18 article titled “CL0P’s Exploitation of Cleo Directly Endangers the Supply Chain,” we detailed how the CL0P ransomware group has been exploiting vulnerabilities in Cleo’s software to threaten supply chains. 

Two critical vulnerabilities have been identified in Cleo Harmony®, Cleo VLTrader®, and Cleo LexiCom® products:

CVE-2024-55956 is the Remote Code Execution Vulnerability in Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24, enabling unauthenticated users to execute arbitrary Bash or PowerShell commands by exploiting default settings in the Autorun directory. 

Both vulnerabilities have been actively exploited. CVE-2024-50623 was added to CISA’s Known Exploited Vulnerabilities catalog on December 13, 2024.  CISA  CVE-2024-55956 was added on December 17, 2024. Cleo has released patches to address these issues, and users are strongly advised to update to the latest versions to mitigate potential risks. 

Both vulnerabilities have public PoC exploit codes, and exploitation has been observed targeting industries like logistics and shipping. They enable unauthorized file uploads and remote execution of malicious commands.

Why should TPRM professionals care about these vulnerabilities?

These vulnerabilities represent significant risks for organizations relying on Cleo file transfer solutions:

1. Critical Operational Risk: Exploitation could lead to compromised file transfers, impacting supply chain and logistics operations.
2. Sensitive Data Exposure: Malicious actors could access and exfiltrate confidential business data.
3. Unauthorized Access: Successful exploitation provides attackers with system-level access, enabling further attacks on connected systems.

For organizations utilizing Cleo products, timely mitigation is essential to avoid disruption and ensure data security.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you updated all instances of Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.24 or later to mitigate the risk of CVE-2024-50623 and CVE-2024-55956?
2. Have you reviewed and appropriately configured the Autorun directory’s default settings to prevent unauthorized command execution related to CVE-2024-55956?
3. Can you confirm if you have blocked the attacker IPs mentioned in the advisory shared last week, including 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103, 209[.]127[.]12[.]38, 181[.]214[.]147[.]164, and 192[.]119[.]99[.]42, to prevent further exploitation of CVE-2024-50623 and CVE-2024-55956?
4. Have you disabled the Autorun functionality in the ‘Configure’ menu of LexiCom, Harmony, or VLTrader to stop processing autorun files and mitigate the risk of CVE-2024-55956?

Remediation recommendations for vendors subject to this risk

To address these vulnerabilities, vendors should:

1. Immediate Software Update: Upgrade all instances of Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.24 or later to mitigate the vulnerability.
2. Review Autorun Directory Settings: Ensure that the Autorun directory’s default settings are appropriately configured to prevent unauthorized command execution.
3. Block Malicious IPs: Consider blocking attacker IPs, including 176.123.5.126, 5.149.249.226, 185.181.230.103, 209.127.12.38, 181.214.147.164, 192.119.99.42.
4. Monitor for Indicators of Compromise (IOCs): Check if suspicious files, such as main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml, healthchecktemplate.txt, or healthcheck.txt, contain encoded malicious commands. The attack also utilizes reconnaissance tools like nltest.exe for Active Directory enumeration.
5. Monitor Updates: Cleo is actively working on a new patch expected soon. Monitor updates from Cleo to ensure you apply the latest mitigations as they are released.
6. Reconfigure Software Settings: Disable the autorun feature by clearing the ‘Autorun Directory’ field in configuration settings to prevent automatic execution of malicious files.
7. Place Systems Behind a Firewall: Ensure internet-facing Cleo systems are placed behind a firewall to limit exposure to potential attacks.
8. Implement Strong Security Practices: Enforce strong, unique passwords and enable multi-factor authentication (MFA) to enhance security.
9. Disable Autorun Functionality: Access the “Configure” menu in LexiCom, Harmony, or VLTrader. Select “Options” and navigate to the “Other” pane. Delete the contents of the “Autorun Directory” field to stop processing autorun files.
10. Address Remaining Exposure: Note that this mitigates part of the attack but does not address the root cause of the vulnerability.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Cleo File Transfer FocusTag™ on December 13, 2024, providing actionable insights for TPRM professionals. This tag identifies vendors using affected versions and details exposed assets like subdomains and IP addresses.

With Black Kite, TPRM professionals can:

• Prioritize vendors requiring urgent remediation based on exposure.
• Streamline risk assessments using targeted questions and vendor-specific intelligence.
• Enhance oversight by monitoring identified vulnerable assets.

This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.

CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773 in Ivanti Cloud Services Application

The Ivanti Cloud Services Appliance (CSA) is an internet-facing device that facilitates secure communication between remote endpoints and the central Ivanti Endpoint Manager core server. It enables organizations to manage devices outside their corporate network, ensuring that endpoints can receive updates, patches, and policies regardless of their location. The key features of the Ivanti Cloud Services Appliance (CSA) include: Secure Remote Management, Certificate-Based Authentication, Support for Multiple Appliances, and Virtual Appliance Option.

What are the critical vulnerabilities in Ivanti Cloud Services Application?

These vulnerabilities impact versions of Ivanti CSA prior to 5.0.3 and include the following:

CVE-2024-11639 is an authentication bypass vulnerability in the admin web console of Ivanti Cloud Services Appliance (CSA) versions before 5.0.3, allowing remote unauthenticated attackers to gain administrative access. 

CVE-2024-11772 is a command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, enabling remote authenticated attackers with administrative privileges to execute arbitrary code on the server. 

CVE-2024-11773 is an SQL injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, allowing remote authenticated attackers with administrative privileges to execute arbitrary SQL statements. 

All three vulnerabilities are critical, with CVE-2024-11639 having a CVSS score of 10.0, and both CVE-2024-11772 and CVE-2024-11773 each having a CVSS score of 9.1.

These vulnerabilities were first disclosed on December 10, 2024, with no current evidence of exploitation in the wild. However, considering the history of rapid exploitation of Ivanti vulnerabilities, immediate action is advised. They are not yet listed in CISA’s KEV catalog.

Why should TPRM professionals care about these vulnerabilities?

For TPRM professionals, these vulnerabilities in Ivanti CSA could lead to severe business risks:

• Compromised Administrative Access: Unauthorized access to the admin web console may result in full control of systems managing critical IT infrastructure.
• Arbitrary Code Execution: Attackers could deploy malicious software, escalating risks to other connected systems.
• SQL Injection Risks: Exploited vulnerabilities could enable attackers to manipulate databases, potentially exposing sensitive organizational data.

Organizations leveraging Ivanti CSA for IT management need to ensure their vendors have addressed these risks to prevent potential disruptions and data breaches.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you updated all instances of Ivanti CSA to version 5.0.3 or later to mitigate the risk of CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773?
2. Can you confirm if you have implemented continuous monitoring for unusual activities in the admin web console to detect potential exploitation of the authentication bypass, command injection, and SQL injection vulnerabilities?
3. Have you enforced strong, unique passwords and enabled multi-factor authentication for all administrative accounts to prevent unauthorized administrative access related to CVE-2024-11639?
4. Can you confirm if you have restricted administrative access to the CSA to only authorized personnel to prevent potential exploitation of CVE-2024-11772 and CVE-2024-11773?

Remediation recommendations for vendors subject to this risk

Vendors using Ivanti CSA should implement the following recommendations:

1. Upgrade to Ivanti CSA version 5.0.3: This update resolves these vulnerabilities and is available via the Ivanti download portal.
2. Restrict Administrative Access: Limit access to authorized personnel only and enforce MFA.
3. Monitor for Unusual Activity: Implement continuous monitoring for signs of exploitation in the admin web console.
4. Review Database Activity: Ensure SQL queries are logged and anomalous activity is flagged.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Ivanti Cloud Services Application FocusTag™ on December 13, 2024, providing actionable insights. This tag identifies vendors potentially exposed to these vulnerabilities, detailing the affected assets, including subdomains and IP addresses.

By leveraging these insights, TPRM professionals can:

• Narrow the scope to vendors with confirmed exposure to affected Ivanti CSA versions.
• Prioritize outreach to these vendors using the specific questions provided.
• Address potential risks more efficiently with the detailed intelligence provided.

Black Kite’s FocusTags™ eliminate the guesswork in identifying vulnerable vendors, streamlining the risk assessment process for TPRM professionals.

CVE-2024-12356 in BeyondTrust PRA and RS

What is the BeyondTrust PRA and RS Command Injection Vulnerability?

CVE-2024-12356 is a critical command injection vulnerability affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions. It allows unauthenticated remote attackers to execute operating system commands as the site user by sending malicious client requests. A vulnerability with a CVSS score of 9.8 has been identified, affecting PRA and RS software versions up to and including 24.3.1. Publicly disclosed on December 16, 2024, this vulnerability poses a significant security risk due to the availability of PoC exploit code, making it a high-priority target for attackers despite no reports of active exploitation thus far. The vulnerability’s critical nature has also led to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog on December 19, 2024. With an EPSS score of 0.05%, organizations using the affected versions are urged to address this issue promptly to mitigate potential risks.

The vulnerability stems from improper neutralization of special elements used in commands, making it exploitable via a low-complexity attack. BeyondTrust has released patches for all supported versions (22.1.x and above).

Why should TPRM professionals care about this vulnerability?

BeyondTrust’s PRA and RS solutions are widely used for privileged remote access and IT support, making them an attractive target for attackers. Exploitation of this vulnerability could:

1. Compromise Sensitive Systems: Grant unauthorized access to critical infrastructure and systems.
2. Enable Further Attacks: Attackers could escalate privileges, deploy malware, or steal sensitive information.
3. Disrupt Operations: Unauthorized access to IT management systems could lead to downtime or operational disruption.

Organizations using BeyondTrust products need to address this vulnerability urgently to protect against potential exploitation.

What questions should TPRM professionals ask vendors about this vulnerability?

1. Can you confirm if you have upgraded all instances of BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products to a version higher than 24.3.1 to mitigate the risk of CVE-2024-12356?
2. If you are operating on a version older than 22.1, have you upgraded to a supported version to access the patches for the command injection vulnerability identified as CVE-2024-12356?
3. Have you applied the appropriate patch (BT24-10-ONPREM1 or BT24-10-ONPREM2, depending on the version) via the /appliance interface to address the CVE-2024-12356 vulnerability in BeyondTrust’s PRA and RS products?
4. Have you implemented continuous monitoring systems to detect any unusual activity that may indicate attempted exploitation of the CVE-2024-12356 vulnerability in BeyondTrust’s PRA and RS products?

Remediation recommendations for vendors subject to this risk

To mitigate the risks associated with CVE-2024-12356, vendors should:

1. Apply the Patch: Install BT24-10-ONPREM1 or BT24-10-ONPREM2 for versions 22.1.x or above.
2. Upgrade Older Versions: For unsupported versions (older than 22.1), upgrade to a supported version before applying the patch.
3. Verify Patch Application: Ensure successful deployment of the patch, particularly for on-premise instances.
4. Monitor for Indicators: Regularly review logs for suspicious activity tied to command injection attempts.
5. Implement Security Best Practices: Enforce multi-factor authentication (MFA) and use strong, unique passwords to secure administrative accounts.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite released the BeyondTrust PRA RS FocusTag™ on December 19, 2024, offering detailed insights into vendors potentially impacted by CVE-2024-12356. The tag provides:

• Identification of affected vendors with PRA and RS deployments.
• Details on exposed assets, including IP addresses and subdomains.

TPRM professionals can use these insights to:

• Narrow down their scope to vendors with confirmed exposure.
• Prioritize outreach to affected vendors and provide actionable guidance.
• Leverage asset data to enhance risk assessments and address vulnerabilities proactively.

ENHANCING TPRM STRATEGIES WITH BLACK KITE’S FocusTags™

In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities—spanning critical systems like Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application—highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:

• Real-Time Risk Identification: Instantly pinpoint vendors impacted by the latest vulnerabilities, enabling rapid responses that mitigate potential threats.
• Strategic Risk Prioritization: Evaluate risks based on the criticality of vendors and the severity of vulnerabilities, ensuring focused efforts where they matter most.
• Informed Vendor Conversations: Provide the intelligence necessary to engage vendors in detailed discussions about their exposure and response strategies, fostering transparency and collaboration.
• Strengthened Cybersecurity Ecosystems: Deliver a comprehensive view of the evolving threat landscape, empowering organizations to build resilient and adaptive security frameworks.

By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
• PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
• Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.
• Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
• Ivanti Connect Secure: CVE-2024-9420, CVE-2024-47906, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-11007, CVE-2024-11006, CVE-2024-11005, and CVE-2024-11004, Use-After-Free, Stack-Based Buffer Overflow, Argument Injection, and Reflected XSS Vulnerabilities in Ivanti Connect Secure.

References

https://blackkite.com/blog/focus-friday-tprm-insights-on-qlik-sense-cleo-file-transfer-and-sap-netweaver-java-vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2024-55956

https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956

https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2024-11639

https://nvd.nist.gov/vuln/detail/CVE-2024-11772

https://nvd.nist.gov/vuln/detail/CVE-2024-11773

https://securityonline.info/cve-2024-11639-cvss-10-critical-flaw-in-ivanti-cloud-services-application-immediate-patch-recommended

https://www.beyondtrust.com/trust-center/security-advisories/bt24-10

https://nvd.nist.gov/vuln/detail/CVE-2024-12356

https://www.helpnetsecurity.com/2024/12/18/beyondtrust-fixes-critical-vulnerability-in-remote-access-support-solutions-cve-2024-12356

https://securityonline.info/cve-2024-12356-cvss-9-8-critical-vulnerability-in-beyondtrust-pra-and-rs-enables-remote-code-execution

The post Focus Friday: TPRM Insights On Cleo File Transfer, BeyondTrust PRA and RS, and Ivanti Cloud Services Application Vulnerabilities appeared first on Black Kite.

Written by: Ferhat Dikbiyik
Contributor: Yavuz Han & Ekrem Celik

Cl0p is back—and this time, they’ve set their sights on Cleo, a critical tool for supply chain integration. By exploiting vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, Cl0p has reignited concerns of another large-scale ransomware campaign, echoing the chaos caused by their MOVEit, GoAnywhere, and Accelion attacks. With thousands of companies relying on Cleo for seamless data transfers and partner integrations, the risk isn’t just direct—it’s systemic.

Timeline of Events

October 2024: Discovery of Cleo Vulnerabilities

Cleo released patches addressing a critical vulnerability (CVE-2024-50623) in its Managed File Transfer (MFT) products, including Harmony, VLTrader, and LexiCom. The flaw allowed unrestricted file uploads, enabling unauthenticated remote code execution. Cleo urged customers to upgrade to version 5.8.0.21 to mitigate the risk.

November 2024: Blue Yonder Incident and Termite Ransomware Group

Weeks later, Blue Yonder, a major SaaS provider for supply chain management, fell victim to a ransomware attack. The Termite ransomware group claimed responsibility, leveraging vulnerabilities and credential exposure to compromise systems.

While Blue Yonder’s attack and the Termite group initially seemed isolated, Cleo systems emerged as Indicators of Compromise (IoCs) in Termite’s operations. This incident highlighted how supply chain integration tools could be weaponized to cause widespread operational disruption. For more details on Blue Yonder and Termite, refer to our previous analysis here.

December 2024: Cl0p’s Announcement and Growing Exploitation

In early December, signs of active exploitation began surfacing. Sophos X-Ops confirmed that attacks on Cleo products began on December 6, 2024, targeting 50+ unique hosts in North America, primarily in the retail sector. On December 13, the Cl0p ransomware group publicly claimed responsibility for exploiting Cleo’s vulnerabilities. Cl0p, known for its mass exploitation of Managed File Transfer products like MOVEit and GoAnywhere, followed their established playbook: exploit, exfiltrate, and pressure victims with double extortion. Their announcement signaled that victims were already under negotiation, and further disclosures were imminent.

December 13: CISA Confirms Active Exploitation

Also, on December 13, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of CVE-2024-50623 and added it to the Known Exploited Vulnerabilities (KEV) Catalog. CISA mandated that all U.S. federal agencies apply patches by January 3, 2025, highlighting the urgency of remediation.

December 15: Second Cleo Vulnerability Surfaces

A second critical vulnerability (CVE-2024-55956) was identified in Cleo’s MFT solutions, further escalating the threat. This zero-day flaw, combined with CVE-2024-50623, expands the attack surface for threat actors, allowing even broader exploitation. According to new findings, these vulnerabilities remain attractive due to Cleo’s widespread usage in supply chain integration, especially in the retail and logistics industries.

December 17: CISA Adds CVE-2024-55956 to its KEV Catalog.

December 18: First Victims announced

Cl0p ransomware groups announced two new victims on December 18. Based on their initial announcement on the 13th, it is very highly likely that these victims are part of the campaign of mass exploitation of Cleo vulnerabilities.

Current Status: Patches, Advisories, and Present Risks

As of mid-December, reports from Huntress and Arctic Wolf revealed that:

• Fully patched Cleo systems may still be misconfigured and vulnerable under certain conditions.
• Attackers are deploying ransomware payloads and stealing data using a combination of CVE-2024-50623 and CVE-2024-55956.

The interconnected risks continue to grow. Cleo systems have become central to ransomware groups’ strategies, echoing Cl0p’s MOVEit campaign in scale and complexity. The exploitation of Cleo vulnerabilities as a campaign is ongoing, and the number of victims is expected to rise over the coming weeks.

The ripple effects across the global supply chain—especially in retail, logistics, and other interconnected industries—demonstrate the systemic impact of vulnerabilities in widely adopted tools like Cleo.

Who is Cl0p? Understanding the Group and Their Methods

Cl0p is a ransomware group notorious for large-scale exploitation campaigns targeting Managed File Transfer (MFT) software. Their operations are characterized by a “hit-and-run” mentality, focusing on mass exploitation rather than continuous attacks. Unlike opportunistic ransomware groups, Cl0p carefully identifies vulnerabilities in widely adopted tools, weaponizes them, and exploits them at scale. Their operations combine technical precision with a clear strategy: maximize impact and leverage high-value data for extortion.

Cl0p’s History and Previous Attacks

Cl0p has been linked to several high-profile attacks:

• Accellion FTA Attack (2020): In December 2020, Cl0p exploited zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA), compromising up to 100 companies and stealing sensitive data. Unlike typical ransomware attacks, they did not deploy file-encrypting malware but instead focused on data theft and extortion.
• GoAnywhere MFT Attack (2023): In early 2023, Cl0p exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT, claiming to have breached over 130 organizations. They utilized similar tactics of data exfiltration followed by extortion.
• MOVEit Exploitation (2023): In June 2023, Cl0p targeted a vulnerability in Progress Software’s MOVEit Transfer, affecting numerous organizations. They exfiltrated data and used double extortion tactics, threatening to publish the stolen information. 

These incidents highlight Cl0p’s signature approach: they don’t operate year-round. Instead, they focus on mass exploitation campaigns—finding and exploiting critical vulnerabilities in widely used enterprise tools, launching large-scale attacks, and rapidly monetizing stolen data.

Cl0p’s Modus Operandi (MO): Targeting MFT Solutio

Cl0p’s tactics have a distinct pattern:

1. Identification of Zero-Day Vulnerabilities:
   Cl0p specifically targets MFT solutions, which are vital for secure data transfers between organizations and trading partners. These tools often handle sensitive data, making them prime targets for extortion.
2. Mass Exploitation:
   Once a vulnerability is identified, Cl0p moves quickly to exploit it. They leverage automated tools to scan for unpatched or exposed systems, often breaching hundreds of organizations simultaneously.
3. Data Exfiltration and Double Extortion:
   After gaining access, Cl0p exfiltrates large amounts of sensitive data before deploying ransomware. They then engage in double extortion, threatening to leak stolen data publicly if victims refuse to pay. Their dark web blog serves as the platform to pressure victims by announcing data leaks.
4. Timing and Scale:
   Cl0p strategically targets tools used by organizations with significant supply chain interdependencies, amplifying the impact of their campaigns. The MOVEit and GoAnywhere campaigns affected thousands of companies—directly and indirectly—demonstrating how they exploit systemic vulnerabilities in critical software.

Cl0p and Cleo: The Next MOVEit?

The exploitation of Cleo’s vulnerabilities mirrors Cl0p’s previous large-scale campaigns on Managed File Transfer (MFT) solutions like MOVEit and GoAnywhere. These campaigns targeted zero-day vulnerabilities, allowing Cl0p to breach organizations en masse and exfiltrate sensitive data for double extortion. In December 2024, Cl0p publicly claimed responsibility for exploiting Cleo’s MFT products, specifically CVE-2024-50623 and CVE-2024-55956, stating they already had “a lot of companies” under their fingertips. This public declaration strongly suggests that exploitation began weeks earlier, consistent with Cl0p’s strategy of quietly breaching systems, stealing data, and only later announcing their activities to intensify pressure on victims yet to pay.

Given Cleo’s widespread adoption—particularly in retail and logistics, where it facilitates end-to-end supply chain integration—the scale of potential disruption is significant. Cl0p’s focus on tools that connect organizations across ecosystems amplifies the risk far beyond a single company, creating a ripple effect throughout supply chains.

This pattern is not new. During the MOVEit exploitation campaign in 2023, Black Kite Research and Intelligence Team (BRITE) observed 600 MOVEit assets exposed to the internet at the time of discovery. Given Cl0p’s spray-and-exploit approach, we estimate most of those assets were attacked. In total, Cl0p’s MOVEit campaign impacted hundreds of direct victims and indirectly affected more than 2,700 organizations, including downstream third- and fourth-party dependencies.

Within three months, Cl0p announced 270 victims tied to MOVEit on their leak site. Other victims were listed afterward, though it remains unclear if these were MOVEit-related. Notably, Cl0p claimed to have deleted stolen data for some organizations, such as non-profits and public institutions, likely for reputational reasons.

While Cl0p currently dominates the headlines, it is worth noting that the Termite ransomware group has also been associated with Cleo-related Indicators of Compromise (IoCs). Though there is no confirmed link between Cl0p and Termite, this overlap highlights how critical tools like Cleo become prime targets for multiple ransomware operators seeking high-impact opportunities.

Cl0p’s resurgence with Cleo is yet another example of their ability to disrupt systems at scale. Their hit-and-run mentality—periodically focusing on MFT vulnerabilities for maximum effect—demonstrates their precision and understanding of how interconnected systems amplify ransomware risks. Organizations must respond decisively to such threats, as delayed action could leave critical data and operations exposed in the interconnected web of modern supply chains.

The Technical Breakdown: How Cleo Vulnerabilities Are Being Exploited

CVE-2024-50623: The Initial Vulnerability

The first critical vulnerability identified in Cleo’s MFT solutions—CVE-2024-50623—was disclosed in October 2024. This flaw allows for unauthenticated file uploads, enabling attackers to place malicious files directly onto targeted servers. Under certain conditions, this results in remote code execution (RCE), giving threat actors the ability to execute arbitrary commands.

The vulnerability impacts Cleo Harmony, VLTrader, and LexiCom products widely used for secure file transfers, partner onboarding, and supply chain automation. Organizations with internet-exposed Cleo systems running unpatched versions were immediately placed at risk.

CVE-2024-55956: A Second Critical Flaw

On December 15, 2024, a second vulnerability—CVE-2024-55956—surfaced, further exacerbating the risk. This zero-day flaw allows for unrestricted file downloads, enabling attackers to exfiltrate sensitive data without authentication. In combination with CVE-2024-50623, this creates a powerful attack vector where threat actors can both infiltrate and exfiltrate data, a hallmark of ransomware operations.

Researchers from Huntress have raised concerns that even fully patched systems remain vulnerable under specific misconfigurations or incomplete remediations. This complicates mitigation efforts, as organizations may incorrectly assume they are protected after applying initial patches.

Indicators of Compromise (IoCs)

Security researchers have published several Indicators of Compromise related to Cleo exploitation, including:

• File Names and Patterns:
  Malicious file uploads often mimic legitimate Cleo processes to evade detection. For example:
  • Randomly named .xml or .log files placed in unexpected directories.
• Unusual Network Activity:
  • Outbound connections to suspicious IP addresses.
  • Unexpected data transfers involving Cleo MFT servers.
• C2 (Command and Control) Servers:
  • Reported IP addresses identified as part of Cl0p campaigns.
    • Example: 176[.]123[.]5[.]126 and 5[.]149[.]249[.]226 (placeholder examples).

Organizations are urged to monitor for these IoCs and conduct thorough forensic reviews of Cleo servers to identify unauthorized file uploads or unusual system behavior.

The Compounding Risk of Misconfiguration

While Cleo released patches in October, real-world implementation has revealed challenges. Systems with incomplete configurations or unpatched instances remain vulnerable. Additionally, Huntress researchers have reported that fully updated Cleo environments could still be exploited under specific conditions, raising the risk for organizations that rely on Cleo for critical file transfer operations.

The combined exploitation of CVE-2024-50623 and CVE-2024-55956 highlights the evolving sophistication of ransomware groups like Cl0p. These vulnerabilities create a near-perfect opportunity for attackers to infiltrate systems, steal sensitive data, and leverage supply chain disruptions for maximum impact. Organizations must act decisively to identify exposure, patch systems, and monitor for signs of compromise before attackers escalate their campaigns further.

The Supply Chain Impact: Why This Matters

Cleo’s Role in Supply Chain Integration

Cleo’s Integration Cloud (CIC) and Managed File Transfer (MFT) solutions serve as critical infrastructure for businesses that rely on seamless data exchanges with trading partners, customers, and internal systems. These tools power API and EDI-based transactions, automate file transfers, and integrate with back-office applications, enabling operational efficiency across interconnected supply chains.

Direct vs. Indirect Risks

The exploitation of Cleo vulnerabilities poses direct and indirect risks to organizations, mirroring the cascading effects seen during the MOVEit and GoAnywhere campaigns:

1. Direct Impact:
   • Organizations using vulnerable Cleo solutions face immediate risk of data exfiltration and ransomware deployment. Cl0p’s exploitation tactics allow for unauthorized file uploads, system access, and data theft, disrupting operations and potentially leading to downtime or financial losses.
2. Indirect Impact:
   • Even companies that do not directly use Cleo can be impacted through their vendors, partners, or customers. If a critical supplier or trading partner is compromised, it can trigger delays, operational bottlenecks, and interruptions to business continuity.
   • These downstream impacts are especially critical in industries like retail and logistics, where delays during peak seasons—such as the holidays—can translate to significant revenue loss.

Sectors at Greatest Risk

Industries like retail, logistics, manufacturing, and healthcare depend heavily on Cleo to manage their supply chain workflows. From onboarding new partners to securely transferring sensitive business data, Cleo has become a central link in countless global operations. This widespread reliance creates an attractive target for ransomware groups like Cl0p, who aim to amplify the disruption by compromising a tool that connects thousands of organizations.

• Retail: Retailers depend on Cleo to integrate with suppliers, track shipments, and ensure inventory visibility. A disruption during peak seasons could delay deliveries, impact sales, and damage customer relationships.
• Logistics: Logistics providers rely on Cleo for partner onboarding, shipping automation, and real-time data exchanges. An attack could cause cascading delays across the supply chain.
• Manufacturing: Manufacturers using Cleo to exchange data with suppliers and partners could face production halts, delayed fulfillment, and financial loss.
• Healthcare: Sensitive healthcare data, often transferred through automated workflows, is particularly valuable to ransomware operators, posing both operational and regulatory risks.

Why This Matters for Supply Chain Resilience

The Cleo exploitation highlights a broader issue: the fragility of interconnected systems. Organizations often underestimate their reliance on third-party tools and partners until an incident like this occurs. A single vulnerability in a widely adopted platform can disrupt hundreds—or thousands—of interconnected businesses, amplifying risks across entire ecosystems.

For organizations prioritizing supply chain resilience, visibility is critical:

• Do you know which of your vendors, customers, or partners rely on Cleo?
• Can you assess their exposure and verify that mitigation steps are being taken?
• Are you prepared for disruptions caused by indirect dependencies?

Understanding these relationships and acting proactively can make the difference between business continuity and cascading failure.

How Black Kite Responded: Two FocusTags for Actionable Intelligence

Proactive Risk Identification and Customer Alerts

As the Cleo vulnerabilities began to surface and exploitation intensified, Black Kite acted swiftly to provide actionable intelligence for our customers. Understanding the layered risks posed by Cleo’s interconnected products, we released two distinct FocusTags:

1. Cleo File Transfer FocusTag
2. Cleo Integration – Ransomware Risk FocusTag

Both tags addressed critical aspects of the threat, helping customers identify exposure, prioritize outreach, and take decisive mitigation steps.

Cleo File Transfer FocusTag™: Identifying Vulnerable Systems

The Cleo File Transfer FocusTag™ focuses on the vulnerable software versions and internet-facing systems running Cleo Harmony®, VLTrader®, and LexiCom. This vulnerability-focused tag provides highly actionable intelligence for customers to address immediate technical risks.

Key details include:

• Identification of vulnerable Cleo products prior to version 5.8.0.21.
• IP addresses and hosted instances of Cleo MFT solutions exposed in the cloud.
• Indicators of Compromise (IoCs).
• Recommended mitigation actions, including patching, disabling autorun functionality, and isolating systems behind firewalls.

Customers used this tag to quickly identify their own exposure and initiate remediation efforts, including monitoring for signs of exploitation and implementing defensive controls.

Black Kite published this first tag on November 27, 2024 for CVE-2024-50623 and updated it since then frequently so that it includes the new developments and vulnerabilities (CVE-2024-55956).

Cleo Integration – Ransomware Risk FocusTag™: Cascading Supply Chain Risk

The Cleo Integration – Ransomware Risk FocusTag™ addresses a broader risk beyond the specific vulnerabilities. This tag highlights organizations connected to Cleo’s Integration Cloud (CIC) as application or trading partners, who may face direct or indirect risks of a ransomware attack.

• The Cl0p ransomware group is infamous for exploiting Managed File Transfer (MFT) vulnerabilities, and their campaigns often extend beyond initial targets. Cleo’s MFT solutions are deeply integrated with Cleo Integration Cloud (CIC), a platform central to critical business ecosystem integrations.
• Trading partners connected to CIC could become part of the attack path, exposing sensitive assets and data to potential compromise.

The Cleo Integration tag is based on a combination of:

• Public integration data (95%) published by Cleo.
• Certificate analysis for Cleo-related products.

Through discussions with trading partners and confirmation from our customers, we’ve learned that Cleo integrations often touch sensitive data and critical systems, amplifying the potential for cascading impacts across the supply chain.

This tag enables customers to:

1. Identify at-risk vendors and trading partners connected to Cleo.
2. Understand and prioritize indirect risks that could impact their operations.
3. Share actionable intelligence with vendors, raising awareness and driving remediation efforts.

Black Kite published this tag on December 16, 2024, right after Cl0p announced it on their dark web blog. Black Kite has become the first source of intel for many Black Kite customers.

Customers who were identified as trading partners on Cleo’s public website began internal investigations to assess their exposure. IoCs provided with the tag—such as suspicious file patterns and malicious IPs—were shared with SOC teams to ensure no compromise had occurred. Organizations verified where Cleo touched their sensitive assets or critical systems and prepared incident response protocols as a precaution.

Operationalizing Both FocusTags™: From Intelligence to Action

Black Kite customers leveraged these FocusTags to address both immediate risks and cascading vulnerabilities:

1. For Internal Mitigation (Cleo File Transfer FocusTag):
   • Patch all Cleo Harmony, VLTrader, and LexiCom systems to version 5.8.0.21 or later.
   • Place internet-facing systems behind a firewall and disable autorun functionality.
   • Monitor for Indicators of Compromise (IoCs) such as malicious file uploads and suspicious IPs.
2. For Vendor and Supply Chain Management (Cleo Integration FocusTag):
   • Use the Cleo Integration – Ransomware Risk FocusTag to identify trading partners at risk of cascading ransomware impacts.
   • Prioritize critical vendors and launch targeted outreach campaigns to raise awareness and request feedback.
   • Collaborate with vendors to confirm mitigations and reduce shared risk.
3. Leveraging Black Kite Bridge^TM:
   • Customers operationalized these tags further through Black Kite Bridge, streamlining vendor outreach and tracking remediation progress in real time. Instead of sending manual questionnaires, they shared actionable intelligence directly with vendors, allowing for faster, more efficient responses.

A Coordinated Effort to Protect Customers

The swift release of these two FocusTags reflects Black Kite’s commitment to delivering timely and actionable intelligence. The BRITE (Black Kite Research and Intelligence) team worked around the clock to analyze risks, while our Customer Success, Support, and Product teams ensured customers could operationalize this intelligence effectively.

By addressing both technical vulnerabilities and supply chain risks, we enabled organizations to act decisively—protecting their systems, understanding their vendor relationships, and mitigating the cascading impacts of ransomware.

What Organizations Need to Do Now

As the exploitation of Cleo vulnerabilities continues to unfold, organizations must move quickly to mitigate risks, both internally and across their supply chains. Given Cl0p’s history of targeting widely adopted Managed File Transfer (MFT) tools, delaying action could leave organizations exposed to ransomware deployment, data theft, and operational disruptions.

Immediate Steps for Direct Users of Cleo

If your organization uses Cleo Harmony®, VLTrader®, or LexiCom, immediate technical measures must be prioritized:

• Patch Vulnerable Systems: Ensure all Cleo MFT products are updated to version 5.8.0.21 or later. This step is critical to addressing CVE-2024-50623 and CVE-2024-55956.
• Disable Autorun Functionality:
  • Access the “Configure” menu, select “Options,” and clear the “Autorun Directory” field to prevent automatic execution of malicious files.
• Place Systems Behind a Firewall: Restrict internet-facing access to Cleo servers to minimize exposure. Where possible, disable external access entirely.
• Monitor for Indicators of Compromise (IoCs):
  • Watch for unusual network activity or file uploads, such as main.xml or encoded malicious payloads.
  • Block malicious IPs associated with Cl0p campaigns:
    • 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103.
• Strengthen Security Controls: Enforce strong, unique passwords for Cleo systems, and enable multi-factor authentication (MFA) to reduce unauthorized access risks.

Understand and Mitigate Supply Chain Risks

Even if your organization does not use Cleo directly, there is significant indirect risk if your vendors, trading partners, or customers rely on Cleo systems. Cl0p’s attack campaigns historically spread across entire ecosystems, impacting organizations that were never direct targets.

Steps to address cascading risks include:

• Identify Affected Vendors:
  • Use the Cleo Integration – Ransomware Risk FocusTag to identify trading and application partners exposed to potential ransomware threats.
  • Review vendor dependencies to understand which of your critical suppliers or partners use Cleo’s Integration Cloud (CIC).
• Engage Vendors with Actionable Intelligence:
  • Share specific IoCs and mitigation steps to raise awareness among vendors. Black Kite customers have used Black Kite Bridge^TM to streamline outreach, allowing vendors to address vulnerabilities faster and confirm remediations.
• Prioritize Based on Criticality:
  • Focus efforts on vendors and partners critical to your operations. Map out supply chain dependencies to identify where disruptions would cause the most significant impact.
• Test Contingency and Response Plans:
  • Develop or review backup and disaster recovery plans to ensure operational continuity if a critical vendor is compromised.
  • Identify alternative suppliers or redundancies in workflows to minimize downtime.

Strengthen Long-Term Cyber Resilience

While the immediate priority is mitigating Cleo-related risks, this incident underscores the broader need for improved third-party risk management and supply chain resilience. In an interconnected world, risks like Cleo’s vulnerabilities don’t stay isolated—they ripple across entire ecosystems. Whether you’re a direct user of Cleo systems or part of a broader supply chain, visibility and decisive action are critical to minimizing ransomware risk.

Organizations should take steps to ensure they are prepared for future events:

• Enhance Visibility:
  • Continuously monitor vendor risk exposure, particularly for critical tools like MFT solutions that manage sensitive data and workflows.
  • Proactively identify vulnerable systems across your supply chain using external intelligence and risk assessments.
• Adopt Threat Intelligence Tools:
  • Leverage risk intelligence platforms to identify vulnerabilities, IoCs, and dark web chatter before incidents escalate. Tools like Black Kite’s FocusTags allow organizations to stay ahead of emerging threats and act decisively.
• Collaborate with Vendors:
  • Build stronger relationships with third-party vendors to ensure faster response times during incidents. Avoid overwhelming vendors with repetitive questionnaires and focus on sharing actionable intelligence they can act on.
• Conduct Regular Security Audits:
  • Evaluate the security posture of both internal systems and vendor environments, ensuring that vulnerabilities are identified and addressed before they can be exploited.

By addressing vulnerabilities internally, working proactively with vendors, and strengthening long-term cyber resilience, organizations can mitigate the cascading impacts of supply chain ransomware attacks.

Final Thoughts

The Cleo exploitation campaign is another stark example of how quickly ransomware groups like Cl0p can exploit critical vulnerabilities to disrupt organizations and their interconnected supply chains. By targeting tools that sit at the heart of business operations, Cl0p has shown once again that the impacts of these attacks are rarely limited to direct victims.

At Black Kite, we believe that speed, visibility, and actionable intelligence are key to minimizing risk in moments like these. The release of the Cleo File Transfer FocusTag™ and the Cleo Integration – Ransomware Risk FocusTag™ allowed our customers to take immediate action—internally patching vulnerabilities, identifying at-risk vendors, and prioritizing outreach campaigns.

These efforts are a testament to the collaborative work of the BRITE team, who identified and tracked this threat, and the Customer Success, Support, and Product and Development teams, who made this intelligence actionable for our customers.

While the Cleo vulnerabilities may dominate headlines today, the lesson for tomorrow is clear:
Know your vendors. Know their dependencies. And act decisively when risk emerges.

The next wave of ransomware will come—it always does. Organizations that prioritize visibility, operationalize risk intelligence, and strengthen supply chain resilience will be the ones who weather it best.

References

https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks

https://www.bleepingcomputer.com/news/security/cisa-confirms-critical-cleo-bug-exploitation-in-ransomware-attacks

https://www.cisa.gov/news-events/alerts/2024/12/13/cisa-adds-one-known-exploited-vulnerability-catalog

https://arcticwolf.com/resources/blog-uk/cleopatras-shadow-a-mass-exploitation-campaign-uk

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://infosec.exchange/@SophosXOps/113631363563332166

The post Cl0p’s Exploitation of Cleo Puts the Supply Chain at Immediate Risk appeared first on Black Kite.

Written by: Jason McLarney

Gone are the days of working with a handful of long-time, trusted vendors. Today, 60% of enterprises work with up to 1,000 vendors at a time, with 71% reporting that their third-party network has exponentially increased in just three years. That means more risk to evaluate and therefore more vendor assessments to parse through. 

The sheer volume of vendors in play and the length of traditional vendor risk assessments (often hundreds of questions) can make scaling this process feel impossible. 

Fortunately, with the right third-party risk tools and strategic vendor risk assessment processes, scaling is very achievable.

4 Steps to Help Organize Vendor Risk Assessments

Here are four practical steps organizations can take to get the data they need to make confident third-party risk decisions — quickly, efficiently, and accurately.

1. Prioritize

Traditionally, many organizations have evaluated all new vendors with the same level of scrutiny. Here’s the issue with this: Not all third-party relationships are the same. 

A third-party partner with no access to critical data (such as a catering provider) should not receive the same vendor risk assessment as one with extensive access to critical data (such as a payment processor). Due to the nature of the relationship — and what’s being shared — these two vendors pose a very different level of risk. This is a good thing because it means you don’t have to be equally thorough and meticulous with every vendor.

A Strategic Approach to Vendor Risk Assessments

Prioritize and tier vendors based on the unique risk they each pose to business-critical operations, environments, and data. Third-party risk pros can start by asking the following questions about their network of vendors:

• Does this vendor have access to sensitive datasets or internal networks? If so, which ones? What level of access?
• If this vendor experienced a breach, what material impact would it have on our business operations?
• Is a vendor assessment required by a regulatory body? (e.g., your payment processor must be PCI-DSS certified)
• What is the potential financial (and reputational) impact of a third-party breach through this vendor?

Based on those answers, organizations can start more effectively tiering their vendors into the following categories:

• Tier 1: Mission Critical
• Tier 2: High Risk
• Tier 3: Moderate Risk
• Tier 4: Low Risk

Think of it this way: If you were a 911 operator who answered two calls, one about a fender-bender and one about a 10-car pileup around the same time, you’d know where to send more resources.

Risk-based tiers are the basis that should dictate all engagement with that vendor — the risk thresholds you’re comfortable with, the compliance levels you require, how often you reassess them, and the level of communication you have with them. With vendors ranked in these risk-based tiers, teams can prioritize their efforts around the third-party partners most critical to their business — and the ones that raise the most red flags regarding potential impact.

That level of prioritization is exactly how organizations can go from treating 10,000 vendors exactly the same (and burning out the team, no matter how large) to using a streamlined team to focus on the riskiest vendors — without incurring unnecessary risk or feeling spread thin.

2. Get Data You Can Trust

In a market where scaling fast is the goal, risk professionals are starting to recognize they need to move away from solely relying on questionnaires. That’s because general questionnaires, which can sometimes have over 300 questions, often result in general (read: unhelpful) responses.

Effective communication with vendors relies instead on obtaining — and sharing — the right data, and only when necessary. Organizations need a source of intelligence they can trust to make better risk decisions, including whether they need to engage the vendor in the first place. For example, if a vendor meets all of your security and compliance requirements and is tiered as a “Moderate Risk” vendor, do you really need to issue them a questionnaire? It depends on your risk appetite, but likely not.

Organizations need a transparent, standards-based cyber ratings platform where they can see for themselves how findings and scores are assembled. That gives teams the reliable, concrete data they need to have meaningful conversations with vendors and collaborate effectively to remediate risk.

Security teams should also consider investing in a third-party risk management (TPRM) tool that provides:

• Reports on how to improve risk scores, step-by-step
• Identification of specific assets believed to be most at risk
• A space for transparent, two-way vendor communication

3. Save Time (and Money) With Automation

Baking in automation is the only way to scale your vendor risk assessment process. Manually sifting through questionnaires is not the solution; it only exhausts resource-constrained risk teams and introduces human error. 

Manual vendor risk assessments can take anywhere from two to eight weeks on average. For any other project, that timeframe might be acceptable. But digital threats evolve much faster than that. Within a few weeks, the risk landscape (either yours as an organization or the market’s at large) can undergo a seismic shift that rapidly changes priorities. Whether due to a geopolitical upheaval or a new business expansion strategy, risk doesn’t remain constant. 

With the right third-party risk automation tools, teams can reduce assessment cycles from weeks to hours. AI-driven engines can parse complex vendor documents (SOC2 reports, compliance policies, questionnaire responses, and more) and measure compliance with industry-wide frameworks such as NIST 800-53 R5, ISO27001, and more, giving you an immediate view into their risk.

That unlocks the ultimate key to scaling: Finding automated tools your teams can trust to work in the background while they handle more complex risk strategies.

4. Build Relationships with Critical Vendors

Regarding third-party risk, it can be easy for organizations to fall into the trap of only communicating with vendors during procurement and onboarding… and then only if and when an incident occurs. That’s not due to any personal failure but because it can be nearly impossible to effectively communicate with hundreds or thousands of vendors regularly.

With effective prioritization, risk teams can collaborate with vendors rather than having a reactive (and often unnecessarily tense) relationship. They can also minimize the total amount of vendor assessments they need to send — and shorten and focus the ones they do send — all the while better mitigating actual risk.

Double down on the vendors that matter most to your organization’s security, financial health, and business-critical processes. Check in with them on risk and security developments — and identify any shared risks or weaknesses that you might have with each other.

Move Away From the Unscalable

Effective scaling starts with moving away from one-size-fits-all, time-consuming, and manual methods and instead towards:

1. Upfront risk-based tiering and prioritization of vendors based on their materiality to business operations.
2. Relying on a trusted data set to inform prioritization and dictate when to engage.
3. Automation to reduce or eliminate manual questionnaire reviews and unnecessary vendor engagements.
4. Stronger vendor relationships based on clear, actionable improvement steps. 

These pillars make scaling possible and achievable, expanding your team’s reach and allowing you to double down on the value-adding tasks and relationships that matter most. However, all of these vendor risk mitigation strategies rely on one key factor: trustworthy, timely risk data. When organizations have data they can trust, they can prioritize, dial in their risk thresholds, and build out the third-party risk management structure they need to move ahead with confidence.

Scaling vendor risk assessments doesn’t have to feel impossible. With the right tools and processes, organizations can unlock efficiencies, strengthen their vendor relationships, and improve their overall risk posture. Black Kite Bridge™ makes collaboration easier by providing the trusted data and communication capabilities needed to drive faster, more meaningful vendor engagements.

If you’re ready to transform your approach to vendor engagement, don’t miss our eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. It’s packed with actionable insights to help you work more effectively with vendors during critical events — no download required. 

The post Vendor Risk Assessments: Why Scaling Feels Impossible (and What To Do About It) appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday blog! As the cybersecurity landscape evolves, organizations are tasked with managing an ever-growing array of threats, especially within their vendor ecosystems. Third-Party Risk Management (TPRM) professionals play a crucial role in safeguarding operations against vulnerabilities that could ripple through the supply chain. This week, we delve into three critical vulnerabilities affecting Qlik Sense Enterprise, Cleo File Transfer software, and SAP NetWeaver JAVA. Each of these incidents highlights the importance of proactive risk management and showcases how Black Kite’s FocusTags™ empower organizations to stay ahead of emerging threats.

CVE-2024-55579 and CVE-2024-55580: Critical Vulnerabilities in Qlik Sense Enterprise

What are the vulnerabilities in Qlik Sense Enterprise?

Qlik Sense Enterprise for Windows has been identified with two critical vulnerabilities:

CVE-2024-55579 vulnerability allows unprivileged users with network access to create connection objects that can trigger the execution of arbitrary executable files on the Qlik Sense server. It has a CVSS score of 8.8, indicating high severity. CVE-2024-55580: This flaw enables unprivileged users with network access to execute remote commands, potentially causing significant impacts on system availability, integrity, and confidentiality. It carries a CVSS score of 7.5.

Both vulnerabilities were publicly disclosed on December 8, 2024. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities catalog. Qlik has released security patches to address these issues and strongly advises immediate application to mitigate associated risks.

Why should TPRM professionals be concerned about these vulnerabilities?

Third-Party Risk Management (TPRM) professionals should be vigilant regarding these vulnerabilities due to the following reasons:

• Data Compromise: Exploitation could lead to unauthorized access and manipulation of sensitive data, undermining data integrity and confidentiality.
• Operational Disruption: Successful attacks may disrupt business intelligence operations, affecting decision-making processes and overall business performance.
• Supply Chain Risk: If vendors or partners utilize Qlik Sense Enterprise, their vulnerabilities could cascade, impacting your organization’s security posture.

What questions should TPRM professionals ask vendors regarding these vulnerabilities?

To assess and mitigate risks associated with these vulnerabilities, consider posing the following questions to your vendors:

1. Have you updated all instances of Qlik Sense Enterprise for Windows to the latest patched version to mitigate the risk of CVE-2024-55579 and CVE-2024-55580?
2. Can you confirm if you have implemented the workaround provided in Qlik’s advisory to ensure proper functionality of all extensions and visualizations post-update?
3. Have you restricted network access to trusted users to minimize unauthorized exploitation of the vulnerabilities CVE-2024-55579 and CVE-2024-55580?
4. Are you continuously monitoring your network traffic to detect unusual activity and mitigate potential exploitation attempts related to the vulnerabilities CVE-2024-55579 and CVE-2024-55580?

Remediation recommendations for vendors affected by these vulnerabilities

Vendors utilizing Qlik Sense Enterprise should implement the following remediation steps:

1. Immediate Patching: Apply the latest security patches released by Qlik for Qlik Sense Enterprise for Windows.
2. Access Control Review: Ensure that only authorized users have network access to Qlik Sense servers, adhering to the principle of least privilege.
3. Monitoring and Detection: Implement monitoring solutions to detect any anomalous activities indicative of exploitation attempts.
4. Incident Response Preparedness: Develop and test incident response plans specifically addressing potential exploitation of these vulnerabilities.

How can TPRM professionals leverage Black Kite’s FocusTags^TM regarding these vulnerabilities?

Black Kite has issued a FocusTag™ for Qlik Sense Enterprise, enabling TPRM professionals to:

• Identify At-Risk Vendors: Determine which vendors may be affected by these vulnerabilities.
• Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
• Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.

CVE-2024-50623: Remote Code Execution Vulnerability in Cleo File Transfer Software

What is the Remote Code Execution Vulnerability in Cleo File Transfer Software?

CVE-2024-50623 is a high-severity unrestricted file upload and download vulnerability affecting Cleo’s file transfer products: Harmony®, VLTrader®, and LexiCom®, in versions prior to 5.8.0.21. This flaw allows attackers to upload malicious files to the software’s autorun directory, which are then automatically executed, enabling remote code execution. The vulnerability has a CVSS score of 8.8. It was publicly disclosed on December 10, 2024. PoC exploit code is available, and active exploitation has been observed in the wild, notably by the Termite ransomware group targeting sectors such as logistics, shipping, and consumer products. As of now, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

We published an article on December 11, 2024, stating that the Cleo vulnerability (CVE-2024-50623) was actively exploited by ransomware groups. You can find more details in the related blog post.

Why should TPRM professionals be concerned about this vulnerability?

Third-Party Risk Management (TPRM) professionals should be attentive to this vulnerability due to its potential impact on data integrity and operational continuity. Exploitation can lead to unauthorized access and control over systems, resulting in data breaches, service disruptions, and propagation of malware across networks. Given the widespread use of Cleo’s file transfer solutions among vendors and partners, this vulnerability poses a significant supply chain risk, potentially affecting interconnected systems and data exchanges.

What questions should TPRM professionals ask vendors regarding this vulnerability?

To assess and mitigate risks associated with CVE-2024-50623, TPRM professionals should inquire:

1. Have you identified any instances of CVE-2024-50623 within your systems?
2. Have you applied the security patches provided by Cleo to address this vulnerability?
3. What measures are in place to detect and prevent exploitation attempts related to this vulnerability?
4. How do you ensure that your use of Cleo’s file transfer software does not introduce security risks to our organization?

Remediation recommendations for vendors affected by this vulnerability

Vendors utilizing Cleo’s file transfer products should implement the following remediation steps:

1. Immediate Software Update: Upgrade all instances of Cleo Harmony®, VLTrader®, and LexiCom® to version 5.8.0.21 or later to mitigate the vulnerability.
2. Disable Autorun Functionality: Access the “Configure” menu in the software, select “Options,” navigate to the “Other” pane, and clear the contents of the “Autorun Directory” field to prevent automatic execution of files.
3. Place Systems Behind a Firewall: Ensure internet-facing Cleo systems are placed behind a firewall to limit exposure to potential attacks.
4. Monitor for Indicators of Compromise (IOCs): Check for suspicious IPs and suspicious files, such as main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml, which may contain encoded malicious commands.
5. Block Malicious IPs: Consider blocking attacker IPs, including 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103, 209[.]127[.]12[.]38, 181[.]214[.]147[.]164, 192[.]119[.]99[.]42
6. Implement Strong Security Practices: Enforce strong, unique passwords and enable multi-factor authentication (MFA) to enhance security.

How can TPRM professionals leverage Black Kite’s FocusTags^TM regarding this vulnerability?

Black Kite has issued a FocusTag™ for Cleo File Transfer, enabling TPRM professionals to:

• Identify At-Risk Vendors: Determine which vendors may be affected by CVE-2024-50623.
• Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
• Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.

CVE-2024-47578: Server-Side Request Forgery Vulnerability in SAP NetWeaver AS for JAVA

What is the SAP NetWeaver AS for JAVA SSRF Vulnerability?

CVE-2024-47578 is a critical Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for JAVA, specifically within the Adobe Document Services component. An attacker with administrator privileges can exploit this flaw by sending crafted requests from a vulnerable web application, targeting internal systems behind firewalls that are typically inaccessible from external networks. Successful exploitation enables the attacker to read or modify any file and potentially render the entire system unavailable. It has a CVSS score of 9.1, indicating critical severity. SAP has released a security patch addressing this vulnerability and strongly recommends immediate application to mitigate associated risks.

Why should TPRM professionals be concerned about this vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2024-47578 due to its potential to compromise data confidentiality, integrity, and availability. Exploitation of this vulnerability can lead to unauthorized access to sensitive information and disruption of critical business operations. Given the widespread use of SAP NetWeaver AS for JAVA among vendors, this vulnerability poses a significant risk to the supply chain, potentially affecting interconnected systems and data exchanges.

What questions should TPRM professionals ask vendors regarding this vulnerability?

To assess and mitigate risks associated with CVE-2024-47578, TPRM professionals should inquire:

1. Have you updated all instances of SAP NetWeaver AS for JAVA (Adobe Document Services) to the latest version as per SAP Security Note 3536965 to mitigate the risk of CVE-2024-47578, CVE-2024-47579, and CVE-2024-47580?
2. Can you confirm if you have restricted administrative access to essential personnel only and enforced the principle of least privilege to prevent potential exploitation of the Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for JAVA?
3. What specific measures have you implemented to monitor network traffic and detect suspicious activities that could indicate an exploitation of the vulnerabilities CVE-2024-47579 and CVE-2024-47580, which allow access to sensitive server files through exposed web services?
4. Can you confirm if you have reviewed and updated your firewall configurations to ensure that internal systems are appropriately segmented and protected from unauthorized access, specifically in relation to the SSRF vulnerability CVE-2024-47578 in SAP NetWeaver AS for JAVA?

Remediation recommendations for vendors affected by this vulnerability

Vendors utilizing SAP NetWeaver AS for JAVA should implement the following remediation steps:

1. Immediate Software Update: Apply the security patch provided by SAP as per SAP Security Note 3536965 to address the vulnerability.
2. Restrict Administrative Access: Limit administrative privileges to essential personnel and enforce the principle of least privilege.
3. Monitor Network Traffic: Implement monitoring to detect and respond to suspicious activities promptly.
4. Review Firewall Configurations: Ensure that internal systems are appropriately segmented and protected from unauthorized access.

How can TPRM professionals leverage Black Kite’s FocusTags^TM regarding this vulnerability?

Black Kite has issued a FocusTag™ for SAP NetWeaver, enabling TPRM professionals to:

• Identify At-Risk Vendors: Determine which vendors may be affected by CVE-2024-47578.
• Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
• Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In today’s dynamic cybersecurity environment, managing third-party risks requires precision and timely intelligence. Black Kite’s FocusTags™ are an indispensable tool for organizations navigating critical vulnerabilities like those in Qlik Sense Enterprise, Cleo File Transfer, and SAP NetWeaver JAVA. These tags are designed to provide:

• Real-Time Risk Insights: Quickly identify vendors impacted by specific vulnerabilities, enabling immediate action.
• Targeted Prioritization: Focus efforts on high-severity vulnerabilities and vendors most critical to your operations.
• Tailored Vendor Communication: Facilitate targeted discussions with vendors, addressing their specific security measures and vulnerabilities.
• Comprehensive Threat Visibility: Gain a holistic view of the threat landscape, empowering more strategic decision-making.

Black Kite’s FocusTags™ transform complex cybersecurity challenges into actionable intelligence, allowing TPRM professionals to mitigate risks efficiently and strengthen overall security. By leveraging these insights, organizations can proactively address vulnerabilities, ensuring resilience in an ever-evolving threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• Cleo File Transfer: Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
• PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
• Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.
• Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
• Ivanti Connect Secure: CVE-2024-9420, CVE-2024-47906, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-11007, CVE-2024-11006, CVE-2024-11005, and CVE-2024-11004, Use-After-Free, Stack-Based Buffer Overflow, Argument Injection, and Reflected XSS Vulnerabilities in Ivanti Connect Secure.
• Nostromo nhttpd: CVE-2019-16278, Path Traversal Vulnerability, RCE Vulnerability in Nostromo nhttpd.
• LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability iin LiteSpeed Cache plugin.
• RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
• Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
• XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.

References

https://blackkite.com/blog/when-ransomware-ruins-the-supply-chain-lessons-from-blue-yonder-and-the-rise-of-termite-ransomware-group

https://nvd.nist.gov/vuln/detail/CVE-2024-55579

https://nvd.nist.gov/vuln/detail/CVE-2024-55580

https://community.qlik.com/t5/Official-Support-Articles/High-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows-CVEs/tac-p/2496004

https://securityonline.info/cve-2024-55579-cve-2024-55580-qlik-sense-users-face-serious-security-risk

https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-50623

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://securityonline.info/cve-2024-50623-critical-vulnerability-in-cleo-software-actively-exploited-in-the-wild

https://github.com/watchtowrlabs/CVE-2024-50623

https://nvd.nist.gov/vuln/detail/CVE-2024-47578

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html

https://securityonline.info/cve-2024-47578-cvss-9-1-sap-issues-critical-patch-for-netweaver-as-for-java

The post Focus Friday: TPRM Insights on Qlik Sense, Cleo File Transfer, And SAP NetWeaver JAVA Vulnerabilities appeared first on Black Kite.

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

Has your vacation ever been interrupted by a ransomware incident? Mine was.

It was Thanksgiving week, and I had promised myself a break—a chance to recharge, disconnect, and enjoy time with my family in Florida. For once, I left my laptop behind. That plan didn’t last long. One morning, while watching the sunrise, messages started pouring in: Blue Yonder, a key supply chain provider for major retailers like Starbucks and Sainsbury’s, had been hit by a ransomware attack.

As a TPRM professional, I knew what this meant—ripples of disruption across countless interconnected businesses. Even on vacation, there’s no “off button” when it comes to managing third-party risks. I immediately reached out to the Black Kite Research and Intelligence Team (BRITE) that I lead. From my phone, I watched our team spring into action. Within hours, we had developed and delivered actionable insights, helping our clients assess their exposure and understand the downstream risks.

This incident drove home a critical truth:

In today’s hyperconnected world, supply chain risk isn’t something you can leave behind—even on vacation. It’s about more managing vendors; it’s about having the tools and intelligence to act quickly when cascading risks emerge.

In this blog, we’ll dive into the Blue Yonder ransomware attack, the rise of groups like Termite, and why new ransomware groups keep appearing. More importantly, we’ll explore how you can stay one step ahead in managing third-party and supply chain risks—so you don’t lose sleep, or your vacation, over the next big breach.

What Happened: The Blue Yonder Ransomware Incident

It started with an attack highlighting the growing risks in supply chain dependencies. On November 21, 2024, Blue Yonder—a key supply chain provider for global brands like Starbucks, Sainsbury’s, and Morrisons—fell victim to a ransomware attack. The impact rippled quickly, disrupting services many businesses relied on to manage employee schedules, warehouse operations, and supply chain logistics. For some, the fallout meant immediate operational delays; for others, it meant grappling with manual workarounds as they scrambled to keep shelves stocked and orders moving.

The group behind the attack, known as Termite, claimed responsibility a few days later, boasting about exfiltrating 680GB of data. Their dark web blog would later confirm the data breach, listing everything from internal emails to sensitive insurance documents. For Blue Yonder’s clients, this wasn’t just a vendor issue—it was a business continuity crisis. 

Meanwhile, our team at Black Kite moved quickly, leveraging our intelligence capabilities to identify impacted companies and guide them through their response.

Here’s how the incident unfolded:

• November 21, 2024: Blue Yonder detected a ransomware attack targeting its managed services, disrupting key supply chain operations.
• November 25, 2024: Media reports surfaced, revealing the widespread impact on businesses dependent on Blue Yonder.
• November 27, 2024: Black Kite issued a FocusTag, providing customers with actionable intelligence to assess risks and engage with their vendors.
• December 6, 2024: Termite published stolen data on their leak site, confirming the scale of the breach.
• December 10, 2024: A vulnerability in Cleo file transfer software (CVE-2024-50623), linked to the attack, was disclosed. Black Kite issued another FocusTag to address this emerging risk.

The incident wasn’t just about Blue Yonder. It exposed how a single breach in the supply chain can snowball, impacting industries, businesses, and consumers alike. For those of us in the third-party risk management (TPRM) community, it’s a stark reminder:

Understanding your vendor relationships isn’t enough. You need to understand how their vulnerabilities can become your vulnerabilities.

This brings us to the bigger question: what does this mean for the TPRM and supply chain risk management community?

Why This Matters for the TPRM Community

The Blue Yonder ransomware attack exposed a crucial challenge for the TPRM community: understanding not just your vendors, but your vendors’ vendors. The ripple effects of this incident weren’t limited to companies directly relying on Blue Yonder’s supply chain solutions. Any organization whose third parties depended on Blue Yonder faced disruptions, even if they didn’t realize the connection beforehand.

This interconnected nature of modern supply chains creates risks that are often hidden until a breach occurs. Many organizations struggle with mapping these dependencies, leaving critical gaps in their risk management strategies. The Blue Yonder incident illustrates why knowing who is at risk is as important as knowing how the risk manifests.

For the TPRM community, this event highlights a few key lessons:

1. Supply Chain Depth Matters: Risk doesn’t stop at your direct vendors. Businesses need to look deeper into their supply chains to identify dependencies and assess potential exposure.
2. Hidden Vulnerabilities Multiply Risks: A vendor may seem low-risk on the surface, but its reliance on another compromised provider can bring unexpected consequences. The cascading nature of the Blue Yonder attack demonstrates how quickly these vulnerabilities can escalate.
3. Targeting the Supply Chain: Ransomware groups are increasingly focused on supply chains because of the widespread impact they can achieve. The more connected an ecosystem is, the greater the potential for disruption.

Understanding these layers of risk is no longer optional. It’s essential for protecting operations and mitigating the fallout of third-party incidents. While assessing direct vendors is critical, a comprehensive approach to supply chain risk must go further, examining the relationships and dependencies that sit just below the surface.

The question for the TPRM community isn’t whether your organization is prepared to respond—it’s whether you know where to look before the next attack lands.

Understanding the risk is only part of the equation. To truly prepare, we need to understand the attackers themselves—who they are, how they operate, and why new ransomware groups seem to emerge every other week.

The Rise of Termite: A New Player in the Ransomware Ecosystem

Who is the Termite Ransomware Group?

Termite is a relatively new player in the ransomware ecosystem, but their operations suggest a group with significant capability and intent. They’ve already targeted industries spanning logistics, manufacturing, retail, and public services, with victims reported across North America, Europe, and Asia. Their choice of targets reflects a deliberate focus on high-impact sectors, particularly those integral to supply chains.

Interestingly, Termite has publicly announced only seven victims on their dark web leak site. However, the true number of organizations affected remains unknown. Ransomware groups often withhold some victims from public disclosure, either because negotiations are ongoing or because the victims have paid the ransom. This lack of transparency leaves a significant gap in understanding the full scale of Termite’s impact.

What sets Termite apart is their use of ransomware closely resembling the Babuk family. Babuk, infamous for its efficient encryption and focus on industrial and supply chain sectors, had its source code leaked in mid-2021. Elements of Babuk’s methodology have since surfaced in various ransomware operations, and Termite appears to have adopted and refined these techniques.

By leveraging Babuk’s leaked code, Termite has likely reduced their development overhead, allowing them to scale their operations more efficiently while avoiding significant technical pitfalls.

How They Operate: Insights into Termite’s Tactics

While Termite’s full operational methods remain under investigation, certain tactics have been observed or suggested by researchers:

• Critical Vulnerabilities:
  • Termite has exploited CVE-2024-50623, a vulnerability in Cleo Harmony, VLTrader, and LexiCom. This flaw allows remote code execution through unrestricted file uploads, enabling attackers to place malicious files in the autorun directory for automatic execution. This vulnerability has been observed in attacks targeting industries heavily reliant on file transfer systems.
• Indicators of Compromise (IoCs):
  • IoCs associated with Termite have been published on platforms like VirusTotal, highlighting suspicious files and network activity. These include patterns of encoded malicious payloads and reconnaissance tools used for privilege escalation and lateral movement.

Additionally, researchers have speculated about inaccessible or outdated Fortinet VPN servers playing a role in Termite’s targeting, but this remains unverified and should be interpreted cautiously.

By focusing on unpatched vulnerabilities in critical systems, Termite has shown a strategic approach to targeting organizations with exploitable weaknesses, amplifying their impact across supply chains and interconnected networks.

Analyzing the Victims: Patterns Behind the Targets

When we examined the organizations impacted by Termite, a clear pattern emerged. These weren’t random attacks—they were calculated, deliberate strikes against companies with visible weaknesses. While we can’t confirm the exact vulnerabilities exploited, the signs of trouble were there well before the ransomware hit.

What did we find? Three factors stood out:

1. Critical Vulnerabilities: ALL victims had critical vulnerabilities, including some listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. These are the kinds of vulnerabilities that make organizations stand out to attackers—visible, exploitable, and often overlooked.
2. Leaked Credentials: In almost every case, we found fresh credentials—leaked within the last 90 days—circulating on dark web forums. Attackers don’t need advanced tools when they can simply log in with exposed passwords.
3. Stealer Logs: Multiple victims were flagged in stealer logs, indicating malware infections that had already siphoned sensitive data like passwords, cookies, or session tokens. It’s like leaving the front door open in a neighborhood known for burglaries.

What this tells us is simple: these companies were sending the wrong signals to attackers. They didn’t just have vulnerabilities—they had vulnerabilities that attackers look for.

The Role of RSI: Turning Risk into Action

This is where the Ransomware Susceptibility Index (RSI) comes in. As one of the co-inventors of the methodology, I take great pride in how it helps organizations see what attackers see. RSI isn’t just a number—it’s a reflection of how attractive a company looks to a ransomware group.

Ransomware, in general, is a rare event. Fewer than 10,000 companies worldwide have ever experienced a successful ransomware attack. That’s a tiny fraction when you consider the millions of businesses out there.

But here’s the catch: for certain companies, the odds are much higher. A high-impact company in a highly regulated industry located in a wealthy country and with visible weaknesses—what I like to call a “juicy target”—isn’t operating in the same reality as a well-fortified business. RSI captures this difference.

When we talk to our customers, we emphasize that an RSI value of 0.4 is the critical threshold. Above that, the risk isn’t something you can ignore. It’s a warning sign, flashing like a beacon in the dark web where ransomware groups lurk looking for their next victim. In fact, nearly half of companies with an RSI above 0.8 become victims. In a world where ransomware is supposed to be rare, those numbers are staggering. They tell us that the risk isn’t random—it’s predictable. And the companies that don’t heed it? They’re the ones we often end up seeing in headlines.

This isn’t just a lesson for the companies impacted by Termite. It’s a lesson for anyone who thinks their risk ends at their firewalls. Understanding your vulnerabilities—and how they look to attackers—isn’t just smart; it’s necessary.

A Changing Ecosystem: The Proliferation of Ransomware Groups

One striking trend in the ransomware ecosystem is the rapid emergence of new groups. Every few weeks, a new group launches its dark web blog, often debuting with dozens of victims already listed. Termite is part of this wave.

This shift can be attributed to the collapse or rebranding of major groups like AlphV and LockBit. Some affiliates have pivoted to becoming operators themselves, while others may be remnants of older groups operating under new names. This churn creates instability in the ecosystem, but it also signals a growing sophistication among attackers. Groups like Termite are leveraging mature tactics—such as exploiting software vulnerabilities and maximizing supply chain impact—to establish themselves quickly.

Understanding this evolving ecosystem is critical for the TPRM community. It’s not just about tracking known ransomware groups—it’s about anticipating the next wave before it arrives.

How TPRM Professionals Should Respond

Events like the Blue Yonder ransomware attack highlight a key challenge in third-party risk management: the need for timely, actionable insights without overwhelming vendors. While asking questions is necessary, it’s equally important to recognize the burden vendors face when multiple clients demand answers during a crisis. A more proactive process using tools to identify potential risks and ransomware indicators and limit outreach to the most critical vendors help you to prioritize actions that will have the biggest impact.

Balancing the Need for Answers with Vendor Empathy

When incidents occur, vendors often receive identical questionnaires from several clients. This creates frustration, delays, and the potential for incomplete or rushed responses. To minimize this strain, TPRM professionals should focus on targeted, relevant questions and approach vendors with empathy. Acknowledging the challenges they face can lead to better collaboration and more accurate insights.

When reaching out to vendors, consider framing your questions with transparency and understanding:

“We understand you’re receiving inquiries from multiple clients during this challenging time. To help us assess any potential risks, could you share insights specific to your relationship with Blue Yonder?”

Key Questions to Ask

When reaching out to vendors, focus on gathering the most critical information to assess your exposure:

1. Have you used Blue Yonder’s services recently or currently? If so, which ones?
2. Have you experienced any disruptions related to Blue Yonder’s recent ransomware incident?
3. Have you conducted a review of your systems for Indicators of Compromise (IoCs) linked to the Blue Yonder attack?
4. What contingency measures are in place if Blue Yonder’s services are further disrupted?

Actions to Take When a Vendor Relies on Blue Yonder

If a vendor confirms reliance on Blue Yonder, consider the following steps:

• Open Communication: Request regular updates about the vendor’s remediation efforts and the potential impact on your operations.
• Collaborate on Mitigation: Work with the vendor to identify practical steps to reduce risks, such as reviewing affected systems or implementing additional controls.
• Review Agreements: Examine contracts and SLAs to understand the vendor’s obligations during service disruptions and how they’re addressing them.
• Encourage Contingency Planning: If not already in place, suggest backup plans or alternative solutions for services dependent on Blue Yonder.

Can We Be More Proactive?

Proactivity in TPRM is no longer a luxury; it’s a necessity. With tools like digital footprints, supply chain visibility maps, and third-party intelligence, TPRM professionals can identify potential risks before they become immediate threats.

For instance, instead of waiting for a vendor to disclose their relationship with Blue Yonder, professionals can use external intelligence to identify those connections proactively. By analyzing subdomains, IP address allocations, and other open-source data, you can create a clearer picture of your supply chain dependencies without relying solely on vendor responses.

Furthermore, proactive risk monitoring with methodologies like the Ransomware Susceptibility Index (RSI) can identify which vendors in your ecosystem are most at risk of ransomware attacks. This allows you to prioritize preemptive actions, such as targeted security reviews or recommending specific mitigations to vulnerable vendors.

In the end, visibility is key. You can’t secure what you can’t see, and understanding the web of relationships within your supply chain is essential for protecting your organization in a world where third-party incidents are becoming the norm.

Recognizing Questionnaire Fatigue

Proactive intelligence also reduces questionnaire fatigue on the vendor’s side. By knowing who is likely affected, you can limit outreach to only those vendors where risk is most apparent. This helps maintain trust and collaboration, ensuring that vendors don’t feel overwhelmed or undervalued.

The balance between asking questions and showing empathy is critical. Vendors are your partners in the supply chain, and their resilience is tied to yours. By taking a thoughtful, data-driven approach, TPRM professionals can build stronger relationships while protecting their organizations from cascading risks.

Operationalizing Intelligence: FocusTags for Blue Yonder and Cleo Vulnerability

Blue Yonder Client FocusTag™

When the Blue Yonder ransomware incident unfolded, the critical challenge for organizations was determining their exposure. Identifying whether vendors relied on Blue Yonder’s services—or were indirectly impacted—wasn’t always clear. To bridge this gap, we released the Blue Yonder Client FocusTag on November 27, just days after the incident entered the public domain.

How We Identified Blue Yonder Clients

To create the Blue Yonder FocusTag™, we relied on a comprehensive methodology rooted in publicly available information and open-source intelligence (OSINT). Our approach included:

1. Blue Yonder’s Own Website and Customer Testimonials:
   • We reviewed case studies, customer testimonials, and success stories published by Blue Yonder to identify companies explicitly listed as clients. These firsthand sources provided strong indicators of relationships with Blue Yonder’s services.
2. Cybersecurity News and Public Reports:
   • By analyzing industry-specific news and public reports about the Blue Yonder incident, we identified companies that were mentioned as impacted or associated with Blue Yonder’s services. Press releases and investigative journalism often provide critical clues in these scenarios.
3. Job Postings:
   • Job descriptions and postings from various companies mentioning Blue Yonder skills or systems were another valuable source. These postings often indicate active or recent use of Blue Yonder’s solutions.

Transparency Through Confidence Levels

We understand that no intelligence process is perfect, which is why transparency is at the heart of every FocusTag™. For the Blue Yonder Client FocusTag™, we provided a confidence level based on the strength and reliability of our sources:

• Very High confidence when derived from direct evidence such as Blue Yonder’s own materials or official testimonials.
• High confidence for cases where vendor relationships were inferred from multiple direct and indirect sources like news or job postings in high volume.
• Medium confidence for cases where vendor relationships were inferred from indirect sources like news or job postings.

This transparency allows our customers to prioritize their actions based on the reliability of the information. By knowing how we reached our conclusions, customers can better align their response strategies.

How Customers Operationalized the Blue Yonder FocusTag™

The FocusTag™ gave our customers a head start in managing risks related to the Blue Yonder incident. Here’s how they operationalized it:

• Targeted Vendor Outreach: By filtering monitored vendors tagged with the Blue Yonder FocusTag™, customers could prioritize outreach to those potentially impacted. The confidence level provided clarity, helping them decide where to focus their efforts first.
• Initiating Outreach Campaigns with Black Kite Bridge: Many customers used Black Kite Bridge™ to streamline their communication with vendors identified as susceptible to the Blue Yonder incident. Through Bridge, they launched outreach campaigns directly from the platform, requesting information or actions related to risk mitigation. This simplified the process, reducing time and effort while ensuring consistent communication.
• SOC Integration: Security Operations Centers (SOCs) used the FocusTag™ to identify potential risks in their networks, cross-referencing IoCs linked to the Blue Yonder attack.
• Investigating Concentration Risk with the Supply Chain Module: Customers leveraged the Black Kite Supply Chain module to assess their overall risk exposure, identifying the concentration of dependencies on Blue Yonder across their vendor ecosystem. This added layer of analysis helped them understand the broader implications of the incident and prepare for potential cascading effects.
• Risk Mitigation: Armed with evidence from the tag, customers engaged vendors to verify their exposure and implement mitigation measures.

Customer Feedback on the Blue Yonder FocusTag™

The response from customers was overwhelmingly positive. Many noted that the FocusTag™ provided actionable insights faster than the disclosures from Blue Yonder or the impacted vendors. One customer shared how the tag helped their SOC team discover potential risks in their network, while others appreciated the speed and clarity of the intelligence, allowing them to act with precision during a chaotic event.

The addition of tools like Black Kite Bridge^TM and the Supply Chain module further enhanced their ability to respond effectively. Bridge streamlined outreach, allowing customers to communicate with vendors quickly and consistently. The Supply Chain module provided critical insights into systemic risks, helping customers not just react but plan for similar incidents in the future.

The feedback reinforced the importance of timely, precise intelligence in third-party risk management, especially during fast-moving incidents like this one.

Cleo File Transfer FocusTag™

Another critical risk emerged after the Blue Yonder incident: the vulnerability in Cleo Harmony, VLTrader, and LexiCom (CVE-2024-50623). Cleo’s prominence in supply chain operations made this flaw a significant threat. Researchers have also suggested that Termite might be actively exploiting this vulnerability, further elevating its risk profile. To address it, we released the Cleo File Transfer FocusTag™ on December 10, providing actionable intelligence to our customers.

Identifying Risk from the Cleo Vulnerability

We used open-source intelligence (OSINT) and digital footprint analysis to pinpoint companies potentially exposed to this vulnerability. By analyzing public-facing IT asset details, we identified over 2,000 assets running vulnerable versions of Cleo products. This level of specificity—down to the exact IT asset and version—elevated the confidence level of this FocusTag to Very High.

The intelligence drew parallels to the infamous MOVEit vulnerability exploited by the Cl0p ransomware group in 2023. Like MOVEit, Cleo’s vulnerability allowed unauthorized file uploads and remote code execution, making it an attractive target for sophisticated threat actors.

How Customers Use the Cleo File Transfer FocusTag™

The Cleo FocusTag™ equipped our customers with actionable intelligence, eliminating the need for traditional vendor questionnaires. Instead of asking vendors if they used Cleo products, customers could share detailed risk intelligence, including:

• The specific IT assets and versions running Cleo software.
• Recommended actions for immediate remediation, such as patching to the latest version or disabling autorun functionality.

This intelligence was appreciated not only by customers but also by their vendors, who now had a clear understanding of the risk and steps to address it.

Tracking Remediations with Black Kite Bridge^TM

Black Kite Bridge™ further streamlined the remediation process. Customers used Bridge™ to:

• Share Intelligence: Instead of sending questionnaires, customers shared detailed FocusTag™ intelligence with vendors, saving time and reducing vendor fatigue.
• Monitor Progress: Bridge allowed customers to track remediation efforts, such as patching and configuration changes, without repeated follow-ups.

By removing the guesswork from vendor communications, Black Kite Bridge™ ensures a more efficient and collaborative approach to managing risks.

Behind the Scenes: Making Critical Intelligence Possible

As I reflect on the Blue Yonder incident and the subsequent Cleo vulnerability, I’m reminded of the incredible teamwork and dedication that went into delivering timely, actionable intelligence to our customers. This level of service—anticipating risks, providing precise insights, and enabling proactive measures—doesn’t happen by chance. It’s the result of a collective effort across multiple teams.

The Black Kite Research and Intelligence Team (BRITE) works tirelessly to analyze data, identify patterns, and craft FocusTags that offer clarity during uncertainty. Their expertise turns chaos into actionable insights.

But BRITE isn’t alone in this effort. Our Customer Success and Customer Support teams ensure that every customer has the guidance they need to operationalize this intelligence. Whether through Black Kite Bridge, the Supply Chain module, or one-on-one support, they help customers turn risk awareness into effective action.

The Black Kite Product and Development teams deserve equal credit. Their work makes tools like FocusTags, Bridge, and our digital footprint capabilities possible, allowing us to deliver intelligence with precision and confidence.

These incidents are a reminder of the complexity and interconnectedness of today’s supply chains. But they’re also a testament to what’s possible when we combine cutting-edge technology with human expertise. As ransomware groups evolve, so must we. And thanks to the efforts of everyone involved, our customers are better equipped to navigate these challenges and protect their businesses.

At Black Kite, we don’t just provide intelligence—we empower action. And in moments like these, I couldn’t be prouder of the team that makes it all possible.

References

https://blueyonder.com/customer-update

https://www.bleepingcomputer.com/news/security/blue-yonder-ransomware-attack-disrupts-grocery-store-supply-chain

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://cyble.com/blog/technical-look-at-termite-ransomware-blue-yonder

https://www.broadcom.com/support/security-center/protection-bulletin/termite-ransomware

https://therecord.media/blue-yonder-cyberattack-customer-systems-returning

https://twitter.com/valerymarchive/status/1858508329321931132?s=46&t=u19CbogN0TP7iqFc4MlyEQ

https://www.virustotal.com/gui/file/f0ec54b9dc2e64c214e92b521933cee172283ff5c942cf84fae4ec5b03abab55

The post When Ransomware Ruins the Supply Chain: Lessons from Blue Yonder and the Rise of Termite Ransomware Group appeared first on Black Kite.

Written by: Bob Maley

Effective risk reduction cannot and should not be a solo mission. But when vendors get inundated by an avalanche of security requests, that’s exactly what it can feel like.

In an ideal world, handling security requests should be teamwork between companies and vendors. In the real world, it can be an extremely awkward situation where each party does a lot of finger-pointing, and not much constructive collaboration happens. 

At Black Kite, we know how frustrating this type of situation can be. After all, we’re on both sides of this equation – both a user of vendors and a vendor ourselves. 

That’s (part of) why we’ve established a list of quick-hit security and compliance strategies vendors can implement to have more successful long-term relationships with their customers. 

4 key strategies to better manage customer security requests

1. Get involved in early sales conversations

Don’t let security assessments be the last checkbox before a deal closes. Because (as you know) it’s not as simple as checking a box — it is often time-consuming, frustrating, and slows down important decisions. Instead, vendor security teams can collaborate with sales teams to proactively open up security conversations.

To help sales feel equipped for these conversations, vendors can:

• Train their sales organization. It’s important that sales feels well-equipped to talk about security, at least at a high level, if they’re going to bring it up with leads. Guide them with educational sessions, info decks, or even a simple lunch and learn so they can speak to security conversations with a foundation of knowledge. They should know what compliance frameworks you follow or have certifications from, where your Trust Center lives (and what’s inside it), and how to answer basic questions about security, like “Do you use MFA?”
• Frame security as part of the product. Sales teams are naturally focused on selling your product. Emphasize that security processes and protocols are an essential part of your product, and you may see less friction down the line.

2. Guide security conversations with relevant intelligence

Few things are more frustrating than when security conversations happen in a recursive loop. Often, these circular conversations result from a lack of clear information about your risk status and security posture. 

Vendors can get ahead of this by guiding security conversations with evidence of their security postures. Sharing IT security plans, compliance reports, and external security assessments proactively can reduce the number of irrelevant or redundant questions coming your way. At the very least, being prepared this way will help you get through questionnaires quicker.

Vendor teams can lead security conversations best by:

• Bringing reliable, useful, and timely security data to the table
• Focusing on specific risk indicators, like Black Kite’s Ransomware Susceptibility Index®
• Providing context on how you address vulnerabilities and real-world threats
• Being transparent about your internal security practices

Ultimately, it’s about sharing information that demonstrates to the prospect or customer that you take security seriously.

3. Establish a source-of-truth status page

Incidents happen, and when they do, it can be very stressful for your team. What makes it even more stressful is combing through hundreds of emails from customers asking you about a situation that you’re already dealing with.

Vendors need a streamlined way to communicate with customers while focusing on incident remediation. Here’s a nimble approach: Build out a status page.

Vendors know that they have an obligation to share information on incidents when they happen. However, the number one goal during every event is to prevent losses, recover assets, and contain the threat. That means it’s neither productive nor possible to issue post-mortems on incidents while they’re still actively happening. 

A well-maintained and updated status page can go a long way. Instead of directly responding to thousands of customers during an incident, vendors can simply redirect customers to the information they need in a centralized, organized place. 

That frees up time and resources to tackle the most pressing priorities: Containing and remediating the incident.

4. Share critical insights on a trust center

Ultimately, the more proactive vendors can be about their security and compliance status, the smoother security conversations with prospects and customers will go, leading to fewer unnecessary security requests and better collaboration.

Vendors can be clearly and publicly vocal about their dedication to security by building a digital trust center. This centralized resource ideally hosts critical security and privacy documents, ready to download and view with just a few clicks. It can also be a convenient location for artifacts customers typically ask for during assessments and security requests.

A robust trust center should include:

• Materials often requested in assessments (e.g., descriptions of information security processes)
• Summaries of pen tests and audit results
• Public versions of compliance documents (e.g., SOC 2, ISO 27001)
• A display of real-time compliance monitoring for key controls
• Proactive answers to common assessment questions

A centralized hub of resources helps vendors build trust with customers and save time and resources. When security requests come in, vendors can refer to trust centers to determine which inquiries require more in-depth conversations and which can be answered with a quick link. 

Trust: It’s an ongoing conversation

Ultimately, reducing the burnout and frustration caused by customer and prospect security requests comes down to building two-way trust. With proactive strategies, focused conversations, and mutual access to risk information, vendors can instill confidence in their security posture.

Vendors should approach security as an ongoing dialogue. When that mindset permeates beyond the security team, organizations can position themselves as trusted partners rather than potential risks — and make security requests more manageable while they’re at it.

Keep customer trust a top priority with stronger security practices. Avoid these three mistakes when defending against breaches.

For organizations managing third-party risks, collaboration with vendors is at the heart of effective security practices. Our eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events, provides actionable insights into how customers and vendors can work more effectively together during critical events. Check it out now to explore collaborative strategies for navigating today’s cyber risk landscape (no download required).

The post The Vendor’s Dilemma: How to Manage Customer Security Requests Without Losing Your Mind appeared first on Black Kite.

Written by: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist

In every part of the world, security teams are at war. And they’re on the losing side. Cyber attackers are becoming increasingly sophisticated, working together to amplify their efforts. Adversaries are actively collaborating — sharing intelligence and tactics to optimize their attacks.

On the other side of the trenches — despite doing business with hundreds or even thousands of third parties — companies are fighting their security battles alone. Corporations tend to defend their assets like lone wolves, with security and threat intelligence siloed within each link of the supply chain. While some know how to shore up their defenses, others are left open to attack. This lack of unity often leads to infighting and companies clashing with their own third parties — all while attackers coordinate their attacks to exploit weaknesses.

We know ransomware groups and bad actors are working together because the data shows an increasing prevalence of repeat victims — often in rapid succession. According to the Black Kite State of Ransomware 2024 report, in 2023, 104 companies fell victim to two attacks by different ransomware groups, with a clear downward trend in the amount of time between each attack. This indicates that ransomware groups are communicating and strategizing together, monitoring other attacks so they can strike while a victim is still unprotected.

While attackers benefit from shared intelligence, organizations fail to collaborate on defense strategies, opening themselves — and their supply chains — to significant security risks. Going alone is a losing strategy.

This lack of coordination heightens exposures and the likelihood of successful attacks, as even the most robust cybersecurity defenses have their limits. After all, each company only has so many resources.

But there is a better way.

Strengthening Defenses With Collaborative Cyber Threat Intelligence

To paraphrase my industry colleague Richard Stiennon, Chief Research Analyst at IT-Harvest, who was featured in an episode of our Risk & Reels podcast, companies are currently defending themselves as best they can. Those that know how to strengthen their defenses are faring better, while the rest are engaged in a losing battle. It’s time for us to be proactive, reach out, and work together. 

Consider the impact of just 10 companies pooling their resources and working together to combat cyber threats. This means companies can gain access to the kinds of best practices and tools that others are already using to successfully defend themselves against cyber attacks. Now imagine 100 or even 1,000 companies coming together to share tactics, best practices, and practical defense strategies.

While this may seem like an ambitious goal, intelligence-sharing entities like ISACs (Information Sharing and Analysis Centers) and the NSA Cybersecurity Collaboration Center

are already turning this vision into a reality — and proving the power of collective action.

A prime example is the Northeast Ohio CyberConsortium (NEOCC), established in 2018. This ISAC actively promotes collaborative cyber threat intelligence across the region through industry-led efforts and public-private partnerships. By fostering an environment of shared knowledge and practices, NEOCC members have built a culture of collaborative defense, achieving significant improvements in cybersecurity resilience and incident response.

If Collaboration Is So Great, Why Isn’t It Happening?

There’s a strong case for collaboration, but to get there, there are a few issues with the current approach to vendor risk assessment and remediation to resolve first: 

• Lack of clear ownership for risk assessment: When everyone thinks risk assessment is another team’s priority, nothing gets done. By making it clear who’s in charge, everyone knows which team is responsible for taking action. 
• Identifying issues is time-consuming: Following a high-profile incident, companies often struggle to pinpoint issues and respond effectively across their entire third-party ecosystem. Without visibility into vendors’ platforms, organizations often resort to sending shotgun blast emails, which isn’t effective or scalable. 

• Security is on the sidelines: Business goals and objectives often overshadow security requirements — until a breach occurs. Security is frequently sidelined compared to focusing on delivering products to market or meeting revenue targets, leaving critical risks unaddressed until it’s too late.
• Inadequate security-to-security communication: When security teams identify a vulnerability in a partner or vendor, they often face challenges in finding the right point of contact. Instead of directly interfacing with the vendor’s security team, they’re passed through account managers, customer success teams, and other intermediaries, resulting in a slow and inefficient game of telephone. Sometimes, the message never even reaches the security team, leading to no action being taken at all.
• Fear of reputational damage or repercussions: Many organizations hesitate to share information about vulnerabilities or security gaps due to concerns about how it may reflect on their capabilities. They may feel embarrassed, fear being perceived as less competent, or worry about potential consequences if the shared intelligence reveals a significant oversight or weakness. This apprehension often discourages open collaboration and creates an environment where security teams remain isolated instead of leveraging collective intelligence to address threats.

Overcoming these challenges and working toward collaborative cyber threat intelligence might seem like a pipe dream — but it’s certainly possible. After all, the cyber attackers have already worked out how it’s done.

Strategies To Improve Vendor Collaboration

Organizations can improve vendor collaboration and security across the entire supply chain by adopting real-time risk assessments, providing clear remediation guidance, and closing communication gaps. Here’s how:

1. Continuously monitor supply chain risk and security vulnerabilities

Risk assessment must evolve from being an infrequent periodic task to an ongoing process. Some companies only reassess their vendors every three years — and that’s nowhere near enough. Point-in-time evaluations serve a limited purpose but must be augmented with real-time data collection and continuous monitoring. This shift allows organizations to identify and mitigate risks before they become crises. 

This responsibility also needs to extend across the entire supply chain. Rather than considering security as the responsibility of the individual CISO at each company, it’s essential to work together to create a collaborative bubble of security that encompasses the entire ecosystem.

2. Provide vendors with accurate and trustworthy data — and specific, actionable remediation steps

When a vulnerability is identified, most companies still rely on outdated methods like manual surveys to gather information from vendors. But without knowing which company uses which software, you might need to ask hundreds or thousands of questions to uncover potential issues.

A better approach is to leverage real-time data-sharing platforms that allow vendors to receive actionable remediation steps based on actual risk exposure. Legacy tools often lack the necessary granularity, but newer solutions can fill this gap. 

For example, Black Kite’s FocusTags™ can be used to uncover issues, automatically flagging vendors when they’re exposed to a data breach or attack — sometimes before they even realize it. Black Kite Bridge™ then helps automate and streamline the process of getting the issue addressed and sharing any relevant information with identified vendors, enabling risk collaboration across the entire supply chain.

3. Close the security communication gap

Effective collaboration relies on a direct connection between security teams across organizations. Too often, multiple calls and emails between departments waste critical time when addressing issues. Establishing direct communication channels between security teams ensures that the right people, those closest to the problem, can respond immediately.

This approach also helps solve the issue of false positives. Sending vendors irrelevant risk information can lead to vendor fatigue, creating a “boy/girl who cried wolf” scenario and diluting their response to actual threats. Black Kite Bridge helps by filtering out unnecessary alerts, ensuring only affected vendors are contacted. Compliance scores, risk indicators, and FocusTags allow security teams to communicate precisely and efficiently, reducing delays in remediation.

By closing these communication gaps and providing actionable intelligence directly to those who need to know, Black Kite Bridge helps improve response rates — with early customers already seeing response rates as high as 90%.

Collaboration: The Key to Successful Cyber Defense

Looking towards a future filled with increasingly frequent and sophisticated cyber attacks might feel bleak. But there is a path forward — one that hinges on collaboration.

To win the cybersecurity war, organizations must move away from isolated defense efforts toward a unified approach that prioritizes collective intelligence and collaboration at all levels. This shift requires enhanced transparency, open communication, and shared accountability throughout the supply chain.

Achieving this collaboration necessitates the adoption of the right technologies and frameworks. Historically, many organizations have struggled to establish robust cybersecurity practices, often focusing on reactive measures rather than addressing foundational issues. This oversight has left them exposed to threats, frequently entangled in longstanding vulnerabilities that should have been resolved years ago.

Now, Black Kite has a solution designed to address those fundamental issues. Enabling real-time risk assessments, actionable remediation intelligence, and enhanced communication between vendors and security teams, Black Kite Bridge^TM gives organizations the tools they need to collaborate and effectively respond to threats.

For a deeper dive into how you can transform your third-party risk response and build a more collaborative, efficient approach to remediation, check out our eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. This guide takes you through a before-and-after journey of improving vendor collaboration, streamlining outreach, and ensuring risks are remediated faster and more effectively.

The post Collaboration to Win the War on Cyber Threats appeared first on Black Kite.

Written by: Ferdi Gül

This week’s Focus Friday blog delves into critical vulnerabilities affecting widely used systems: PAN-OS, Apache Airflow, and PostgreSQL. These vulnerabilities, ranging from authentication bypass and privilege escalation to sensitive data exposure and arbitrary code execution, highlight the evolving threat landscape faced by organizations worldwide. From a Third-Party Risk Management (TPRM) perspective, understanding these vulnerabilities and their implications is vital for maintaining a robust security posture across the supply chain. In this blog, we explore the technical details, potential impacts, and how Black Kite’s FocusTags™ empower organizations to respond effectively to these threats.

CVE-2024-0012 and CVE-2024-9474: PAN-OS Authentication Bypass and Privilege Escalation Vulnerabilities

What Are the PAN-OS Authentication Bypass and Privilege Escalation Vulnerabilities?

CVE-2024-0012 is a critical authentication bypass vulnerability in PAN-OS, published on November 18, 2024. This flaw allows unauthenticated attackers with network access to the management web interface to gain administrative privileges. Exploitation enables tampering with configurations, executing administrative actions, and leveraging other vulnerabilities such as CVE-2024-9474. The vulnerability has a CVSS score of 9.3 and is actively exploited.

CVE-2024-9474 is a medium-severity privilege escalation vulnerability in PAN-OS, also published on November 18, 2024. This flaw enables attackers with administrative access to escalate their privileges to root level, leading to complete system compromise. It has a CVSS score of 6.9 and is actively exploited in the wild.

Both vulnerabilities have been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog on November 18, 2024.

Why Should TPRM Professionals Be Concerned About CVE-2024-0012 and CVE-2024-9474?

PAN-OS is a critical component of enterprise network security. Exploitation of these vulnerabilities poses severe risks, including:

• Compromised administrative control: Attackers can bypass authentication and escalate privileges to root level, allowing full control over firewalls and related systems.
• Data breaches: Sensitive data and configurations may be accessed or modified.
• Lateral movement: Attackers can use compromised systems to launch further attacks, threatening the entire network.

For TPRM professionals, vendors utilizing PAN-OS could become entry points for malicious activity, necessitating immediate evaluation and action.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-0012 and CVE-2024-9474?

To assess the vendor’s mitigation efforts for these vulnerabilities, ask:

1. Have you upgraded all PAN-OS devices to patched versions (10.2.12-h2, 11.0.6-h1, 11.1.5-h1, or 11.2.4-h1 or later)?
2. Have you restricted management interface access to trusted internal IP addresses and avoided exposing it to the internet as a precaution against the exploitation of CVE-2024-0012 and CVE-2024-9474?
3. Are you using Palo Alto Networks Threat Prevention capabilities to block attack signatures for these vulnerabilities including Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763?
4. Can you confirm if you have implemented the recommended actions such as continuously monitoring network traffic for unusual activity and securing management access with a jump box or other hardened mechanisms to prevent exploitation of CVE-2024-0012 and CVE-2024-9474?

Remediation Recommendations for Vendors Affected by CVE-2024-0012 and CVE-2024-9474

Vendors should take the following actions to mitigate these vulnerabilities:

• Upgrade PAN-OS: Install versions 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, or 11.2.4-h1 or later.
• Restrict Access: Limit management web interface access to trusted internal IPs and avoid exposing it to the internet.
• Enable Threat Prevention: Use Palo Alto Networks Threat IDs (e.g., 95746, 95747) to block known attack vectors.
• Monitor Activity: Regularly review logs for unusual administrative actions or traffic patterns.
• Implement Role-Based Controls: Restrict root-level access to essential administrative users only.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-0012 and CVE-2024-9474?

Black Kite’s FocusTag™ for these vulnerabilities, published on November 19, 2024 (with updates on November 20, 2024), provides TPRM professionals with critical insights, including:

• Identification of affected vendors: Black Kite helps pinpoint vendors with potential exposure to these vulnerabilities.
• Detailed asset information: This includes IP addresses and subdomains associated with the vulnerabilities.
• Streamlined prioritization: Professionals can focus their efforts on vendors with the highest risk exposure, ensuring efficient remediation.

CVE-2024-10979: PostgreSQL Arbitrary Code Execution Vulnerability

What is the PostgreSQL Arbitrary Code Execution Vulnerability?

CVE-2024-10979 is a high-severity vulnerability in PostgreSQL’s PL/Perl procedural language, identified on November 14, 2024. This flaw allows unprivileged database users to manipulate environment variables, such as PATH, potentially leading to arbitrary code execution. The vulnerability has a CVSS score of 8.8. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why Should TPRM Professionals Be Concerned About CVE-2024-10979?

PostgreSQL is a widely used relational database management system across various industries. A vulnerability that permits arbitrary code execution poses significant risks, including unauthorized access to sensitive data, system compromise, and potential lateral movement within an organization’s network. For Third-Party Risk Management (TPRM) professionals, this vulnerability is particularly concerning when vendors utilize PostgreSQL in their operations, as it could lead to compromised data integrity and confidentiality.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-10979?

To assess the impact of this vulnerability on your vendors, consider asking the following questions:

1. Have you identified any instances where unprivileged users have manipulated environment variables in your PostgreSQL deployments?
2. What measures have you implemented to prevent unauthorized access to environment variables within your PostgreSQL databases?
3. Have you applied the necessary patches or updates to address CVE-2024-10979 in your PostgreSQL installations?
4. What steps have you taken to monitor and detect potential exploitation attempts related to this vulnerability?

Remediation Recommendations for Vendors Affected by CVE-2024-10979

Vendors should take the following actions to mitigate the risks associated with this vulnerability:

• Upgrade PostgreSQL: Update to the latest fixed versions: 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21.
• Restrict Environment Variable Access: Limit unprivileged users’ ability to interact with environment variables in the database.
• Implement Strong Access Controls: Enforce strict privilege management policies to minimize risks from unauthorized access.
• Monitor for Exploitation Indicators: Review logs and monitor system activity for unusual database queries or environment variable changes.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-10979?

Black Kite published the FocusTag™ for CVE-2024-10979 on November 19, 2024. TPRM professionals can utilize this FocusTag to identify vendors potentially affected by this vulnerability. Black Kite’s platform offers detailed insights, including the specific assets (IP addresses and subdomains) associated with the vulnerable versions of PostgreSQL within a vendor’s infrastructure. This information enables organizations to prioritize their risk assessments and remediation efforts effectively. By leveraging Black Kite’s intelligence, TPRM professionals can streamline their processes, reduce the scope of vendor inquiries, and focus on those most at risk, thereby enhancing the overall security posture of their supply chain.

CVE-2024-45784: Apache Airflow Vulnerability Exposes Sensitive Data in Logs

What is the Apache Airflow Vulnerability CVE-2024-45784?

CVE-2024-45784 is a high-severity vulnerability in Apache Airflow versions prior to 2.10.3, with a CVSS score of 7.5. Discovered on November 16, 2024, this flaw arises from the platform’s failure to mask sensitive configuration values in task logs. This oversight allows Directed Acyclic Graph (DAG) authors to inadvertently or deliberately log sensitive information, such as API keys and database credentials. If unauthorized individuals access these logs, they could exploit the exposed data to compromise the security of the Airflow deployment. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why Should TPRM Professionals Be Concerned About CVE-2024-45784?

Apache Airflow is widely used for orchestrating complex workflows across various industries. A vulnerability that exposes sensitive configuration data poses significant risks, including unauthorized access to critical systems, data breaches, and potential lateral movement within an organization’s network. For Third-Party Risk Management (TPRM) professionals, this vulnerability is particularly concerning when vendors utilize Airflow in their operations, as it could lead to compromised data integrity and confidentiality.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-45784?

To assess the impact of this vulnerability on your vendors, consider asking the following questions:

1. Have you identified any instances where sensitive configuration variables were logged in your Airflow task logs?
2. What measures have you implemented to prevent unauthorized access to Airflow logs? Have you implemented strict access controls for logs and enabled role-based access to sensitive Airflow components as recommended to address the vulnerability?
3. Have you rotated any credentials or secrets that were potentially exposed due to this vulnerability?
4. Have you educated your Directed Acyclic Graph (DAG) authors to avoid logging sensitive information in workflows, and have you rotated any credentials or secrets found in logs as part of your response to the Apache Airflow vulnerability?

Remediation Recommendations for Vendors Affected by CVE-2024-45784

Vendors should take the following actions to mitigate the risks associated with this vulnerability:

• Upgrade Airflow: Update to version 2.10.3 or the latest release to ensure sensitive configuration variables are masked in task logs.
• Audit Logs: Review existing task logs for any exposed secrets and update them as necessary.
• Credential Rotation: Rotate any credentials or secrets identified in logs to prevent unauthorized access.
• Access Controls: Enforce strict access controls for logs and implement role-based access for sensitive Airflow components.
• DAG Author Education: Provide guidelines and training to DAG authors to minimize the logging of sensitive information in workflows.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-45784?

Black Kite published the FocusTag™ for CVE-2024-45784 on November 18, 2024. TPRM professionals can utilize this FocusTag to identify vendors potentially affected by this vulnerability. Black Kite’s platform offers detailed insights, including the specific assets (IP addresses and subdomains) associated with the vulnerable versions of Apache Airflow within a vendor’s infrastructure. This information enables organizations to prioritize their risk assessments and remediation efforts effectively. By leveraging Black Kite’s intelligence, TPRM professionals can streamline their processes, reduce the scope of vendor inquiries, and focus on those most at risk, thereby enhancing the overall security posture of their supply chain.

Maximizing TPRM Efficiency with Black Kite’s FocusTags™

Black Kite’s FocusTags™ redefine how organizations approach Third-Party Risk Management (TPRM) by providing actionable insights into the latest vulnerabilities, such as those affecting PAN-OS, PostgreSQL, and Apache Airflow. Here’s how these innovative tools can enhance TPRM strategies:

• Real-Time Threat Identification: FocusTags™ allow organizations to quickly pinpoint vendors impacted by critical vulnerabilities, enabling immediate action to mitigate risks.
• Strategic Risk Management: By combining vulnerability severity and vendor criticality, these tags help prioritize efforts where they are needed most.
• Enhanced Vendor Communication: FocusTags™ facilitates targeted and informed discussions with vendors, addressing their specific security challenges and exposures.
• Comprehensive Risk Visibility: Providing a panoramic view of the threat landscape, FocusTags™ enable TPRM teams to build stronger and more adaptive security ecosystems.

In an era of increasing cyber threats, Black Kite’s FocusTags™ offer an indispensable resource for managing third-party risks effectively and proactively. By transforming complex cyber threat data into clear, actionable intelligence, they empower organizations to safeguard their supply chains with confidence.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
• PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
• Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.
• Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
• Ivanti Connect Secure: CVE-2024-9420, CVE-2024-47906, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-11007, CVE-2024-11006, CVE-2024-11005, and CVE-2024-11004, Use-After-Free, Stack-Based Buffer Overflow, Argument Injection, and Reflected XSS Vulnerabilities in Ivanti Connect Secure.
• Nostromo nhttpd: CVE-2019-16278, Path Traversal Vulnerability, RCE Vulnerability in Nostromo nhttpd.
• LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability iin LiteSpeed Cache plugin.
• RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
• Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
• XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
• FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
• Grafana: CVE-2024-9264, Remote Code Execution Vulnerability  in Grafana.
• Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
• Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0012

https://nvd.nist.gov/vuln/detail/CVE-2024-9474

https://security.paloaltonetworks.com/CVE-2024-0012

https://security.paloaltonetworks.com/CVE-2024-9474

https://nvd.nist.gov/vuln/detail/CVE-2024-10979

https://www.postgresql.org/support/security/CVE-2024-10979

https://github.com/apache/airflow/pull/43040

https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h

https://securityonline.info/cve-2024-45784-apache-airflow-vulnerability-exposes-sensitive-data-in-logs/

The post Focus Friday: TPRM Insights On PAN-OS, PostgreSQL, and Apache Airflow Vulnerabilities appeared first on Black Kite.

Written by: Gulsum Budakoglu & Gokcen Tapkan

Today, Third-Party Risk Management (TPRM) is more critical than ever for organizations striving to maintain security and compliance. As external partnerships multiply, the complexities and risks associated with managing risks also increase. Large Language Models (LLMs) bring advanced natural language processing capabilities that can revolutionize tasks like information extraction, report analysis, contract evaluation, and compliance monitoring. To truly harness the power of LLMs in TPRM, it’s essential to fine-tune and adjust hyperparameters such as:

• Temperature
• Top-p
• Token length
• Max tokens 
• Stop tokens

As well as deciding on the context (cashing) and output format.

LLM Parameters and Configurations in Action

LLMs are powered by an array of parameters that dictate the model’s behavior and output. If appropriately fine-tuned, they can boost productivity and accuracy in TPRM processes. Let’s see how adjusting certain parameters will improve the performance of LLM in TPRM.

1. Temperature: Controlling Output Randomness

Temperature is a hyperparameter that controls the randomness of the model’s output. In Third-Party Risk Management (TPRM), you often need deterministic and reliable responses—such as when detecting compliance risks or analyzing contracts. Setting a lower temperature, between 0.2 and 0.5, yields conservative and predictable results, making it ideal for factual tasks like verifying if a requirement is met based on provided evidence. On the other hand, a higher temperature, such as 0.8 to 1.0, can be helpful for creative or scenario-based risk assessments, where more variability and imaginative responses are valuable.

Lesson 1: Set the temperature to align model output with your specific business requirements.

2. Top-p (Nucleus Sampling): Enhancing Result Diversity

Top-p, also known as nucleus sampling, is a hyperparameter that determines how the model selects words based on their probability distribution. By setting a Top-p value—for example, 0.9—you instruct the model to consider only the most probable words whose cumulative probability adds up to 90%. This means the model focuses on a subset of the vocabulary that is most relevant to the context, ensuring the output remains on track while introducing a healthy variety.

For instance, when analyzing the risk profiles of third parties, using top-p sampling allows the model to suggest plausible risks by filtering out less likely outcomes. This is particularly valuable in assessments involving complex vendor relationships with many factors to consider. By concentrating on the most probable words, the model provides insights that are both diverse and pertinent, enhancing the quality of risk evaluations.

Lesson 2: Use Top-p to balance relevance and diversity in model outputs.

3. Token Length: Balancing Context and Efficiency

Token length is the number of words or characters in a sequence that the model processes. Within the context of TPRM, it is both input and output lengths** that matters. For the input, you may consider augmenting LLM with compliance evidence, certification, test reports, etc. While a short input may not contain enough context for meaningful risk predictions, a long input can be overwhelming for the model and yield irrelevant results. It’s all about finding the right balance.

This will ensure that while making complex contract reviews or due diligence checks, among others, the input provides enough context without overloading the model. This is where adjusting the token length comes into play in building efficient prompts that get the LLM to focus on relevant information.

Lesson 3: Find the token length sweet spot to balance rich context with efficient processing.

4. Max Tokens: Managing Complexity

Max tokens are the maximum number of tokens the model generates. In TPRM, this takes on particular significance when doing more complex analyses that require coherent and well-structured output. Setting a longer max token allows for more in-depth analysis, for example, when the model is evaluating the compliance track record of a particular vendor. However, when doing quick, high-level summaries or initial risk flags, shorter max token may be advisable since it balances speed with resource use.

This saves computational costs by efficiently managing the max setting to provide insightful and actionable outputs from the model without getting bogged down in unnecessary detail.

Lesson 4: Use max tokens to control complexity—letting your model dive deep into details or keep it concise when brevity is key.

5. Stop Tokens: Fine-tuning Output Length

The stop token defines where the model stops, and that can be manipulated depending on how long or short one wants the response to be. In TPRM, setting appropriate stop tokens means that LLM will give responses which are concise and actionable, avoiding verbosity.

Setting stop tokens for one sentence, for example, may be helpful when you need a quick verdict on risk, while setting them to full paragraph output may be needed with in-depth analyses of contracts.

Lesson 5: Master stop tokens to control your model’s voice—choosing when to be succinct or when to explore topics in depth.

6. Context Window: Expanding Possibilities with Larger Memory

LLM models now come with context windows ranging from 8K to even up to 2 million tokens as of this writing. This expanded capacity allows the models to process and “remember” larger amounts of text within a single interaction. In the realm of TPRM (Third-Party Risk Management), this means you can feed extensive documents—like compliance evidence, certifications, and detailed test reports—directly into the model for analysis. With advanced context caching, uploading large documents for information extraction becomes feasible, enabling the LLM to consider a multitude of factors simultaneously. This is particularly beneficial when dealing with complex vendor relationships that require comprehensive due diligence.

Lesson 6: Harness expansive context windows to empower your model with a richer memory for deeper insights.

7. Frequency Penalty: Keeping Language Fresh and Human

Frequency penalty, as the name suggests, is a parameter that penalizes the model for repeating the same words in generated text. By setting a higher frequency penalty, you reduce the likelihood of the model overusing certain words or phrases. When the generated text repeats the same words over and over, it can come across as robotic and dull, causing readers to lose interest and potentially miss important information. Applying an appropriate frequency penalty helps the model produce more varied and engaging language, making the content feel more human and less like AI-generated text.

Lesson 7: Apply frequency penalties to ensure your model speaks like a human—not a robot.

Practical LLM Tips in TPRM

These different parameters help tune LLMs for streamlined Third-Party Risk Management (TPRM) tasks, which include but are not limited to the following:

Vendor Risk Assessments through Evidence: This scenario focuses on extracting evidence from compliance documents such as questionnaires, surveys, compliance reports, audits, and information security policies. Given the volume of documents involved, tuning parameters like temperature and top-up allows LLMs to make comprehensive assessments of third-party vendors, considering a variety of factors that could pose    risks—including compliance history, financial stability, and more.

Contract Analysis is a critical process that involves a thorough examination of vendor agreements to identify terms and clauses that might pose risks or lead to non-compliance with legal and regulatory standards.  By leveraging AI-powered LLMs, vast amounts of textual data can be analyzed highlighting critical clauses and flagging potential risks that might be overlooked by human reviewers. By optimizing token length, you ensure that the model captures the necessary context within each segment of the contract. This is crucial for understanding complex clauses that span multiple sentences or paragraphs. The optimum Max Token can allow the LLM to generate comprehensive analyses without cutting off important information or generating excessively long outputs that are hard to parse.

Compliance Monitoring: Fine-tuned LLMs enable organizations to continuously scan for regulatory changes and security threats. This ensures that third-party partnerships operate within legal guidelines and adhere to ethical standards. A lower temperature reduces randomness, ensuring that the model provides consistent and reliable summaries of regulatory changes.  Implementing suitable stop tokens ensures the model’s responses are concise and end appropriately. This prevents the generation of redundant or off-topic information.

Supply Chain Threat Intelligence: LLMs can provide timely and organized information about vendor-related security incidents or other intelligence, helping organizations respond swiftly and appropriately. Intelligence feeds can be sourced from social media or other online platforms. It’s crucial to choose the right model for this task; since accuracy is paramount, keeping the temperature setting low is advisable to ensure precise and reliable outputs.

Unlocking New Possibilities in TPRM with Large Language Models

Integrating Large Language Models (LLMs) into Third-Party Risk Management (TPRM) processes offers substantial benefits—especially when the models are fine-tuned to suit specific tasks. By carefully adjusting hyperparameters like temperature, top-p, token length, max tokens, and stop tokens, organizations can leverage LLMs to enhance third-party risk assessments, contract analysis, compliance monitoring, and more.

In a world where third-party risks are continually evolving, efficiently utilizing LLMs can make all the difference in staying one step ahead. By harnessing the power of these advanced tools, organizations can proactively manage risks, ensure compliance, and maintain a competitive edge in an ever-changing landscape.

Ready to dive deeper into how AI can transform your TPRM strategy? Download our latest whitepaper, Artificial Intelligence in TPRM: The NLP Engineer’s Guide to Building a Domain-Aware AI, to discover cutting-edge insights and practical applications of LLMs in risk management.

The post Lessons and Useful Tips From 3 Years of LLM Fine-Tuning and Optimization appeared first on Black Kite.

Written by: Laurie Asmus, Content Marketing Lead at Black Kite

At financial services companies, Mondays signify the beginning of the trading week with a flurry of activity. On the other hand, Fridays tend to be the quietest day of the week. But when Michelle Scwhab, Chief Compliance Officer (CCO) at financial services firm Ellsworth Advisors first heard about the CrowdStrike outage via an early-morning phone call, she knew this wouldn’t be any ordinary Friday at work. 

Schwab had no idea how this incident would affect her company and team, but she knew she’d need to dig in and get to the bottom of it fast. Although it wasn’t immediately clear if the outage was directly affecting Ellsworth, it was certainly disrupting their business partners and Schwab struggled to identify specific impacts or pinpoint affected areas. She had read the news but the flood of unactionable information did not apply specifically to her business or point her in the right direction to ensure her company was secure.

Noise vs. Signal: Getting to Actionable Information

This was a classic case of too much noise and not enough signal — something security and compliance professionals often struggle with, especially when it comes to unexpected business interruptions.

Then Schwab got an email from Black Kite:

CrowdStrike, a prominent cybersecurity firm, caused the Blue Screen of Death (BSOD) on thousands of Windows machines, leading to widespread and global operational disruptions across many sectors including airlines, financial institutions, healthcare services, and more. The issue stems from a faulty software update rather than a cyberattack.

Identify potentially impacted vendors by using filtering on the CrowdStrike FocusTag™ from your Companies List

Read more about CrowdStrike FocusTag™.

This gave her the first real piece of information that she could act on.

With the FocusTags^TM report in hand, Schwab was able to:

1. Quickly identify which vendors were impacted

2. Prioritize assessment of vendors handling sensitive client data

3. Document findings for compliance and future reference

4. Make informed decisions about necessary follow-up actions

Of course, Schwab’s number one priority was determining which of their impacted vendors handle personally identifiable information (PII) and other sensitive customer data. With Black Kite FocusTags™, she could quickly see that none had been compromised. This was a huge relief.

Schwab then began putting together a file about the incident, using FocusTags™ to fill in key details that could be used down the road to address any potential fallout. This made her job far easier than if she’d had to call up each of Ellsworth’s vendors to ask how they’d been affected.

Later, Schwab sent us this email about the CrowdStrike FocusTag™ notification:

“Thank you! This was the most useful piece of information I got on Friday about this issue.” 

– Michelle Schwab, Chief Compliance Officer at Ellsworth Advisors

With the confidence that the outage didn’t pose the risk of exposing sensitive customer information, Schwab was able to file her report on the incident. It was a rare, beautiful summer day in Ohio, so Schwab left work early once she’d completed her duties. Despite the day’s hectic beginning, her mind was at ease knowing Ellsworth’s customer data was safe and sound.

Many other security and compliance professionals could not say the same that Friday.

Finding Focus to Respond Faster

Complicating matters further, recent cyber disclosure regulations have become more stringent recently, especially regarding breach notification. The SEC requires finserv companies today to notify those materially impacted by a breach or incident within 72 hours. 

But a lot can happen in the span of four days. When Zero-Day events or unexpected outages occur, security teams must rapidly identify the impact on their environment, prioritize remediation efforts, and communicate clearly with affected stakeholders. Given the complexity of digital supply chains today, it’s often tough to dig up the right information and piece it together promptly.

This is exactly why we created FocusTags™ – to enable organizations of all sizes to have the most pertinent information about high-profile cyber events at their fingertips as quickly as possible.

Complex Supply Chains Complicate Risks

While the CrowdStrike incident received a lot of attention, the main takeaway from that day is not about this specific outage. Rather, the incident highlights just how interconnected modern organizations are: The sprawl of software, vendors, contractors, and other third parties means that a single incident can have far-reaching consequences. 

Illustrating this trend, Black Kite’s 2024 Third-Party Breach Report found 81 third-party breaches in 2023, impacting 251 companies as the consequences rippled out.

Supply chains will only grow more complex over time, so organizations need to have a plan in place to not just observe and protect their own systems and infrastructure but to have visibility into their supply chains and potential risks that may arise from them.

How FocusTags™ Work to Identify Critical Events Fast

Black Kite’s FocusTags™ offer users a simple and effective way to track major cyber incidents. They allow companies to assess their supply chains for risk and understand which vendors are affected by an incident, breach, or outage. They are automatically applied to any high-profile incident, but can also be leveraged to organize information about your supply chain. 

Within hours of an event, FocusTags™ will automatically identify and flag any third parties that have been affected by:

• Data breaches
• Ransomware
• Geopolitical events
• Software vulnerabilities

This ensures that security and compliance professionals like Schwab can quickly access the information they need to address time-sensitive issues and mitigate overall risk to their organizations. FocusTags™ isolate signals from noise and provide peace of mind, as well as strengthened security and compliance postures.

To learn more about how FocusTags™ can help you the way they helped Ellsworth Advisors during the CrowdStrike incident, request a demo of our platform today.

---

---

A huge thank-you to Michelle Schwab and the Ellsworth Advisors team for allowing us to share their story with our audience.

For further reading, check out our other blogs related to the CrowdStrike incident:

By Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist:

• TPRM Wake-up Call: Are You One Cybersecurity Incident Away From Chaos?
• Focus Friday: Lessons from the CrowdStrike Update Outage on Global IT Resilience

By Ferhat Dikbiyik, Chief Research & Intelligence Officer:

• CrowdStrike Outage: Lessons on Fragility and Resilience
• Top Concerns for Cybersecurity Leaders and Strategies to Build Resilience

The post How FocusTags™ Gave One Customer Peace of Mind During the Unexpected CrowdStrike Outage appeared first on Black Kite.

Written by: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist at Black Kite

I recently started a conversation on LinkedIn with a simple challenge: 

Let’s play a game. Churchill famously said, “You cannot reason with a tiger when your head is in its mouth.” How can we apply this to cybersecurity? Best answer wins a cool prize. – LinkedIn post November 5, 2024

The quote, “You cannot reason with a tiger when your head is in its mouth” by Winston Churchill captures a critical truth for our field: Once a cyber threat is inside an organization, responding can be both difficult and costly. 

The tiger in this analogy isn’t just about external threats—it also represents internal complacency, outdated strategies, and assumptions that can weaken our defenses. So, in a cybersecurity context, the goal is to keep our heads out of the tiger’s mouth in the first place through proactive planning and smart strategy.

The comments came pouring in, each with a unique perspective on how Churchill’s words apply to cybersecurity. Here’s my take on the common threads.

Takeaways on Proactive Cybersecurity Measures

Digital Walls and Rocket Ships

Many folks pointed out that cybersecurity teams often fall into a reactive approach, focusing on building digital ‘walls’ rather than proactively identifying and mitigating risks. The consensus was that a more effective approach requires preparation: comprehensive training, detailed Incident Response (IR) plans, and adopting a Zero Trust model, which means verifying every user and device, inside or outside the network. This proactive mindset—almost like thinking with a predator’s mentality—helps teams anticipate and counteract threats before they strike. 

One commenter nailed it, saying that if we stick to outdated thinking, it’s like building walls while hackers are coming at us with ‘rocket ships.’ It’s a losing game.

Decision Hygiene

The need for “decision hygiene” is another prominent theme. Just like you wouldn’t want to find yourself reasoning with a tiger after it’s already clamped down, you don’t want to be making high-stakes cybersecurity decisions in the heat of a crisis. By practicing decision hygiene—maintaining clear, structured, and data-driven processes—we avoid scrambling in the moment and can address threats calmly, with a clear head. 

In other words, it’s about having those strong processes in place beforehand, so we’re not forced into reactive decision-making when a serious threat strikes. In essence, decision hygiene keeps our heads out of the tiger’s mouth by ensuring we’re prepared and focused on the right priorities from the start.

This way, we don’t end up over-committing resources to minor issues while leaving high-impact threats under-addressed. With good decision hygiene, organizations can stay focused on what actually matters, avoid knee-jerk responses, and act quickly and effectively when it counts.

Pop Culture Defenders

A few responses took a creative turn, comparing cybersecurity defenses to iconic pop culture characters and tools. For example, some likened proactive defenses to the constant force fields in Star Wars, always activated to fend off incoming threats. Another comparison was to Inspector Gadget’s arsenal—using least-privilege access and multi-factor authentication like versatile gadgets to contain breaches and stop threats from spreading.

These analogies reinforce the idea that, just like you wouldn’t wait until the tiger’s jaws are closing, effective cyber defenses are already in place, always at the ready, actively preventing unauthorized access. With these proactive measures, we don’t have to negotiate or respond reactively in the heat of a crisis; instead, we’ve fortified our defenses well in advance, keeping us a step ahead of potential threats.

People, Process, and Tools

Many contributors noted that a strong cybersecurity strategy isn’t just about having the right technology—it also relies heavily on people and processes. While technology is essential, the human element can make or break our defenses. To keep our heads out of the tiger’s mouth, we need ongoing training to build a ‘security-first’ mindset across the organization, combined with continuous improvement in our response strategies.

Some responses mentioned the importance of tabletop exercises and realistic simulations, which help teams rehearse for real-world threats so that response pathways are second nature. This preparation ensures that, if a crisis does strike, we’re not caught off guard and scrambling for a plan—we’re ready to act decisively and effectively. One contributor even suggested keeping ‘breath mints’ handy, a lighthearted reminder that sometimes quick thinking and creativity are key to defusing unexpected threats. 

In the end, it’s the blend of people, process, and tools that keeps us well-prepared, so we’re never forced into that vulnerable, “head-in-the-tiger’s-mouth” situation.

Zero Trust

A strong theme that emerged was the call for a Zero Trust approach, which many argue is essential in today’s digital landscape. Zero Trust operates on the principle that trust is a vulnerability that hackers are quick to exploit. Instead of assuming any user or device is safe, Zero Trust requires verification at every access point, minimizing the chances of a threat slipping through.

Zero Trust is about never letting our guard down, even for internal users, because each unchecked access point could be the one that opens us up to a threat (and gets us in the tiger’s mouth). Contributors also emphasized that, along with Zero Trust, practices like decision hygiene, unbiased judgment, and systematic evaluation help keep cybersecurity strategies robust and ready for anything, keeping the ‘tiger’ at bay through vigilance and careful control.

Resilience is Key

Resilience came up as a central theme, with many contributors stressing the importance of an Incident Response (IR) plan that goes beyond basic defenses. An effective IR plan isn’t just about defense—it’s about being ready to respond swiftly and limit damage if a breach occurs, preventing the tiger from “closing its mouth.” In other words, resilience means planning and preparation so thorough that, even if a threat gets through, we can regain control quickly.

This approach to resilience includes everything from off-site backups and disaster recovery plans to training teams on threat recognition and response. When IR plans are tested and team members know exactly what to do, they’re prepared to act effectively under pressure. With resilience as a core principle, we’re not just avoiding the tiger’s mouth—we’re positioning ourselves to bounce back stronger if a crisis does arise.

Maturity in Cybersecurity Practices

A recurring theme in the responses was the importance of leaders embracing maturity in cybersecurity strategies. True maturity means treating preparation as an ongoing cycle of improvement, because without preparation, leaders may find themselves negotiating with attackers or regulators from a position of weakness, limited by their lack of preparedness. One response highlights that maturity in cybersecurity leadership is about positioning an organization so it never has to negotiate from a vulnerable state.

Prior Preparation Prevents Poor Performance – Don’t Let the Tiger Catch You

If there’s one lesson to take away from the discussion, it’s the five P’s: 

• Prior 
• Preparation 
• Prevents 
• Poor
• Performance

In cybersecurity, proactive, preventive measures are worth far more than the costs of being caught off guard. The tiger metaphor drives this home: Once an attack is underway, there’s no time to negotiate or reason. Instead, preparation, constant vigilance, and real-time adaptability keep the tiger’s jaws from ever closing.

Ultimately, the conversation highlights the value of a proactive, vigilant mindset in cybersecurity. By focusing on decision hygiene, Zero Trust, and proactive planning, organizations can protect themselves from the sharp teeth of cyber threats before they ever get close. As Churchill’s analogy suggests, success in cybersecurity isn’t about reasoning with the threat—it’s about ensuring it never gets the chance to strike.

For those looking to dive deeper into shifting from reactive to proactive cyber risk management, check out our ebook, From Reactive to Proactive: Transforming Cyber Risk Management. It offers strategies and insights to help organizations strengthen their defenses and stay one step ahead of threats.

The post Keeping Your Head Out of the Tiger’s Mouth with Proactive Cybersecurity appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we delve into high-profile vulnerabilities impacting third-party software and explore their implications for Third-Party Risk Management (TPRM). This edition examines two notable vulnerabilities: the path traversal vulnerabilities in Atlassian Jira, Ivanti Connect Secure, and Nostromo nhttpd. With each vulnerability carrying the potential for severe exploitation, our insights aim to equip TPRM professionals with the knowledge and tools necessary to understand the impact of these risks on their organizations and address them proactively. By leveraging Black Kite’s FocusTags^TM, we enable TPRM teams to respond swiftly and strategically to evolving cyber threats, mitigating the cascading effects of third-party vulnerabilities on enterprise security.

CVE-2021-26086: Path Traversal Vulnerability in Atlassian Jira

What is the Path Traversal Vulnerability in Atlassian Jira (CVE-2021-26086)?

CVE-2021-26086 is a path traversal vulnerability in Atlassian Jira Server and Data Center versions prior to 8.5.14, between 8.6.0 and 8.13.6, and between 8.14.0 and 8.16.1. This vulnerability allows remote attackers to read specific files via a crafted request to the /WEB-INF/web.xml endpoint. The vulnerability has a CVSS score of 5.3, indicating a medium severity level, and an EPSS score of 97.11%, suggesting a high likelihood of exploitation. 

PoC exploit code is available. It was first disclosed in August 2021 and has been actively exploited in the wild, with CISA adding it to their Known Exploited Vulnerabilities (KEV) catalog on November 12, 2024. The threat actor group Androxgh0st has been identified as exploiting this vulnerability.

You can access the workaround details shared on Atlassian’s official site here. However, upgrading to the latest version will help enhance your resilience against current and future vulnerabilities.

Why Should TPRM Professionals Be Concerned About CVE-2021-26086?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2021-26086 because it allows unauthorized access to sensitive files on vulnerable Jira instances. If a vendor’s Jira system is compromised, attackers could gain access to internal project information, user data, and other confidential materials, potentially leading to data breaches and further exploitation within the organization’s network.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2021-26086?

• Have you identified any instances of Atlassian Jira Server or Data Center within your infrastructure?
• If so, have these instances been updated to versions 8.5.14, 8.13.6, 8.16.1, or later to address CVE-2021-26086?
• What measures have you implemented to detect and prevent unauthorized access attempts exploiting this vulnerability?
• Can you provide details on any monitoring or logging mechanisms in place to identify potential exploitation of this vulnerability?

Remediation Recommendations for Vendors

• Upgrade Jira Instances: Update all Atlassian Jira Server and Data Center instances to the latest fixed versions (8.5.14, 8.13.6, 8.16.1, or later) to mitigate the vulnerability. Atlassian provides the latest versions (9.12.15) on their support site, ensuring protection against this and other known vulnerabilities.
• Implement Access Controls: Restrict access to Jira instances through secure methods such as VPNs and enforce strong authentication mechanisms.
• Apply Workarounds if Immediate Upgrade Isn’t Possible:
  • Reverse Proxy/Load Balancer Configuration: Configure reverse proxies or load balancers to block path traversal attempts by denying requests containing traversal sequences.
  • URL Rewrite Rules: Modify Jira’s urlrewrite.xml to redirect suspicious requests containing path traversal characters to safe URLs.
• Monitor Systems: Regularly review access logs and network traffic for unusual activities that may indicate exploitation attempts.

How Can TPRM Professionals Leverage Black Kite for CVE-2021-26086?

Black Kite’s FocusTag™ for Atlassian Jira, published on November 13, 2024, enables TPRM professionals to identify vendors potentially affected by CVE-2021-26086. By providing detailed information on vulnerable assets, such as specific IP addresses and subdomains, Black Kite allows organizations to prioritize assessments and remediation efforts effectively. This targeted approach helps reduce the scope of vendor inquiries, minimizing questionnaire fatigue and streamlining the risk management process.

Critical Ivanti Connect Secure Vulnerabilities

What Are the RCE and Privilege Escalation Vulnerabilities in Ivanti Connect Secure?

After creating our FocusTag™ for Ivanti Connect Secure, specifically for CVE-2024-37404 on October 9, 2024, we mentioned this FocusTag™ in our Focus Friday post on October 11, 2024. This week, Ivanti’s Security Advisory page published an update with 25 CVEs, and 14 of these, selected based on their criticality, are discussed below. You can find the other vulnerabilities here.

The vulnerabilities identified in Ivanti Connect Secure and Policy Secure include a total of 14 critical issues, such as use-after-free (CVE-2024-9420, CVE-2024-47906), stack-based buffer overflow (CVE-2024-47907), argument injection (CVE-2024-38655, CVE-2024-38656, CVE-2024-39710), command injection (CVE-2024-11007, CVE-2024-11006, CVE-2024-11005), and reflected XSS (CVE-2024-11004). These vulnerabilities enable attackers to escalate privileges, execute arbitrary commands, and in some cases, cause denial of service. Specifically:

• CVE-2024-9420: A use-after-free vulnerability in Ivanti Connect Secure versions prior to 22.7R2.3, allowing remote authenticated attackers to achieve remote code execution.
• CVE-2024-47906: Another use-after-free issue that allows local attackers to escalate privileges.
• CVE-2024-47907: A stack-based buffer overflow in the IPsec module of Ivanti Connect Secure, potentially causing a denial of service attack by unauthenticated remote attackers.
• CVE-2024-37400: An out-of-bounds read vulnerability leading to infinite loop and potential denial of service.
• CVE-2024-38655, CVE-2024-38656: Argument injection vulnerabilities that allow remote code execution with admin privileges.
• CVE-2024-39709: Incorrect file permissions, which could allow local attackers to escalate their privileges.
• CVE-2024-39710, CVE-2024-39711, CVE-2024-39712: Argument injection vulnerabilities enabling remote code execution.
• CVE-2024-11007, CVE-2024-11006, CVE-2024-11005: Command injection vulnerabilities allowing admin-level code execution.
• CVE-2024-11004: A reflected XSS vulnerability allowing privilege escalation through user interaction.

While these vulnerabilities are not yet reported to be exploited in the wild, the widespread use of Ivanti products in enterprise environments increases the potential risk. The Ivanti Connect Secure tag was updated on November 14, 2024, to reflect the latest risk assessment.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

These vulnerabilities could enable unauthorized actors to access Ivanti systems, move laterally within a network, access sensitive information, or disrupt critical services. Given Ivanti Connect Secure’s role in VPN and access management, the exploitation of these vulnerabilities could lead to significant security and operational impacts for enterprises.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

• Have you applied the latest patches (e.g., Ivanti Connect Secure 22.7R2.3) to mitigate these vulnerabilities?
• Can you confirm if you have implemented the recommended mitigation steps provided by Ivanti, such as restricting admin access to the management interface, strengthening password policies and MFA protections, and disabling remote access where possible?
• Have you taken measures to monitor network traffic for any unusual activities, specifically in relation to the potential exploitation of the use-after-free, stack-based buffer overflow, argument injection, command injection, and reflected cross-site scripting (XSS) vulnerabilities identified in the Ivanti products?
• What additional precautions are in place to prevent privilege escalation or command injection attacks? Can you confirm if you have addressed the privilege escalation vulnerability (CVE-2024-39709) in Ivanti Connect Secure & Policy Secure by regularly auditing permissions, particularly for admin-level accounts?

Remediation Recommendations for Vendors

To mitigate these risks, vendors should:

• Upgrade to the latest versions—Ivanti Connect Secure 22.7R2.3, and Ivanti Policy Secure 22.7R1.2.
• Enable admin access only on the management interface, ensuring it is isolated from the internet by a firewall or jump-host.
• Implement strong passwords, regular password rotation, credential vaults, and multi-factor authentication (MFA) to further limit exposure.
• Regularly audit permissions, particularly for admin-level accounts, to prevent privilege escalation risks.
• For those unable to apply the update immediately, Ivanti provides mitigation steps, including restricting admin access to the management interface and strengthening password policies and MFA protections.
• Disable remote access where possible, and if remote access is essential, secure it via a VPN.
• Monitor network traffic for any unusual activities.

How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?

Black Kite’s updated FocusTag™ as of November 14, 2024, provides critical insights, including vulnerable IPs and subdomains, enabling TPRM professionals to focus on vendors directly impacted by these vulnerabilities. Black Kite’s detailed approach helps streamline the TPRM process by reducing questionnaire fatigue while enabling proactive risk management.

CVE-2019-16278 Nostromo nhttpd Path Traversal Vulnerability

What is the Nostromo nhttpd Path Traversal and Remote Code Execution Vulnerability?

CVE-2019-16278 is a critical path traversal vulnerability in the Nostromo nhttpd web server, which can enable remote code execution (RCE). Rated with a CVSS score of 9.8 and an EPSS score of 97.46%, this vulnerability exists in the http_verify function of Nostromo nhttpd versions up to 1.9.6. 

Attackers can exploit this flaw by sending a specially crafted HTTP POST request with directory traversal sequences to gain access to restricted directories and invoke commands on the target system. The vulnerability can lead to complete system compromise, allowing unauthorized code execution with root privileges, potentially stealing sensitive data, disrupting services, or deploying additional malicious software.

Discovered in 2019, this vulnerability remains actively exploited. Recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on November 7, 2024, this vulnerability has been observed in real-world attack campaigns.

Why Should TPRM Professionals Care About Nostromo nhttpd Vulnerabilities?

For TPRM professionals, vulnerabilities in the Nostromo nhttpd web server present significant third-party risks due to the severity of potential impacts. An attacker exploiting this vulnerability can execute code with high-level privileges, enabling unauthorized access to critical data, systems, and even broader network infiltration. Organizations relying on third-party vendors using Nostromo nhttpd could face exposure to breaches involving sensitive information, service interruptions, and reputational damage. This vulnerability’s presence in publicly accessible servers magnifies the risk for organizations across various sectors.

What Questions Should TPRM Professionals Ask Vendors About Nostromo nhttpd Vulnerabilities?

To assess risk mitigation, TPRM professionals should ask vendors the following questions:

1. Have you upgraded Nostromo nhttpd to a version beyond 1.9.6 that addresses CVE-2019-16278? If updating Nostromo nhttpd was not feasible, have you restricted access to the web server and used application-layer firewalls to filter malicious HTTP requests as recommended in the advisory?
2. What measures are in place to restrict web server access and monitor HTTP requests for directory traversal patterns?
3. How do you regularly assess server configurations and permissions for vulnerabilities?
4. Are there any incident response procedures for detecting and responding to suspected exploits of this vulnerability?

Remediation Recommendations for Vendors Subject to this Risk

Vendors using Nostromo nhttpd should consider these recommended actions:

• Upgrade to a version of Nostromo nhttpd that addresses CVE-2019-16278 to eliminate the vulnerability.
• If immediate upgrade is not feasible, implement workarounds, such as:
  • Restricting server access to trusted IP ranges.
  • Using application-layer firewalls to block malicious HTTP requests targeting directory traversal sequences.
• Implement continuous monitoring for suspicious activities related to HTTP requests containing directory traversal sequences.
• Regularly review server configurations and access permissions.
• Enable strict access controls and limit remote access to critical services.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite helps TPRM professionals identify vendors affected by CVE-2019-16278 through a comprehensive FocusTag™, released on November 8, 2024. With detailed asset information, including IP addresses and subdomains, Black Kite empowers TPRM professionals to operationalize the risk, enabling early intervention. For TPRM teams, this capability enhances monitoring and response to vendor security issues, adding a valuable layer of defense against potential exploitation.

Enhancing TPRM Strategies With Black Kite’s FocusTags™

In today’s fast-paced cyber threat landscape, staying ahead of vulnerabilities is essential for a robust Third-Party Risk Management (TPRM) approach. Black Kite’s FocusTags™ are designed to provide critical insights that enhance these strategies, transforming complex threat information into actionable intelligence. Here’s how these tags help TPRM professionals respond effectively to vulnerabilities like those recently highlighted in Atlassian Jira, Ivanti Connect Secure and Nostromo nhttpd:

• Real-Time Vulnerability Tracking: Black Kite’s FocusTags™ immediately identify vendors affected by emerging vulnerabilities, enabling TPRM teams to implement responses promptly and accurately.
• Strategic Risk Prioritization: FocusTags™ help prioritize risks by combining vendor criticality with vulnerability severity, allowing organizations to allocate resources to the most pressing risks.
• Enhanced Vendor Communication: By offering vendor-specific insights, FocusTags™ facilitate productive conversations with vendors about their exposure and response to particular vulnerabilities.
• Comprehensive Threat Landscape Overview: Black Kite’s FocusTags™ provide a broad view of the cybersecurity landscape, supporting the development of more resilient defenses against evolving threats.

Through Black Kite’s FocusTags™, TPRM professionals gain an invaluable tool for managing third-party cyber risks in a constantly changing environment, ensuring that vulnerabilities are managed proactively to protect enterprise security.

But having these vulnerability insights is only one step in the process. You need to work with your vendors to remediate these risks effectively and efficiently. For a comprehensive guide on transforming vendor collaboration in times of urgency, check out our latest interactive guide, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. Learn how to streamline communication, prioritize vendor actions, and implement scalable workflows that keep your third-party risk response strong when every second counts.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
• Ivanti Connect Secure: 
• Nostromo nhttpd: CVE-2019-16278, Path Traversal Vulnerability, RCE Vulnerability in Nostromo nhttpd.
• LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability iin LiteSpeed Cache plugin.
• RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
• Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
• XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
• FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
• Grafana: CVE-2024-9264, Remote Code Execution Vulnerability  in Grafana.
• Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
• Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.

References

https://nvd.nist.gov/vuln/detail/cve-2021-26086#range-13344932

https://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html

https://jira.atlassian.com/browse/JRASERVER-72695

https://confluence.atlassian.com/jirakb/workaround-for-cve-2019-15004-979416164.html

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2024-11004

https://nvd.nist.gov/vuln/detail/CVE-2024-9420

https://nvd.nist.gov/vuln/detail/CVE-2024-47906

https://nvd.nist.gov/vuln/detail/CVE-2024-47907

https://nvd.nist.gov/vuln/detail/CVE-2024-37400

https://nvd.nist.gov/vuln/detail/CVE-2024-38655

https://nvd.nist.gov/vuln/detail/CVE-2024-38656

https://nvd.nist.gov/vuln/detail/CVE-2024-39709

https://nvd.nist.gov/vuln/detail/CVE-2024-39710

https://nvd.nist.gov/vuln/detail/CVE-2024-39711

https://nvd.nist.gov/vuln/detail/CVE-2024-39712

https://nvd.nist.gov/vuln/detail/CVE-2024-11007

https://nvd.nist.gov/vuln/detail/CVE-2024-11006

https://nvd.nist.gov/vuln/detail/CVE-2024-11005

https://blackkite.com/blog/focus-friday-insights-into-third-party-risks-in-fortinet-core-products-cisco-rv-routers-and-ivanti-connect-secure-vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2019-16278#range-13412787

https://www.exploit-db.com/exploits/47837

https://www.nazgul.ch/dev/nostromo_man.html

The post Focus Friday: Third-Party Risk Insights Into Atlassian Jira, Ivanti Connect Secure, and Nostromo nhttpd Vulnerabilities With Black Kite’s FocusTags™ appeared first on Black Kite.

Written by: Bob Maley

Imagine your company is evaluated by a potential client, only to discover that the intelligence they rely on is riddled with inaccuracies. That’s exactly what happened to us at Black Kite recently.

We were being evaluated as a vendor by a prospective customer who at the time was using a competing third-party risk management (TPRM) solution. They used that solution to pull a report on Black Kite, but the “intelligence” they shared with us was way off. The report found a lot of assets in our digital footprint that frankly didn’t exist. Because they were adamant they trusted the data, we investigated further. Turns out, those assets were showing up as a result of shadow IT and weren’t really in our environment at all. The fact that their solution failed to provide accurate data while ours did closed the deal.

That’s how important accurate data is in TPRM. You need to know what exactly is happening with your vendors to assess the risk they pose to your business, and you need to be able to share accurate data with your vendors to take action. On many occasions, we’ve seen Black Kite customers share data with their third parties that those third parties wouldn’t have had access to otherwise, down to the asset impacted with step-by-step remediation guidance. This helps vendors address issues faster and more accurately, boosting trust and collaboration.

This is why good data is the key to unlocking vendor engagement for collaborative risk remediation and reduction. It gets their attention because it’s accurate, detailed, and in many cases, completely new to them. 

The More Connected We Are, the More We Need Accurate Data

Companies are more connected than ever, sharing data, processes, tools, and platforms with an expanding network of third parties to operate and grow their businesses. According to one report, 182 vendors connect to the average enterprise’s systems weekly. 

But fast-paced IT growth can lead to increased gaps and vulnerabilities that attackers are looking to exploit. Third-party breaches and other security incidents can significantly harm a company’s ability to maintain operational continuity and safeguard its reputation. So having a third-party risk management program to identify, quantify, prioritize, and mitigate these cybersecurity risks is critical.

However, traditional episodic risk assessments impose a heavy burden on TPRM teams and vendors alike, as they often use manual processes, spending hundreds of hours pulling and analyzing data. It takes most (92% of) companies an average of 31 days to complete a control assessment, while 40% require up to 61 days. Understandably, this dynamic can cause a lot of friction between companies and their vendors. Risk conversations can be challenging and adversarial.

But there’s a better way forward. With the right technology and processes, your company can create a robust, agile risk management program powered by continuous and accurate risk data. 

So, how can your organization leverage accurate data to build these essential relationships?

Use Good Data to Get Your Vendor’s Full Attention

By consistently providing accurate, actionable risk data, companies not only enhance their own security posture but also build trust and cooperation with their vendors, laying the groundwork for a more resilient, collaborative risk management ecosystem.

Here are a few best practices you can adopt to create reliable risk data and share it with partners:

1. Collect comprehensive data:

Engage with a cyber risk intelligence provider to access up-to-date, high-quality risk data, including information about third and fourth+ parties that can be used to make critical business, operational, and security decisions. However, remember that not all risk intelligence vendors are created equal — choose one that offers standards-based ratings to gain a single version of truth.

2. Focus on the right alerts:

When high-profile cyber events occur, it’s crucial to have immediate visibility into which vendors are at risk to notify them to take action. For example, you should know whether they’re affected by a data breach, ransomware, or known exploitable vulnerabilities – as well as the context on how it might affect your business, enabling TPRM teams to separate serious threats from noise. Importantly, this information can be communicated to vendors to guide their response.

3. Create a robust and agile risk assessment program:

Instead of executing episodic assessments that capture static data, you can build a continuous risk assessment program that monitors and improves the company’s risk posture and that of vendors.

4. Dynamically assess the latest risks:

Grade vendors’ cybersecurity postures, identify vulnerabilities, forecast the likelihood of attack patterns such as ransomware impacting them, and calculate the potential financial impact of certain third-party breaches. Then, use these insights to prioritize risks and create a risk response plan.

5. Elevate the ecosystem:

Provide data-backed intelligence on risks to vendors, suppliers, and partners so they can mitigate risks proactively. Build stronger relationships by helping vendors avoid harm to their businesses. Warning a vendor that it’s vulnerable to a ransomware attack can help them make proactive improvements to avoid it, saving them from operational paralysis, customer harm, ransoms, lawsuits, and fines.

6. Work with the best:

Use the data and insights from a risk intelligence provider to rate potential vendors, select the more security-forward partners, and weed out low performers.

Build Trust and Cooperation with Vendors to Improve Engagement

Accurate, reliable risk data is the foundation of effective third-party risk management. It empowers companies to engage their vendors with confidence, enables proactive risk mitigation, and fosters stronger partnerships built on trust and transparency. By leveraging solutions like Black Kite Bridge™, organizations can share precise, actionable intelligence that encourages vendors to take immediate, targeted actions—leading to faster risk reduction and a more secure ecosystem for everyone involved. In fact, early users of Black Kite Bridge™ have experienced more than 200% increase in vendor responses, resulting in considerable reduction in third-party risk.

Looking for step-by-step guidance to elevate your vendor collaboration efforts? Get a before-and-after look at how to transform third-party outreach and collaboration in our interactive ebook Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events (no download required).

The post How Reliable Risk Data Unlocks Vendor Engagement appeared first on Black Kite.

Written by: Jeffrey Wheatman

I recently had the opportunity to speak with a group of cybersecurity and risk leaders at an event where we discussed challenges around managing third-party cyber risk management (TPCRM).The big takeaway: when it comes to managing third-party cyber risk, cyber leaders are feeling spread thin. 

I empathize with the frustration. With the expansion in size and complexity of cyber ecosystems we’ve seen over the last decade, it’s really no surprise. After all, most enterprises must assess risk for anywhere from 1,000 to 10,000+ partners now, often in the same amount of time and without much more budget than they had when they were assessing under 100 vendors.

Top 3 Struggles with Third-Party Risk Management (TPRM)

From my point of view, struggles with third-party risk management (TPRM) come down to these three major challenges:

• Resource strain
• Limited access to reliable data
• Lack of clarity about who owns what, both within the company (Who owns third-party risk management?)

3 Strategies TPRM Leaders Can Use to Alleviate These Challenges

1. Improve With Processes, Not People

Let’s be real. Throwing more people at TPRM problems doesn’t solve them. The key to tackling third-party risk is revising the processes organizations use to evaluate security postures — not just adding more humans to the mix. We covered this in a recent RiskBusters™ episode, where we tackled the myth that you need a larger team to effectively manage third-party risk. 

As organizations grow their cyber ecosystems, it’s become increasingly more difficult for them to effectively manage cyber risk exposure in their supply chains. It might seem intuitive to add more security people when you add more third parties, but here’s the main issue: If you don’t have the right processes in place, then any size team will get stuck spinning its wheels. 

I heard several security leaders mention that they keep adding people, training them, and processing ever more security questionnaires—without moving the needle on decreasing third-party risk. When it comes to TPCRM, more (people) is not always better. It’s about the quality of the TPCRM processes and protocols you follow. You need streamlined standard operating procedures (SOPs) backed by the right technology to reduce noise and ensure quality data hits your desks. 

Ultimately, all TPCRM processes should have one goal: Gaining reliable data to make better risk decisions.

2. Source Data You Can Trust

Decisions are only as good as the data used to make them. But here’s the issue: Security leaders still struggle to find threat and risk data they can trust — and that’s because there’s both too much data and not enough of the right data hitting their desks.

Vendor assessments are a major source of that rapid influx of unnecessary data. Those assessments — aka security questionnaires — can be as long as 500+ questions. However, more questions doesn’t equal less risk. 

Defaulting to asking every vendor hundreds of questions only increases the work your teams have to do to parse through potentially irrelevant, sometimes even inaccurate data. (And it annoys your vendors to no end.) There’s not much value to adding people to a team if they’re spending time doing tasks that don’t increase insight into real risks or decrease their potential impact on the organization.

Instead, organizations must identify what vendors are most critical to their business processes as well as which vulnerabilities could have the greatest potential impact to their business. This greatly narrows down what your team needs to focus on to only the vulnerabilities that are actual risks, and not the giant mountain of risks that probably exist in your cyber ecosystem.

To prioritize vulnerabilities based on their level of risk to the organization, security teams can ask the following questions:

• What’s our exposure if this vendor does experience a breach?
• Does this vendor have access to our sensitive and valuable data?
• How can we keep tabs on new vulnerabilities this vendor might be exposed to?
• What processes can I automate to save time and resources?

When organizations gain clarity on those critical questions, they can better manage third-party cyber risk by sending over specific, relevant questions instead of going total buckshot.

3. Make TPRM A Group Effort

Ownership is another common issue in the TPRM space. At one company, the CISO could own all of TPRM. At another, there could be a dedicated third-party risk person or team — or even a supply chain risk-focused group. There’s no standardized approach today for deciding who owns what tasks, processes, and decisions related to third-party risk.

It’s critical for organizations to identify what works best for them. However, TPRM should always be a group effort. Leadership across the organization should understand how third-party risk is managed and why it’s so important. 

Why? Cyber risks often have a cascading and outsized impact. For example, a hacked vulnerability in Kaseya’s VSA software led to a massive ransomware attack affecting up to 1,500 companies worldwide and disrupting operations for days. While CISOs and Chief Risk Officers have a responsibility to captain the ship when it comes to TPRM, it’s also critical that organizations start with a strong cultural foundation that emphasizes the importance of security.

Additionally, organizations need tools that enable clarity, communication, and collaboration. These tools should help:

• Prioritize vendors based on potential business impact and Cyber Risk Quantification (CRQ)
• Collect and surface relevant data on attacks, threats, and vulnerabilities
• Use AI to parse important security documents and map data to appropriate compliance and security frameworks
• Connect to your vendors’ security teams to share risk intelligence and collaboratively remediate it

When TPRM teams have a platform to manage those critical tasks, they can work together to mitigate risk more effectively.

The Black Kite Difference

At Black Kite, we built our platform from the ground up to address these growing challenges in the TPRM space.

Automated Processes

We leverage automated parsing technology that can sift through extensive security resources (like questionnaires) and identify what’s important vs. what’s irrelevant. That way, your teams can get the data they need to identify risks with greater speed, efficiency, and accuracy.

We also created Black Kite Bridge™ to streamline vendor communications, making it easier for organizations and their third parties to connect, share information, and strategize together after a high-profile cyber event. Simply invite vendors to our portal, where you can direct their attention to your most pressing concerns, share actionable asset-level vulnerability intelligence, and provide real-time ratings updates to simplify vendor engagement.

You’ll maximize time and value without adding unnecessary overhead.

Trustworthy Data

We know trustworthy data starts with trustworthy sources. Our platform aggregates hundreds of data streams from open-source intelligence (OSINT) across the web, including hacker forums, social networks, and leaked database dumps.

By providing consistently trustworthy data, we give our clients the risk intelligence they need to make smart choices. That reduces false positives and bolsters third-party risk management. 

H3: Reliable Cyber Risk Quantification

Our data is always reliable — which means CISOs can trust that we have the viable cyber risk quantification (CRQ) they need to collaborate with business leaders on TPRM strategies and responses. 

We vet the data we collect against reputable standards, including:

• MITRE ATT&CK frameworks
• Open FAIR™
• MITRE CTSA

That’s how we map out CRQ. No magic tricks. No black boxes. Just facts. Industry analyst firm Forrester even highlighted our dedication to ratings integrity with the following assessment:

“[Black Kite is] the only vendor in this evaluation whose customers were unanimously satisfied with its rating accuracy.”
Plus, we distinctly map out cyber risk in financial terms. By putting an actual dollar value to risk, CISOs can better collaborate with business leaders and illustrate the practical impact of risk. That leads to better communication, better decisions, and better results.

It’s About Quality, Not Quantity

More isn’t always better. Quantity (i.e., adding more people or questionnaires) won’t make third-party cyber risk easier to handle. Quality processes, with purpose-built tools and accurate data, will.

We built Black Kite with exactly that purpose in mind. Our features help streamline processes with automation, deliver reliable data, and enable collaboration. Your teams will be empowered to make confident and informed risk decisions no matter the challenge—and finally feel like they’re doing TPCRM right.

Don’t just take my word for it. See Black Kite in action. Get a free cyber assessment. 

The post Why TPCRM Teams Feel Spread Thin and 3 Coverage Strategies appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s edition of FOCUS FRIDAY, where we delve into high-profile cybersecurity incidents from a Third-Party Risk Management (TPRM) perspective. In this installment, we examine critical vulnerabilities affecting widely-used products such as LiteSpeed Cache, RICOH Web Image Monitor, Squid Proxy, and Xlight FTP. By leveraging Black Kite’s proprietary FocusTags™, we provide actionable insights and strategic recommendations to help organizations effectively manage and mitigate the risks associated with these vulnerabilities. Join us as we explore the details of each incident and outline best practices for enhancing your TPRM strategies.

CVE-2024-50550: LiteSpeed Cache Privilege Escalation Vulnerability

What is the LiteSpeed Cache Privilege Escalation Vulnerability (CVE-2024-50550)?

CVE-2024-50550 is a high-severity privilege escalation vulnerability identified in the LiteSpeed Cache plugin for WordPress. With a CVSS score of 8.1, this vulnerability allows unauthorized users to gain administrator-level access to affected WordPress sites. Discovered and published on November 1, 2024, the flaw resides in the is_role_simulation() function within the plugin’s Crawler feature. By exploiting inadequate hashing mechanisms, attackers can bypass security checks, enabling them to upload and activate malicious plugins, potentially leading to full site takeover. POC exploit code is not available and the vulnerability has not yet been added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerabilities can be exploited by threat actors. Once an attacker circumvents the hash check, they could gain full control over the site, leading to the installation of malware, data theft, and even disruptions to website operations.

Why Should TPRM Professionals Care About CVE-2024-50550?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-50550 poses significant risks to organizations relying on WordPress sites that utilize the LiteSpeed Cache plugin. A successful exploitation can compromise site integrity, leading to unauthorized data access, malware distribution, and operational disruptions. Given the plugin’s widespread use—over six million active installations—TPRM professionals must assess the potential impact on their vendor ecosystems to prevent cascading security breaches.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-50550?

To effectively evaluate the risk associated with CVE-2024-50550, TPRM professionals should engage vendors with the following targeted questions:

1. Have you updated all instances of LiteSpeed Cache to version 6.5.2 or later to mitigate the risk of CVE-2024-50550?
2. Can you confirm if you have deactivated the Crawler feature in LiteSpeed Cache to limit potential exploit vectors related to the privilege escalation vulnerability?
3. Are you regularly monitoring server logs and website activity, specifically for unusual behavior around plugin installation and activation, to detect potential exploitation of the CVE-2024-50550 vulnerability?
4. Have you enabled virtual patching through security platforms like Patchstack until the LiteSpeed Cache plugin is updated to address the CVE-2024-50550 vulnerability?

Remediation Recommendations for Vendors Subject to CVE-2024-50550

Vendors should adopt the following remediation strategies to address CVE-2024-50550 effectively:

• Upgrade the LiteSpeed Cache Plugin: Immediately update to LiteSpeed Cache version 6.5.2 or newer to patch the identified vulnerability.
• Implement Virtual Patching: Utilize security platforms like Patchstack to apply virtual patches until the plugin update is completed.
• Restrict Access: Limit access to site settings and other sensitive areas to minimize potential exploitation vectors.
• Monitor Activity: Regularly review server logs and website activities for any signs of unusual behavior, particularly related to plugin installations and activations.
• Optimize Plugin Usage: Ensure that only essential plugins are active and disable the Crawler feature if it is not required for your operations.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-50550

Black Kite’s FocusTag™ for CVE-2024-50550 was published on November 1, 2024, providing TPRM professionals with precise intelligence to identify vendors at risk. By utilizing Black Kite’s platform, organizations can efficiently filter and focus on vendors that specifically use the vulnerable LiteSpeed Cache plugin, thereby streamlining their risk assessment processes. Additionally, Black Kite offers detailed asset information, including affected IP addresses and subdomains, enabling targeted remediation efforts and reducing the overhead associated with broad-based vendor questionnaires.

CVE-2024-47939: RICOH Web Image Monitor Buffer Overflow Vulnerability

What is the RICOH Web Image Monitor Buffer Overflow Vulnerability (CVE-2024-47939)?

CVE-2024-47939 is a critical stack-based buffer overflow vulnerability identified in Ricoh’s Web Image Monitor, a component utilized in numerous Ricoh laser printers and Multi-Function Printers (MFPs). With a CVSS score of 9.8 and an EPSS score of 0.05%, this vulnerability allows attackers to execute arbitrary code remotely or cause a denial of service (DoS) by sending specially crafted HTTP requests to affected devices. Discovered and published on November 4, 2024, the flaw arises from improper handling of HTTP requests within the Web Image Monitor, enabling malicious actors to manipulate device settings, install malware, or disrupt printing services. Currently, there is no PoC exploit available, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. However, the potential for exploitation remains high given the nature of the vulnerability.

Affected Products: Ricoh’s security advisory lists specific MFP and printer models. MP 501SPF, MP 601SPF, IM 550F, IM 600F, IM 600SRF, SP 5300DN, SP 5310DN, P 800, P 801, IM 2702, MP C8003, MP C6503, IM C6500, IM C8000, IM 350F, IM 350, IM 430F, IM 430Fb, P 501, P 502, IM 2500, IM 3000, IM 3500, IM 4000, IM 5000, IM 6000, MP 2555, MP 3055, MP 3555, MP 4055, MP 5055, MP 6055, SP 8400DN, SP 6430DN, IM C530F, IM C530FB, MP 402SPF, IM C400F, IM C400SRF, IM C300F, IM C300, P C600, Aficio MP 2001, Aficio MP 2501, MP 6503, MP 7503, MP 9003, IM 7000, IM 8000, IM 9000, MP C3003, MP C3503, MP C4503, MP C5503, MP C6003, MP C2003, MP C2503, MP C3004ex, MP C3504ex, MP C2004ex, MP C2504ex, MP C4504ex, MP C5504ex, MP C6004ex, MP C3004, MP C3504, MP C2004, MP C2504, MP C4504, MP C5504, MP C6004, IM C3000, IM C3500, IM C2000, IM C2500, IM C4500, IM C5500, IM C6000, SP C842DN, SP C340DN, SP C342DN, MP C501SP, IM CW2200, IP CW2200, Aficio MP 301, SP C360SNw, SP C360SFNw, SP C361SFNw, SP C352DN, SP C360DNw, SP C435DN, SP C440DN, MP C3003, MP C3503, MP C4503, MP C5503, MP C6003, MP C2003, MP C2503, MP C6502, MP 2554, MP 3054, MP 3554, MP 4054, MP 5054, MP 6054, MP C306, MP C406, Pro 8300S, Pro 8310S, Pro 8320S, Pro 8310, Pro 8320, Pro C5200S, Pro C5210S, Pro C5300S, Pro C5310S, Pro C5300SL, Pro C7200S, Pro C7210S, Pro C7200SX, Pro C7210SX, Pro C7200SL, Pro C7200, Pro C7210, Pro C7200X, Pro C7210X, Pro C7200e, Pro C9100, Pro 9110, Pro C7100S, Pro C7110S, Pro C7100SX, Pro C7110SX, Pro C7100, Pro C7110, Pro C7100X, Pro C7110X, Pro C9200, Pro C9210.

Why Should TPRM Professionals Care About CVE-2024-47939?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-47939 poses significant threats to organizations that rely on Ricoh printers and MFPs within their operational infrastructure. Exploitation of this vulnerability can lead to unauthorized access to sensitive documents, disruption of essential printing services, and potential pivot points for broader network compromises. Given the extensive range of affected Ricoh devices, organizations must assess the impact on their vendor ecosystems to mitigate risks associated with data breaches, operational downtime, and compromised network integrity.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-47939?

To effectively evaluate the risk associated with CVE-2024-47939, TPRM professionals should engage vendors with the following targeted questions:

1. Have you updated the firmware for all affected Ricoh printers and MFPs as advised by Ricoh to mitigate the vulnerability of CVE-2024-47939?
2. Have you implemented strong network segmentation and isolated printing devices from other critical network segments to reduce the impact of a potential compromise due to CVE-2024-47939?
3. Are you monitoring network traffic to identify any unusual behavior from Ricoh devices that could indicate an exploitation of the buffer overflow vulnerability CVE-2024-47939?
4. Have you configured firewall rules to block unauthorized IPs from accessing the device and limited access to the Web Image Monitor to trusted networks only to prevent potential exploitation of CVE-2024-47939?

Remediation Recommendations for Vendors Subject to CVE-2024-47939

Vendors should adopt the following remediation strategies to effectively address CVE-2024-47939:

• Update the firmware for all affected Ricoh printers and MFPs as advised by Ricoh to mitigate the vulnerability.
• Limit access to the Web Image Monitor to trusted networks only. Configure firewall rules to block unauthorized IPs from accessing the device.
• Monitor network traffic to identify any unusual behavior from Ricoh devices. Enable logging features where possible to track access and detect potential intrusions.
• Implement Strong Network Segmentation. Isolate printing devices from other critical network segments to reduce the impact of a potential compromise.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-47939

Black Kite’s FocusTag™ for CVE-2024-47939 was published on November 4, 2024, equipping TPRM professionals with actionable intelligence to identify and assess vendors utilizing vulnerable Ricoh printers and MFPs. By leveraging Black Kite’s platform, organizations can precisely filter and target vendors that operate affected Ricoh devices, thereby streamlining their risk assessment and mitigation processes. Additionally, Black Kite provides detailed asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and minimizing the resources spent on broad-based vendor evaluations.

CVE-2024-45802: Squid Proxy DoS Vulnerability

What is the Squid Proxy Denial-of-Service Vulnerability (CVE-2024-45802)?

CVE-2024-45802 is a high-severity Denial-of-Service (DoS) vulnerability identified in the Squid caching proxy server when the Edge Side Includes (ESI) feature is enabled. With a CVSS score of 7.5 and an EPSS score of 0.12%, this vulnerability allows trusted servers to disrupt services by exploiting flaws in input validation, premature release of resources, and missing release of resources. Disclosed on October 30, 2024, the vulnerability affects Squid versions 3.0 through 6.9 configured with ESI, as well as Squid 6.10 and newer if ESI is manually re-enabled. There is currently no proof-of-concept (PoC) exploit available, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Additionally, there are no indications of active exploitation campaigns or specific threat actors targeting this vulnerability.

Why Should TPRM Professionals Care About CVE-2024-45802?

From a Third-Party Risk Management (TPRM) standpoint, CVE-2024-45802 poses substantial risks to organizations that utilize Squid Proxy servers within their infrastructure. Exploitation of this vulnerability can lead to significant service disruptions, affecting all clients reliant on the Squid proxy. In environments where Squid is deployed as a reverse proxy, such disruptions can impede critical business operations, compromise the availability of web services, and potentially serve as a pivot point for further network attacks. Given the widespread use of Squid in various network architectures, TPRM professionals must evaluate the potential impact on their vendor networks to ensure continuity and maintain robust security postures.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-45802?

To thoroughly assess the risk associated with CVE-2024-45802, TPRM professionals should pose the following specific inquiries to their vendors:

1. Can you confirm if you have updated all instances of Squid Proxy Server to version 6.10 or later, ensuring that the Edge Side Includes (ESI) feature is disabled by default, to mitigate the risk of CVE-2024-45802?
2. Have you run the command ‘squid -v’ to verify the build parameters and confirm that ESI is disabled in your Squid Proxy Server configuration? If ‘–enable-esi’ appears, have you rebuilt Squid with ‘–disable-esi’?
3. Have you restricted proxy server access to trusted networks only to reduce exposure to potential exploitation sources, as recommended in the advisory for CVE-2024-45802?
4. Are you monitoring network traffic for unusual or sustained requests, which may indicate attempted exploitation of the DoS vulnerability in Squid Proxy Server?

Remediation Recommendations for Vendors Subject to CVE-2024-45802

Vendors should implement the following remediation measures to effectively mitigate the risks posed by CVE-2024-45802:

• Upgrade Squid Proxy: Immediately update all Squid Proxy servers to version 6.10 or newer, ensuring that the ESI feature is disabled by default to eliminate the vulnerability.
• Verify Configuration: Execute squid -v to confirm that the –disable-esi flag is present in your Squid Proxy build parameters. If the –enable-esi option is enabled, rebuild Squid with the –disable-esi configuration.
• Implement Network Monitoring: Continuously monitor network traffic for any unusual or sustained request patterns that may suggest attempts to exploit the DoS vulnerability.
• Restrict Access: Limit access to Squid Proxy servers by configuring firewall rules to allow connections only from trusted networks and authorized IP addresses.
• Temporary Mitigation: For environments where immediate upgrading is not feasible, rebuild Squid Proxy with the –disable-esi flag as a temporary measure to prevent exploitation.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-45802

Black Kite’s FocusTag™ for CVE-2024-45802 was published on October 30, 2024, providing TPRM professionals with precise intelligence to identify vendors utilizing vulnerable Squid Proxy servers. By leveraging Black Kite’s platform, organizations can efficiently filter and concentrate on vendors that operate affected Squid Proxy versions, streamlining their risk assessment and mitigation processes. Additionally, Black Kite offers detailed asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and reducing the resources required for broad-based vendor evaluations.

CVE-2024-46483: Xlight FTP Critical Vulnerability

What is the Xlight FTP Remote Code Execution Vulnerability (CVE-2024-46483)?

CVE-2024-46483 is a critical heap overflow vulnerability identified in Xlight SFTP Server, a widely-used FTP and SFTP solution for Windows. With a CVSS score of 9.8, this vulnerability allows unauthenticated attackers to execute remote code or initiate denial-of-service (DoS) attacks. Disclosed on October 31, 2024, the flaw originates from inadequate validation in the SFTP protocol’s packet parsing, specifically in handling client-sent strings. By manipulating a four-byte string length prefix, attackers can craft malicious packets that trigger out-of-bounds memory operations, potentially leading to complete system compromise. While PoC exploit code is publicly available on GitHub, the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and there are no current reports of active exploitation by threat actors.

Why Should TPRM Professionals Care About CVE-2024-46483?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-46483 poses significant threats to organizations utilizing Xlight SFTP Server for secure file transfers. Exploitation of this vulnerability can result in unauthorized system access, allowing attackers to execute arbitrary commands, install malware, or disrupt critical services through DoS attacks. Given the widespread deployment of Xlight SFTP Server in various industries, including finance, healthcare, and technology, the potential impact on vendor ecosystems is substantial. TPRM professionals must assess the presence of vulnerable Xlight instances within their supply chains to prevent cascading security breaches and ensure the integrity of sensitive data exchanges.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-46483?

To effectively evaluate the risk associated with CVE-2024-46483, TPRM professionals should engage vendors with the following targeted questions:

1. Have you updated all instances of Xlight SFTP Server to the latest version that patches CVE-2024-46483, specifically versions 3.9.4.2 and earlier?
2. Can you confirm if you have implemented firewall rules to restrict access to the SFTP server and are actively monitoring for unexpected traffic as recommended?
3. Are you limiting network access to the SFTP server to trusted IPs only as a measure to mitigate the risk of CVE-2024-46483?
4. Given the public availability of PoC exploit code for CVE-2024-46483 on GitHub, what specific measures have you taken to monitor and detect potential exploitation attempts on your Xlight SFTP Server?

Remediation Recommendations for Vendors Subject to CVE-2024-46483

Vendors should implement the following remediation measures to effectively mitigate the risks posed by CVE-2024-46483:

• Update Xlight SFTP Server: Immediately upgrade to the latest version of Xlight SFTP Server, which patches CVE-2024-46483, to eliminate the vulnerability.
• Restrict Network Access: Limit access to the SFTP server by configuring firewall rules to allow connections only from trusted IP addresses, thereby reducing exposure to potential attackers.
• Monitor Network Traffic: Continuously monitor network traffic for any abnormal patterns or sustained requests that may indicate attempted exploitation of the vulnerability.
• Implement Strong Authentication: Enhance security by enforcing robust authentication mechanisms, such as multi-factor authentication (MFA), to prevent unauthorized access.
• Regular Security Audits: Conduct regular security assessments and vulnerability scans to ensure that all systems are up-to-date and free from exploitable vulnerabilities.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-46483

Black Kite’s FocusTag™ for CVE-2024-46483 was published on October 31, 2024, providing TPRM professionals with actionable intelligence to identify vendors utilizing vulnerable Xlight SFTP Server instances. By leveraging Black Kite’s platform, organizations can efficiently filter and target vendors that operate affected Xlight versions, streamlining their risk assessment and mitigation processes. Additionally, Black Kite offers comprehensive asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and minimizing the resources required for broad-based vendor evaluations.

Elevating TPRM Strategies with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are instrumental in enhancing Third-Party Risk Management (TPRM) approaches, particularly when addressing vulnerabilities in widely-deployed systems like LiteSpeed Cache, RICOH Web Image Monitor, Squid Proxy, and Xlight FTP. These tags provide:

• Real-Time Vulnerability Tracking: Instantly identifying vendors affected by the latest vulnerabilities enables rapid and strategic responses.
• Risk Prioritization: By evaluating both the criticality of vendors and the severity of vulnerabilities, FocusTags™ assists in allocating resources more effectively.
• Informed Vendor Engagement: Facilitate targeted discussions with vendors, focusing on their specific security postures in relation to the identified vulnerabilities.
• Comprehensive Security Overview: With a broad view of the threat landscape, these tags aid in enhancing overall cybersecurity strategies.

Black Kite’s FocusTags™, tailored to the complexities of vulnerabilities in diverse systems, offer a streamlined, intelligent approach to TPRM. By converting intricate cyber threat data into actionable intelligence, these tags are critical for managing risks efficiently and proactively in an environment where cyber threats are constantly evolving.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability iin LiteSpeed Cache plugin.
• RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
• Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
• XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
• FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
• Grafana: CVE-2024-9264, Remote Code Execution Vulnerability  in Grafana.
• Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
• Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-50550

https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-1-privilege-escalation-vulnerability?_s_id=cve

https://securityonline.info/over-6-million-sites-at-risk-severe-privilege-escalation-flaw-cve-2024-50550-in-litespeed-cache-plugin

https://nvd.nist.gov/vuln/detail/CVE-2024-47939

https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000011

https://nvd.nist.gov/vuln/detail/CVE-2024-45802

https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj

https://nvd.nist.gov/vuln/detail/CVE-2024-46483

https://github.com/kn32/cve-2024-46483

https://www.xlightftpd.com/whatsnew.htm

The post FOCUS FRIDAY: TPRM INSIGHTS ON LITESPEED CACHE, RICOH WEB IMAGE MONITOR, SQUID PROXY, AND XLIGHT FTP VULNERABILITIES WITH BLACK KITE’S FOCUSTAGS™ appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s edition of Focus Friday, where we explore high-profile cybersecurity incidents and vulnerabilities through the lens of Third-Party Risk Management (TPRM). In today’s rapidly evolving threat landscape, critical vulnerabilities pose a significant risk to organizations relying on third-party software and services. This week, we dive into several crucial vulnerabilities, including those affecting Exchange Server, FortiManager, Grafana, Roundcube Webmail, and Cisco FMC each with potentially severe impacts on businesses. By leveraging Black Kite’s FocusTags™, TPRM professionals can gain key insights and stay ahead of these evolving threats.

Critical Microsoft Exchange Server RCE Vulnerabilities

What are the Microsoft Exchange Server RCE Vulnerabilities?

The vulnerabilities impacting Microsoft Exchange Server, particularly CVE-2021-26855, are critical Remote Code Execution (RCE) issues. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests and execute code on the target Exchange Server. Other vulnerabilities like CVE-2021-27065, CVE-2021-26858, and CVE-2021-26857 enable the attacker to install malicious programs and exfiltrate data. These vulnerabilities have a high EPSS score, with CVE-2021-26855 scoring 97.5%, indicating a significant likelihood of exploitation in the wild.

First discovered in early 2021, these vulnerabilities were rapidly exploited by various threat actors, including the Chinese-based group Salt Typhoon, targeting critical infrastructure. Exploits have allowed attackers to plant backdoors, steal sensitive data, and compromise systems. Microsoft and several security agencies, including CISA, have released advisories and urged immediate patching. CVE-2021-34473 and CVE-2021-31196 were added to CISA’s KEV catalog on August 21, 2024. 

The vulnerability was reported in the Wall Street Journal (WSJ) on October 11, 2024, and the details were later shared on the Chertoff Group website on October 18, 2024. Among the four CVEs we discussed (CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857), we included these in the FocusTag scope, which was tagged earlier this week by Black Kite’s Research & Intelligence Team (BRITE). Clients tagged under this FocusTag, who had previously taken precautions against CVE-2021-31196 and CVE-2021-34473, were protected from these four vulnerabilities as well. In addition to the above-mentioned group of four CVEs that were discussed in recent blogs, it is crucial for security personnel in organizations to remain vigilant regarding CVE-2021-31196 and CVE-2021-34473. We had previously mentioned CVE-2021-31196 and CVE-2021-34473 vulnerabilities in our August 23, 2024 Focus Friday post.

Why Should TPRM Professionals Be Concerned?

From a third-party risk management perspective, these vulnerabilities pose significant risks to organizations that rely on Microsoft Exchange Server for communication and operational functions. A successful attack on Exchange Servers can lead to full system compromise, allowing attackers to access sensitive emails, contacts, and other communications. Additionally, the compromised server can be leveraged for further attacks, potentially spreading malware or stealing additional data from third-party vendors. Given the widespread use of Exchange Servers in enterprise environments, the ripple effects of such a breach can be substantial, especially when considering the possibility of fraudulent emails being sent from compromised accounts.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

1. Have you applied the latest security updates to all affected versions of Exchange Server (2019 CU1 to CU8, 2016 CU8 to CU19, 2013 CU22, CU23, SP1, and 2010 SP3) to mitigate the risk of CVE-2021-31196, CVE-2021-34473, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, and CVE-2021-26857?
2. 2. Can you confirm if you have implemented strong security practices, including limiting access to the server, enabling multi-factor authentication, and regularly auditing access logs, to prevent potential exploitation of the Remote Code Execution (RCE) vulnerabilities in Microsoft Exchange Server?
3. 3. Are you actively monitoring network traffic to and from Exchange Server for any unusual activity that may indicate exploitation attempts related to CVE-2021-31196, CVE-2021-34473, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, and CVE-2021-26857?
4. 4. Given the critical nature of Exchange Server, have you undertaken proactive threat hunting to identify potential indicators of compromise related to the aforementioned CVEs?

Remediation Recommendations for Vendors

• Apply the Latest Security Updates. Microsoft has released security updates to address this vulnerability. Ensure that all affected Exchange Server installations are updated to the latest cumulative updates as listed above.
• Organizations are advised to prioritize patch management, strengthen authentication measures, and collaborate with ISPs to mitigate these evolving risks.
• Implement Strong Security Practices. Ensure that Exchange Server is properly configured with strong security settings, including limiting access to the server, enabling multi-factor authentication, and regularly auditing access logs.
• Consider Proactive Threat Hunting. Given the critical nature of Exchange Server, proactive threat hunting to identify potential indicators of compromise may be warranted.
• Monitor Network Traffic. Regularly monitor network traffic to and from Exchange Server for any unusual activity that may indicate exploitation attempts.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite provides a streamlined approach for identifying vendors at risk of these vulnerabilities. The Exchange Server RCE FocusTag enables TPRM professionals to pinpoint vendors who have vulnerable Microsoft Exchange Servers in their environment. Black Kite helps operationalize this information by providing detailed asset intelligence, including IP addresses and subdomains, linked to the vendors. With this level of insight, TPRM teams can prioritize outreach and remediation efforts, ensuring that only vendors with exposure to these vulnerabilities are addressed. Black Kite first published this tag in August 2024 and most recently updated it on October 23, 2024, with new threat intelligence related to Chinese state-sponsored threat actors.

FortiManager: CVE-2024-47575 Missing Authentication Vulnerability

What is the FortiManager CVE-2024-47575 Vulnerability?

CVE-2024-47575 is a critical missing authentication vulnerability that affects FortiManager, a system used to manage Fortinet’s network security devices. This vulnerability, assigned a CVSS score of 9.8 and an EPSS score of 0.04%, was first identified in the wild on June 27, 2024. It allows unauthenticated attackers to execute arbitrary code or commands by exploiting the FortiManager fgfmd daemon via specially crafted requests. Both on-premise and cloud versions of FortiManager are impacted, making this vulnerability a significant threat. On October 23, 2024, this vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability is actively exploited by the UNC5820 threat group, which has used it to steal configuration files, IP addresses, and credentials from FortiGate devices managed by FortiManager systems. This flaw poses a severe risk to organizations using FortiManager as it allows attackers to automate the exfiltration of sensitive information and potentially compromise their entire security infrastructure.

Why Should TPRM Professionals Be Concerned About the FortiManager Vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned because FortiManager is a critical tool for managing and securing network infrastructure. If compromised, attackers can gain access to sensitive configuration files and credentials for FortiGate devices, potentially leading to wider network breaches and unauthorized control of key network devices. The exposure of configuration details can lead to attackers disabling security defenses or manipulating device settings to bypass security measures. Additionally, the exploitation of this vulnerability could facilitate future attacks by providing attackers with the necessary information to escalate privileges or conduct lateral movements within the network.

As FortiManager is widely used by organizations to manage network security, the impact of this vulnerability could be devastating, particularly if sensitive information is exfiltrated and used to compromise other critical systems.

What Questions Should TPRM Professionals Ask Vendors About the FortiManager Vulnerability?

When assessing vendor exposure to CVE-2024-47575, TPRM professionals should ask:

1. Has the vendor applied the latest firmware updates that address CVE-2024-47575?
2. Are unregistered devices being blocked from connecting to the FortiManager system using the fgfm-deny-unknown configuration?
3. Have all FortiGate device credentials been updated following the discovery of this vulnerability?
4. Is the vendor actively monitoring FortiManager event logs for any suspicious activities, especially from unregistered devices like “localhost”?

Remediation Recommendations for Vendors subject to this risk

To mitigate the risks associated with CVE-2024-47575, vendors should:

• Apply firmware updates immediately. Ensure all FortiManager installations are updated to the latest secure versions (7.6.1, 7.4.5, 7.2.8, 7.0.13, 6.4.15, or above).
• Restrict device registrations by enabling fgfm-deny-unknown, which prevents unregistered devices from attempting to connect to FortiManager.
• Implement IP restrictions to limit access only to trusted FortiGate devices through the config system local-in-policy.
• Review FortiManager logs regularly for indicators of compromise (IoCs), including connections from unregistered devices or malicious IP addresses.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite published the FocusTag™ on October 23, 2024, identifying CVE-2024-47575 as a significant threat due to its active exploitation in the wild. TPRM professionals can operationalize this tag by using Black Kite’s insights to determine which of their vendors may be exposed to this vulnerability. Black Kite provides asset information such as IP addresses and subdomains that may be at risk, allowing organizations to pinpoint which vendors may need to implement remediation steps. This vulnerability was last updated in the tag with information about ongoing threat activity by the UNC5820 group, ensuring TPRM professionals stay informed as new details emerge.

CVE-2024-9264 and Grafana RCE Vulnerability

What is the Grafana RCE Vulnerability?

CVE-2024-9264 is a critical Remote Code Execution (RCE) vulnerability affecting Grafana, a popular open-source platform used for monitoring and observability. This vulnerability has a CVSS score of 9.9, making it extremely severe, indicating lower immediate exploitation potential. First disclosed in October 2024, this vulnerability is linked to an experimental feature, SQL Expressions, which was enabled by default due to improper implementation of feature flags. Attackers can inject system commands through improperly sanitized SQL queries, which could lead to full system compromise if exploited successfully.

While the vulnerability has not yet been observed in widespread exploitation, the presence of the PoC raises concerns about the likelihood of future attacks. The exploitation depends on whether the DuckDB binary is present on the Grafana server. If DuckDB is manually installed, attackers could read sensitive files like “/etc/passwd” or retrieve environment variables, making the impact devastating. As of now, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned?

From a TPRM perspective, CVE-2024-9264 presents serious risks to organizations using Grafana. Since Grafana is commonly deployed to monitor critical infrastructure, any compromise could lead to the exposure of sensitive data, such as operational logs or system configurations. Moreover, if an attacker gains control of the Grafana instance, they can potentially pivot to other parts of the network, launching further attacks. Given that any user with Viewer permissions can exploit this vulnerability, organizations using Grafana may unknowingly expose themselves to insider threats or unauthorized access by users with minimal privileges.

What Questions Should TPRM Professionals Ask Vendors About the Grafana RCE Vulnerability?

1. Have you upgraded your Grafana instances to one of the patched versions (v11.0.5+security-01, v11.1.6+security-01, v11.2.1+security-01, v11.0.6+security-01, v11.1.7+security-01, v11.2.2+security-01) to mitigate the risk of CVE-2024-9264?
2. Can you confirm if the DuckDB binary has been removed from the system’s PATH or uninstalled entirely to prevent exploitation of the CVE-2024-9264 vulnerability?
3. Have you implemented measures to regularly review system logs for suspicious activity, specifically related to potential exploitation of the SQL Expressions feature in Grafana?
4. Can you confirm if you have implemented proper access controls for users with Viewer permissions or higher to prevent unauthorized exploitation of the SQL Expressions feature in Grafana?

Remediation Recommendations for Vendors

• Immediately upgrade Grafana to a patched version, such as v11.0.5+security-01, v11.1.6+security-01, or the latest v11.2.2+security-01, to prevent exploitation.
• If a patch cannot be applied right away, remove or uninstall the DuckDB binary from the system to mitigate the risk.
• Regularly audit system logs and monitor access control for any unusual activity involving Grafana users with Viewer permissions or higher.
• Follow Grafana Labs’ security announcements for any additional updates or mitigations related to this vulnerability.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite helps TPRM professionals determine which vendors are vulnerable to this critical Grafana RCE vulnerability. The FocusTag™ for Grafana enables users to identify vendors who are potentially exposed by flagging related assets, including IP addresses and subdomains. With this actionable intelligence, TPRM teams can prioritize communications with affected vendors, ensuring timely remediation efforts. This tag was published by Black Kite in October 18, 2024, and ongoing updates are provided as new information becomes available.

CVE-2024-37383 and Roundcube Webmail XSS Vulnerability

What is the Roundcube Webmail XSS Vulnerability?

CVE-2024-37383 is a medium-severity Cross-Site Scripting (XSS) vulnerability impacting Roundcube Webmail. This vulnerability, with a CVSS score of 6.1 and an EPSS score of 0.05%, allows attackers to inject and execute arbitrary JavaScript code within the victim’s web browser. Discovered in October 2024, the flaw was exploited by unknown threat actors to steal user credentials by embedding malicious SVG animate attributes in emails. Once the victim opened the email, the embedded script exfiltrated login credentials to an external server. It’s currently not clear who is behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70. After we tagged it, it was published in CISA’s Known Exploited Vulnerabilities (KEV) catalog on October 24, 2024.

Why Should TPRM Professionals Be Concerned?

From a TPRM perspective, this XSS vulnerability in Roundcube Webmail poses a significant risk to organizations that rely on this platform for email services. Exploitation of this vulnerability can lead to credential theft, allowing attackers to gain unauthorized access to sensitive accounts, potentially compromising email communications and exposing confidential information. Furthermore, the ability to execute malicious code via emails makes it a potent vector for phishing attacks, putting both vendors and their partners at risk. Email remains a critical component of most business operations, and any breach in this system can have far-reaching consequences, including reputational damage and regulatory scrutiny.

What Questions Should TPRM Professionals Ask Vendors About the Roundcube Webmail XSS Vulnerability?

1. Have you updated your Roundcube Webmail instances to the patched versions (1.5.7 or 1.6.7) that address CVE-2024-37383?
2. What measures have you implemented to detect and mitigate phishing attacks targeting email clients like Roundcube?
3. Can you confirm if you have implemented email filtering tools to block malicious attachments and scripts within emails as recommended in the advisory?
4. Have you enabled multi-factor authentication (MFA) on all critical systems to mitigate credential theft risks associated with this vulnerability?
5. Have you reviewed your email logs for any suspicious login activities or interactions with known malicious domains, such as ‘libcdn[.]org’?

Remediation Recommendations for Vendors

• Upgrade Roundcube Webmail to versions 1.5.7 or 1.6.7 to patch the XSS vulnerability and mitigate the risk of credential theft.
• Educate employees on how to identify and avoid phishing emails, with an emphasis on recognizing suspicious attachments or links.
• Implement multi-factor authentication (MFA) across all critical systems to reduce the likelihood of unauthorized access through stolen credentials.
• Conduct a thorough audit of Roundcube logs for any indicators of compromise (IoCs) related to this vulnerability or phishing attacks.
• Use email filtering tools to block potentially malicious content, such as scripts or SVG files, embedded within emails.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite’s FocusTag™ for Roundcube Webmail enables TPRM professionals to identify vendors using vulnerable versions of Roundcube. By providing detailed asset information, including IP addresses and subdomains associated with vendors, Black Kite allows TPRM teams to target remediation efforts where they are most needed. This FocusTag was published on October 24, 2024, and ongoing updates are available to ensure that TPRM professionals stay informed about the latest exploitation trends and mitigations related to this vulnerability.

CVE-2024-20424 and Cisco FMC Command Injection Vulnerability

What is the Cisco FMC Command Injection Vulnerability?

CVE-2024-20424 is a critical command injection vulnerability in Cisco Secure Firewall Management Center (FMC) Software, with a CVSS score of 9.9. This vulnerability arises from insufficient input validation in the web-based management interface of the software. Exploiting this flaw allows authenticated remote attackers to execute arbitrary commands with root privileges, potentially compromising the entire system. The vulnerability was first disclosed in October 2024, and although no active exploitation has been reported yet, the critical nature of this flaw makes it a priority for patching.

Attackers could exploit this vulnerability using credentials from a low-privileged account, such as a Security Analyst (Read Only), to escalate privileges and run high-level commands. This could result in unauthorized modifications, malware installation, or disabling critical security defenses. While there is no PoC available yet, the risk posed by this vulnerability is significant, particularly for organizations heavily relying on Cisco FMC software for managing their firewalls.

Why Should TPRM Professionals Be Concerned?

For third-party risk management (TPRM) professionals, this vulnerability presents a significant risk to organizations using Cisco FMC software. Compromising this system would allow attackers to control network security policies, firewall settings, and other critical functions, leading to potential unauthorized access across the network. Cisco FMC is often used to manage firewalls, and any disruption or control takeover could result in network breaches, exposure of sensitive data, and operational disruption. The criticality of CVE-2024-20424 makes it essential for TPRM professionals to ensure that their vendors and partners using Cisco FMC have properly mitigated this vulnerability.

What Questions Should TPRM Professionals Ask Vendors About the Cisco FMC Command Injection Vulnerability?

• Have you applied Cisco’s latest software updates that address CVE-2024-20424 and CVE-2024-20379 in Cisco FMC?
• Can you confirm if you have restricted access to the web-based management interface of Cisco FMC Software to trusted users only, as a measure to prevent potential exploitation of CVE-2024-20424 and CVE-2024-20379?
• Have you implemented multi-factor authentication (MFA) for user accounts, especially for low-level user accounts such as Security Analyst (Read Only), to prevent privilege escalation and execution of highly privileged commands as a result of CVE-2024-20424?
• Are you monitoring network activity for unusual behavior indicative of potential exploitation of the command injection vulnerability (CVE-2024-20424) and the improper input validation vulnerability (CVE-2024-20379) in Cisco FMC Software?

Remediation Recommendations for Vendors

• Immediately apply the latest software patches released by Cisco to address CVE-2024-20424 and CVE-2024-20379.
• Implement multi-factor authentication (MFA) for all users accessing Cisco FMC to mitigate unauthorized access risks.
• Restrict access to the Cisco FMC web-based management interface to trusted IP addresses and users only.
• Regularly monitor network traffic and logs for any suspicious activity or indicators of compromise.
• Follow Cisco’s official advisory for further instructions and guidance on securing Cisco FMC software.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite’s FocusTag™ for Cisco FMC provides a comprehensive view of which vendors are potentially exposed to these vulnerabilities. This tag allows TPRM professionals to pinpoint which of their third-party vendors or partners are using vulnerable Cisco FMC versions. By leveraging Black Kite’s asset intelligence, such as associated IP addresses and subdomains, TPRM teams can focus their remediation efforts on the vendors that pose the highest risk. Black Kite published this FocusTag on October 24, 2024, and it will be updated as new details or patches are released by Cisco.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are vital tools for enhancing Third-Party Risk Management strategies, offering targeted insights that help organizations mitigate risks more efficiently. These tags, especially when dealing with vulnerabilities in Exchange Server, FortiManager, Grafana, Roundcube Webmail, and Cisco FMC, provide:

• Real-Time Risk Identification: Immediate recognition of vendors impacted by critical vulnerabilities, facilitating prompt and decisive action.
• Risk Prioritization: By assessing vendor importance and vulnerability severity, TPRM professionals can focus on the most critical issues first, ensuring resources are used effectively.
• Informed Vendor Engagement: Black Kite’s FocusTags™ empower organizations to hold informed, meaningful conversations with vendors about their security posture and remediation efforts, specifically addressing exposure to identified vulnerabilities.
• Strengthened Cybersecurity Posture: These tags offer a comprehensive overview of the threat landscape, enabling organizations to enhance their overall cybersecurity strategies, improving their resilience against future threats.

By transforming complex threat data into actionable intelligence, Black Kite’s FocusTags™ streamline the risk management process, enabling TPRM professionals to respond swiftly to emerging vulnerabilities and ensure the safety of their third-party ecosystem.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
• FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
• Grafana: CVE-2024-9264, Remote Code Execution Vulnerability  in Grafana.
• Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
• Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
• PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls

References

https://www.wsj.com/politics/national-security/u-s-officials-race-to-understand-severity-of-chinas-salt-typhoon-hacks-6e7c3951

https://chertoffgroup.com/china-based-cyber-attacks-highlight-us-tech-vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-26855

https://nvd.nist.gov/vuln/detail/CVE-2021-27065

https://nvd.nist.gov/vuln/detail/CVE-2021-26858

https://nvd.nist.gov/vuln/detail/CVE-2021-26857

https://blackkite.com/blog/focus-friday-tprm-insights-into-critical-vulnerabilities-in-microsoft-windows-solarwinds-whd-zimbra-and-exchange-server

https://nvd.nist.gov/vuln/detail/CVE-2024-47575

https://fortiguard.fortinet.com/psirt/FG-IR-24-423

https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks

https://nvd.nist.gov/vuln/detail/CVE-2024-9264

https://github.com/nollium/CVE-2024-9264/tree/main

https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264

https://grafana.com/security/security-advisories/cve-2024-9264

https://github.com/advisories/GHSA-q99m-qcv4-fpm7

https://nvd.nist.gov/vuln/detail/CVE-2024-37383

https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html

https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

https://nvd.nist.gov/vuln/detail/CVE-2024-20424

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-v3AWDqN7

https://securityonline.info/cve-2024-20424-cvss-9-9-cisco-fmc-software-vulnerability-grants-attackers-root-access

The post FOCUS FRIDAY: ADDRESSING EXCHANGE SERVER RCE, FORTIMANAGER, GRAFANA, ROUNDCUBE WEBMAIL, AND CISCO FMC VULNERABILITIES FROM A TPRM PERSPECTIVE appeared first on Black Kite.

Written By: Ferdi Gül

This week’s Focus Friday blog highlights two critical vulnerabilities that pose significant risks to third-party ecosystems—CVE-2024-21216 affecting Oracle WebLogic Server and CVE-2024-9487 impacting GitHub Enterprise. These vulnerabilities, involving remote code execution and authentication bypass, respectively, threaten not only the organizations directly utilizing these products but also their entire supply chains. In this blog, we will dive into each vulnerability, its potential impact, and why Third-Party Risk Management (TPRM) professionals should pay close attention. We also explore how Black Kite’s FocusTags™ can streamline your risk assessment process by identifying vendors impacted by these threats and providing actionable insights for mitigation.

CVE-2024-21216: Oracle WebLogic Server RCE Vulnerability

What is the Oracle WebLogic Server RCE Vulnerability?

CVE-2024-21216 is a critical Remote Code Execution (RCE) vulnerability in Oracle WebLogic Server, affecting versions 12.2.1.4.0 and 14.1.1.0.0. This vulnerability allows attackers with network access via T3 or IIOP protocol to gain full control over the server without requiring authentication. Exploitation could lead to unauthorized data access, system manipulation, and further malicious activities like ransomware deployment. The vulnerability was first published on Oracle’s October 2024 CPU and holds a CVSS score of 9.8, signifying its severity. Although no known exploitation has been reported in the wild, a PoC is not yet available. Historically, similar vulnerabilities have been exploited by Chinese threat actors.

Why Should TPRM Professionals Care About Oracle WebLogic Server RCE Vulnerability?

Oracle WebLogic Server is a widely used platform for hosting business-critical applications. A successful attack could result in complete system compromise, exposing sensitive data or enabling malicious control of the organization’s operations. This vulnerability is particularly dangerous for organizations hosting externally-facing instances of WebLogic, as it could expose them to external threats. In the context of third-party risk management, any vendors or partners using Oracle WebLogic Server should be thoroughly assessed for potential exposure, especially if these servers host sensitive applications or data.

What questions should TPRM professionals ask vendors about CVE-2024-21216?

• Have you identified any instances of Oracle WebLogic Server versions 12.2.1.4.0 or 14.1.1.0.0 in your infrastructure?
• Have you applied the security patches released by Oracle in October 2024 for the affected WebLogic Server versions?
• Are the T3 and IIOP protocols disabled if they are not necessary for your environment?
• What security controls, such as MFA and access restrictions, are in place to protect administrative access to your WebLogic servers?

Remediation Recommendations for Vendors Subject to This Risk

• Immediately apply Oracle’s latest security patches for WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0.
• Disable or restrict access to T3 and IIOP protocols unless necessary for business operations.
• Implement strong access controls, including multi-factor authentication, for any WebLogic administrative interfaces.
• Limit external access to WebLogic servers by configuring firewalls or restricting IPs to trusted sources only.
• Regularly monitor network traffic for any suspicious activity targeting WebLogic servers.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Oracle WebLogic Server FocusTag on October 16, 2024, offering detailed insights into which vendors are at risk of this critical vulnerability. TPRM professionals can operationalize this FocusTag by identifying vendors using vulnerable WebLogic versions and prioritizing assessments and remediation efforts. The FocusTag also provides IP addresses and subdomains hosting the vulnerable systems, empowering organizations to act swiftly and mitigate risk efficiently. Monitoring vendors with exposure to this vulnerability through Black Kite’s intelligence platform can significantly reduce response time and mitigate potential exploitation risks.

CVE-2024-9487: GitHub Enterprise SAML SSO Authentication Bypass Vulnerability

What is the GitHub Enterprise SAML SSO Authentication Bypass Vulnerability?

CVE-2024-9487 is a critical vulnerability that affects GitHub Enterprise Server versions prior to 3.15. This vulnerability allows attackers to bypass SAML Single Sign-On (SSO) authentication, potentially granting unauthorized access to sensitive GitHub Enterprise Server instances. The issue stems from improper verification of cryptographic signatures during the SAML authentication process, which may allow attackers to bypass authentication and gain unauthorized access. This vulnerability has a CVSS score of 9.5, indicating its critical severity, and an EPSS score of 0.05%. While no known public exploitation has been reported, it poses a significant risk to enterprises that utilize GitHub Enterprise Server with SAML SSO and encrypted assertions.

The vulnerability was disclosed in October 2024 and has not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. However, given the critical nature of the vulnerability and its potential impact on organizations, it should be addressed immediately by applying the recommended patches.

Why Should TPRM Professionals Care About the GitHub Enterprise Vulnerability?

GitHub Enterprise is widely used by organizations to manage their development environments and host proprietary code. A successful exploitation of CVE-2024-9487 could lead to unauthorized access to sensitive repositories, potentially exposing intellectual property, sensitive data, or security credentials. For TPRM professionals, the exposure of a third-party development platform like GitHub could have a cascading impact on software supply chains, making it critical to assess whether any vendors or partners are at risk due to this vulnerability.

Organizations with vendors relying on GitHub Enterprise must act swiftly to ensure that these systems are secure, as a breach could lead to unauthorized changes in code, further introducing vulnerabilities into the products and services downstream.

What questions should TPRM professionals ask vendors about CVE-2024-9487?

• Are you running any instances of GitHub Enterprise Server prior to version 3.15?
• Have you applied the necessary patches to mitigate CVE-2024-9487, especially for SAML SSO configurations?
• Is the “encrypted assertions” feature in SAML enabled on your GitHub Enterprise Server? If so, have you considered disabling it as a temporary mitigation?
• Have you implemented network access restrictions or monitoring mechanisms to detect unauthorized access attempts?

Remediation Recommendations for Vendors Subject to This Risk

• Upgrade GitHub Enterprise Server to one of the following patched versions: 3.11.16, 3.12.10, 3.13.5, or 3.14.2.
• If upgrading is not feasible immediately, disable the “encrypted assertions” feature within SAML configurations to mitigate the risk temporarily.
• Restrict network access to GitHub Enterprise Server to minimize exposure and reduce the attack surface.
• Monitor user access logs and network activity for any unusual authentication events or user provisioning activities that could indicate attempted exploitation.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the GitHub Enterprise FocusTag on October 14, 2024, offering in-depth insights into which vendors are exposed to this critical SAML SSO authentication bypass vulnerability. TPRM professionals can leverage this tag to identify at-risk vendors quickly, enabling faster remediation and risk mitigation. Additionally, Black Kite’s FocusTags™ provide a unique advantage by supplying the IP addresses and subdomains associated with vulnerable instances, allowing organizations to take swift, targeted action to secure their supply chain.

ENHANCING TPRM STRATEGIES WITH BLACK KITE’S FOCUSTAGS™

In an ever-evolving cybersecurity landscape, Black Kite’s FocusTags™ serve as a powerful tool to manage third-party risks efficiently. This week’s vulnerabilities in Oracle WebLogic Server and GitHub Enterprise exemplify how high-profile security flaws can cascade through supply chains, affecting multiple vendors and partners. With FocusTags™, you can stay ahead of these threats by:

• Instant Risk Identification: Quickly pinpoint which vendors in your supply chain are impacted by emerging vulnerabilities like CVE-2024-21216 and CVE-2024-9487, ensuring a fast and focused response.
• Risk Prioritization: FocusTags™ allow you to prioritize risks based on the criticality of affected vendors and the severity of vulnerabilities, ensuring your TPRM efforts are aligned with the highest potential risks.
• Vendor Engagement: Black Kite’s FocusTags™ equip you with detailed insights that facilitate meaningful discussions with your vendors, particularly about how they are addressing these specific vulnerabilities.
• Holistic Cybersecurity Posture: By providing a comprehensive view of the threat landscape, FocusTags™ enhance your overall cybersecurity strategy, helping you to address not just the vulnerabilities of today but also prepare for the risks of tomorrow.

Black Kite’s FocusTags™ continue to be an invaluable asset for TPRM professionals, offering real-time insights and targeted recommendations to help mitigate third-party risks associated with high-profile vulnerabilities.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
• PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls
• Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21216

https://www.oracle.com/security-alerts/cpuoct2024.html

https://nvd.nist.gov/vuln/detail/CVE-2024-9487

https://securityonline.info/github-enterprise-server-patches-critical-security-flaw-cve-2024-9487-cvss-9-5

https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2

The post FOCUS FRIDAY: TPRM INSIGHTS INTO ORACLE WEBLOGIC SERVER AND GITHUB ENTERPRISE VULNERABILITIES appeared first on Black Kite.

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Manufacturing companies are in the crosshairs of cybercriminals, with ransomware attacks as the number one threat to the industry. In our 2024 Report: The Biggest Third-Party Risks in Manufacturing, we analyzed 1,039 manufacturing companies across 10 sub-industries and found the sector accounts for 21% of all ransomware attacks globally. While these figures reveal the urgent need for individual companies to shore up their defenses, it’s essential to recognize that manufacturing companies do not operate in isolation—they exist within an intricate web of supply chains, where a disruption to one player can have cascading effects on others. 

Consider this: a ransomware attack on one of your key suppliers can stop your operations in their tracks. If a supplier responsible for microchips, preservatives, or critical machinery parts is taken offline, your own company might not be able to continue production. Even if you have no direct ransomware attack on your systems, you’re vulnerable to supply chain delays that can ripple throughout the network.

This means third-party risk management (TPRM) is not just a priority but a necessity for manufacturing companies that want to avoid catastrophic operational and financial consequences. Fixing your own vulnerabilities is essential, but if your key suppliers are compromised, your production lines and supply chain will suffer just as much.

A Chain is Only as Strong as Its Weakest Link

Why is the manufacturing industry such a hotbed for ransomware activity? Our findings indicate that 67% of manufacturing companies have vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. These are known vulnerabilities actively targeted by threat actors. If these go unchecked in your supply chain, your company may face operational disruptions, even if you’ve taken steps to secure your own systems.

For example, imagine you’re a food manufacturer relying on a supplier for metal cans. If that supplier is hit by ransomware, it can delay or prevent the packaging of your products, leading to missed deliveries and spoiled goods. Or consider an electronics manufacturer that relies on a supplier for microchips—an attack on the supplier could grind your production to a halt, leaving you unable to meet your customers’ demand.

Real-World Examples of Supply Chain Disruption

To contextualize just how consequential these unchecked risks can be, here are real-world examples of how ransomware attacks on manufacturers and their suppliers have caused significant operational and financial disruptions throughout the supply chain.

1. Clorox (2023): A ransomware attack on Clorox disrupted its IT infrastructure, causing product shortages that rippled through the supply chain. The attack forced Clorox to shut down its automated systems and switch to manual operations, significantly slowing down production and resulting in widespread product unavailability for retailers and consumers, particularly for high-demand products. The recovery process, which extended over weeks, showcased the broader impact of cyberattacks on supply chains and consumer markets.
2. Norsk Hydro (2019): The 2019 LockerGoga ransomware attack on aluminum giant Norsk Hydro halted production at several of its global facilities and cost the company approximately $71 million. The company had to switch from automated to manual operations, leading to significant delays in manufacturing and delivery of aluminum products. This affected industries that depend on Norsk Hydro’s aluminum, such as automotive, construction, and packaging, causing delays and shortages in their own supply chains, highlighting the interconnectedness of global supply chains and the severe impact a single cyberattack can have across multiple industries.
3. Lacroix Electronics (2023): Lacroix, a French electronics manufacturer, temporarily shut down three of its production sites following a ransomware attack. The shutdown of production over the course of a week created bottlenecks, impacting both Lacroix’s internal processes and its downstream partners.
4. Acer (2021): Acer was hit by a $50 million ransomware attack in March 2021, launched by the REvil group. The attackers gained access to Acer’s systems and demanded payment in cryptocurrency to provide a decryption key and avoid leaking sensitive data. As a major player in electronics manufacturing, disruptions at Acer affected the availability of critical components, which in turn impacted other companies reliant on Acer for parts.

In each case, it wasn’t just the ransomed companies facing operational chaos—real, time-sensitive challenges fell on the businesses that relied on them for critical supplies and components. These dependent companies had to navigate the cascading effects of disrupted supply chains, from raw material shortages to delayed shipments. So ransomware isn’t just an internal issue for the company dealing with the attack firsthand. It’s a third-party risk management (TPRM) problem for companies relying on the compromised supplier.

Proactive Steps to Secure Your Supply Chain

In 2023, the MOVEit Transfer vulnerability exposed hundreds of organizations, including manufacturers, to ransomware attacks. The CLOP ransomware group exploited a software flaw, leading to widespread disruptions in industries ranging from logistics to production. This incident demonstrates the importance of scrutinizing third-party software tools—any weak link in the supply chain could be an entry point for cybercriminals, potentially affecting your entire business.

One effective way to manage this is by leveraging tools like Black Kite’s Ransomware Susceptibility Index® (RSI™), which measures how likely a company or supplier is to suffer a ransomware attack. This allows you to assess not only your own company’s risk but also the risk posed by your third-party vendors. With these insights, you can take proactive steps to address vulnerabilities in your supply chain before they become costly breaches.

Conclusion: Securing the Entire Ecosystem

The findings from our report should serve as a wake-up call to manufacturing companies. It’s not enough to secure your own systems—you must ensure that your supply chain is secure. Ransomware attacks and cyber vulnerabilities within your third-party vendors pose a significant risk to your operations.

By taking a proactive, comprehensive approach to third-party risk management, you can mitigate these risks and ensure business continuity, protecting not only your operations but also the entire supply chain on which you depend.

Want to learn how your company and its third-party vendors stack up in terms of ransomware susceptibility and cyber risk? Schedule a demo with Black Kite today and take the first step toward securing your manufacturing operations.

References:

https://www.industryweek.com/technology-and-iiot/article/21274431/the-clorox-co-recovers-from-severe-cyberattack

https://news.microsoft.com/source/features/digital-transformation/hackers-hit-norsk-hydro-ransomware-company-responded-transparency

https://www.securityweek.com/lacroix-closes-production-sites-following-ransomware-attack/amp

https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/amp

The post Manufacturing at Risk: Why Securing Your Supply Chain is Critical appeared first on Black Kite.

Written by: Jeffrey Wheatman

When it comes to third-party risk management (TPRM), many organizations treat it as a purely technical issue, relying on cybersecurity teams to handle vendor vulnerabilities and security gaps. However, this mindset often overlooks a critical truth: TPRM is a business problem that requires strategic decisions based on business value, operational impact, and financial risk—not just technical fixes.

That means, you can’t just go throwing a bunch of technical requests over to your vendors’ technical teams. Yet that’s exactly what many TPRM teams do today. They end up sending the vendors a long list of concerns such as open vulnerabilities, missing patches, and other technology threats, believing that the best way forward is for the vendors’ technical teams to take action. How can your vendors possibly handle that workload from you, let alone all the other customers they serve? The truth is, they can’t.

As we reveal in our RiskBusters episode, there is a better way. While technical people play a crucial role in assessing security controls and identifying risks, these insights need to be contextualized within a broader business framework. It’s not just about patching vulnerabilities; it’s about determining which risks have the most significant impact on your business and working collaboratively with vendors to mitigate those risks. The solution? A balanced approach that aligns technical assessments with business priorities.

Let’s dig deeper into the facts. 

3 Facts About the Importance of TRPM for Businesses

Fact: Organizations are being targeted through their third-parties.

What You Should Know:

• Zero-day vulnerabilities allow mass exploitation.
• Third-party vendors are now prime targets for cybercriminals.
• An increased reliance on vendors increases risk exposure.
• A single vendor breach can impact many organizations.

With the impact of third-party breaches intensifying with each passing year, we see more and more cases in which vendor relationships become the “way in” for bad actors. The attackers themselves have realized how many of today’s businesses rely heavily on their third-party vendor relationships, and a single breach can cause significant cascading effects. Zero-day vulnerabilities, like the one found in MOVEit last year, make it especially easy for bad actors to exploit dozens of businesses using a single, vulnerable system.

Fact: Not every vulnerability is going to get fixed.

What You Should Know:

• Not every vulnerability poses a serious risk to your business.
• Assess financial and operational impacts first.
• Prioritize the vulnerabilities that matter most.
• Focus resources on high-impact issues.

When it comes to managing third-party risk, not every vulnerability is equal, and not every risk requires immediate action. The key to effective risk management is understanding the potential impact of vulnerabilities on your business. By using contextual intelligence, you can assess the financial, operational, and reputational costs of leaving certain risks unaddressed. This allows business stakeholders to prioritize vulnerabilities based on their potential impact, rather than overwhelming vendors with every issue.

With a clear understanding of which risks pose the greatest threat to your bottom line, your technical teams and vendors can focus their efforts on mitigating what matters most—ensuring that your resources are used efficiently and effectively.

Fact: It’s possible to overwhelm your vendors with requests.

What You Should Know: 

• Bombarding vendors with issues slows down remediation.
• Vendors may ignore unclear or excessive demands.
• Generic scores or long lists create frustration.
• Overwhelming vendors damages collaboration.

Prioritization is important because many businesses have tried to collaborate with their vendors and been met with silence or inaction. This is often because they go into conversations with existing or prospective vendors expecting them to fix an unfiltered list of security issues. Because after all, they believe that this is simply a technical problem and the vendor has the right technical people to do something about it! Because of this expectation, these businesses end up sending their vendors one of the following documents:

• A): a long list of security concerns (“Hey, we need you to fix these 783 vulnerabilities by next month.”)
• B): a vague SRS risk score (“You scored a D according to X firm. Fix that, or else!”)
• C): a lengthy questionnaire (“We want to make sure that you’re secure enough to meet our compliance requirements. Please take eight hours out of your day to fill in this detailed questionnaire.”)

But when they send this type of vague and/or overwhelming information without a clear idea as to which third-party risks are most pressing to fix, these companies end up sabotaging their relationships with vendors. The vendors either ignore the requests because they don’t know where to start, or the relationship becomes strained. Either way, it’s not the result you’re looking for: action taken to mitigate overall business risk.

Is a secure and collaborative vendor relationship just the stuff of myths and legends?

How can organizations shift away from overwhelming their vendors with technical requests and focus on what really matters—reducing business risk? Watch the video below to find out how aligning technical assessments with business priorities can lead to more effective, collaborative TPRM strategies.

Check Out Episode 4 Now!

Align Third-Party Risk Management with Business Priorities

Managing third-party risk doesn’t have to overwhelm your team—or your vendors. By focusing on business-critical risks and using tools like Black Kite’s Strategy Report, you can guide your vendors toward actionable, prioritized risk remediation steps. With clear communication and a well-defined strategy, you’ll not only protect your business but also foster stronger, more collaborative relationships with your vendors.

And with Black Kite Bridge™️, you can take what you’ve prioritized in the Strategy Report to your vendors with streamlined communication, allowing vendors to easily access your most pressing concerns and providing them with actionable intelligence. This collaborative approach ensures that risk management becomes a shared responsibility, not just a technical burden.

To learn more about turning TPRM into a business-driven process and debunking common myths, watch our latest RiskBusters episode above. Subscribe to our YouTube channel for more myth-busting insights into third-party risk management!

To learn more about common TPRM assumptions and see if they’re fact or fiction, subscribe to our YouTube channel so you can catch all of our RiskBusters™️ episodes!

The post RiskBusters™ Reveal: TPRM Is More Than a Technical Problem, It’s a Business Imperative appeared first on Black Kite.

Written By: Ferdi Gül

Welcome to this week’s Focus Friday blog, where we delve into high-profile cybersecurity incidents from a Third-Party Risk Management (TPRM) perspective. This week, we examine critical vulnerabilities affecting Fortinet Core Products, Cisco RV Routers, and Ivanti Connect Secure. These vulnerabilities present significant risks, from privilege escalation to remote code execution, impacting enterprise security across various sectors. Understanding and addressing these issues are essential to maintaining a strong security posture and mitigating potential breaches.

CVE-2024-23113: Fortinet Core Products Format String Vulnerability

What is the Fortinet Core Products Format String Vulnerability?

CVE-2024-23113 is a critical format string vulnerability affecting Fortinet products, including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. This flaw allows a remote, unauthenticated attacker to execute arbitrary code by sending specially crafted requests to the affected systems. The vulnerability, with a CVSS score of 9.8 and an EPSS score of 0.80%, was disclosed in February 2024 and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on October 9, 2024. Although no proof-of-concept (PoC) exploit code has been publicly released, threat actors are focusing on exploiting vulnerabilities in Fortinet systems to breach corporate networks, aiming to launch ransomware attacks or engage in cyber espionage. Therefore, it is recommended to upgrade the Fortinet’s products to the patched versions.

Why Should TPRM Professionals Care About This Vulnerability?

For TPRM professionals, vulnerabilities in Fortinet core products are highly concerning because these systems are often deployed in sensitive enterprise environments. If exploited, CVE-2024-23113 could allow attackers to take control of Fortinet systems, execute arbitrary commands, and compromise the entire network. This risk is particularly critical in environments where FortiOS is used to secure sensitive operations, including financial transactions, communications, and administrative controls. The vulnerability’s ability to bypass authentication and execute commands remotely makes it a prime target for ransomware attacks and cyber espionage.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To mitigate the risk of CVE-2024-23113, TPRM professionals should ask vendors the following questions:

1. Have you updated all instances of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager to the latest versions (FortiOS: 7.4.3, 7.2.7, or 7.0.14 or above, FortiProxy: 7.4.3, 7.2.9, or 7.0.16 or above, FortiSwitchManager: 7.2.4 or 7.0.4 or above) to mitigate the risk of CVE-2024-23113?
2. Have you implemented the recommended action of disabling FGFM access for each interface until the system can be updated, and closely observing network activity for any abnormal behavior that may indicate attempted exploitation of this vulnerability?
3. Can you confirm if you have restricted FGFM connections to specific IPs as an additional mitigation step, even though it does not fully prevent exploitation and should be treated as a temporary solution until patching is completed?
4. For FortiPAM, have you migrated to fixed releases as no specific patches are provided for vulnerable versions to mitigate the risk of CVE-2024-23113?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using affected Fortinet products should:

• Apply patches immediately to upgrade FortiOS to versions 7.4.3, 7.2.7, or 7.0.14 and similar versions for FortiProxy and FortiSwitchManager.
• Disable FGFM access temporarily, or restrict it to specific trusted IPs to minimize exposure.
• Implement local-in policies to restrict access to FGFM services.
• Monitor network activity closely for signs of exploitation, and review access logs regularly.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides the Fortinet Core Products FocusTag to help identify vendors with potential exposure to CVE-2024-23113. The tag, first published on October 9, 2024, allows TPRM professionals to identify at-risk vendors by mapping affected assets like IP addresses and subdomains. This enables targeted risk assessments and allows professionals to prioritize outreach and remediation efforts for the most vulnerable vendors. Black Kite’s ability to provide real-time intelligence on exploited vulnerabilities is a key differentiator in managing third-party risks.

CVE-2024-20393 and CVE-2024-20470: Cisco RV Routers Privilege Escalation and Remote Code Execution Vulnerabilities

What are the Cisco RV Routers Privilege Escalation and RCE Vulnerabilities?

CVE-2024-20393 and CVE-2024-20470 are high-severity vulnerabilities impacting Cisco RV340, RV340W, RV345, and RV345P VPN Routers. CVE-2024-20393 enables privilege escalation, while CVE-2024-20470 allows remote code execution. Both vulnerabilities involve weaknesses in the web-based management interface and can be exploited by an authenticated attacker with limited privileges. With CVSS scores of 7.2 and 8.8, respectively, these flaws pose serious risks to network integrity and sensitive data.

Why Should TPRM Professionals Care About These Vulnerabilities?

For organizations using Cisco RV routers, these vulnerabilities can severely compromise network security. If exploited, attackers can escalate privileges or execute arbitrary code, leading to unauthorized access to sensitive data or full system takeover. Given that these routers are often used in business-critical environments, failing to address these vulnerabilities may result in breaches, data exfiltration, or service disruption.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

1. Have you checked and confirmed that the remote management feature is disabled on all your Cisco Small Business RV Series routers, specifically the RV340, RV340W, RV345, and RV345P models, to mitigate the risk of CVE-2024-20393 and CVE-2024-20470?
2. Given that Cisco has not provided any patches or workarounds for these vulnerabilities, have you considered replacing the affected Cisco Small Business RV Series routers with more secure alternatives that receive active support and security updates?
3. Can you confirm if you have implemented network monitoring solutions to detect any suspicious activity that could indicate an exploitation of the privilege escalation and remote code execution vulnerabilities (CVE-2024-20393 and CVE-2024-20470) in the Cisco Small Business RV Series routers?
4. Have you taken steps to restrict network access to the affected Cisco Small Business RV Series routers to local connections only, as a measure to mitigate the risk of CVE-2024-20393 and CVE-2024-20470?

Remediation Recommendations for Vendors Subject to This Risk

• Disable remote management immediately.
• Migrate to secure router models, as these devices no longer receive software support.
• Restrict network exposure to local traffic only.
• Monitor network traffic for suspicious activity related to privilege escalation or RCE attempts.

How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?

Black Kite’s Cisco RV Routers FocusTag helps TPRM professionals identify vendors at risk from these vulnerabilities. Published on October 7, 2024, the FocusTag offers real-time data on vulnerable assets, allowing organizations to prioritize mitigation efforts and reduce exposure. By providing asset-specific intelligence such as IP addresses and vulnerable systems, Black Kite enables more focused risk management.

CVE-2024-37404: Ivanti Connect Secure Remote Code Execution Vulnerability

What is the Ivanti Connect Secure RCE Vulnerability?

CVE-2024-37404 is a critical Remote Code Execution (RCE) vulnerability affecting Ivanti Connect Secure and Policy Secure products. This flaw, caused by improper input validation in the admin portal during the Certificate Signing Request (CSR) generation process, allows an authenticated attacker to execute arbitrary code. With a CVSS score of 9.1, this vulnerability poses a significant risk, potentially allowing attackers to take full control of vulnerable systems. The issue was first disclosed in October 2024, and while no known exploitation has been observed in the wild, a proof-of-concept (PoC) has been published, demonstrating how the attack can be carried out by manipulating configuration files through specially crafted input. 

In previous discussions on ICS, we noted that the Chinese nation-state-linked threat actor UTA0178 is suspected of exploiting these systems. MITRE research highlights the ROOTROT webshell tool, used by attackers to execute commands, steal credentials, exfiltrate files, and more. Vulnerabilities in ICS devices are exploited to propagate the Mirai botnet, leading to large-scale DDoS attacks and other cyber threats.

Why Should TPRM Professionals Care About this Vulnerability?

For organizations utilizing Ivanti Connect Secure, this vulnerability could lead to complete system compromise. Given the privileged role these systems play in secure communications and network management, the exploitation of this flaw could result in data breaches, system disruptions, and potential ransomware attacks. Attackers could use compromised admin credentials to access and exploit this vulnerability, especially in environments where access controls are weak or multi-factor authentication (MFA) is not implemented.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

1. Have you upgraded all instances of Ivanti Connect Secure and Policy Secure to versions 22.7R2.1, 22.7R2.2, and 22.7R1.1 respectively to mitigate the risk of CVE-2024-37404?
2. Can you confirm if you have implemented the recommended mitigation measures such as enabling admin access only on the management interface, monitoring network traffic for unusual activities, and strengthening password policies and MFA protections?
3. Have you taken steps to prevent the injection of Carriage Return Line Feed (CRLF) characters into input fields in the admin portal, specifically in the Certificate Signing Request (CSR) generation process, to prevent the manipulation of configuration files and loading of malicious libraries?
4. Can you confirm if you have implemented measures to detect and prevent the uploading of malicious ZIP files masquerading as client logs, which could lead to remote code execution and granting of root-level access to the system?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using Authentik should follow these remediation steps:

• Update to the latest versions of Ivanti Connect Secure (22.7R2.1 or 9.1R18.9 when available) and Ivanti Policy Secure (22.7R1.1).
• Restrict admin access to internal networks and ensure it is protected by a firewall or jump host.
• Enforce strong access controls, including MFA and password vaults, to limit exposure.
• Enable admin logging and monitor for suspicious activity involving administrative credentials.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides the Ivanti Connect Secure FocusTag, which helps TPRM professionals identify vendors at risk of this vulnerability. Published in October 2024, this FocusTag delivers critical insights into affected assets, allowing TPRM professionals to prioritize vendors that need immediate remediation. This targeted intelligence aids in reducing exposure by focusing on the vendors most likely to be impacted by CVE-2024-37404, helping organizations streamline their third-party risk management processes.

By providing detailed asset information such as vulnerable subdomains or IP addresses, Black Kite allows its customers to operationalize these insights and reduce the potential risk from vendors who might be compromised through this vulnerability.

Maximizing TPRM Effectiveness With Black Kite’s FocusTags™

Black Kite’s FocusTags are indispensable tools for refining Third-Party Risk Management (TPRM) strategies. Here’s how Black Kite’s FocusTags™ empower organizations to effectively manage vulnerabilities like those in Fortinet Core Products, Cisco RV Routers, and Ivanti Connect Secure:

• Real-Time Risk Identification: FocusTags instantly identify vendors impacted by critical vulnerabilities, enabling organizations to react swiftly and mitigate threats before they escalate.
• Targeted Risk Prioritization: By assessing both the severity of the vulnerability and the criticality of the affected vendors, FocusTags help allocate resources efficiently to address the most pressing risks.
• Informed Vendor Engagement: These tags facilitate deeper discussions with vendors about their exposure and remediation plans, ensuring that conversations are focused and actionable.
• Comprehensive Security Enhancement: With a broad view of the threat landscape, FocusTags strengthen the overall security posture, allowing TPRM professionals to adapt their strategies to the latest cyber risks.

Incorporating Black Kite’s FocusTags into your TPRM processes ensures that your organization remains proactive and responsive to the rapidly evolving cyber threat environment, empowering you to manage third-party risks effectively and safeguard your enterprise.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
• PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls
• Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems
• Microsoft Privilege Escalation Vulnerability: CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, Critical Privilege Escalation Vulnerabilities in Microsoft Windows
• SolarWinds WHD: CVE-2024-28986, Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk

References

https://www.fortiguard.com/psirt/FG-IR-24-029

https://nvd.nist.gov/vuln/detail/CVE-2024-23113

Cisco Security Advisory – Cisco Small Business RV34x VPN Routers Privilege Escalation and Remote CodeExecution Vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2024-20393

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-and-Policy-Secure-CVE-2024-37404?language=en_US

https://securityonline.info/cve-2024-37404-critical-rce-flaw-discovered-in-ivanti-connect-secure-policy-secure-poc-published

https://blackkite.com/blog/focus-friday-tprm-challenges-in-the-face-of-ivanti-ics-cacti-sonicwall-confluence-and-citrix-vulnerabilities

The post FOCUS FRIDAY: INSIGHTS INTO THIRD-PARTY RISKS IN FORTINET CORE PRODUCTS, CISCO RV ROUTERS, AND IVANTI CONNECT SECURE VULNERABILITIES appeared first on Black Kite.