Welcome to the January 2025 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.
The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents in January 2025, marking a sharp increase compared to January 2024, which saw approximately 300 cases. This significant rise indicates that ransomware activity is escalating at an alarming pace. Among these incidents, 274 were recorded in the United States, 32 in Canada, 23 in the United Kingdom, and 18 in France.
Manufacturing was the most targeted sector, followed by technical services. Closing out December with 535 cases, ransomware groups have historically shown a tendency to slow down at the beginning of the year. However, this year is proving to be an exception.
Top Threat Actors in January 2025
The Clop ransomware group took the lead in January 2025 by a significant margin with 115 publicly disclosed victims. As usual, RansomHub remained among the top-ranking groups with 42 victims. One of the most notable groups this month was Lynx, which saw a major surge with 42 victims in January. They were followed by the Akira group, which recorded 38 victims.
Clop Is No Joke, But It’s Not What It Used to Be
Nearly all of the 115 Clop attacks were linked to the CLEO vulnerability, continuing the momentum from Clop’s December disclosures. Initially, only 50 victims were expected, but as the group continues to release names in alphabetical order, the final number could reach 500.
Among these 115 victims, the United States was the most affected, with 79 cases, followed by Canada with 12 and the Netherlands with 4.
In terms of industry impact among these attacks, the manufacturing sector suffered the highest number of attacks, with 34 victims. It was followed by the transportation sector with 18 victims, the information technology sector with 17, and the technical services sector with 14.
Two years ago, during the MoveIT disclosures, Clop was at the center of global media attention. Now, despite its high ransomware activity, the group seems to be struggling to capture the same level of interest. They kept postponing victim disclosures, which was unusual for them, and then starting sharing victims in a different way to seek attention. Whether this signals Clop’s waning influence or a shift in public perception remains to be seen, but one thing is certain: the group appears increasingly frustrated by the lack of attention.
Screenshot from the site where Clop now publishes stolen data.
FunkSec: From Ransomware to Full-Fledged Cybercrime Group
FunkSec continued its aggressive expansion in January, making headlines with its unconventional tactics:
Launched FunkBID, a data leak auction platform.
Announced a partnership with Fsociety for joint ransomware operations.
Gave media interviews, shedding light on their internal workings.
Released FunkSec V1.2, their own Ransomware-as-a-Service (RaaS) for $100.
Threatened a cybersecurity researcher who had written about them.
Established their own forum to further expand their operations.
Screenshot of the site where Funksec announced Funksec V1.2
Key takeaways from their recent interview:
They claim to be entirely self-taught with no external affiliations.
AI plays a role in their operations, but they state it accounts for only 20%.
They have developed their own GPT model for internal use.
Their primary goal is financial gain, but they explicitly state hostility toward Israel and the U.S.
The group consists of four members.
While hacking remains their focus, they employ specialized ransomware developers.
They use tools like Shodan Premium and Burp Pro, alongside advanced custom brute force tools.
Rust is their programming language of choice.
FunkSec’s erratic yet calculated moves make them one of the most unpredictable actors in the ransomware ecosystem. Their expansion beyond traditional ransomware operations suggests a broader ambition that could redefine the threat landscape.
Is Babuk Back? Or Just an Imposter?
A new leak site emerged in January claiming to be affiliated with Babuk, publishing 60 alleged victims. While this sparked speculation that the notorious ransomware group had returned, our analysis revealed that most of the disclosed victims had already been published by FunkSec, RansomHub, and LockBit.
Shortly after the site gained traction, access was restricted, leaving its authenticity in question. Whether this marks the actual return of Babuk or merely an opportunistic attempt to capitalize on the name remains unclear.
Screenshot of the new Babuk Ransomware Leaks Site.
New Groups Keep Emerging, but Originality Is Fading
Ransomware groups continue to surface at an increasing rate, and the rise of Ransomware-as-a-Service (RaaS) is undoubtedly fueling this trend. However, despite this growth, these groups seem to do little more than mimic each other. Many simply replicate existing leak sites, making it increasingly difficult to track them as they blur into one another.
In previous years, such copycat behavior was less common, but now it’s becoming the norm. This shift strongly suggests that experienced cybercriminals are being replaced by younger, less-skilled actors. As a result, while the number of ransomware groups grows, innovation within the ecosystem seems to be stagnating.
A new group appears to imitate the RansomHub group.
Attacks Are Increasing, but Ransom Payments Are Decreasing
While ransomware attacks surged in 2024, total ransom payments dropped by 35%, amounting to $813.55 million. Companies are increasingly adopting robust cybersecurity measures, improving backup strategies, and benefiting from law enforcement crackdowns on cybercriminals.
Notably, the international operation “Operation Cronos” disrupted LockBit’s infrastructure, demonstrating the growing impact of coordinated cybercrime enforcement. However, despite these advancements, ransomware groups are evolving their tactics, becoming more aggressive in their extortion methods.
In response, the UK government is considering stricter regulations, including:
Banning public institutions and critical infrastructure providers from making ransom payments.
Mandating all victims to report ransomware incidents to authorities.
Authorities believe these measures will curb ransomware groups’ financial streams and act as a deterrent. If enacted, these regulations could reshape how organizations respond to ransomware threats.
Key Takeaways
January 2025 set a record-breaking pace for ransomware incidents.
Clop led the charge but may be struggling to maintain its past level of influence.
FunkSec is rapidly expanding its operations beyond ransomware, building a cybercrime ecosystem.
The alleged return of Babuk remains uncertain, raising questions about its legitimacy.
While ransom payments are declining, attack volume is increasing, prompting tighter regulations.
For cybersecurity teams, 2025 is already shaping up to be one of the most challenging years yet. Black Kite’s Ransomware Susceptibility Index® (RSITM) offers a proactive approach by assessing the likelihood of a ransomware attack throughout the third-party ecosystem. By leveraging RSI, risk managers can identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard their organizations against the escalating threat.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.
Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.
Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.
Filtered view of companies with PAN-OS – Feb2025 FocusTag™ on the Black Kite platform.
CVE-2025-0108, CVE-2025-0110: Authentication Bypass & Command Injection in PAN-OS
What are the PAN-OS Authentication Bypass and Command Injection Vulnerabilities?
Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:
CVE-2025-0108 (Authentication Bypass – CVSS: 8.8): This vulnerability affects the management web interface of PAN-OS. An unauthenticated attacker with network access can bypass authentication and invoke specific PHP scripts. While it does not allow remote code execution, it compromises system integrity and confidentiality.
CVE-2025-0110 (Command Injection – CVSS: 8.6): Found in the OpenConfig plugin, this vulnerability enables an authenticated administrator with gNMI request privileges to inject and execute arbitrary commands. The commands run as the _openconfig user, which has Device Administrator privileges, potentially leading to full system compromise.
Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.
Why Should TPRM Professionals Be Concerned About These Vulnerabilities?
Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.
Authentication Bypass (CVE-2025-0108): Attackers could exploit this flaw to gain unauthorized access to PAN-OS management functions, leading to potential misconfigurations, unauthorized changes, or exposure of sensitive network settings.
Command Injection (CVE-2025-0110): If the OpenConfig plugin is enabled, an attacker with administrator access could execute arbitrary system commands, escalating privileges or deploying persistent malware on PAN-OS devices.
For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.
What Questions Should TPRM Professionals Ask Vendors?
To assess vendor exposure, TPRM professionals should ask:
Have you identified any PAN-OS devices in your environment that are running vulnerable versions (before PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, 10.1.14-h9)?
Do you use the OpenConfig plugin in PAN-OS? If so, have you verified that it is updated to version 2.1.2 or later?
What access controls are in place to restrict exposure of the PAN-OS management web interface to untrusted networks?
Have you applied Palo Alto Networks’ recommended mitigations, such as disabling unused plugins and restricting management access?
Remediation Recommendations for Vendors Subject to this Risk
To mitigate the risk associated with these vulnerabilities, vendors should:
✔ Upgrade PAN-OS to patched versions:
PAN-OS 11.2 → Upgrade to 11.2.4-h4 or later
PAN-OS 11.1 → Upgrade to 11.1.6-h1 or later
PAN-OS 10.2 → Upgrade to 10.2.13-h3 or later
PAN-OS 10.1 → Upgrade to 10.1.14-h9 or later
If running PAN-OS 11.0 (EoL), upgrade to a supported version.
✔ Update OpenConfig plugin to version 2.1.2 or later (if enabled). ✔ Restrict management interface access to trusted internal IPs only. ✔ Disable the OpenConfig plugin if not in use to reduce the attack surface. ✔ Monitor system logs for unusual access or command execution activity. ✔ Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).
How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities
Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.
The FocusTag™ identifies vendors potentially affected by CVE-2025-0108 and CVE-2025-0110.
Black Kite provides asset intelligence, including IP addresses and subdomains hosting vulnerable PAN-OS instances.
The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.
Black Kite’s PAN-OS – Feb2025 FocusTagTM details critical insights on the event for TPRM professionals.
CVE-2025-22467, CVE-2024-38657, CVE-2024-10644: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure
What Are the Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure?
Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:
CVE-2025-22467 (CVSS: 9.9): A stack-based buffer overflow vulnerability in ICS versions prior to 22.7R2.6. This flaw allows a remote authenticated attacker with low privileges to execute arbitrary code, potentially leading to full system compromise.
CVE-2024-38657 (CVSS: 9.1): An external control of file name or path vulnerability affecting ICS (before 22.7R2.4) and IPS (before 22.7R1.3). A remote authenticated attacker with administrative privileges can write arbitrary files on the system, which may lead to unauthorized file manipulation or system compromise.
CVE-2024-10644 (CVSS: 9.1): A code injection vulnerability in ICS (before 22.7R2.4) and IPS (before 22.7R1.3). This allows a remote authenticated attacker with administrative privileges to execute arbitrary commands on the system, potentially resulting in complete system control.
These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.
Why Should TPRM Professionals Be Concerned About These Vulnerabilities?
Third-Party Risk Management (TPRM) professionals should be concerned due to the following reasons:
Remote Code Execution Risks: Exploitation of these vulnerabilities could allow attackers to execute arbitrary code or commands, leading to unauthorized access, data breaches, and potential lateral movement within the network.
Privilege Escalation: Attackers with low-level access could exploit these flaws to escalate privileges, gaining administrative control over critical systems.
Supply Chain Impact: Vendors utilizing vulnerable versions of ICS and IPS may inadvertently expose connected organizations to security risks, emphasizing the importance of assessing third-party security postures.
What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?
To assess vendor exposure, TPRM professionals should inquire:
Which versions of Ivanti Connect Secure and Ivanti Policy Secure are currently deployed within your environment?
Have the identified vulnerabilities (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644) been remediated by updating to the latest recommended versions?
What measures are in place to monitor and detect potential exploitation attempts related to these vulnerabilities?
Is multi-factor authentication (MFA) enabled for all administrative access to these systems?
Remediation Recommendations for Vendors Subject to This Risk
To mitigate the risks associated with these vulnerabilities, vendors should:
✔ Update to Patched Versions:
For Ivanti Connect Secure, upgrade to version 22.7R2.6 or later.
For Ivanti Policy Secure, upgrade to version 22.7R1.3 or later.
✔ Restrict Administrative Privileges:
Limit administrative access to essential personnel.
Enforce principle of least privilege to reduce risk.
✔ Implement Multi-Factor Authentication (MFA):
Ensure MFA is enabled for all administrative and remote access.
✔ Monitor System Logs:
Regularly review logs for unusual activities or signs of attempted exploitation.
✔ Apply Security Best Practices:
Follow Ivanti’s security guidelines to mitigate risks associated with authenticated users.
How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities
Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.
The FocusTag™ provides detailed information on vendors potentially affected by these vulnerabilities.
Black Kite’s asset intelligence helps identify IP addresses and subdomains hosting vulnerable instances.
This enables TPRM teams to proactively assess and address risks associated with these vulnerabilities.
Black Kite’s Ivanti Connect Secure – Feb2025 FocusTagTM details critical insights on the event for TPRM professionals.
Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.
What is CVE-2025-25064?
CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
Why Should TPRM Professionals Be Concerned About CVE-2025-25064?
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.
What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-25064?
To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:
Have you updated all instances of Zimbra Collaboration to versions 10.0.12 or 10.1.4, where CVE-2025-25064 has been patched?
Can you confirm if you have implemented access restrictions to the ZimbraSync Service SOAP endpoint to trusted networks and users as recommended?
Have you deployed Web Application Firewalls (WAFs) to detect and block SQL injection attempts targeting Zimbra Collaboration?
Do you regularly monitor server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service?
Remediation Recommendations for Vendors
Vendors using affected Zimbra Collaboration products should:
Update Software: Upgrade to Zimbra Collaboration versions 10.0.12 or 10.1.4, where this vulnerability has been addressed.
Restrict Access: Limit access to the ZimbraSync Service SOAP endpoint to trusted networks and users to minimize potential exploitation vectors.
Implement Web Application Firewalls (WAF): Deploy WAFs to detect and block SQL injection attempts and other malicious activities targeting web applications.
Monitor Logs: Regularly review server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service.
How Can TPRM Professionals Leverage Black Kite for This Vulnerability?
Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.
Black Kite’s Zimbra – Feb2025 FocusTagTM details critical insights on the event for TPRM professionals.
CVE-2025-22604: Critical Remote Code Execution Vulnerability in Cacti
Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.
What is the Cacti Remote Code Execution Vulnerability?
CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of proof of exploitation at the moment.
Why Should TPRM Professionals Be Concerned About This Vulnerability?
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.
What Questions Should TPRM Professionals Ask Vendors About CVE-2025-22604?
To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:
Have you identified any instances of Cacti within your infrastructure that are affected by CVE-2025-22604?
If so, have you updated all affected Cacti installations to version 1.2.29 or later to mitigate this vulnerability?
What measures have you implemented to restrict SNMP access to trusted users and networks?
Do you regularly monitor system logs and SNMP activity for unusual or unauthorized actions?
Remediation Recommendations for Vendors Subject to This Risk
Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:
Upgrade Cacti: Update all Cacti installations to version 1.2.29 or later, as this version addresses the vulnerability.
Restrict SNMP Access: Limit SNMP access to trusted users and networks to reduce potential attack vectors.
Monitor Systems: Regularly review system logs and SNMP activity for any unusual or unauthorized actions.
Review Permissions: Ensure that only necessary personnel have device management permissions within Cacti.
How TPRM Professionals Can Leverage Black Kite for This Vulnerability
Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.
Black Kite’s Cacti – Feb2025 FocusTagTM details critical insights on the event for TPRM professionals.
Maximizing TPRM Effectiveness with Black Kite’s FocusTags™
With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:
✅ Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action. ✅ Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively. ✅ Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities. ✅ Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.
By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTagsTM in the Last 30 Days:
PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
Plus: Apple’s visionOS 2.4 makes it easier for guests to use the Vision Pro, Eero has two new Wi-Fi 7 routers, Oppo’s folding phone is the slimmest yet, and Omega drops a bronze Bond watch.
Every breach tells a story. In 2024, that story was about third-party vulnerabilities becoming the preferred entry point for attackers. From ransomware attacks that threatened supply chains to credential misuse that compromised entire industries, third-party breaches surged in both scale and sophistication.
Black Kite’s 2025 Third-Party Breach Report takes a deep dive into these incidents, analyzing the most significant third-party breaches of 2024 to identify the key trends shaping the future of cybersecurity. This year’s findings highlight critical shifts in the third-party risk landscape: ransomware affiliates are becoming more aggressive, unauthorized network access remains the most exploited attack vector, and regulatory frameworks are driving improvements — but not evenly across industries.
5 Takeaways from the 2025 Third-Party Breach Report
For cybersecurity leaders looking to adapt their strategies for the year ahead, here are a few notable findings from this year’s report — and what they mean for your approach to third-party risk management.
Read Black Kite’s 2025 Third-Party Breach Report, no download required.
1. A shift to continuous risk monitoring
In 2024, the Cleo File Transfer ransomware attack was a wake-up call that exposed the shortcomings of traditional third-party risk management. Attackers exploited unpatched vulnerabilities in widely used file transfer software, impacting dozens of organizations across industries. Traditional security assessments failed to catch these risks, but proactive monitoring tools could have flagged these vulnerabilities before attackers did.
For example, for too long, third-party risk management (TPRM) has relied on security questionnaires. Organizations track response rates, completion metrics, and compliance checklists — but breaches keep happening. The problem? These assessments measure vendor effort, not actual security posture, and for one point in time at that..
Meanwhile, ransomware groups aren’t wasting time with paperwork. They’re studying supply chains, buying marketing intelligence, and doing everything they can to learn more about their victims and their supply chains. Questionnaires are no defense against this kind of sophisticated, intentional approach.
Organizations need to move beyond static assessments and embrace real-time risk intelligence to detect vulnerabilities before they’re exploited. Instead of relying solely on vendors’ self-reported security measures, organizations should implement continuous monitoring tools that provide real-time visibility into third-party risks. During the Cleo File Transfer ransomware campaign, for example, Black Kite’s FocusTags™ helped organizations identify at-risk vendors and implement rapid mitigation strategies to prevent further breaches.
2. Affiliates are changing the rules of ransomware
Ransomware operations underwent a major shift in 2024, driven by changes in the underground cybercrime economy. The February attack on Change Healthcare didn’t just impact pharmacies, doctors, and hospitals — it reshaped the entire ransomware market. A payment dispute between an affiliate and a major ransomware group led to a structural change, where affiliates gained greater control and financial incentives.
This affiliate-led model has fueled a spike in ransomware activity. Now, instead of centralized ransomware groups leading the charge, affiliates are operating with more autonomy, deploying multiple types of ransomware and significantly increasing the frequency of attacks.
Healthcare bore the brunt of these attacks in 2024, accounting for over 40% of all third-party breaches. And unlike ransomware groups that historically followed an informal “twisted code of conduct” — where healthcare organizations were considered off-limits — modern affiliates have no such boundaries. They prioritize financial gain over all else, choosing targets based on likelihood to pay. The Cencora ransomware attack, for instance, allegedly resulted in a $75 million ransom payment, exposing sensitive patient data and revealing the cascading impact of third-party breaches.
This shift in ransomware tactics means organizations can no longer rely on past attack patterns to predict future threats. With financially motivated affiliates now driving attacks, businesses must invest in tools designed to proactively monitor and manage third-party risks to ensure a rapid response to disruptive events.
3. Regulations are driving cybersecurity improvements
Regulatory frameworks like DORA, HIPAA, and GDPR have been catalysts for critical risk management improvements, particularly in industries with strict compliance mandates. According to our findings, among vendors that experienced a breach and subsequently improved their cyber rating by at least 3 points, 72% serve the healthcare industry — an indication that regulatory enforcement is driving significant improvements in incident response and vendor risk management practices.
However, not all industries are keeping pace. Only 14% of vendors with improved scores following a breach support the financial services sector. Similarly, only 14% of vendors in the manufacturing sector showed progress in enhancing their cyber ratings.
The progress observed in sectors like healthcare, where regulations drove notable improvements, serves as a model for other industries to follow. But regulations aren’t enough on their own either. While regulatory frameworks establish baseline security standards, they must be backed by proactive risk management strategies. Organizations that implement continuous third-party risk monitoring, leverage real-time threat intelligence tools, and enforce vendor accountability through contractual security requirements are significantly better positioned to identify and mitigate emerging threats.
4. Defining unauthorized network access
Unauthorized network access accounted for over 50% of publicly disclosed third-party breaches in 2024. But what does that really mean? Too often, “unauthorized access” is used as a vague, catch-all explanation when organizations lack clarity on the root cause of an attack or choose not to disclose specific details. This makes it difficult to determine whether breaches were caused by stolen credentials, misconfigurations, or unpatched vulnerabilities.
The lack of transparency in incident reporting presents a serious challenge for CISOs. Without a clear picture of how attackers infiltrated a system, security teams struggle to remediate vulnerabilities and prevent future breaches. Instead of driving meaningful improvements, these incidents often fuel blame games and reactive security postures.
Given the sheer volume of breaches attributed to unauthorized access, security leaders must push for deeper analysis and clearer reporting. Creating a culture of transparency in incident reporting can help security teams better understand the root causes of unauthorized network access breaches, enabling more effective prevention strategies.
5. Building a resilient third-party risk management strategy
While we can’t predict exactly what’s next, there’s a lot we can learn from last year’s third-party breaches. By analyzing the trends, cybersecurity leaders can fine-tune their strategies to stay ahead of emerging threats. What’s clear from this year’s 2025 Third-Party Breach Report is that a proactive, collaborative approach to third-party risk management is now essential.
As we move into 2025, relying on reactive measures is no longer enough. Organizations must embrace real-time risk assessments, improve vendor communication using tools like Black Kite Bridge™, and invest in actionable remediation intelligence. Cyber threats are evolving fast, and so must the tools and strategies used to combat them. By adapting to these changes in the third-party risk landscape, companies can build a stronger, more resilient security posture and better protect themselves against the next wave of cyber threats.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
Google is among the first companies to rename maps from Gulf of Mexico to Gulf of America. Other software leaders, like Apple Maps, are starting to follow suit.
An interactive learning series designed to highlight critical interactions and various engagements across all GSFC locations, Facilities, and Institutes that lead to mission success. Themes include: strategic goals, current developments, mission success critical topics
Instructional Strategy:
•Facilitated panel discussions
•Leadership engagements
•One-on-one interactions
•Facilitated case studies
BBEME Workshops have been previously offered at GISS, Katherine Johnson IV&V, and Goddard’s Earth Science Division. The workshop targets groups of around 30 participants for a 1-2 day session.
A spate of tech-titan glow-ups has won plaudits from fashion pundits and trend-watchers, but everyone missed that they were dressing for the job they really wanted—supervillain.
Plus: Sonos’ next play is a streaming box, Amazon’s souped-up Alexa may land this month, VW’s cheapest ever EV, and Comcast adds Dolby support to its 4K Super Bowl stream.
President Donald Trump blamed DEI efforts at the FAA for the tragedy. But experts and investigators say open minds are critical to finding out what really happened.
Welcome to the December 2024 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.
The Black Kite Research & Intelligence Team (BRITE) tracked 535 ransomware incidents in December 2024. While it didn’t surpass the record-breaking 595 victims in November, December still proved to be a significant month. Of these incidents, an overwhelming 244 were in the United States and 27 in Canada, highlighting North America’s ongoing struggle as a primary target for ransomware attacks.
Top Threat Actors in December 2024
1. FunkSec Emerges as a Major Player with 87 Victims
December marked a turning point in the ransomware landscape as FunkSec dethroned RansomHub to become the leading threat actor with 87 victims. What makes FunkSec’s rise particularly remarkable is that it is a relatively new group in the ecosystem. Their operations have not been limited to ransomware; the group has been actively selling admin access and super access for various companies, offering a troubling range of services to their buyers. FunkSec primarily targeted the information sector and public administration industries this month, demonstrating a calculated focus on critical and data-heavy sectors. Their rapid ascent highlights their aggressive strategies and growing influence in the ransomware ecosystem.
FunkSec Ransom Note
2. RansomHub Maintains Stability with 57 Victims
After dominating the leaderboard since July, RansomHub dropped to the second spot with 57 victims in December. Despite losing its leadership position, RansomHub maintained its reputation as a consistent player in the ransomware space, continuing to target high-value organizations globally.
Akira Surges with 46 Victims
The Akira group surged to the third position this month with 46 victims, showcasing one of its most active and aggressive months of the year. Akira’s operations this month highlighted their ability to capitalize on vulnerabilities and expand their victim pool, signaling their intent to climb higher in the ransomware hierarchy.
They Hate Being Forgotten: Clop (Cl0p) Is Back Again
The Clop group added a chaotic twist to the month. Exploiting the CLEO vulnerability in December, they initially promised to release victim data “within 48 hours.” Then they postponed to December 30, only to announce they were “taking a holiday break” and would publish data after their return.
Clop’s statement about CLEO victims
In total, Clop announced 66 victims, but BRITE believes the actual number is higher. Their erratic behavior has left many wondering if the group is losing its grip or simply playing for attention. Regardless, Clop’s actions remind us of the unpredictable nature of threat actors and the challenges of staying ahead of them.
One thing is clear: Clop, despite its chaotic actions, refuses to be forgotten and remains a noteworthy player in the ransomware ecosystem.
LockBit 4.0 Introduces RaaS Pricing Model for Just $777
LockBit, once the industry leader, seems to be struggling to reclaim its former prominence. December saw the launch of LockBit 4.0, a move that many interpreted as an attempt to stay relevant. Along with this update, the group introduced a Ransomware-as-a-Service (RaaS) pricing model for just $777, making their tools accessible to smaller players in the ecosystem.
Payment page for access to the LockBit panel
This shift has raised eyebrows across the cybersecurity world. Is it a sign of innovation or desperation? Many believe this move reflects LockBit’s declining influence after facing increased law enforcement pressure and internal challenges.
What stands out most is that LockBit’s struggles highlight a harsh reality: nothing in the ransomware world is unbreakable. Even the strongest groups can fall, showing how unpredictable and tough this space can be.
At the same time, their collapse shows how much it affects the whole ecosystem. It’s also a reminder of how hard it is to keep a group running steadily and stay on top in such a challenging environment.
RaaS Revolutionized Cybercrime in December 2024
The rise of Ransomware-as-a-Service (RaaS) has been one of the defining trends of December.
LockBit’s pricing model set off a ripple effect, inspiring other groups like FunkSec to adopt similar strategies.
Smaller threat actors are now able to access sophisticated ransomware tools at lower costs, democratizing cybercrime and complicating defense efforts.
Example RaaS sharing
RaaS not only increases the number of attacks but also lowers the barrier for entry, making it easier for less experienced actors to enter the game. This trend, if it continues, could make 2025 an even more challenging year for cybersecurity professionals.
2024: A Record-Breaking Year for Ransomware
2024 was a record-breaking year for ransomware. As groups continue to grow, tactics evolve, and victims are added to the lists, we can expect more records to be set in the coming months.
At Black Kite, the BRITE team remains committed to tracking threat actors in real time, analyzing their movements, and staying aware of emerging threats. As we enter 2025, staying one step ahead has never been more critical.For weekly updates on emerging cyber threats, please follow our Focus Friday blog series and LinkedIn account.
Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.
Eight years after the original Pebble smartwatch fizzled, a new team is working on a modern reboot using open source software. The e-paper screen is coming back too.
The tech exists, and vehicles on the road already have it, yet a consortium of carmakers doesn’t want to make this lifesaving equipment standard. The reason is as old as the hills—money.
The healthcare sector is under attack, and the numbers paint a stark picture of the growing ransomware crisis. Our latest infographic, drawn from the 2025 Healthcare Ransomware Report, uncovers the alarming rise in ransomware incidents targeting healthcare organizations and the reasons behind this surge.
Key insights from the infographic:
Healthcare is now the 3rd most targeted industry for ransomware.
Rising from 7th place in just one year, the sector now accounts for 8% of all ransomware attacks—up from 5% in 2023. Overall, ransomware incidents in healthcare surged by 32.16% in the last year.
High-stakes operations make healthcare a lucrative ransomware target.
Ransomware groups are drawn to healthcare’s sensitive patient data and the urgency to restore disrupted services. Ransom demands in the sector can reach as high as $20 million, with both large hospitals and small practices feeling the impact.
Ransomware groups have evolved to target healthcare.
Disruptions in the ransomware ecosystem, including the takedown of groups like LockBit and AlphV (BlackCat), and the growth in affiliates’ power, have led to the emergence of aggressive new players who don’t consider healthcare off-limits. For example, RansomHub offered affiliates a 90% payout with greater control over targets.
Patient safety is at risk from ransomware attacks.
These attacks are not just financial concerns—they jeopardize patient care and trust. Delayed surgeries, blocked medical records, and spillover effects on supply chains are just a few of the devastating consequences.
An early ransomware warning system is critical.
Black Kite’s Ransomware Susceptibility Index® (RSI™) offers healthcare organizations vital insights into ransomware risks, enabling them to prioritize and address vulnerabilities before attackers strike.
This infographic provides a detailed look at how ransomware attackers are zeroing in on the healthcare sector, from the tactics they use to the far-reaching impacts of their attacks. Whether you’re part of a major hospital system or a small clinic, the stakes are too high to ignore.
In today’s interconnected digital landscape, the rapid emergence of critical vulnerabilities demands an agile and informed approach to Third-Party Risk Management (TPRM). This week’s Focus Friday blog highlights high-profile incidents involving vulnerabilities in FortiGate firewalls, QNAP NAS systems, Mongoose, and the W3 Total Cache WordPress plugin. Each of these vulnerabilities poses unique challenges, from authentication bypasses enabling unauthorized access to database manipulation and SSRF attacks.
Leveraging Black Kite’s FocusTags™, we delve into the impact of these vulnerabilities from a TPRM perspective. This article offers detailed insights into the risks, remediation strategies, and questions TPRM professionals should be asking vendors to protect their ecosystems against potential breaches.
Filtered view of companies with FortiGate Leakage FocusTag™ on the Black Kite platform.
CVE-2022-40684 is a critical authentication bypass vulnerability affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager products. This flaw allows unauthenticated attackers to perform administrative operations via specially crafted HTTP or HTTPS requests. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 97.26%, reflecting the significant likelihood of exploitation. First identified in October 2022, this vulnerability has been actively exploited in the wild, with reports of threat actors leveraging it to download device configurations and add unauthorized super_admin accounts. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-40684 to its Known Exploited Vulnerabilities catalog on October 11, 2022.
As part of Black Kite Research & Intelligence Team (BRITE), we have proactively addressed the exposure of configuration files, IP addresses, and VPN credentials belonging to over 15,000 FortiGate devices identified and analyzed on the dark web.
Why Should TPRM Professionals Be Concerned About CVE-2022-40684?
Third-Party Risk Management (TPRM) professionals should be particularly vigilant regarding CVE-2022-40684 due to its potential impact on network security. The recent leak of configuration files and VPN credentials for over 15,000 FortiGate devices underscores the risk of unauthorized access to sensitive systems. If a vendor utilizes vulnerable FortiGate products, their compromised systems could serve as entry points for attackers, leading to data breaches and disruptions that may cascade to connected organizations. Given the critical role of firewalls in protecting network perimeters, any compromise can have far-reaching consequences.
What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2022-40684?
To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:
Have you updated all instances of FortiOS, FortiProxy, and FortiSwitchManager products to the latest firmware versions where CVE-2022-40684 has been patched?
Can you confirm if you have implemented IP restrictions, enhanced network activity monitoring, and deactivated the HTTP/HTTPS administrative interface as recommended in the advisory to mitigate the risk of CVE-2022-40684?
Have you reset all VPN and administrative credentials, especially those previously configured, and reviewed your firewall rules and configurations to ensure they align with current security best practices following the FortiGate firewall configuration leak?
Have you verified if your FortiGate devices are among the compromised by reviewing the leaked data and taken necessary actions to prevent unauthorized access to sensitive systems.
Remediation Recommendations for Vendors
Vendors using affected Fortinet products should:
Update Firmware: Upgrade to the latest firmware versions that address CVE-2022-40684.
Change Credentials: Reset all VPN and administrative credentials, especially those previously configured.
Review Configurations: Assess and modify firewall rules and configurations to align with current security best practices.
Disable Administrative Interface: Deactivate the HTTP/HTTPS administrative interface to reduce the attack surface.
Implement IP Restrictions: Limit access to the administrative interface by allowing only trusted IP addresses.
Monitor Network Activity: Enhance monitoring to detect any unauthorized access or anomalies.
How Can TPRM Professionals Leverage Black Kite for This Vulnerability?
Black Kite has proactively addressed this issue by publishing the “FortiGate Leakage” FocusTag™ on January 17, 2025. This tag enables TPRM professionals to identify vendors potentially affected by the FortiGate data leak. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.
Black Kite’s FortiGate Leakage FocusTagTM details critical insights on the event for TPRM professionals.
CVE-2024-53691 and CVE-2023-39298 in QNAP QTS and QuTS Hero
What are CVE-2024-53691 and CVE-2023-39298?
CVE-2024-53691 is a link following a vulnerability in QNAP’s QTS and QuTS hero operating systems. It allows remote attackers with user access to traverse the file system to unintended locations, potentially leading to unauthorized access to sensitive files and system compromise. This vulnerability has a CVSS score of 8.7.
CVE-2023-39298 is a missing authorization vulnerability affecting several QNAP operating system versions. It permits local authenticated users to access data or perform actions they should not be allowed to via unspecified vectors. This vulnerability has a CVSS score of 7.8. As of January 23, 2025, neither vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.
Why Should TPRM Professionals Be Concerned About These Vulnerabilities?
QNAP NAS devices are widely used for storing and managing critical business data. Exploitation of these vulnerabilities could lead to unauthorized access, data breaches, and potential system compromises. For Third-Party Risk Management (TPRM) professionals, it’s crucial to assess whether vendors utilize vulnerable QNAP systems, as a compromise could indirectly affect your organization’s data integrity and security.
What Questions Should TPRM Professionals Ask Vendors Regarding These Vulnerabilities?
To evaluate the risk associated with these vulnerabilities, TPRM professionals should inquire:
Can you confirm if you have upgraded all instances of QNAP QTS and QuTS hero to versions QTS 5.2.0.2802 build 20240620 and QuTS hero h5.2.0.2802 build 20240620 or later to mitigate the risk of CVE-2024-53691 and CVE-2023-39298?
Have you implemented the recommended actions such as monitoring system logs, applying security patches promptly, implementing MFA, and restricting network access to mitigate the risk of unauthorized access due to the link following vulnerability in QNAP QTS and QuTS hero operating systems?
Can you confirm if you have taken measures to prevent unauthorized access to sensitive files and potential system compromise due to the link following vulnerability (CVE-2024-53691) in QNAP QTS and QuTS hero operating systems?
Have you taken any additional steps to protect your QNAP devices from data theft, ransomware attacks, or malware deployment that could result from exploiting the vulnerabilities CVE-2024-53691 and CVE-2023-39298?
Remediation Recommendations for Vendors
Vendors utilizing affected QNAP systems should:
Update Firmware: Upgrade to QTS 5.2.0.2802 build 20240620 or QuTS hero h5.2.0.2802 build 20240620 or later.
Restrict Network Access: Configure firewalls and network settings to allow only trusted IP addresses access to NAS devices.
Monitor System Logs: Regularly review logs for unusual activity indicating attempted exploitation.
Apply Security Patches Promptly: Ensure all security patches are applied as soon as they become available.
How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?
Black Kite released the “QNAP QTS – Jan2025” FocusTag™ on January 23, 2025, to help organizations identify vendors potentially affected by these vulnerabilities. This tag provides detailed information, including the specific assets (IP addresses and subdomains) associated with vulnerable QNAP systems within a vendor’s infrastructure. By utilizing this intelligence, TPRM professionals can prioritize assessments and remediation efforts, ensuring that vendors have addressed these critical vulnerabilities.
Black Kite’s QNAP QTS – Jan2025 FocusTagTM details critical insights on the event for TPRM professionals.
CVE-2025-23061 in Mongoose
Mongoose is specifically an Object Data Modeling (ODM) library designed for Node.js, enabling easy interaction with MongoDB databases. It simplifies the management, validation, and modeling of data in MongoDB, providing developers with a more structured and secure working environment.
What is CVE-2025-23061?
CVE-2025-23061 is a critical code injection vulnerability affecting Mongoose, a MongoDB object modeling tool widely used for Node.js and Deno applications. It has a CVSS score of 9.0, emphasizing its severity, while the EPSS score is 0.05%, suggesting a lower probability of exploitation at present. This vulnerability arises from improper handling of nested $where filters used with the populate() function’s match option, enabling attackers to manipulate search queries and access sensitive data.
This flaw is linked to an incomplete fix for CVE-2024-53900, another critical issue involving the $where operator’s improper handling. The vulnerability impacts Mongoose versions prior to 8.9.5. Although PoC exploit code is unavailable and it has not been added to CISA’s Known Exploited Vulnerabilities catalog, its potential impact is significant due to Mongoose’s wide adoption, with over 2.7 million weekly downloads.
Why Should TPRM Professionals Be Concerned About CVE-2025-23061?
TPRM professionals should consider this vulnerability a high-priority concern due to Mongoose’s extensive use in applications that store sensitive data. If a vendor utilizes an unpatched version of Mongoose, their database integrity could be compromised, resulting in data manipulation, unauthorized access, or even larger breaches affecting downstream partners and customers. The prevalence of Mongoose as a dependency in critical systems underscores the potential ripple effect of an exploit.
What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-23061?
To evaluate vendor risk associated with this vulnerability, consider asking:
Have you upgraded Mongoose to version 8.9.5 or later to mitigate the risk of CVE-2025-23061 and the previously related CVE-2024-53900?
Can you confirm if you have reviewed your application’s use of the populate() function and $where filters to ensure no unintended exposure exists, as recommended in the advisory?
Have you implemented robust input validation and sanitization measures to prevent potential search injection attacks related to the Mongoose vulnerability?
Are you regularly auditing and updating all dependencies to incorporate the latest security patches, specifically those related to Mongoose and MongoDB object modeling tools?
Remediation Recommendations for Vendors
Vendors using Mongoose should:
Update Mongoose: Upgrade to version 8.9.5 or later to address the vulnerability.
Audit Codebase: Review the usage of $where filters and the populate() function to identify and mitigate potential exposure.
Implement Input Validation: Enforce robust validation and sanitization mechanisms for all database queries.
Monitor Dependencies: Regularly review and update dependencies to ensure all security patches are applied promptly.
How Can TPRM Professionals Leverage Black Kite for This Vulnerability?
Black Kite published the “Mongoose” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially affected by this vulnerability. This tag provides high-confidence identification of systems using vulnerable Mongoose versions, offering actionable insights into affected assets, including IP addresses and subdomains. TPRM professionals can leverage this intelligence to prioritize their vendor risk assessments and ensure remediation efforts are effectively targeted.
Black Kite’s Mongoose FocusTagTM details critical insights on the event for TPRM professionals.
CVE-2024-12365 in W3 Total Cache Plugin
W3 Total Cache (W3TC) is a well-known and powerful caching and performance optimization plugin designed for WordPress websites. This plugin enhances website speed, reduces loading times, and improves the overall user experience. It is particularly effective in delivering significant performance improvements for high-traffic websites.
What is CVE-2024-12365?
CVE-2024-12365 is a high-severity missing authorization vulnerability in the W3 Total Cache plugin for WordPress, affecting versions up to and including 2.8.1. With a CVSS score of 8.5 and an EPSS score of 0.09%, this vulnerability allows authenticated users with Subscriber-level access to exploit the is_w3tc_admin_page function to retrieve the plugin’s nonce value. Attackers can leverage this to perform unauthorized actions, potentially leading to information disclosure and server-side request forgery (SSRF).
Exploitation of this flaw could allow attackers to query internal services, including metadata on cloud-based applications, and consume service plan limits. While no PoC exploit code is currently available, more than a million WordPress sites using this plugin are at risk. As of January 22, 2025, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.
Why Should TPRM Professionals Be Concerned About CVE-2024-12365?
Third-Party Risk Management (TPRM) professionals should be highly attentive to this vulnerability due to its potential to expose sensitive internal data and compromise WordPress-based websites. Many businesses rely on WordPress as their primary web platform, and vulnerabilities in widely-used plugins like W3 Total Cache can create significant risks.
If a vendor’s website is compromised through this flaw, it may lead to:
Data breaches involving sensitive business or customer information.
Unintended exposure of internal application data through SSRF attacks.
Loss of trust and credibility due to website exploitation.
Given the widespread use of WordPress and this specific plugin, the impact of unpatched systems can extend across interconnected organizations and their customers.
What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-12365?
To evaluate vendor risk, TPRM professionals can ask the following targeted questions:
Can you confirm if you have updated the W3 Total Cache plugin for WordPress to version 2.8.2 or later, which addresses the CVE-2024-12365 vulnerability?
Have you implemented any additional security measures to monitor for unauthorized access or unusual behavior on your WordPress sites that could indicate exploitation attempts related to the CVE-2024-12365 vulnerability?
Have you conducted an audit of user roles and permissions to ensure that only necessary privileges are granted, minimizing potential exploitation by lower-level users as recommended in the advisory for the CVE-2024-12365 vulnerability?
Can you confirm if you have taken any steps to mitigate the risk of server-side request forgery, such as implementing security best practices or updating the W3 Total Cache plugin, in response to the CVE-2024-12365 vulnerability?
Remediation Recommendations for Vendors
Vendors using the W3 Total Cache plugin should take the following steps:
Update the Plugin: Upgrade to version 2.8.2 or newer, where the vulnerability has been fixed.
Audit User Permissions: Review and minimize privileges for users, ensuring Subscriber-level accounts have limited access.
Monitor Activity: Regularly review website activity logs for unusual or unauthorized behavior.
Enforce Security Best Practices: Maintain strong security protocols for WordPress installations, including strong passwords, regular plugin updates, and security plugins for intrusion detection.
How Can TPRM Professionals Leverage Black Kite for This Vulnerability?
Black Kite released the “W3 Total Cache” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially impacted by this vulnerability. By providing very high-confidence information, such as asset-level details (e.g., IP addresses and subdomains), Black Kite enables TPRM professionals to quickly assess and mitigate risks. This FocusTag™ is instrumental in narrowing down affected vendors and ensuring targeted remediation efforts.
Black Kite’s W3 Total Cache FocusTagTM details critical insights on the event for TPRM professionals.
Enhancing TPRM Strategies with Black Kite’s FocusTags™
Black Kite’s FocusTags™ are transformative tools designed to empower Third-Party Risk Management (TPRM) professionals with actionable insights in the face of an ever-evolving threat landscape. With this week’s vulnerabilities spanning multiple platforms and industries, the value of these FocusTags™ becomes especially apparent:
Real-Time Threat Awareness: Instantly pinpoint vendors impacted by vulnerabilities like those in FortiGate firewalls, QNAP NAS systems, Mongoose, and the W3 Total Cache plugin, enabling rapid and targeted action.
Prioritized Risk Management: Evaluate risks based on the criticality of the vulnerabilities and the vendor’s importance, allowing for efficient allocation of resources to mitigate threats.
Tailored Vendor Engagement: Facilitate meaningful conversations with vendors, focusing on their exposure to vulnerabilities and the specific actions they’ve taken to address them.
Enhanced Cybersecurity Posture: Gain a comprehensive view of the threat landscape, supporting the development of robust strategies to defend against future risks.
By translating complex cybersecurity data into practical intelligence, Black Kite’s FocusTags™ help TPRM professionals navigate the complexities of vendor risk management with precision and confidence. These tools are essential for maintaining resilience in today’s fast-paced digital environment, where proactive risk mitigation can mean the difference between security and compromise.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTagsTM in the Last 30 Days:
FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
Login
