Written by: Ferdi Gül

This Week’s Emerging Third-Party Risks in Email Infrastructure and Web Frameworks

Welcome to this week’s edition of Focus Friday, where we provide timely insights into high-profile vulnerabilities from a Third-Party Risk Management (TPRM) lens. In today’s interconnected environment, vulnerabilities affecting one vendor’s technology stack can ripple across entire ecosystems—disrupting operations, compromising sensitive data, and escalating vendor risk exposure.

This week’s FocusTags™ spotlight several notable vulnerabilities with direct implications for organizations relying on third-party software for communication infrastructure and web application delivery. We begin with Zimbra’s CalendarInvite XSS vulnerability, already being exploited by APT28; then examine DrayTek Vigor gateway devices, which are being recruited into botnets due to a critical OS command injection flaw. We also review a newly disclosed privilege escalation vulnerability in Atlassian Jira Data Center, which allows low-privilege users to act with higher-privilege permissions, threatening issue tracking and service management workflows. In addition, we cover a Denial-of-Service vulnerability in Tornado Web Server that threatens application availability, and an actively exploited zero-day XSS vulnerability in MDaemon Email Server, used for credential theft and mailbox compromise.

Each of these incidents highlights the urgency of identifying and remediating vulnerabilities—not just internally, but across your third-party network. This blog helps TPRM professionals do exactly that.

CVE-2024-27443 – Zimbra Webmail CalendarInvite XSS Vulnerability

What is CVE-2024-27443 in Zimbra?

CVE-2024-27443 is a medium-severity reflected Cross-Site Scripting (XSS) vulnerability affecting Zimbra Collaboration Suite (ZCS) versions 9.0.x (prior to Patch 39) and 10.0.x (prior to 10.0.7). The flaw resides in the Classic Webmail UI’s CalendarInvite feature, where the X-Zimbra-Calendar-Intended-For email header is improperly sanitized. This allows attackers to inject malicious JavaScript into calendar invitations.

When a user opens a crafted calendar invite in the Classic UI, the embedded script executes within their webmail session, potentially enabling attackers to:

• Steal authentication cookies
• Redirect or manipulate incoming emails
• Insert unauthorized calendar events
• Send emails or alter contact information as the user.

The vulnerability has a CVSS v3.1 score of 6.1 (Medium) and an EPSS score of 16.22%. It was patched on March 1, 2024, but was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025, indicating active exploitation in the wild. Notably, the Sednit group (also known as APT28) has been linked to exploiting this vulnerability as part of Operation RoundPress, targeting governmental and defense entities in Eastern Europe and beyond.

Why Should TPRM Professionals Be Concerned About CVE-2024-27443?

Zimbra is widely used for enterprise email and calendar services. A compromise of its webmail interface can lead to unauthorized access to sensitive communications and data. The exploitation of CVE-2024-27443 allows attackers to impersonate users, exfiltrate confidential information, and potentially pivot to other systems within the organization.Given the association with APT28, a state-sponsored threat actor, the risk extends to espionage and targeted attacks against critical sectors.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-27443?

1. Have you upgraded your Zimbra Collaboration to at least 9.0.0 P39 or 10.0.7 to mitigate the risk of CVE-2024-27443?
2. Have you implemented the recommended hardening measures such as disabling or restricting HTML calendar rendering in the Classic UI and enforcing a Content Security Policy (CSP) to block inline scripts in email/calendar views?
3. Have you reviewed your webmail access logs for suspicious calendar invite parameters and deployed IDS/IPS signatures to detect XSS payload patterns in calendar headers as recommended?
4. Can you confirm if you have trained your users to view calendar invitations only from trusted senders and report unexpected invites as part of your mitigation strategy against CVE-2024-27443?

Remediation Recommendations for Vendors Affected by CVE-2024-27443

• Apply Vendor Patches: Upgrade Zimbra Collaboration to at least version 9.0.0 Patch 39 or 10.0.7.
• Harden Webmail Rendering: Disable or restrict HTML rendering in calendar invitations within the Classic UI until patching is complete.
• Enforce Content Security Policies (CSP): Implement CSP to block inline scripts in email and calendar views.
• User Training: Educate users to be cautious with calendar invites, especially from unknown senders, and to report suspicious activities.
• Monitor and Detect: Review webmail access logs for unusual calendar invite parameters and deploy intrusion detection systems to identify XSS payload patterns.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-27443?

Black Kite has issued the “Zimbra – May2025” FocusTag, providing high-confidence intelligence on vendors potentially exposed to CVE-2024-27443. This tag includes detailed information such as affected assets, IP addresses, and subdomains associated with vulnerable Zimbra deployments. By utilizing this FocusTag, TPRM professionals can:

• Quickly identify and prioritize vendors at risk
• Access actionable intelligence to assess the extent of exposure
• Streamline communication with vendors regarding remediation efforts
• Reduce the burden of broad-based questionnaires by focusing on affected parties

CVE-2024-12987 – DrayTek Vigor OS Command Injection Vulnerability

What is CVE-2024-12987 in DrayTek Vigor Devices?

CVE-2024-12987 is a critical OS command injection vulnerability affecting DrayTek Vigor2960, Vigor300B, and Vigor3900 routers running firmware version 1.5.1.4 or earlier. The flaw resides in the Web Management Interface’s /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, where improper sanitization of the session parameter allows remote attackers to inject and execute arbitrary shell commands.

An attacker can exploit this vulnerability by sending a specially crafted HTTP/1.0 request with a hex-encoded payload to the vulnerable endpoint, resulting in command execution with elevated privileges. A public proof-of-concept (PoC) script demonstrates this exploitation method.

The vulnerability has a CVSS v3.1 score of 9.8 (Critical) and an EPSS score of 56.05%. It was added to CISA’s Known Exploited Vulnerabilities catalog on May 16, 2025, indicating active exploitation in the wild. Notably, the Rust-based botnet “RustoBot” leverages this vulnerability to compromise DrayTek gateways, recruiting them into distributed denial-of-service (DDoS) campaigns across regions including Japan, Taiwan, Vietnam, and Mexico.

Why Should TPRM Professionals Be Concerned About CVE-2024-12987?

DrayTek Vigor devices are commonly used as network gateways in enterprise environments. A compromise of these devices can lead to unauthorized access to internal networks, data exfiltration, and service disruptions. The exploitation of CVE-2024-12987 allows attackers to execute arbitrary commands, potentially leading to full device compromise and lateral movement within the network. Given the active exploitation by botnets like RustoBot, the risk extends to participation in large-scale DDoS attacks, amplifying the potential impact on both the compromised organization and external targets.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-12987?

1. Have you updated all instances of DrayTek Vigor2960, Vigor300B, and Vigor3900 devices to firmware version 1.5.1.5 or later to mitigate the risk of CVE-2024-12987? If your devices were on version 1.0.5 or earlier, did you first upgrade to 1.0.7.1 before applying 1.5.1.5?
2. Have you implemented a Web Application Firewall (WAF) or Access Control Lists (ACLs) to filter unexpected parameters and disable unused CGI endpoints, specifically the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, to prevent the OS command injection vulnerability?
3. Have you deployed IDS/IPS signatures for CVE-2024-12987 and are you actively monitoring for inbound requests to /cgi-bin/mainfunction.cgi/apmcfgupload and anomalous User-Agent strings or unexpected HTTP/1.0 traffic patterns as part of your incident response strategy?
4. Given that the RustoBot botnet is actively exploiting this vulnerability, have you reviewed your logs for signs of exploitation and prepared for rapid rollback or device restoration in case of a suspected compromise?

Remediation Recommendations for Vendors Affected by CVE-2024-12987

• Upgrade Firmware: Immediately update affected DrayTek devices to firmware version 1.5.1.5. For devices on version 1.0.5 or earlier, first upgrade to 1.0.7.1 before applying the latest firmware.
• Restrict Management Access: Limit access to the Web Management Interface to trusted administrative networks; block direct internet exposure.
• Network Segmentation: Isolate device management VLANs and implement firewall rules to prevent lateral movement.
• Monitor & Detect: Scan for inbound requests to /cgi-bin/mainfunction.cgi/apmcfgupload and anomalous User-Agent strings or unexpected HTTP/1.0 traffic patterns.
• Harden Configuration: Employ a Web Application Firewall (WAF) or Access Control Lists (ACLs) to filter unexpected parameters and disable unused CGI endpoints.
• Incident Response: Review logs for signs of exploitation, deploy intrusion detection/prevention systems (IDS/IPS) signatures for CVE-2024-12987, and plan for rapid rollback or device restoration if compromise is suspected.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-12987?

Black Kite has issued the “DrayTek Vigor – May2025” FocusTag, providing high-confidence intelligence on vendors potentially exposed to CVE-2024-12987. This tag includes detailed information such as affected assets, IP addresses, and subdomains associated with vulnerable DrayTek deployments. By utilizing this FocusTag, TPRM professionals can:

CVE-2025-22157 – Atlassian Jira Data Center Privilege Escalation

What is the Jira Data Center Privilege Escalation Vulnerability (CVE-2025-22157)?

CVE-2025-22157 is a high-severity privilege escalation vulnerability affecting Atlassian Jira Core and Jira Service Management Data Center and Server editions. This flaw allows authenticated users with low-level permissions to perform actions under higher-privileged accounts by exploiting improper permission checks in Jira’s REST API and backend handlers. The vulnerability was introduced in versions 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core, and versions 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management.

With a CVSS score of 7.2 and an EPSS score of 0.05%, this vulnerability poses a significant risk, allowing attackers to compromise administrative functions, alter project configurations, and disrupt service-desk operations. As of now, there is no public PoC exploit code, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2025-22157?

Jira Data Center is widely used for project management, issue tracking, and service management across various industries. A privilege escalation vulnerability in such a critical system can lead to unauthorized access to sensitive data, disruption of workflows, and potential compliance violations. Third-party vendors using vulnerable versions of Jira may inadvertently expose your organization to these risks.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-22157?

1. Can you confirm if you have upgraded all instances of Jira Core Data Center & Server and Jira Service Management Data Center & Server to the recommended versions (9.12-series → ≥ 9.12.20; 10.3-series → ≥ 10.3.5; 10.4-series → ≥ 10.6.0; 10.5-series → ≥ 10.5.1) to mitigate the risk of CVE-2025-22157?
2. Have you implemented stricter privilege boundaries and temporary restrictions on low-privilege accounts until patches are applied as recommended in the advisory for CVE-2025-22157?
3. Have you enabled logging and alerts for privilege-sensitive API endpoints and administrative actions to monitor potential exploitation of the privilege escalation vulnerability (CVE-2025-22157) in Jira Core and Service Management?
4. Have you conducted an audit of existing project-level and read-only roles for unusual API activity as part of your response to the CVE-2025-22157 vulnerability?

Remediation Recommendations for Vendors Affected by CVE-2025-22157

• Upgrade Jira Immediately: Apply the latest patches provided by Atlassian to address CVE-2025-22157.
• Review Permissions: Conduct a thorough audit of user roles and permissions to ensure proper access controls are in place.
• Harden Access Controls: Implement stricter privilege boundaries and consider temporary restrictions on low-privilege accounts until patches are applied.
• Monitor & Alert: Enable logging and alerts for privilege-sensitive API endpoints and administrative actions to detect any suspicious activities.

How Can TPRM Professionals Leverage Black Kite for CVE-2025-22157?

Black Kite published the FocusTag for CVE-2025-22157 on May 22, 2025. This tag enables TPRM professionals to identify third-party vendors that may be affected by this vulnerability. By providing asset information such as IP addresses and subdomains, Black Kite allows for a more precise assessment of potential risks within your supply chain. Utilizing this information, you can prioritize remediation efforts, engage in informed discussions with vendors, and enhance your organization’s overall cybersecurity posture.

CVE-2025-47287 – Tornado Web Server DoS Vulnerability

What is the Tornado multipart/form-data Denial-of-Service vulnerability (CVE-2025-47287)?

CVE-2025-47287 is a high-severity Denial-of-Service (DoS) vulnerability affecting Tornado, a Python-based asynchronous web framework and networking library. The vulnerability arises from the way Tornado’s built-in multipart/form-data parser handles malformed inputs. In affected versions (all releases prior to 6.5.0), if the parser encounters certain structural issues in multipart requests, it logs a warning message but continues attempting to parse the rest of the request.

Because Tornado’s logging system operates synchronously by default, an attacker can remotely send a malformed multipart request to any vulnerable endpoint. This causes the application to generate a large volume of log entries, rapidly consuming disk space, CPU, and I/O resources. The attack does not require authentication or complex exploitation, and the affected parser is enabled by default.

This vulnerability carries a CVSS score of 7.5 (High) and an EPSS score of 0.10%. It was publicly disclosed on May 15, 2025, through GitHub’s security advisory system. There is no evidence of exploitation in the wild, and the issue has not been added to CISA’s Known Exploited Vulnerabilities catalog. Likewise, CISA has not issued an advisory regarding this vulnerability at this time.

Why Should TPRM Professionals Be Concerned About CVE-2025-47287?

While the vulnerability does not provide direct access to sensitive data or remote code execution capabilities, it poses a significant threat to service availability, which can have downstream effects on any integrated or dependent systems. Organizations using Tornado in public-facing APIs or web applications may experience partial or complete outages if targeted with malformed multipart/form-data payloads.

From a third-party risk management (TPRM) perspective, vendors who use Tornado in production environments without proper traffic filtering or resource limits may unknowingly expose critical services to denial-of-service scenarios. If such services are part of an enterprise’s supply chain—such as SaaS products or integration providers—disruptions may cascade into the organization’s own operations, undermining continuity and performance expectations.

Remediation Recommendations for Vendors Affected by CVE-2025-47287

Vendors who maintain Tornado-based systems should take the following technical steps to mitigate risk:

• Upgrade Framework: Update Tornado to version 6.5.0 or later, where the issue has been resolved.
• Proxy Mitigation: As a temporary measure, configure reverse proxies or Web Application Firewalls (WAFs) to block or rate-limit requests with Content-Type: multipart/form-data.
• Input Validation: Implement strict server-side validation of multipart payload structures before they are processed by Tornado’s parser.
• Resource Limiting: Enforce OS- or container-level resource quotas (e.g., for CPU, memory, and disk I/O) to prevent single services from exhausting shared system resources.
• Monitoring and Alerting: Set up logging and metric-based alerting to detect rapid increases in log volume or application latency.

How Can TPRM Professionals Leverage Black Kite for CVE-2025-47287?

Black Kite published the Tornado Web Server FocusTag on May 20, 2025, in response to the disclosure of CVE-2025-47287. This tag enables TPRM professionals to identify vendors potentially running vulnerable versions of Tornado, especially those with public-facing services that may accept multipart/form-data inputs.

The FocusTag offers very high confidence in product identification and includes granular intelligence such as subdomain and IP address visibility, helping organizations zero in on real exposure rather than issuing broad-based surveys. Operationalizing this tag allows risk teams to prioritize follow-ups with only the vendors that are relevant to this incident, saving time and reducing unnecessary noise in communication workflows.

The tag is set to expire on August 31, 2025, unless new developments warrant an update. Black Kite’s ability to tie internet-facing telemetry to software versioning ensures that customers receive actionable third-party insights rather than generic alerts.

CVE-2024-11182 – MDaemon Email Server XSS Vulnerability

What is the MDaemon Webmail XSS Vulnerability (CVE-2024-11182)?

CVE-2024-11182 is a medium-severity cross-site scripting (XSS) vulnerability affecting MDaemon Email Server versions prior to 24.5.1. The flaw resides in the webmail interface’s HTML email rendering component, where improper sanitization allows attackers to inject malicious JavaScript code via specially crafted emails. This vulnerability enables remote attackers to execute arbitrary scripts in the context of the user’s browser session, potentially leading to credential theft and unauthorized access to sensitive information.

The vulnerability has a CVSS score of 6.1 and an EPSS score of 37.33%. It was actively exploited as a zero-day by the Russia-linked threat actor APT28 (also known as Fancy Bear or Sednit) in a campaign dubbed “Operation RoundPress,” targeting government and defense sector webmail servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-11182 to its Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025, highlighting its active exploitation in the wild.

Why Should TPRM Professionals Be Concerned About CVE-2024-11182?

MDaemon Email Server is widely used by organizations for email communication. Exploitation of CVE-2024-11182 can lead to unauthorized access to email accounts, exposure of sensitive communications, and potential lateral movement within an organization’s network. For third-party risk management (TPRM) professionals, this vulnerability poses significant concerns:

• Data Exfiltration: Attackers can harvest credentials, contact lists, and email contents, leading to potential data breaches.
• Persistent Access: The use of malicious Sieve rules allows attackers to maintain access even after initial compromise.
• Supply Chain Risks: Vendors using vulnerable MDaemon versions may become entry points for attackers into larger networks.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-11182?

To assess the risk associated with this vulnerability, TPRM professionals should inquire:

1. Have you updated all instances of MDaemon Webmail to version 24.5.1 or later to mitigate the risk of CVE-2024-11182?
2. Can you confirm if you have implemented a strict Content Security Policy to block inline scripts and disabled automatic HTML email rendering as recommended in the advisory?
3. Have you audited Sieve rules to identify and remove any unauthorized mail-forwarding rules in users’ mailboxes that could be a result of the SpyPress stealer?
4. Are you monitoring for indicators such as unusual HTTP POSTs to compromised webmail servers, creation of atypical Sieve rules, and outbound traffic to known SpyPress C2 endpoints to detect any potential exploitation of CVE-2024-11182?

Remediation Recommendations for Vendors Affected by CVE-2024-11182

Vendors utilizing MDaemon Email Server should take the following actions:

• Immediate Patching: Upgrade to MDaemon version 24.5.1 or later to address the vulnerability.
• Disable HTML Rendering: Configure webmail clients to disable automatic HTML email rendering or enforce strict Content Security Policies (CSP) to mitigate XSS risks.
• Audit and Monitor: Regularly review mail forwarding rules and monitor for unusual activities, such as unexpected HTTP POST requests to known malicious domains.
• User Training: Educate users about the risks of opening emails from unknown sources and encourage reporting of suspicious activities.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-11182?

Black Kite provides visibility into third-party vulnerabilities, including CVE-2024-11182. By utilizing Black Kite’s platform, TPRM professionals can:

• Identify Exposure: Determine which vendors are running vulnerable versions of MDaemon Email Server.
• Assess Risk: Evaluate the potential impact of the vulnerability on the organization’s supply chain.
• Monitor Remediation: Track vendors’ progress in addressing the vulnerability and ensure timely patching.

Strengthening TPRM with Black Kite’s FocusTags™

When high-impact vulnerabilities like those found in Zimbra, DrayTek Vigor, Atlassian Jira Data Center, Tornado, and MDaemon emerge, time is of the essence. Black Kite’s FocusTags™ offer organizations a strategic advantage by transforming complex threat data into actionable intelligence—enabling faster, more focused responses to third-party exposure.

Here’s how FocusTags™ enhance your TPRM program:

• Vendor-Specific Vulnerability Detection: Black Kite pinpoints which of your vendors are at risk based on real-world data, including IPs and subdomains associated with vulnerable assets.
• Prioritized Risk Management: FocusTags™ help organizations allocate resources where it matters most—toward vendors affected by the most critical or actively exploited vulnerabilities.
• Informed Vendor Dialogue: Instead of generic outreach, you can ask precise, vulnerability-specific questions to assess a vendor’s mitigation strategy and security posture.
• Streamlined Incident Response: With enriched threat context and timely updates, FocusTags™ empower your TPRM team to act decisively when new vulnerabilities arise.

By operationalizing Black Kite’s FocusTags™, TPRM professionals can cut through the noise and quickly narrow their focus to the vendors that truly require attention—enhancing resilience in an ever-evolving threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Zimbra – May2025 : CVE-2024-27443, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration (ZCS).
• DrayTek Vigor – May2025 : CVE-2024-12987, OS Command Injection Vulnerability in DrayTek  Vigor Routers.
• Atlassian Jira Data Center : CVE-2025-22157, Privilege Escalation Vulnerability in Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server.
• Tornado Web Server : CVE-2025-47287, DoS Vulnerability in Tornado Web Server.
• MDaemon Email Server : CVE-2024-11182, Cross-Site Scripting (XSS) Vulnerability in MDaemon Email Server.
• Ivanti EPMM – May2025 : CVE-2025-4427, CVE-2025-4428, Authentication Bypass and Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile (EPMM)
• SysAid On-Premises : CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
• Apache ActiveMQ – May2025 : CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
• Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
• Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
• SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
• Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
• Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
• SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
• Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
• Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
• Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
• Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
• FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
• MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
• Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
• Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
• Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
• Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-27443
• https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes
• https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes
• https://nvd.nist.gov/vuln/detail/CVE-2024-12987
• https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf
• https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf
• https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf
• https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f
• https://cybersecuritynews.com/new-rust-botnet-hijacking-routers/
• https://nvd.nist.gov/vuln/detail/CVE-2025-22157
• https://jira.atlassian.com/browse/JRASERVER-78766
• https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
• https://vulmon.com/vulnerabilitydetails?qid=CVE-2025-47287
• https://nvd.nist.gov/vuln/detail/CVE-2025-47287
• https://nvd.nist.gov/vuln/detail/CVE-2024-11182#range-16046862
• https://files.mdaemon.com/mdaemon/beta/RelNotes_en.html
• https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html

The post Focus Friday: TPRM Insights into Zimbra, Draytek Vigor, Atlassian Jira Data Center, Tornado, and MDaemon Vulnerabilities appeared first on Black Kite.

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

With over 40,000 vulnerabilities disclosed last year—a 38% jump from the year prior—the real challenge for third-party risk management (TPRM) professionals isn’t knowing which risks exist. It’s knowing which ones to act on and how—a task made particularly difficult when managing risk across hundreds of vendors.

In Part 1 of our series, I introduced a three-dimensional approach to cybersecurity vulnerability management in TPRM—detailed in our 2025 Supply Chain Vulnerability Report—to help teams prioritize vulnerabilities in the supply chain based on severity, exploitability, and exposure. This dramatically narrows the field from tens of thousands of Common Vulnerabilities & Exposures (CVEs) to a much more manageable number.

But identifying risk is only half of the process. Acting on it is the other half.

In this second video, I walk through how TPRM teams can operationalize vulnerability intelligence, moving beyond theoretical prioritization to real-world application. Using tools like Black Kite’s FocusTags™, teams can gain clear visibility into which vulnerabilities are most urgent, which vendors might be exposed, and what steps to take for remediation.

View this video on YouTube.

Act On the Right Vulnerabilities With FocusTags™

A vulnerability’s CVSS score can clue you into potential severity, while its EPSS score can help predict the likelihood of exploitation. But neither tells the full story. Some vulnerabilities look dangerous on paper but are rarely exploited, while others fly under the radar until they become the entry point for a major breach. 

Black Kite’s FocusTags help security teams tell the difference, surfacing the CVEs that are highly likely to be exploited, regardless of their severity level. It does this by layering in real-world signals that indicate whether bad actors are likely to attack.

How to Filter CVEs by Real-World Exploitability:

1. CISA KEV inclusion: Has the vulnerability already been exploited in the wild?
2. Public exploit availability: Are proof-of-concept (PoC) exploits readily available?
3. Threat actor interest: Has it been mentioned in underground forums or used in attack campaigns?
4. Community discussions: Is there a surge in security researchers analyzing it?
5. Zero-day status: Is it newly disclosed with limited patches available?
6. Supply chain impact: Does it affect widely used products with third-party exposure?

Analyzing these risk factors, FocusTags help TPRM teams detect not just the most severe vulnerabilities, but also the ones most likely to be weaponized. Instead of reacting to every “critical” CVE, teams can focus on the ones that pose the greatest risk to their supply chain.

Risk Hunting, Not Just Monitoring

Most TPRM programs still depend on slow, reactive processes—waiting for vendor disclosures, following up on questionnaires, and hoping for timely responses. But the gap between disclosure and exploitation is shrinking fast: In 2021, attackers took 42 days on average to exploit a new CVE. By 2023, that window dropped to just 5 days. 

When exploitation moves that quickly, speed matters.

FocusTags enable a more proactive approach, helping security teams shift from passive monitoring to active risk hunting. Through Black Kite’s Risk Intelligence page, teams can identify which vendors are likely exposed, track changes in exposure over time, and access vendor-specific guidance to drive faster remediation.

To make action even more precise, we recently introduced Vulnerability Intelligence Briefs (VIBs) which offer detailed views of each CVE and where they are found in our customers’ supply chains. Think of them like baseball cards, but for vulnerabilities: each one gives you the essential stats you need to understand the risk and act fast.

If a CVE affects a vendor in your ecosystem, the brief tells you who’s likely running it and what questions to ask to confirm and resolve it. With these insights, you can act early, armed with the data needed to initiate informed, targeted vendor outreach.

The Future of TPRM Is Intelligence in Action

Third-party risk management isn’t about chasing every vulnerability—it’s about knowing which ones warrant your attention and moving quickly. And that requires more than static scores or vendor questionnaires. 

As exploitation timelines shrink and supply chains become more complex, security teams need context on which they can act. Tools like FocusTags help meet that need, highlighting the vulnerabilities that require immediate attention due to exposure, exploitability, and third-party risk.

This kind of actionable vulnerability assessment is what defines the future of TPRM. By understanding attacker behavior, identifying vendor exposure, and prioritizing action based on real-world signals, security teams can move beyond reactive patching and toward a more strategic defense of their third-party ecosystem.

Read the full 2025 Supply Chain Vulnerability Report for more insights on how to apply vulnerability intelligence across your vendor ecosystem.

The post How to Implement Vulnerability Management in TPRM appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we delve into high-profile incidents from a Third-Party Risk Management (TPRM) perspective. This week, we’re focusing on vulnerabilities discovered in Ivanti’s Endpoint Manager Mobile (EPMM). Specifically, we’ll address two critical flaws, CVE-2025-4427 (Authentication Bypass) and CVE-2025-4428 (Remote Code Execution), which, when exploited together, allow unauthenticated attackers to bypass authentication and execute arbitrary code remotely on affected systems. These vulnerabilities, if left unchecked, could pose a serious threat to organizations using Ivanti EPMM for mobile device management. Read on to explore the details and how Black Kite’s FocusTags™ can assist in managing the associated risks.

What is the Ivanti EPMM RCE and Authentication Bypass Vulnerability? (CVE-2025-4427, CVE-2025-4428)

Ivanti Endpoint Manager Mobile (EPMM) has two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, that are critical for organizations using this software for mobile device management. These vulnerabilities, when chained together, allow unauthenticated attackers to bypass authentication and execute arbitrary code remotely on the affected systems.

• CVE-2025-4427: This is an authentication bypass vulnerability that allows attackers to access protected resources without valid credentials. It has a medium severity level with a CVSS score of 5.3 and an EPSS score of 0.94%.
• CVE-2025-4428: This vulnerability is a remote code execution (RCE) flaw that enables attackers to execute arbitrary code on the target system. This vulnerability has a high severity level with a CVSS score of 7.2 and an EPSS score of 0.51%.

Both vulnerabilities were discovered and publicly disclosed in May 2025, and there are reports of active exploitation in the wild. However, no PoC exploit code has been publicly released. The vulnerabilities were not added to CISA’s KEV catalog as of the time of disclosure.

Why Should TPRM Professionals Care About These Vulnerabilities?

For third-party risk management (TPRM) professionals, these vulnerabilities pose a severe risk because they impact the integrity and availability of the mobile device management (MDM) infrastructure. Organizations using Ivanti EPMM for mobile device management may be exposed to potential breaches, unauthorized access, and even complete control over their devices and networks.

If attackers successfully exploit these vulnerabilities, they could gain access to sensitive data and internal configurations, leading to further lateral movement in the network. This makes it essential for TPRM professionals to assess the risk posed by vendors using Ivanti EPMM, especially those running vulnerable versions.

What Questions Should TPRM Professionals Ask Vendors About Ivanti EPMM Vulnerabilities?

• Have you applied the latest security patches to Ivanti EPMM (versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1)?
• What access control measures do you have in place to secure the Ivanti EPMM API, such as using a Web Application Firewall (WAF) or Portal ACLs?
• Can you confirm whether any unusual API requests or failed authentication attempts have been detected in your logs?
• If your organization is unable to immediately upgrade Ivanti EPMM, what mitigation strategies are in place to reduce the impact of these vulnerabilities?

Remediation Recommendations for Vendors Subject to This Risk

• Upgrade Ivanti EPMM to a fixed version: Apply the patches available in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1 to address both CVE-2025-4427 and CVE-2025-4428.
• Implement strong access control: Use Portal ACLs or an external WAF to restrict API access and ensure that only authorized services and IP addresses can interact with the EPMM API.
• Review and strengthen integrations: Ensure that critical integrations such as Windows Autopilot and Microsoft Graph API are properly configured to prevent disruptions.
• Monitor for signs of exploitation: Regularly review logs for failed authentication attempts and abnormal API requests, and follow up with Ivanti support if exploitation is suspected.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite’s FocusTag for Ivanti EPMM highlights the affected versions and helps TPRM professionals quickly identify vendors exposed to these critical vulnerabilities. By using Black Kite’s platform, TPRM teams can determine which vendors are affected, identify any potentially vulnerable assets (like IP addresses and subdomains), and prioritize outreach to those vendors for remediation.

The FocusTag also provides actionable intelligence, such as the specific versions at risk and recommendations for mitigations. This enables organizations to proactively manage their risk exposure and make data-driven decisions.

Since this is a new FocusTag, it provides an updated and detailed analysis of the risk posed by Ivanti EPMM vulnerabilities. Black Kite customers can operationalize this tag by integrating the identified vulnerabilities into their risk management workflows, ensuring a more targeted and efficient vendor outreach process.

Update on SAP NetWeaver Vulnerabilities: Threat Actor Activity Continues

In April 2025, Black Kite’s FocusTag for SAP NetWeaver included a series of vulnerabilities that continue to pose a significant threat to organizations relying on this enterprise platform. As of May 2025, the situation has escalated, with multiple ransomware groups now actively exploiting these vulnerabilities.

The CVE-2025-42999, an insecure deserialization vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader, has been added to the existing SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag. This vulnerability allows privileged users to upload untrusted serialized content, which, when deserialized, can severely compromise the system’s confidentiality, integrity, and availability.

The vulnerability has been actively exploited by several threat actor groups, including notorious ransomware gangs. As detailed in SAP’s May 2025 Security Patch Day alert, the RansomEXX and BianLian ransomware groups are targeting SAP NetWeaver systems with this flaw. While no ransomware payloads have been successfully deployed, the ongoing exploitation is a stark reminder of the continuing risk posed by this vulnerability. Additionally, several Chinese APT groups are also targeting unpatched NetWeaver instances, with evidence suggesting strategic objectives tied to espionage.

What Does This Mean for TPRM Professionals?

The addition of CVE-2025-42999 to the SAP NetWeaver FocusTag further emphasizes the critical nature of this vulnerability. TPRM professionals must now be even more vigilant in identifying vendors and third parties that rely on SAP NetWeaver systems. With active exploitation reported in the wild, including by sophisticated ransomware actors, the risk to organizations’ operational continuity is heightened.

If you’re managing third-party risks related to SAP NetWeaver, it is crucial to ensure that vendors have applied the latest patches and are actively monitoring for suspicious activity, especially around Visual Composer and its related components. Prompt remediation and proactive monitoring will be key to preventing a potential breach.

For those following the SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag, stay informed on new CVEs and exploit activity to adjust your risk mitigation strategies accordingly.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In today’s rapidly evolving cybersecurity landscape, staying ahead of vulnerabilities is crucial for robust Third-Party Risk Management (TPRM). Black Kite’s FocusTags™ provide essential insights and tools to effectively manage these risks, especially in the face of emerging threats like those found in Ivanti EPMM and SAP NetWeaver.

Here’s how Black Kite’s FocusTags™ can enhance your TPRM strategy:

• Real-Time Vulnerability Tracking: FocusTags™ allow TPRM professionals to quickly identify vendors affected by the latest vulnerabilities, enabling faster, more strategic responses.
• Risk Prioritization: FocusTags™ help prioritize risks based on the severity of vulnerabilities and the importance of affected vendors, ensuring resources are allocated where they’re needed most.
• Informed Vendor Conversations: FocusTags™ facilitate targeted and meaningful discussions with vendors, addressing their specific security posture in relation to identified vulnerabilities.
• Comprehensive Security Overview: With a clear, broad view of the threat landscape, FocusTags™ contribute to stronger, more proactive cybersecurity strategies.

Black Kite’s FocusTags™ transform complex cyber threat data into actionable intelligence, empowering TPRM professionals to effectively manage risks, reduce exposure, and bolster security.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Ivanti EPMM – May2025: CVE-2025-4427, CVE-2025-4428, Authentication Bypass and Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile (EPMM)
• SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
• Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
• Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
• Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
• SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
• Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
• Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
• SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
• Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
• Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
• Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
• Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
• FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
• MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
• Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
• Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
• Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
• Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
• SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-4427
• https://nvd.nist.gov/vuln/detail/CVE-2025-4428
• https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
• https://securityonline.info/ivanti-epmm-flaws-exploited-in-the-wild-chained-rce-and-auth-bypass-threaten-mobile-device-management/
• https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/
• https://securityonline.info/sap-security-alert-may-2025-patch-day-exposes-critical-threats/
• https://blackkite.com/blog/focus-friday-tprm-approach-to-sat-netweaver-vcframework-rce-and-apache-tomcat
• http-2-dos-and-rewrite-rule-bypass/
  

The post FOCUS FRIDAY: TPRM Insights on Ivanti EPMM and SAP NetWeaver Vulnerabilities – Ongoing Threat Actor/Ransomware Groups Activity appeared first on Black Kite.

Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

“What percentage of CVEs do you cover?” 

It’s a question we hear a lot at Black Kite. It’s reasonable on the surface, but ultimately misleading.

It’s like asking a meteorologist how many weather events they track. The number might be high, but it tells you nothing about whether a severe storm is headed for your house. The same logic applies here. The total count of vulnerabilities a platform covers—or claims to cover—doesn’t actually tell you how well it assesses risk to your business.

At Black Kite, we don’t optimize for volume. We optimize for relevance, discoverability, and actionability. Because when it comes to third-party risk, more data is not necessarily better data. It’s just more noise.

CVE ‘Coverage’ Doesn’t Tell the Whole Story

More than 40,000 CVEs were published in 2024. Narrow it down to those with a CVSS score above 9.0, and you’re still looking at more than 4,400 critical issues.

Understandably, many security teams start with scale: How much of that are we tracking? However, “coverage” is a flawed metric. Here’s why:

1. It depends entirely on the scope.
What’s being covered? Every CVE ever published? Just critical ones? Only those with active exploitation? The definition of “coverage” varies so widely that it becomes almost meaningless.

2. Visibility is variable.
We identify vulnerable software versions only when they’re visible via OSINT—through headers, banners, exposed services, and so on. Not every version leaves enough of a fingerprint to be seen externally (i.e., discoverable by bad actors). As detection techniques evolve, our coverage evolves. This isn’t a static number.

3. More CVEs don’t mean better insight.
If a system is severely outdated, it’s already high-risk. Tagging it with 500 additional CVEs doesn’t make it more actionable. In fact, it often dilutes the signal. What matters is knowing the right vulnerabilities, not all of them.

The takeaway? CVE count is a distraction. What’s important is whether the vulnerabilities you can see are the ones that matter—and whether they’re likely to be exploited in the wild.

What Actually Matters in Vulnerability Intelligence

At Black Kite, our job isn’t to show you every CVE (although we do offer quite a robust CVE database with TPRM insights to the public). For our customers, our job is to surface the few dozen vulnerabilities that truly matter for your vendor ecosystem—so you can act quickly and decisively.

We get there in two ways.

1. Auto-Scanning for Patch Management Risk

Our platform continuously scans exposed infrastructure using passive OSINT techniques like banner grabbing, protocol response analysis, and header inspection. From that, we extract product and version data (when available), match it to known Common Platform Enumerations (CPEs), and map it to vulnerabilities from NIST’s National Vulnerability Database.

We apply strict filters to keep the output meaningful:

• Focus on CVEs from the past two years unless they’re especially high-impact.
  
• Exclude low-severity vulnerabilities.
  
• Prioritize CVEs likely to be discoverable via OSINT.
  
• Limit the number of CVEs associated with a given asset.
  

For example, if we find a server running Windows Server 2008 R2, we flag the 10 most relevant CVEs. We don’t tag all 500-plus known vulnerabilities for that product. The additional volume wouldn’t change the risk signal. It’s already high.

2. FocusTags™ for High-Priority Threats

Some vulnerabilities warrant immediate action. For these, we created FocusTags™—a curated set of CVEs selected for their real-world risk based on exploitability, exposure, and threat actor interest.

For example, in 2024, more than 40,000 CVEs were published.

• Around 1,000 passed our initial risk filters.
  
• Of those, 780 were designated high-priority.
  
• 295 received FocusTags based on their visibility in OSINT and likely impact.

These tags often overlap with known exploited vulnerabilities—many of which we flagged before public exploitation was confirmed. In certain cases, we used advanced techniques like TLS certificate analysis or favicon hash matching to surface assets that don’t respond to traditional scanning methods.

A note: Black Kite is not a vulnerability scanner. We do not perform authenticated internal scans. Instead, we use OSINT to identify whether systems appear susceptible to known vulnerabilities. Our goal is to measure risk exposure—not confirm exploit paths or patch status.

Rethink Third-Party Vulnerability Management with Black Kite

Yes, the threat landscape is growing more complex. But so are the tools we have to manage it.

We no longer need to chase every vulnerability across every vendor. With the right intelligence, we can take a more targeted, more effective approach. That means better prioritization, smarter remediation, and stronger overall cyber resilience.Want to see what that looks like in practice? Read our full 2025 Supply Chain Vulnerability Report.

Dr. Ferhat Dikbiyik is the Chief Research & Intelligence Officer at Black Kite, where he leads BRITE, the team behind third-party risk intelligence, ransomware trend analysis, and the tools helping organizations stay three steps ahead of their next threat.

The post Why Counting CVEs Misses the Real Third-Party Risk appeared first on Black Kite.

Written by: Ferdi Gül

This week’s Focus Friday highlights four high-priority vulnerabilities affecting widely used enterprise technologies: SysAid On-Premises, Apache ActiveMQ, Webmin, and Couchbase Server. Each of these products serves a critical function—whether facilitating IT service management, message brokering, system administration, or database operations. Their importance makes them prime targets for exploitation, and this week’s disclosures demonstrate both the breadth and depth of third-party risks facing modern enterprises.

From pre-authentication remote code execution in SysAid to denial-of-service vulnerabilities in ActiveMQ, privilege escalation flaws in Webmin, and file disclosure issues in Couchbase, the potential for vendor-side compromise is substantial. This week’s blog dissects these incidents through a Third-Party Risk Management (TPRM) lens and explains how Black Kite’s FocusTags™ empower organizations to swiftly identify which vendors are truly at risk and prioritize outreach accordingly.

CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 – SysAid On-Premises XXE Injection Vulnerabilities

What are the SysAid On-Premises Pre-Auth XXE Vulnerabilities?

In March 2025, multiple critical pre-authentication XML External Entity (XXE) injection vulnerabilities were disclosed in SysAid On-Premises, a widely used IT Service Management (ITSM) solution. These flaws—CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777—impact the /mdm/checkin, /mdm/serverurl, and /lshw endpoints respectively. Improper XML parsing in these components allows attackers to inject external entities, enabling unauthenticated access to sensitive local files or performing Server-Side Request Forgery (SSRF).

The vulnerabilities are classified as Critical, each carrying a CVSS score of 9.3, although these scores were not officially published at the time of writing. A working Proof-of-Concept (PoC) exploit is publicly available. While these CVEs are not yet listed in CISA’s Known Exploited Vulnerabilities (KEV), historical precedence—such as the exploitation of CVE-2023-47246 by the Cl0p ransomware group—suggests high likelihood of active weaponization.

All three vulnerabilities are patched in SysAid On-Premises version 24.4.60 b16, released in March 2025. Earlier versions remain susceptible, including v23.3.40, the version confirmed to be vulnerable by researchers.

Why Should TPRM Professionals Be Concerned About These SysAid Vulnerabilities?

SysAid On-Premises is more than just helpdesk software—it is a business-critical, internet-facing ITSM platform. It manages internal tickets, configuration data, asset inventories, and privileged workflows across an enterprise. As such, any compromise could cascade across multiple internal systems.

The pre-authentication nature of these vulnerabilities significantly lowers the exploitation barrier, especially since one of the attack paths exposes the plaintext administrator password stored in the InitAccount.cmd file. With that credential, attackers gain privileged access to the SysAid environment, and in known exploit chains, this leads to Remote Command Execution (RCE) via a separate post-auth command injection vector.

Vendors using SysAid On-Premises are at elevated risk of compromise through:

• Data theft from internal ticketing systems
• Hijacking of asset and configuration repositories
• Leveraging helpdesk channels for internal spear-phishing
• Deployment of ransomware through administrative access

These risks multiply when threat actors use the platform as a pivot to access more sensitive parts of a vendor’s network.

What Questions Should TPRM Professionals Ask Vendors About These SysAid Vulnerabilities?

Organizations managing third-party risk should direct the following questions to vendors potentially using SysAid On-Premises:

1. Have you updated all instances of SysAid On-Premises to version 24.4.60 b16 or later to mitigate the risk of CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777?
2. Can you confirm that all external access points to SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) have been appropriately secured or restricted from unauthorized external connections to prevent XML External Entity (XXE) injection and Server-Side Request Forgery (SSRF)?
3. Have you implemented monitoring measures to detect suspicious or malicious requests targeting the SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) that were previously vulnerable to XXE injection and SSRF?
4. Have you reviewed and updated your incident response procedures to ensure rapid identification and remediation capabilities for XXE-based vulnerabilities, specifically those identified in CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following remediation steps to mitigate these vulnerabilities:

• Upgrade Immediately to SysAid On-Premises version 24.4.60 b16 or later.
• Restrict or firewall external access to /mdm/checkin, /mdm/serverurl, and /lshw endpoints to limit exposure.
• Audit the file system for the presence of InitAccount.cmd or other artifacts containing plaintext credentials and securely delete them.
• Continuously monitor logs for anomalous or suspicious activity directed at the vulnerable endpoints.
• Implement server-side XML parsing hardening practices across all Java-based services to prevent future XXE flaws.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the SysAid On-Premises [Suspected] FocusTag™ on May 7, 2025, identifying vendors potentially exposed to CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777. The FocusTag enables third-party risk managers to zero in on vendors that are running vulnerable assets, significantly reducing the time required to triage broad vulnerabilities.

The tag includes:

• Asset-level attribution such as IP addresses and subdomains hosting vulnerable versions
• Vendor-specific insights into deployment confidence levels (Medium in this case)
• References to public exploit code and vulnerability details

This tag empowers TPRM professionals to focus only on vendors truly at risk, minimizing redundant outreach and enabling faster remediation.

CVE-2025-27533 in Apache ActiveMQ

What is CVE-2025-27533 in Apache ActiveMQ?

CVE-2025-27533 is a medium-severity vulnerability identified in Apache ActiveMQ, a widely used open-source message broker. The flaw arises from improper validation of buffer sizes during the unmarshalling of OpenWire commands. An attacker can exploit this vulnerability by sending specially crafted OpenWire packets that trigger excessive memory allocation, leading to memory exhaustion and potential denial-of-service (DoS) attacks.

Exploit Conditions for CVE-2025-27533

An attacker can exploit this vulnerability only if all of the following are true:

1. OpenWire Protocol Is Reachable
   • The flaw is triggered during the unmarshalling of OpenWire commands.
   • The attacker must be able to send data over OpenWire (the protocol clients use to communicate with the ActiveMQ broker).
2. Mutual TLS (mTLS) Is Disabled
   • mTLS prevents unauthorized clients from connecting to the broker.
   • When mTLS is turned off (the default setting), attackers can readily establish sessions and deliver malicious OpenWire messages.
3. Authentication Is Not Enforced
   • If mTLS isn’t required, the broker may accept incoming connections without verifying credentials.
   • This allows unauthenticated, remote attackers to trigger memory exhaustion on the broker.

Although no PoC exploit code is currently available for CVE‑2025‑27533 and it remains tracked under Apache issue AMQ‑6596 without inclusion in CISA’s KEV catalog, its potential for unauthenticated memory‑exhaustion attacks against critical messaging brokers poses a serious reliability and availability risk in enterprise environments.

Why Should TPRM Professionals Care About CVE-2025-27533?

Apache ActiveMQ serves as a critical component in many enterprise environments, facilitating communication between different applications and systems. A DoS attack exploiting this vulnerability could disrupt business operations, leading to service outages and potential data loss. Furthermore, if mutual TLS (mTLS) is not enabled, attackers can exploit this vulnerability remotely without authentication, increasing the risk of widespread impact.

What questions should TPRM professionals ask vendors about CVE-2025-27533?

1. Have you updated all instances of Apache ActiveMQ to the patched versions (6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, 5.16.8 or later) to mitigate the risk of CVE-2025-27533?
2. Can you confirm if you have implemented Mutual TLS (mTLS) on your Apache ActiveMQ to prevent unauthorized clients from establishing connections to the broker and potentially exploiting CVE-2025-27533?
3. Have you set up automated monitoring and alerting for sudden spikes in memory usage or broker performance degradation, which may signal exploitation attempts of CVE-2025-27533?
4. Have you restricted network access to ActiveMQ broker ports—especially OpenWire (typically TCP port 61616)—to only trusted IP ranges or internal systems to mitigate the risk of CVE-2025-27533?

Remediation Recommendations for Vendors Subject to This Risk

• Upgrade Immediately: Update Apache ActiveMQ to one of the patched versions: 6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, 5.16.8 or later.
• Implement Mutual TLS: For affected brokers that cannot yet be upgraded, enforce mutual TLS (mTLS) to mitigate unauthenticated remote access.
• Restrict Network Access: Limit access to ActiveMQ broker ports—especially OpenWire (typically TCP port 61616)—to only trusted IP ranges or internal systems.
• Monitor Resource Usage: Set up automated monitoring and alerting for sudden spikes in memory usage or broker performance degradation.
• Inspect Logs and Network Traffic: Review ActiveMQ logs and network traffic for anomalies or malformed OpenWire command activity.
• Test Application Compatibility: After upgrading, validate that internal applications depending on ActiveMQ still function as expected.
• Use Web Application Firewalls (WAF) or Proxies: If possible, front ActiveMQ brokers with reverse proxies or WAFs that can enforce additional traffic validation and rate-limiting.
• Develop an Incident Response Plan: Prepare your IR team to respond to a broker-level DoS scenario by including procedures for isolating affected brokers, restarting services, and rerouting messaging workloads if necessary.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite provides continuous monitoring and risk assessment capabilities that can help TPRM professionals identify and manage vulnerabilities like CVE-2025-27533. By leveraging Black Kite’s platform, organizations can:

• Detects the presence of vulnerable Apache ActiveMQ instances within their vendor ecosystem.
• Assess the potential impact of CVE-2025-27533 on their supply chain.
• Receive timely alerts and recommendations for remediation actions.

Black Kite’s FocusTag™ for Apache ActiveMQ – May2025, published on May 8, 2025, offers detailed insights into this vulnerability, including affected versions, mitigation strategies, and monitoring recommendations. TPRM professionals can use this information to engage with vendors, ensure timely patching, and enhance their overall risk management posture.

CVE-2025-2774 – Webmin CRLF Injection Privilege Escalation Vulnerability

What is the Webmin CRLF Injection Privilege Escalation Vulnerability?

CVE-2025-2774 is a critical CRLF (Carriage Return Line Feed) injection vulnerability affecting Webmin versions prior to 2.302. This flaw arises from improper neutralization of CRLF sequences in CGI request handling, allowing authenticated attackers to manipulate HTTP headers and execute arbitrary code with root privileges. The vulnerability has a CVSS score of 8.8, indicating high severity and low exploit probability.

Discovered and reported to the vendor on February 28, 2025, the vulnerability was publicly disclosed on May 1, 2025. As of now, there is no evidence of exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Webmin is a widely used web-based system administration tool for Unix-like servers, with over a million installations worldwide. A successful exploit of CVE-2025-2774 could grant attackers root-level access, allowing them to:

• Modify or disrupt critical server configurations
• Access, modify, or exfiltrate sensitive data
• Deploy malware or establish persistent unauthorized access
• Disrupt services and operations

Given Webmin’s role in managing critical server functions, this vulnerability poses significant risks to organizations relying on it for system administration.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-2774?

1. Can you confirm if you have updated all your Webmin installations to version 2.302 or later to mitigate the risk of the CRLF Injection Privilege Escalation Vulnerability (CVE-2025-2774)?
2. Have you implemented robust access controls and limited user permissions to prevent low-privilege Webmin accounts from exploiting this vulnerability?
3. Are you actively reviewing your server and Webmin logs for signs of unusual or suspicious activities, particularly around CGI request handling, as a measure to detect potential exploitation of CVE-2025-2774?
4. Have you ensured that your incident response plans include scenarios involving privilege escalation and immediate steps for isolation, investigation, and remediation in the event of a successful exploitation of the CRLF Injection Privilege Escalation Vulnerability (CVE-2025-2774)?

Remediation Recommendations for Vendors Subject to This Risk

• Immediately update Webmin installations to version 2.302 or later.
• Restrict Webmin access to trusted networks and enforce strong authentication practices.
• Review server and Webmin logs diligently for signs of unusual or suspicious activities.
• Implement and maintain robust access controls, following the principle of least privilege.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag for CVE-2025-2774 on May 7, 2025. TPRM professionals can utilize Black Kite’s platform to identify vendors potentially affected by this vulnerability. The platform provides asset information, such as IP addresses and subdomains, associated with the vendors’ systems, enabling organizations to assess and manage third-party risks effectively.

CVE-2025-46619 – Couchbase Server Local File Inclusion Vulnerability

What is the Couchbase Server Local File Inclusion Vulnerability?

CVE-2025-46619 is a high-severity Local File Inclusion (LFI) vulnerability identified in Couchbase Server versions prior to 7.6.4 (all platforms) and 7.2.7 (Windows builds). Affected Versions are 7.6.3, 7.6.2, 7.6.1, 7.6.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x.

This flaw allows unauthorized users to access sensitive system files, such as /etc/passwd or /etc/shadow, without proper authorization. The vulnerability arises from improper access controls, enabling attackers to read arbitrary files on the server.

The vulnerability was publicly disclosed on April 30, 2025. As of now, there is no evidence of exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerability’s CVSS score of 7.6 is currently classified as High.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Couchbase Server is a widely-used NoSQL document database, integral to many enterprise applications. Exploitation of CVE-2025-46619 could allow attackers to access sensitive configuration files, leading to potential data breaches or system compromises. Given the prevalence of Couchbase in critical systems, this vulnerability poses a significant risk to organizations relying on it for data management.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-46619?

1. Have you upgraded all instances of Couchbase Server to version 7.6.4 (cross-platform) or 7.2.7 (Windows) to mitigate the risk of CVE-2025-46619?
2. Can you confirm that you have implemented monitoring and auditing measures to detect unusual file-read attempts, specifically related to potential exploitation of the Local File Inclusion (LFI) vulnerability in Couchbase Server?
3. Have you conducted an internal verification to inventory all Windows deployments of Couchbase Server and confirmed they are running versions 7.2.7 or higher?
4. Have you reviewed and adjusted the configuration of any web-facing interfaces to ensure they do not expose arbitrary file paths, as recommended in the remediation measures for CVE-2025-46619?

Remediation Recommendations for Vendors Subject to This Risk

• Immediately upgrade Couchbase Server to version 7.6.4 or 7.2.7 (for Windows) to remediate the LFI vulnerability.
• Restrict database process permissions to prevent unauthorized file reads.
• Ensure that any web-facing interfaces do not expose arbitrary file paths.
• Monitor access logs for unusual file-read attempts and conduct regular vulnerability scans.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag™ for CVE-2025-46619 on May 6, 2025. TPRM professionals can utilize Black Kite’s platform to identify vendors potentially affected by this vulnerability. The platform provides asset information, such as IP addresses and subdomains, associated with the vendors’ systems, enabling organizations to assess and manage third-party risks effectively.

Enhancing Vendor Risk Management with Black Kite’s FocusTags™

In an era where threat actors rapidly pivot to exploit newly disclosed vulnerabilities, organizations need fast, intelligent ways to assess third-party exposure. That’s where Black Kite’s FocusTags™ come into play—especially for critical flaws like those found in SysAid, Apache ActiveMQ, Webmin, and Couchbase Server.

Here’s how Black Kite’s FocusTags™ amplify TPRM efficiency and precision:

• Vendor-Specific Risk Identification: By tagging vendors with confirmed or suspected exposure to these vulnerabilities, FocusTags™ eliminate guesswork and reduce the number of vendors that require immediate attention.
• Asset-Level Context: Beyond just naming the vendor, FocusTags™ provide concrete intelligence—such as IP addresses or subdomains hosting vulnerable systems—making the risk truly actionable.
• Prioritized Outreach: Knowing which vendors are affected and how, enables TPRM teams to send targeted, informed questionnaires rather than blanketed inquiries that burden vendors and slow down triage.
• Holistic Threat Context: FocusTags™ incorporate exploitation status, CISA KEV presence, patch availability, and severity scoring, giving teams a full-spectrum view of risk.

With Black Kite’s FocusTags™, your organization is empowered to act swiftly and precisely—not just to understand where exposure exists, but to take meaningful, time-sensitive steps to reduce risk in a constantly evolving threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
• Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
• Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
• Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
• SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
• Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
• Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
• SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
• Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
• Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
• Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
• Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
• FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
• MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
• Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
• Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
• Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
• Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
• SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-2775
• https://nvd.nist.gov/vuln/detail/CVE-2025-2776
• https://nvd.nist.gov/vuln/detail/CVE-2025-2777
• https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
• https://thehackernews.com/2025/05/sysaid-patches-4-critical-flaws.html
• https://nvd.nist.gov/vuln/detail/CVE-2025-27533
• https://lists.apache.org/thread/8hcm25vf7mchg4zbbhnlx2lc5bs705hg
• https://gist.github.com/whichbuffer/7830c73711589dcf9e7a5217797ca617
• https://www.zerodayinitiative.com/advisories/ZDI-25-282/
• https://securityonline.info/cve-2025-2774-webmin-vulnerability-allows-root-level-privilege-escalation/
• https://www.couchbase.com/alerts/
• https://nvd.nist.gov/vuln/detail/CVE-2025-46619
• https://securityonline.info/cve-2025-46619-lfi-vulnerability-affects-multiple-versions-of-couchbase-server-for-windows/

The post Focus Friday: TPRM Insights Into SysAid, ActiveMQ, Webmin, and Couchbase Server Vulnerabilities appeared first on Black Kite.

Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

From corporate-sounding breach statements to templated negotiations and ESXi support, LockBit blurred the line between cybercrime and customer service — until they were hacked themselves.

If you’ve ever imagined ransomware gangs as chaotic bands of hoodie-wearing hackers launching attacks from the shadows, LockBit would like a word — preferably via encrypted chat, with structured pricing, timezone-aware support, and test decrypts to elp you “experience the product” before buying.

LockBit operates with a surprising level of business sophistication, offering structured pricing, customer support, and even test decrypts. This article details their corporate-like breach announcement after being hacked themselves, their tiered negotiation tactics, and their understanding of enterprise IT environments like ESXi. Ultimately, defenders need to recognize this business-like approach to ransomware in order to better anticipate and prevent future attacks.

LockBit Is All Business

After being hacked themselves on May 7, 2025, LockBit released a statement so polished it could’ve been run through a corporate PR team:

“I’m currently investigating how the breach happened and rebuilding the system… no decryptors or any stolen company data were harmed. The full panel and blog are still operational.”

They even offered to pay for intel on the perpetrator (“xoxo” from Prague) — a move eerily reminiscent of a bug bounty program, though they may have just misread a cheeky “hugs and kisses from Prague” sign-off as a hacker’s handle.

Yes, you read that correctly.

This isn’t just ransomware. It’s ransomware-as-a-business.
And if LockBit had an investor pitch deck, I wouldn’t be surprised if it included growth charts and an affiliate referral program.

But that’s the thing: LockBit wasn’t just a criminal enterprise. It was a business. A brand. A platform.
And just like any startup past its prime, it had structured pricing, technical documentation, customer onboarding…and a spectacular fall.

From Peak Power to a Platform Breach

Before Operation Cronos dismantled parts of its infrastructure earlier this year, LockBit was the reigning king of ransomware. They leaked data from over 200 victims per month, supported hundreds of affiliates, and ran a criminal operation with all the polish of a B2B tech firm.

After Cronos, that number dropped to single digits per month. Many affiliates walked away. And when LockBit got breached themselves, the mask slipped, revealing not just their systems, but their business logic.

The leaked negotiation chats read less like ransom demands and more like CRM transcripts.

How to Sell a Ransom, LockBit Style

LockBit’s chats followed a consistent rhythm: name your price, offer a taste, apply pressure, close the deal. Sound familiar?

1. Negotiation, But Make It Tiered

One small business pleads:

“We feel like the price is high. Can we agree on $3,600?”

LockBit’s response?

“Ok, $3600” (reduced from $4,000)

But after an initial discount, they’re not here for haggling:

“no”
“There will be no more talk about discounts.”

Ransom pricing was neatly aligned with perceived company size:

• Small businesses: $1,500–$4,000
• Mid-sized companies: $30K–$70K
• Large enterprises: $100K–$150K+
  

Total across all negotiations: $767,800
Average ask: $40,410

This isn’t chaos. It’s value-based pricing.

2. Customer Service Scripts, with Encryption

“You can attach a few files for test decryption by packing them into an archive…”
“Please wait for a reply, sometimes it takes several hours due to possible time zone differences.”

These lines appear over and over — clearly copy-pasted. 

We’re not dealing with improvisation here. We’re dealing with internal playbooks and canned responses. Like Zendesk, but for extortion.

3. Trust-Building with Freemium Tactics

Need proof that the decryptor works? No problem.

“We can decrypt few random files for FREE.”
“You will need to disable your AV and just run the .exe decryptor.”

That’s not just social engineering. That’s product-led growth.

4. Fear, Shame, and a Bit of Taunting

In one case, a desperate employee begs:

“Please don’t spoil my life… My company will file a case on me… My family will be suffered.”
LockBit replies coldly: “I can’t help you, it’s to end this dialog.”

Elsewhere, they mock:

“You know your pass: P@ssw0rd”

They don’t just threaten. They undermine your confidence.

5. Targeted Pressure, Personalized Pricing

LockBit tailors its tactics to your environment:

“We found a lot of contact information of your employees, clients, partners…”
“We will try to convey information about the leak to each of these contacts.”

And if you’re rich?

“I saw your financial report. Our price is not big for you.”
“The price…was formed based on the indicators of your company.”

This is market segmentation, but for criminal revenue.

6. Enterprise IT Support… from Criminals

Need to decrypt an ESXi cluster? LockBit’s got you.

“Log in to vCenter, enable SSH, upload decryptor… run ./decrypt… check decrypt.llg log…”
“Do not run multiple decryptors simultaneously… or files may be corrupted.”

We’ve seen fewer steps in vendor documentation.
These actors understand virtualization, backup systems, and endpoint behavior.

This isn’t script kiddie territory. This is ransomware with release notes.

The Breach Heard Around the Dark Web

When LockBit got breached, the illusion cracked.

They scrambled to assure “customers” that nothing critical was lost, systems were being rebuilt, and operations were ongoing. The message, minus the extortion and anonymity, would be right at home in an AWS status update.

The offer to pay for intel on “xoxo from Prague” (which again, might’ve just been a sarcastic sign-off) cemented the absurdity: even ransomware groups are vulnerable to phishing and misinterpretation.

They were so committed to acting like a business… they ended up reacting like one too.

Lessons for Defenders

So what now?

LockBit may be on the decline, but the playbook they wrote will outlive them. And the next ransomware “startup” will come with better UX, faster support, and cleaner infrastructure.

To stay ahead, we need to:

• Monitor for ransomware susceptibility, not just breaches
• Assess vendor-level risk posture, continuously
• Recognize criminal operations behaving like product teams

At Black Kite, we’ve developed tools like the Ransomware Susceptibility Index® (RSI™) and FocusTags™ to help our clients and their vendors stay ahead of this evolution — not just after an incident, but before they become one.

Because if ransomware syndicates are going to act like businesses, it’s time we start treating them like competitors — not just criminals.

Dr. Ferhat Dikbiyik is the Chief Research & Intelligence Officer at Black Kite, where he leads BRITE, the team behind third-party risk intelligence, ransomware trend analysis, and the tools helping organizations stay three steps ahead of their next threat.

The post Your Friendly Neighborhood Ransomware Syndicate Will See You Now appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we approach the latest critical vulnerabilities through a third-party risk management lens. We begin with SAP NetWeaver Visual Composer’s unauthenticated file upload RCE (CVE-2025-31324), a zero-day actively exploited on over 1,200 servers. Then, we turn to Apache Tomcat’s April 2025 issues—CVE-2025-31650 (HTTP/2 memory-leak DoS) and CVE-2025-31651 (rewrite-rule bypass)—which pose denial-of-service and data-exposure risks. In each section, we’ll outline key details, TPRM-specific questions, and actionable remediation steps, before demonstrating how Black Kite’s FocusTags™ streamline vendor risk identification and response.

CVE-2025-31324 in SAP NetWeaver VCFRAMEWORK

What is the SAP NetWeaver VCFRAMEWORK RCE vulnerability?

This issue is an unauthenticated file-upload flaw in the Metadata Uploader component of SAP NetWeaver Visual Composer (VCFRAMEWORK). Attackers can send crafted POST requests to /developmentserver/metadatauploaderto place JSP, WAR, or JAR payloads on the server, then invoke them via simple GET requests—achieving full remote code execution and system takeover.
It is rated Critical with a CVSS v3.1 base score of 10.0 SAP Support Portal and carries an EPSS score of 55.64%. The National Vulnerability Database first published the CVE on April 24, 2025.
Exploitation in the wild has been observed since at least March 27, 2025, primarily targeting manufacturing environments and deploying webshells such as helper.jsp and cache.jsp. Post-exploit tooling includes Brute Ratel C2 and Heaven’s Gate for stealthy persistence (per FocusTag details).
This CVE was added to CISA’s Known Exploited Vulnerabilities catalog on April 29, 2025. CISA has not issued a separate advisorial beyond the KEV entry.

Why should TPRM professionals care?

SAP NetWeaver is a widely deployed application server and development platform—often underpinning critical business processes. An unauthenticated RCE in a Visual Composer add-on can lead to full server compromise, unauthorized data access, lateral movement, and supply‐chain ripple effects. TPRM teams must ensure that any third‐party vendors using VCFRAMEWORK have assessed their exposure and applied mitigations promptly to avoid costly incident response and reputational damage.

What questions should TPRM professionals ask vendors about CVE-2025-31324?

To assess vendor risk, consider asking:

1. Have you applied the emergency patch, SAP Security Note 3594142, to all instances of SAP NetWeaver AS Java 7.xx with the Visual Composer (VCFRAMEWORK) component installed to mitigate the risk of CVE-2025-31324?
2. Have you conducted an audit to search for and remove unauthorized JSP/WAR/JAR files under ‘…/irj/servlet_jsp/irj/root/’ that may have been uploaded due to the vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer?
3. Have you implemented measures to restrict access to all Metadata Uploader URL variants via SICF, especially if Visual Composer is unused, to prevent unauthenticated file uploads and remote code execution?
4. Are you actively monitoring your NetWeaver logs and alerting on POSTs to uploader endpoints that return HTTP 200 without an authentication challenge to detect potential exploitation of CVE-2025-31324?

Remediation Recommendations for Vendors subject to this risk

Vendors should take the following steps immediately:

• Apply the Emergency Patch: Deploy SAP Security Note 3594142 (released April 25, 2025) without delay.
• Restrict Endpoint Access: Disable or firewall all Metadata Uploader URL variants via SICF if Visual Composer is unused.
• Audit & Remediate: Search for JSP/WAR/JAR files in the servlet paths and remove any unauthorized webshells.
• Monitor & Detect: Forward NetWeaver logs to your SIEM; alert on HTTP 200 POSTs to uploader endpoints that bypass authentication.
• Harden Configurations: Enforce HTTPS, require authentication on portal interfaces, and restrict access to trusted hosts.
• Run Scanners: Use available CVE-2025-31324 scanning tools to identify remaining exposures and verify remediation.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag on April 29, 2025, highlighting over 1,200 exposed servers and active exploitation trends. Within the Black Kite platform, TPRM teams can:

• Identify at-risk vendors: Automatically surface which third parties in your ecosystem host vulnerable Visual Composer instances.
• Pinpoint vulnerable assets: Obtain IP addresses and subdomains linked to exposed VCFRAMEWORK components.
• Track remediation progress: Monitor vendor patch status and anomalous telemetry around the /metadatauploader endpoint.

Drive focused outreach: Narrow questionnaires and assessments to only those vendors with confirmed exposure, reducing vendor fatigue and accelerating risk mitigation.

CVE-2025-31650 & CVE-2025-31651 in Apache Tomcat

What are the CVE-2025-31650 and CVE-2025-31651 vulnerabilities?

CVE-2025-31650 is a denial-of-service issue in Tomcat’s HTTP/2 implementation: malformed priority headers lead to incomplete request cleanup, causing a memory leak and eventual server crash. It carries a CVSS v4 score of 8.7 and an EPSS of 0.03%.
CVE-2025-31651 is a rewrite-rule bypass flaw in Tomcat’s RewriteValve: certain percent-encoded paths slip past security rules, exposing JSP shells or confidential files. It has a CVSS v3.1 score of 7.5 and an EPSS of 0.02%.
Both were first published on April 28, 2025 National Vulnerability DatabaseNational Vulnerability Database. Public proof-of-concept code exists for each, but no active exploitation has been reported and neither appears in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care?

Apache Tomcat powers countless web applications. A DoS can disrupt critical services and lead to business outages, while a rewrite-rule bypass can expose sensitive data and application logic. In a third-party risk context, vendors running affected versions—even if not compromised—pose material operational and data-exposure risks.

What questions should TPRM professionals ask vendors about these flaws?

To home in on true exposure, consider asking:

1. Have you updated all instances of Apache Tomcat to versions 9.0.104, 10.1.40, or 11.0.6 (or later) to mitigate the risk of CVE-2025-31650 and CVE-2025-31651?
2. Can you confirm if you have disabled HTTP/2 or the RewriteValve entirely if your application does not explicitly require them, as recommended in the advisory to mitigate the risk of CVE-2025-31650 and CVE-2025-31651?
3. Have you implemented runtime protections such as using a reverse proxy (e.g. NGINX, Apache HTTPD) to filter out invalid HTTP/2 frames and suspicious URL-encoded paths before they reach Tomcat, as recommended in the advisory?
4. Have you audited and strengthened your RewriteValve rules, including adding explicit RewriteCond checks to reject requests containing %3F, %25, or other high-risk encodings, as recommended in the advisory to mitigate the risk of CVE-2025-31651?

Remediation Recommendations for Vendors subject to this risk

Vendors should:

• Upgrade to Fixed Versions: Immediately move to Apache Tomcat 9.0.104, 10.1.40, or 11.0.6 (or later).
• Harden HTTP/2 Configuration: Disable HTTP/2 if not required; otherwise, enforce valid priority header parsing at the proxy or WAF.
• Review RewriteValve Rules: Ensure canonicalization of percent-encoded paths and add explicit RewriteCond checks for high-risk encodings.
• Implement Runtime Protections: Use a reverse proxy or WAF to drop malformed HTTP/2 frames and suspicious URL-encoded requests before they reach Tomcat.
• Monitor & Alert: Instrument JVM memory metrics for early out-of-memory warnings; log and alert on anomalous priority headers or percent-encoded URIs.

How TPRM professionals can leverage Black Kite for these Apache Tomcat vulnerabilities

Black Kite published the “Apache Tomcat – Apr2025” FocusTag on April 30, 2025, highlighting both DoS (CVE-2025-31650) and rewrite-rule bypass (CVE-2025-31651) flaws. Through the platform, TPRM teams can:

• Identify exposed vendors running affected Tomcat versions with HTTP/2 or RewriteValve enabled.
• Obtain asset details—including IP addresses and subdomains—hosting vulnerable instances.
• Track patch deployment and anomalous activity around HTTP/2 and rewrite endpoints.

Target outreach to only vendors with confirmed exposure, reducing questionnaire overload and speeding mitigation.

Elevating TPRM Outcomes With Black Kite’s FocusTags™

Black Kite’s FocusTags™ are essential for transforming raw vulnerability data into TPRM-ready intelligence. With tags for SAP NetWeaver VCFRAMEWORK and Apache Tomcat’s April 2025 flaws, TPRM teams can:

• Rapid Vendor Exposure Discovery: Flag which suppliers run the vulnerable Visual Composer component or affected Tomcat versions with HTTP/2 or RewriteValve enabled.
• Precise Asset Mapping: Retrieve IP addresses and subdomain details tied to exposed servers for targeted assessments.
• Risk Prioritization: Focus remediation by combining vulnerability severity (critical RCE vs. high DoS/bypass) and vendor importance.
• Efficient Vendor Engagement: Tailor questionnaires and follow-ups only to vendors with confirmed exposures, cutting down on outreach volume.
• Ongoing Monitoring: Track patch deployment status and detect post-patch exploitation attempts around /metadatauploader endpoints or malformed HTTP/2 traffic.

By integrating these FocusTags™ into your TPRM workflow, you gain a data-driven method that accelerates vendor risk reduction and boosts overall supply-chain resilience.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
• Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
• Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
• SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
• Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
• Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
• Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
• Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
• FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
• MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
• Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
• Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
• Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
• Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
• SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
• MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-31324
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
• https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
• https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/
• https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-31324%2B&dataset=unique_ips&limit=1000&group_by=geo&style=stacked
• https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
• https://lists.apache.org/list.html?announce@tomcat.apache.org
• https://nvd.nist.gov/vuln/detail/CVE-2025-31650
• https://nvd.nist.gov/vuln/detail/CVE-2025-31651
• https://securityonline.info/apache-tomcat-security-update-fixes-dos-and-rewrite-rule-bypass-flaws/
• https://github.com/absholi7ly/TomcatKiller-CVE-2025-31650/blob/main/TomcatKiller.py
• https://github.com/gregk4sec/CVE-2025-31651/blob/main/CVE-2025-31651.md

The post Focus Friday: TPRM Approach to SAP NetWeaver VCFRAMEWORK RCE and Apache Tomcat HTTP/2 DoS and Rewrite-Rule Bypass appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we spotlight emerging cybersecurity threats through the lens of Third-Party Risk Management (TPRM). As organizations continue to rely heavily on digital ecosystems involving hundreds or thousands of vendors, a single vulnerability in a third-party product can ripple across entire supply chains. This week, we analyze three critical issues affecting high-profile technologies used globally: the exploitation of Fortinet SSL-VPN vulnerabilities through a symlink backdoor, a DoS flaw in SonicWall’s Gen7 SSLVPN interface, and a resource exhaustion vulnerability in Redis servers. Each of these poses unique challenges for TPRM professionals seeking to evaluate vendor exposure and reduce systemic risk.

Through the use of Black Kite’s FocusTags™, organizations can more effectively identify which vendors are likely impacted, prioritize mitigation efforts, and streamline communication. Let’s break down the technical and strategic implications of each threat.

Fortinet Symlink Backdoor: Legacy CVEs Continue to Impact Organizations

What is the Fortinet Symlink Backdoor and Which Vulnerabilities Are Involved?

A newly identified post-exploitation method has come to light, which exploits previously patched FortiGate vulnerabilities—CVE‑2022‑42475, CVE‑2023‑27997, and CVE‑2024‑21762. This technique involves the creation of symbolic links within the SSL-VPN language files directory, effectively leveraging access to gain persistent visibility into the root file system. Upon gaining access to a vulnerable FortiGate device, attackers created symbolic links in the public-facing language folder, enabling them to bypass patching efforts and maintain read access to critical system files—even after the original flaws had been remediated.

• CVE-2022-42475: A heap-based buffer overflow vulnerability in FortiOS SSL-VPN, allowing arbitrary code execution. CVSS: 9.8, EPSS: 93.17%​
• CVE-2023-27997: A heap-based buffer overflow in FortiOS and FortiProxy SSL-VPN, enabling remote code execution. CVSS: 9.8, EPSS: 90.28%​
• CVE-2024-21762: An out-of-bounds write vulnerability in FortiOS, leading to arbitrary code execution. CVSS: 9.8, EPSS: 91.91%​

According to telemetry from the Shadowserver Foundation, over 16,620 FortiGate devices across the globe have been compromised through this symlink backdoor. The majority of these cases are concentrated in Asia, followed by Europe and North America.

Proof-of-concept exploit code for the related vulnerabilities is readily available online. All three CVEs involved were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in 2022, 2023, and 2024, reflecting their known exploitation in real-world attacks. Notably, Black Kite previously issued FocusTags™ for two of these vulnerabilities: CVE‑2024‑21762 was tagged with the “FortiOS SSL VPN [Suspected]” label on February 9, 2024, while CVE‑2022‑42475 was covered under the “APT‑Risk: FortiOS/Zoho” tag on September 7, 2023. Customers who responded to those alerts likely addressed the underlying vulnerabilities proactively. However, this newly emerged post-exploitation technique warrants renewed attention.

Each of these vulnerabilities is known to be actively exploited in the wild. CVE-2022-42475 has been linked to APT5, Volt Typhoon, and UNC3886, and associated with malware families such as BOLDMOVE, Coathanger, and NoName. CVE-2023-27997 has been exploited by Volt Typhoon, APT15, APT31, Fox Kitten, RansomHub, and MirrorFace, with related malware including Coathanger, LODEINFO, NOOPDOOR, and RansomHub. CVE-2024-21762 has also seen confirmed exploitation by Volt Typhoon, often using the Coathanger and Black Basta malware families. While there is no confirmed proof that CVE-2024-21762 was directly used to plant this specific symlink backdoor, its exploitation remains highly probable and cannot be ruled out.

CISA added CVE-2023-27997 to its Known Exploited Vulnerabilities (KEV) catalog on June 13, 2023, and CVE-2024-21762 on February 9, 2024 . CVE-2022-42475 has also been associated with nation-state threat actors.

Why Should TPRM Professionals Be Concerned About This Backdoor?

FortiGate devices are widely used for network security, including firewall and VPN functionalities. A compromised FortiGate device within a vendor’s infrastructure can lead to unauthorized access to sensitive data, configuration files, and network traffic. This persistent access poses significant risks, including data breaches and lateral movement within networks.​

What Questions Should TPRM Professionals Ask Vendors Regarding This Issue?

To assess the risk associated with this backdoor, consider asking vendors the following questions:

1. Have you upgraded your Fortinet devices to the patched FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to mitigate the risk of CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762?
2. Have you implemented the recommended actions such as hardening SSL-VPN configurations, continuous monitoring, forensic assessment & cleanup, and deploying AV/IPS signatures to detect and remove the malicious symbolic link?
3. Can you confirm if you have disabled SSL-VPN if not in use, or restricted access to trusted IPs only, as part of your mitigation strategy against the persistent symlink exploit in Fortinet devices?
4. Have you conducted a forensic investigation to identify and remove lingering symlinks, reset all credentials, revoke certificates, and rotate secrets that may have been exposed due to the exploitation of CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk associated with the Fortinet Symlink Backdoor:

• Update FortiOS: Upgrade to the latest FortiOS versions that address the known vulnerabilities and remove the symlink backdoor.​
• Inspect for Indicators of Compromise: Examine FortiGate devices for unauthorized symbolic links and other signs of compromise.​
• Review SSL-VPN Configurations: Ensure that SSL-VPN settings are secure and do not allow unauthorized access to sensitive directories.​
• Implement Monitoring and Alerting: Set up continuous monitoring to detect unusual activities or configurations within FortiGate devices.​

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides a FocusTag for the Fortinet Symlink Backdoor, enabling organizations to identify vendors potentially affected by this issue. The FocusTag includes detailed information about the associated vulnerabilities, affected assets, and remediation guidance. By utilizing this FocusTag, TPRM professionals can prioritize their risk assessments, focusing on vendors with known exposures, and facilitate targeted remediation efforts.​

CVE-2025-32818 in SonicWall SSLVPN Gen 7

What is the SonicWall SSLVPN DoS Vulnerability?

CVE-2025-32818 is a high-severity vulnerability impacting the SonicWall SonicOS SSLVPN Virtual Office interface, identified as a Null Pointer Dereference issue. This flaw allows unauthenticated remote attackers to crash the firewall, leading to a Denial-of-Service (DoS) condition. The vulnerability affects Gen7 firewall models and NSv platforms running firmware versions 7.1.1-7040 through 7.1.3-7015, and TZ80 models on version 8.0.0-8037 or earlier.

Disclosed publicly on April 23, 2025, by SonicWall PSIRT (Advisory ID: SNWLID-2025-0009), the vulnerability has a CVSS v3 score of 7.5 and an EPSS score of 0.04%. It is exploitable only if the SSLVPN service is enabled. While proof-of-concept exploit code is not yet publicly available, and the issue is not included in CISA’s Known Exploited Vulnerabilities catalog, proactive mitigation is strongly encouraged. Given the firewall’s critical role in securing remote access, any disruption to its availability can impact business continuity.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

SonicWall Gen7 devices are widely deployed by vendors for secure remote access. These devices protect sensitive traffic through their SSLVPN services, and a crash of such a firewall can mean sudden loss of remote connectivity, disruption of business-critical workflows, and exposure to further compromise during downtime. Even though this vulnerability does not allow code execution or data exfiltration directly, it can be weaponized for targeted service disruption—especially in organizations that rely on 24/7 availability.

From a third-party risk perspective, a vendor with vulnerable or improperly configured SonicWall devices may lose access to essential services or fail to meet service-level agreements (SLAs). If exploited during an incident, the firewall’s unavailability can also delay incident response or containment activities.

What questions should TPRM professionals ask vendors about CVE-2025-32818?

To better understand vendor exposure and readiness, consider asking:

1. Have you updated your Gen7 NSv & Firewalls to SonicOS 7.2.0-7015 or later, and TZ80 to 8.0.1-8017 or later to mitigate the risk of CVE-2025-32818?
2. Can you confirm if the SSLVPN service on your SonicWall devices has been disabled to prevent the exploitation of the Null Pointer Dereference issue in the SonicOS SSLVPN Virtual Office interface?
3. Have you observed any unexpected reboots or service interruptions in your Gen7 NSv (NSv 270, NSv 470, NSv 870), Gen7 Firewalls (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700: Firmware 7.1.1-7040 through 7.1.3-7015 (7.1.x)) and TZ80: 8.0.0-8037 and earlier, which could indicate a Denial-of-Service attack due to CVE-2025-32818?
4. Have you implemented strict access controls on all management interfaces and disabled unused services on your SonicWall devices as a part of hardening measures against potential exploitation of CVE-2025-32818?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using SonicWall SSLVPN Gen7 appliances should take the following remediation steps:

• Apply Firmware Updates: Upgrade all affected Gen7 Firewalls and NSv platforms to version 7.2.0-7015 or higher, and TZ80 devices to 8.0.1-8017 or higher.
• Temporarily Disable SSLVPN: If patching cannot be performed immediately, disable the SSLVPN service to prevent exploitation.
• Audit System Logs: Review logs for signs of service crashes or abnormal behavior linked to SSLVPN usage.
• Restrict Access: Limit external access to the SSLVPN interface through IP whitelisting and network segmentation.
• Review Configuration: Ensure unnecessary services, especially public-facing features like Virtual Office, are disabled when not in use.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the SonicWall SSLVPN Gen7 FocusTag on April 25, 2025, enabling TPRM teams to pinpoint vendors potentially exposed to CVE-2025-32818. This tag provides asset-level visibility, including IP addresses and service banners that indicate the presence of vulnerable configurations.

By using this FocusTag, risk managers can prioritize outreach to vendors actively running impacted SonicWall models and validate whether they’ve implemented mitigation steps. If a vendor has SonicWall SSLVPN publicly exposed, the tag surfaces this directly, significantly reducing the scope of your due diligence efforts.

This tag is especially useful for organizations relying on multiple vendors that use SonicWall for remote access, helping you rapidly assess operational impact and contain downstream availability risks before they escalate.

CVE-2025-21605 in Redis Server

What is the Redis Server DoS Vulnerability?

CVE-2025-21605 is a high-severity Denial-of-Service (DoS) vulnerability impacting Redis servers. The flaw arises due to unlimited growth of output buffers, caused by an unauthenticated client sending commands or triggering repeated “NOAUTH” responses when password authentication is enabled. If exploited, the Redis server’s memory can be completely exhausted, causing the service to crash. This vulnerability carries a CVSS v3 score of 7.5 and an EPSS score of 0.04%.

First publicly disclosed on April 23, 2025, via GitHub Security Advisories (GHSA-r67f-p999-2gff), the issue affects Redis versions from 2.6 up to but not including 7.4.3. Although no proof-of-concept exploit code is publicly available at this time, Redis’s widespread deployment in production environments elevates the concern. As of today, CVE-2025-21605 has not been added to CISA’s Known Exploited Vulnerabilities catalog, and no advisory has been released by CISA.

Redis maintainers have addressed this vulnerability in Redis 7.4.3, where sensible client output buffer limits have been introduced.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Redis servers are commonly used to cache critical application data, manage sessions, and handle real-time information. A service crash triggered by an unauthenticated client could lead to serious disruption in vendor environments, including website outages, application failures, and business process interruptions.

From a TPRM perspective, any vendor relying on exposed or improperly secured Redis instances is at risk of operational downtime without advance warning. In environments where Redis clusters are part of larger SaaS offerings or critical backend systems, a DoS incident could cascade across dependent systems, impacting availability and client trust. Given that Redis by default does not restrict output buffer growth for normal clients, vendors who have not proactively hardened their Redis configurations may be vulnerable.

What questions should TPRM professionals ask vendors about CVE-2025-21605?

To assess third-party exposure related to this Redis vulnerability, consider asking:

1. Have you updated all instances of Redis Server to version 7.4.3 or later to mitigate the risk of CVE-2025-21605?
2. Have you configured the client-output-buffer-limit normal <hard-limit> in redis.conf to throttle untrusted clients and prevent unlimited output buffer growth?
3. Have you enforced TLS and required client-side certificates to ensure only authenticated clients can connect to your Redis servers?
4. Have you implemented network access controls such as firewalls, iptables, or security groups to restrict unauthenticated access to your Redis servers?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should adopt the following mitigation and remediation strategies:

• Upgrade Redis: Update Redis servers to version 7.4.3 or later, where built-in safeguards against buffer exhaustion are implemented.
• Apply Manual Controls: Set a strict client-output-buffer-limit for normal clients in the redis.conf configuration file.
• Restrict Access: Use firewalls, iptables, or security groups to limit access to Redis servers only to trusted networks or authenticated clients.
• Enforce Secure Communication: Enable TLS encryption and require client-side certificates to authenticate users connecting to the Redis server.
• Monitor Resource Utilization: Continuously monitor memory usage patterns and set up alerts for unusual output buffer growth.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the Redis Server FocusTag on April 23, 2025, allowing organizations to quickly identify vendors potentially exposed to CVE-2025-21605. By using this FocusTag, TPRM teams can pinpoint companies operating vulnerable Redis versions or improperly configured instances that may be susceptible to DoS attacks.

The FocusTag enriches risk assessments by providing asset-level intelligence such as IP addresses and relevant service information. With this insight, TPRM professionals can prioritize outreach and remediation requests, ensuring that critical third-party partners address the vulnerability before it leads to business disruption.

In environments where Redis plays a pivotal backend role, using Black Kite’s FocusTags™ ensures that availability risks are proactively managed, rather than discovered during an unexpected service failure.

Enabling Proactive TPRM With Black Kite’s FocusTags™

The vulnerabilities explored in this week’s Focus Friday—ranging from backdoor persistence via patched Fortinet SSL-VPN flaws, to denial-of-service conditions in SonicWall appliances and Redis servers—highlight the diverse and evolving nature of third-party cybersecurity risk. In environments where availability, remote access security, and in-memory data handling are mission-critical, even a single overlooked CVE can introduce severe operational and reputational damage.

Black Kite’s FocusTags™ empower TPRM teams to tackle this complexity head-on with:

• Asset-Specific Vulnerability Detection: Identify which vendors are operating affected systems based on real asset intelligence, including IP addresses and exposed services.
• Risk Triage at Scale: Quickly narrow down vendor lists by severity, exposure type, and system criticality—enabling faster decisions and response planning.
• Vendor-Specific Inquiry Support: Use detailed FocusTag insights to pose informed, vulnerability-specific questions during vendor outreach.
• Improved Incident Preparedness: Continuously monitor your third-party landscape as new vulnerabilities emerge, ensuring that no critical issue is missed.

With threats targeting everything from network edge devices to internal caching systems, Black Kite’s FocusTags™ offer a powerful lens to see where exposure lies, how to address it, and how to prioritize what matters most—before incidents escalate.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Fortinet Symlink Backdoor :  CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
• SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
• Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
• Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
• Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
• Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
• FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
• MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
• Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
• Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
• Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
• Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
• SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
• MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
• DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139, Code Injection Vulnerability, Arbitrary Code Execution Vulnerability Observable Discrepancy, Sensitive Information Disclosure Plaintext Storage of a Password, Sensitive Information Disclosure NULL Pointer Dereference, DoS Vulnerability Code Injection Vulnerability, Arbitrary Code Execution Vulnerability Unrestricted Upload of File with Dangerous Type, Arbitrary Code Execution Vulnerability Stack-based Buffer Overflow Vulnerability Buffer Overflow Vulnerability Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

https://nvd.nist.gov/vuln/detail/CVE-2023-27997

https://nvd.nist.gov/vuln/detail/cve-2022-42475

https://cybersecuritynews.com/hackers-actively-exploits-patched-fortinet-fortigate-devices

https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/?utm_source=chatgpt.com

https://www.fortiguard.com/psirt/FG-IR-22-398

https://nvd.nist.gov/vuln/detail/CVE-2025-32818

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0009

https://securityonline.info/high-severity-sonicwall-sslvpn-vulnerability-allows-firewall-crashing

https://nvd.nist.gov/vuln/detail/CVE-2025-21605

https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff

The post Focus Friday: TPRM Insights Into Fortinet Backdoors, SonicWall SSLVPN, and Redis DoS Vulnerabilities appeared first on Black Kite.

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Drowning in vulnerability alerts? You’re not alone. Cybersecurity professionals dealing with Third-Party Risk Management (TPRM) are facing an overwhelming flood of Common Vulnerabilities and Exposures (CVEs), making it nearly impossible to address every single threat. Traditional methods of vulnerability management, often relying solely on severity scores, simply aren’t cutting it in today’s complex supply chain environment. How do you decide which vulnerabilities to tackle first when you have thousands clamoring for attention?

Fortunately, there’s a better way.

In this video, I walk through the findings of our 2025 Supply Chain Vulnerability Report, featuring original research by the Black Kite Research & Intelligence Team (BRITE), breaking down the key challenges of vulnerability prioritization and introducing a powerful three-dimensional approach that helps TPRM professionals effectively prioritize vulnerabilities in their supply chain. This method allows you to focus on what truly matters and dramatically reduce risk.

View this video on YouTube.

Three Dimensions for Prioritizing CVEs in TPRM:

1. Severity

This is the traditional approach, using metrics like CVSS to assess the potential impact of a vulnerability. While important, the report emphasizes that severity alone is insufficient.

2. Exploitability

This dimension considers the likelihood of a vulnerability being actively exploited by threat actors. Factors like the availability of exploit code and threat actor trends come into play.

3. Exposure

This crucial element addresses how many of your vendors or third parties are susceptible to a specific vulnerability. A high-severity, easily exploitable vulnerability affecting a large number of your vendors poses a significantly greater risk.

Result: Hear the Signal in the Noise

By combining these three dimensions, security teams can move beyond simply reacting to the loudest alerts and develop a truly strategic approach to vulnerability management. The video provides clear explanations and visual aids to help you grasp these concepts and begin implementing them in your own organization.

Dive deeper and gain a comprehensive understanding of supply chain vulnerability management. Read the full 2025 Supply Chain Vulnerability Report for detailed analysis, actionable recommendations, and best practices.

And be sure to watch Part 2 of my video walkthrough of the report to discover how Black Kite solves the problem of managing vulnerability risks in the supply chain with FocusTags™ vulnerability intelligence.

The post How to Prioritize Vulnerabilities in Your Supply Chain: A Proven Approach to Cut Through the Noise appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we examine three high‑profile vulnerabilities through a Third‑Party Risk Management (TPRM) lens. Today, we’ll dive into the critical remote code execution flaw in Ivanti Connect Secure As cyber threats continue to evolve in scope and complexity, Third-Party Risk Management (TPRM) teams are increasingly challenged to respond to emerging vulnerabilities with speed and precision. In this week’s Focus Friday, we examine two critical security issues—one affecting Adobe ColdFusion and the other targeting the Beego framework for Go. Both vulnerabilities expose organizations to serious risks, including remote code execution (RCE), access control bypass, and session hijacking.

We break down each incident from a TPRM perspective, highlighting the specific technical risks, vendor remediation recommendations, and key questions TPRM professionals should ask. Additionally, we demonstrate how Black Kite’s FocusTags™ help organizations identify affected vendors quickly and take meaningful action without wasting time on broad-based questionnaires or assumptions.

Critical Adobe ColdFusion Vulnerabilities

What are the Critical Vulnerabilities Recently Discovered in Adobe ColdFusion?

A large set of critical vulnerabilities was recently identified in Adobe ColdFusion, affecting versions 2021, 2023, and 2025. These flaws, including CVE-2025-24446, CVE-2025-24447, CVE-2025-30281 through CVE-2025-30290, span multiple attack categories such as arbitrary file system read, remote code execution (RCE), OS command injection, access control bypass, and improper authentication. The CVSS scores for these vulnerabilities range from 7.5 to 9.8, and their EPSS scores indicate active risk, with some as high as 1.44%.

These vulnerabilities stem from insecure deserialization, improper input validation, access control weaknesses, and failure to sanitize user-supplied input.

While no exploitation has been observed in the wild yet, and these CVEs are not currently listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, the public disclosure on April 8, 2025, along with multiple critical CVSS scores and high EPSS predictions, raises serious concerns.

Why Should TPRM Professionals Care About These Vulnerabilities?

TPRM professionals must be particularly cautious when it comes to ColdFusion deployments, as these vulnerabilities directly impact critical business applications hosted on ColdFusion platforms. Exploitation could lead to unauthorized file access, arbitrary code execution, or full system compromise—potentially exposing sensitive client data or internal business logic.

Adobe ColdFusion is frequently used in enterprise and government environments. The presence of deserialization vulnerabilities and OS-level command injection significantly increases the risk of lateral movement, persistent access, and data exfiltration within third-party ecosystems. Additionally, since these issues affect all ColdFusion versions prior to the latest updates, unpatched systems are common in unmanaged or aging vendor environments.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To assess vendor exposure, TPRM professionals should consider asking:

1. Have you updated all instances of Adobe ColdFusion to the latest versions (ColdFusion 2021 Update 19, ColdFusion 2023 Update 13, ColdFusion 2025 Update 1) to mitigate the risk of the mentioned CVEs?
2. Can you confirm if you have implemented the recommended actions such as auditing access controls and logs, reviewing file upload and deserialization controls, and limiting application exposure to mitigate the risk of these vulnerabilities?
3. Have you applied the security configuration settings included in the ColdFusion Security documentation and reviewed the respective Lockdown guides as recommended by Adobe?
4. Have you updated your ColdFusion JDK/JRE LTS version to the latest update release and set the recommended JVM flags on a JEE installation of ColdFusion as a secure practice?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using ColdFusion should take the following technical steps to address these vulnerabilities:

• Patch Immediately: Upgrade ColdFusion to the latest versions—2025 Update 1, 2023 Update 13, or 2021 Update 19.
• Secure Deserialization and Upload Paths: Review all serialization-related functions and restrict unsafe classes using Adobe’s serial filter documentation.
• Apply JVM Flags for JEE Installations: Set -Djdk.serialFilter values as recommended by Adobe to block dangerous object types during deserialization.
• Isolate ColdFusion Services: Place ColdFusion services behind firewalls or WAFs and restrict access to only required IP ranges.
• Audit Access Logs: Review logs for unauthorized access attempts or security feature misuse, especially around the setAdminPassword, upload handlers, or URL routing logic.
• Follow Adobe’s Lockdown Guide: Apply recommended security configurations from Adobe’s official lockdown and JVM guidance for your ColdFusion version.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the Adobe ColdFusion FocusTag™ on April 11, 2025, to help organizations identify at-risk vendors rapidly. Using internet-wide scanning, subdomain fingerprinting, and exposed asset detection, Black Kite identifies vendors that host ColdFusion installations vulnerable to the disclosed CVEs.

TPRM teams can use this FocusTag™ to immediately narrow down the list of potentially impacted vendors, enabling fast risk prioritization, informed questioning, and effective outreach. By providing visibility into external-facing infrastructure and the likelihood of exposure, Black Kite simplifies complex supply chain risk monitoring in real time.

CVE-2025-30223: Beego RenderForm() XSS Vulnerability

What is the Critical XSS Vulnerability in the Beego Framework?

CVE-2025-30223 is a critical Cross-Site Scripting (XSS) vulnerability discovered in the Beego web framework for Go, affecting all versions up to and including v2.3.5. The issue resides in the RenderForm() function, which dynamically generates HTML form fields. This function improperly handles user-supplied input and outputs it as raw HTML using template.HTML, bypassing Go’s built-in HTML escaping mechanisms.

The underlying problem originates from a helper function, renderFormField(), which uses fmt.Sprintf() to construct form input fields with values such as label, name, and value directly injected into the HTML structure. Since no HTML escaping is applied to these values, attackers can inject JavaScript payloads into form fields. This makes it possible to exploit the vulnerability through:

• Attribute Injection, such as injecting code into the DisplayName field (onmouseover=”alert(‘XSS’)”),
• Content Injection, such as inserting <script> tags into a textarea field.

With a CVSS score of 9.3, the vulnerability poses significant risk, especially in applications where user-generated content is displayed to others. Although this CVE is not listed in CISA’s KEV catalog as of now, a public proof-of-concept (PoC) was made available in early April 2025, demonstrating how JavaScript payloads can be rendered and executed in real-world browser sessions.

Why Should TPRM Professionals Care About This Vulnerability?

Beego is a widely adopted Go framework, popular among SaaS and platform providers due to its performance and simplicity. Applications that use RenderForm() with user-controlled inputs are highly susceptible to exploitation. This vulnerability is especially problematic for TPRM because:

• It allows client-side code execution in users’ browsers.
• It enables session hijacking, credential theft, and fake form injection.
• It can compromise administrative interfaces, resulting in account takeover of privileged users.

Vendors using Beego without proper patching or escaping mechanisms expose their customers to client-side threats that are difficult to detect from the backend. Moreover, XSS vulnerabilities often serve as an entry point for further attacks, including credential stuffing, business logic abuse, or malware injection.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To assess the exposure of vendors using the Beego framework, consider asking the following:

1. Have you upgraded all instances of Beego Framework to version v2.3.6 or later to mitigate the risk of CVE-2025-30223?
2. Can you confirm if you have reviewed all components using the RenderForm() function in your Beego application and ensured that no untrusted data is passed directly without escaping?
3. Have you implemented a strong Content Security Policy (CSP) to restrict which scripts can be executed in the browser, as a measure to prevent the execution of malicious JavaScript injected via XSS?
4. Have you audited stored data that might have been injected with XSS payloads before patching, especially in user-generated fields like DisplayName or Bio, to ensure no malicious scripts are present?

Remediation Recommendations for Vendors Subject to This Risk

Organizations using vulnerable Beego versions should take immediate actions:

• Upgrade Beego to v2.3.6 or later, which properly escapes all HTML input using template.HTMLEscapeString() inside RenderForm() and its helper methods.
• Sanitize All Inputs: Audit application code to ensure no unescaped user data is being passed to the UI layer.
• Implement CSP: Use Content Security Policy headers to prevent the execution of inline or unauthorized scripts.
• Review Cookies: Set HttpOnly and Secure flags on cookies to prevent session theft through JavaScript.
• Scan and Monitor: Use automated security scanners to detect residual or future XSS vulnerabilities and monitor for unusual activity within administrative dashboards.
• Audit Stored Data: Check stored fields like DisplayName and Bio for embedded scripts that may persist across sessions.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag™ for the Beego XSS vulnerability (CVE-2025-30223) on April 11, 2025. This tag identifies vendors whose exposed applications may be using vulnerable versions of the Beego framework. By analyzing HTML source code, script libraries, and domain-level fingerprints, Black Kite provides asset-specific intelligence such as affected subdomains or externally facing interfaces.

With the tag’s VERY HIGH confidence level, TPRM professionals can quickly pinpoint which vendors require immediate outreach. The FocusTag™ streamlines due diligence by narrowing down the scope of concern, enabling organizations to conduct targeted assessments instead of issuing blanket questionnaires.

Enhancing TPRM With Black Kite FocusTags™

The rise of exploitable software supply chain vulnerabilities—such as those in Adobe ColdFusion and Beego—demands a smarter, more targeted approach to Third-Party Risk Management. Black Kite’s FocusTags™ deliver that precision by equipping organizations with real-time, asset-level intelligence tied to the latest threats. Here’s how these tags empower TPRM teams:

• Threat-Centric Vendor Identification: Know exactly which vendors in your ecosystem are affected by vulnerabilities like CVE-2025-30223 or CVE-2025-24447—no guesswork, no overreach.
• Risk-Based Prioritization: Align vendor outreach efforts with the severity of each threat and the business criticality of the impacted third parties.
• Actionable Engagement: Conduct targeted conversations with vendors, backed by knowledge of exposed assets, vulnerable software versions, and available patches.
• Continuous Security Visibility: Access a constantly updated view of your third-party landscape, driven by internet-wide scanning, external intelligence, and contextual enrichment.

FocusTags™ are more than alerts—they are operational tools built to support agile, scalable risk management strategies. Whether responding to deserialization flaws in ColdFusion or XSS vectors in Beego, Black Kite’s platform ensures TPRM professionals are equipped with the right insights, right when they need them.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
• Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
• Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
• FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
• MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
• Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
• Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
• Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
• Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
• SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
• MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
• DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139, Code Injection Vulnerability, Arbitrary Code Execution Vulnerability Observable Discrepancy, Sensitive Information Disclosure Plaintext Storage of a Password, Sensitive Information Disclosure NULL Pointer Dereference, DoS Vulnerability Code Injection Vulnerability, Arbitrary Code Execution Vulnerability Unrestricted Upload of File with Dangerous Type, Arbitrary Code Execution Vulnerability Stack-based Buffer Overflow Vulnerability Buffer Overflow Vulnerability Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
• VMware ESXi – Mar2025 : CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
• Apache Tomcat – Mar2025 : CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.

References

https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html

https://thehackernews.com/2025/04/adobe-patches-11-critical-coldfusion.html

https://nvd.nist.gov/vuln/detail/CVE-2025-24446

https://nvd.nist.gov/vuln/detail/CVE-2025-24447

https://nvd.nist.gov/vuln/detail/CVE-2025-30281

https://nvd.nist.gov/vuln/detail/CVE-2025-30282

https://nvd.nist.gov/vuln/detail/CVE-2025-30284

https://nvd.nist.gov/vuln/detail/CVE-2025-30285

https://nvd.nist.gov/vuln/detail/CVE-2025-30286

https://nvd.nist.gov/vuln/detail/CVE-2025-30287

https://nvd.nist.gov/vuln/detail/CVE-2025-30288

https://nvd.nist.gov/vuln/detail/CVE-2025-30289

https://nvd.nist.gov/vuln/detail/CVE-2025-30290

https://securityonline.info/cve-2025-30223-cvss-9-3-critical-xss-vulnerability-discovered-in-beego-framework

https://nvd.nist.gov/vuln/detail/CVE-2025-30223

https://github.com/beego/beego/security/advisories/GHSA-2j42-h78h-q4fg

https://gist.github.com/thevilledev/8fd0cab3f098320aa9daab04be59fd2b

The post FOCUS FRIDAY: THIRD-PARTY RISKS FROM ADOBE COLDFUSION AND BEEGO XSS VULNERABILITIES appeared first on Black Kite.