Written by: Ferdi Gül

In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.

Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.

Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.

CVE-2025-0108, CVE-2025-0110: Authentication Bypass & Command Injection in PAN-OS

What are the PAN-OS Authentication Bypass and Command Injection Vulnerabilities?

Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:

• CVE-2025-0108 (Authentication Bypass – CVSS: 8.8):
  This vulnerability affects the management web interface of PAN-OS. An unauthenticated attacker with network access can bypass authentication and invoke specific PHP scripts. While it does not allow remote code execution, it compromises system integrity and confidentiality.
• CVE-2025-0110 (Command Injection – CVSS: 8.6):
  Found in the OpenConfig plugin, this vulnerability enables an authenticated administrator with gNMI request privileges to inject and execute arbitrary commands. The commands run as the _openconfig user, which has Device Administrator privileges, potentially leading to full system compromise.

Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.

• Authentication Bypass (CVE-2025-0108):
  Attackers could exploit this flaw to gain unauthorized access to PAN-OS management functions, leading to potential misconfigurations, unauthorized changes, or exposure of sensitive network settings.
• Command Injection (CVE-2025-0110):
  If the OpenConfig plugin is enabled, an attacker with administrator access could execute arbitrary system commands, escalating privileges or deploying persistent malware on PAN-OS devices.

For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.

What Questions Should TPRM Professionals Ask Vendors?

To assess vendor exposure, TPRM professionals should ask:

1. Have you identified any PAN-OS devices in your environment that are running vulnerable versions (before PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, 10.1.14-h9)?
2. Do you use the OpenConfig plugin in PAN-OS? If so, have you verified that it is updated to version 2.1.2 or later?
3. What access controls are in place to restrict exposure of the PAN-OS management web interface to untrusted networks?
4. Have you applied Palo Alto Networks’ recommended mitigations, such as disabling unused plugins and restricting management access?

Remediation Recommendations for Vendors Subject to this Risk

To mitigate the risk associated with these vulnerabilities, vendors should:

✔ Upgrade PAN-OS to patched versions:

• PAN-OS 11.2 → Upgrade to 11.2.4-h4 or later
• PAN-OS 11.1 → Upgrade to 11.1.6-h1 or later
• PAN-OS 10.2 → Upgrade to 10.2.13-h3 or later
• PAN-OS 10.1 → Upgrade to 10.1.14-h9 or later
• If running PAN-OS 11.0 (EoL), upgrade to a supported version.

✔ Update OpenConfig plugin to version 2.1.2 or later (if enabled).
✔ Restrict management interface access to trusted internal IPs only.
✔ Disable the OpenConfig plugin if not in use to reduce the attack surface.
✔ Monitor system logs for unusual access or command execution activity.
✔ Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.

• The FocusTag™ identifies vendors potentially affected by CVE-2025-0108 and CVE-2025-0110.
• Black Kite provides asset intelligence, including IP addresses and subdomains hosting vulnerable PAN-OS instances.

The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.

CVE-2025-22467, CVE-2024-38657, CVE-2024-10644: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure

What Are the Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure?

Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:

• CVE-2025-22467 (CVSS: 9.9): A stack-based buffer overflow vulnerability in ICS versions prior to 22.7R2.6. This flaw allows a remote authenticated attacker with low privileges to execute arbitrary code, potentially leading to full system compromise.
• CVE-2024-38657 (CVSS: 9.1): An external control of file name or path vulnerability affecting ICS (before 22.7R2.4) and IPS (before 22.7R1.3). A remote authenticated attacker with administrative privileges can write arbitrary files on the system, which may lead to unauthorized file manipulation or system compromise.
• CVE-2024-10644 (CVSS: 9.1): A code injection vulnerability in ICS (before 22.7R2.4) and IPS (before 22.7R1.3). This allows a remote authenticated attacker with administrative privileges to execute arbitrary commands on the system, potentially resulting in complete system control.

These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-Party Risk Management (TPRM) professionals should be concerned due to the following reasons:

• Remote Code Execution Risks: Exploitation of these vulnerabilities could allow attackers to execute arbitrary code or commands, leading to unauthorized access, data breaches, and potential lateral movement within the network.
• Privilege Escalation: Attackers with low-level access could exploit these flaws to escalate privileges, gaining administrative control over critical systems.
• Supply Chain Impact: Vendors utilizing vulnerable versions of ICS and IPS may inadvertently expose connected organizations to security risks, emphasizing the importance of assessing third-party security postures.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To assess vendor exposure, TPRM professionals should inquire:

1. Which versions of Ivanti Connect Secure and Ivanti Policy Secure are currently deployed within your environment?
2. Have the identified vulnerabilities (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644) been remediated by updating to the latest recommended versions?
3. What measures are in place to monitor and detect potential exploitation attempts related to these vulnerabilities?
4. Is multi-factor authentication (MFA) enabled for all administrative access to these systems?

Remediation Recommendations for Vendors Subject to This Risk

To mitigate the risks associated with these vulnerabilities, vendors should:

✔ Update to Patched Versions:

• For Ivanti Connect Secure, upgrade to version 22.7R2.6 or later.
• For Ivanti Policy Secure, upgrade to version 22.7R1.3 or later.

✔ Restrict Administrative Privileges:

• Limit administrative access to essential personnel.
• Enforce principle of least privilege to reduce risk.

✔ Implement Multi-Factor Authentication (MFA):

• Ensure MFA is enabled for all administrative and remote access.

✔ Monitor System Logs:

• Regularly review logs for unusual activities or signs of attempted exploitation.

✔ Apply Security Best Practices:

• Follow Ivanti’s security guidelines to mitigate risks associated with authenticated users.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.

• The FocusTag™ provides detailed information on vendors potentially affected by these vulnerabilities.
• Black Kite’s asset intelligence helps identify IP addresses and subdomains hosting vulnerable instances.
• This enables TPRM teams to proactively assess and address risks associated with these vulnerabilities.

CVE-2025-25064: Zimbra Collaboration SQL Injection Vulnerability

Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.

What is CVE-2025-25064?

CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2025-25064?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-25064?

To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:

1. Have you updated all instances of Zimbra Collaboration to versions 10.0.12 or 10.1.4, where CVE-2025-25064 has been patched?
2. Can you confirm if you have implemented access restrictions to the ZimbraSync Service SOAP endpoint to trusted networks and users as recommended?
3. Have you deployed Web Application Firewalls (WAFs) to detect and block SQL injection attempts targeting Zimbra Collaboration?
4. Do you regularly monitor server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service?

Remediation Recommendations for Vendors

Vendors using affected Zimbra Collaboration products should:

• Update Software: Upgrade to Zimbra Collaboration versions 10.0.12 or 10.1.4, where this vulnerability has been addressed.
• Restrict Access: Limit access to the ZimbraSync Service SOAP endpoint to trusted networks and users to minimize potential exploitation vectors.
• Implement Web Application Firewalls (WAF): Deploy WAFs to detect and block SQL injection attempts and other malicious activities targeting web applications.
• Monitor Logs: Regularly review server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.

CVE-2025-22604: Critical Remote Code Execution Vulnerability in Cacti

Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.

What is the Cacti Remote Code Execution Vulnerability?

CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of proof of exploitation at the moment.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.

What Questions Should TPRM Professionals Ask Vendors About CVE-2025-22604?

To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:

1. Have you identified any instances of Cacti within your infrastructure that are affected by CVE-2025-22604?
2. If so, have you updated all affected Cacti installations to version 1.2.29 or later to mitigate this vulnerability?
3. What measures have you implemented to restrict SNMP access to trusted users and networks?
4. Do you regularly monitor system logs and SNMP activity for unusual or unauthorized actions?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:

• Upgrade Cacti: Update all Cacti installations to version 1.2.29 or later, as this version addresses the vulnerability.
• Restrict SNMP Access: Limit SNMP access to trusted users and networks to reduce potential attack vectors.
• Monitor Systems: Regularly review system logs and SNMP activity for any unusual or unauthorized actions.
• Review Permissions: Ensure that only necessary personnel have device management permissions within Cacti.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:

✅ Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action.
✅ Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively.
✅ Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities.
✅ Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.

By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
• Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
• Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
• FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
• QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
• Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
• W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
• Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
• Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
• SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0108

https://nvd.nist.gov/vuln/detail/CVE-2025-0110

https://security.paloaltonetworks.com/CVE-2025-0108

https://security.paloaltonetworks.com/CVE-2025-0110

https://securityonline.info/cve-2025-0108-cve-2025-0110-palo-alto-networks-fixes-high-severity-pan-os-vulnerabilities

https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US

https://forums.ivanti.com/s/article/KB29805?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2025-22467

https://nvd.nist.gov/vuln/detail/CVE-2024-10644

https://securityonline.info/cve-2025-22467-cvss-9-9-ivanti-connect-secure-vulnerability-allows-remote-code-execution

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://nvd.nist.gov/vuln/detail/CVE-2025-25064

https://securityonline.info/cve-2025-25064-cvss-9-8-critical-sql-injection-bug-in-zimbra-collaboration

https://nvd.nist.gov/vuln/detail/CVE-2025-22604

https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36

https://securityonline.info/cve-2025-22604-cvss-9-1-remote-code-execution-flaw-in-cacti-poc-released

The post Focus Friday: Addressing Third-Party Risks in PAN-OS, Ivanti Connect Secure, Zimbra, and Cacti Vulnerabilities appeared first on Black Kite.

Written by: Ferdi Gül

In today’s interconnected digital landscape, the rapid emergence of critical vulnerabilities demands an agile and informed approach to Third-Party Risk Management (TPRM). This week’s Focus Friday blog highlights high-profile incidents involving vulnerabilities in FortiGate firewalls, QNAP NAS systems, Mongoose, and the W3 Total Cache WordPress plugin. Each of these vulnerabilities poses unique challenges, from authentication bypasses enabling unauthorized access to database manipulation and SSRF attacks.

Leveraging Black Kite’s FocusTags™, we delve into the impact of these vulnerabilities from a TPRM perspective. This article offers detailed insights into the risks, remediation strategies, and questions TPRM professionals should be asking vendors to protect their ecosystems against potential breaches.

CVE-2022-40684: FortiGate Authentication Bypass Vulnerability

What is CVE-2022-40684?

CVE-2022-40684 is a critical authentication bypass vulnerability affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager products. This flaw allows unauthenticated attackers to perform administrative operations via specially crafted HTTP or HTTPS requests. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 97.26%, reflecting the significant likelihood of exploitation. First identified in October 2022, this vulnerability has been actively exploited in the wild, with reports of threat actors leveraging it to download device configurations and add unauthorized super_admin accounts. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-40684 to its Known Exploited Vulnerabilities catalog on October 11, 2022. 

As part of Black Kite Research & Intelligence Team (BRITE), we have proactively addressed the exposure of configuration files, IP addresses, and VPN credentials belonging to over 15,000 FortiGate devices identified and analyzed on the dark web.

Why Should TPRM Professionals Be Concerned About CVE-2022-40684?

Third-Party Risk Management (TPRM) professionals should be particularly vigilant regarding CVE-2022-40684 due to its potential impact on network security. The recent leak of configuration files and VPN credentials for over 15,000 FortiGate devices underscores the risk of unauthorized access to sensitive systems. If a vendor utilizes vulnerable FortiGate products, their compromised systems could serve as entry points for attackers, leading to data breaches and disruptions that may cascade to connected organizations. Given the critical role of firewalls in protecting network perimeters, any compromise can have far-reaching consequences.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2022-40684?

To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:

1. Have you updated all instances of FortiOS, FortiProxy, and FortiSwitchManager products to the latest firmware versions where CVE-2022-40684 has been patched?
2. Can you confirm if you have implemented IP restrictions, enhanced network activity monitoring, and deactivated the HTTP/HTTPS administrative interface as recommended in the advisory to mitigate the risk of CVE-2022-40684?
3. Have you reset all VPN and administrative credentials, especially those previously configured, and reviewed your firewall rules and configurations to ensure they align with current security best practices following the FortiGate firewall configuration leak?
4. Have you verified if your FortiGate devices are among the compromised by reviewing the leaked data and taken necessary actions to prevent unauthorized access to sensitive systems.

Remediation Recommendations for Vendors

Vendors using affected Fortinet products should:

• Update Firmware: Upgrade to the latest firmware versions that address CVE-2022-40684.
• Change Credentials: Reset all VPN and administrative credentials, especially those previously configured.
• Review Configurations: Assess and modify firewall rules and configurations to align with current security best practices.
• Disable Administrative Interface: Deactivate the HTTP/HTTPS administrative interface to reduce the attack surface.
• Implement IP Restrictions: Limit access to the administrative interface by allowing only trusted IP addresses.
• Monitor Network Activity: Enhance monitoring to detect any unauthorized access or anomalies.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has proactively addressed this issue by publishing the “FortiGate Leakage” FocusTag™ on January 17, 2025. This tag enables TPRM professionals to identify vendors potentially affected by the FortiGate data leak. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.

CVE-2024-53691 and CVE-2023-39298 in QNAP QTS and QuTS Hero

What are CVE-2024-53691 and CVE-2023-39298?

CVE-2024-53691 is a link following a vulnerability in QNAP’s QTS and QuTS hero operating systems. It allows remote attackers with user access to traverse the file system to unintended locations, potentially leading to unauthorized access to sensitive files and system compromise. This vulnerability has a CVSS score of 8.7. 

CVE-2023-39298 is a missing authorization vulnerability affecting several QNAP operating system versions. It permits local authenticated users to access data or perform actions they should not be allowed to via unspecified vectors. This vulnerability has a CVSS score of 7.8. As of January 23, 2025, neither vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

QNAP NAS devices are widely used for storing and managing critical business data. Exploitation of these vulnerabilities could lead to unauthorized access, data breaches, and potential system compromises. For Third-Party Risk Management (TPRM) professionals, it’s crucial to assess whether vendors utilize vulnerable QNAP systems, as a compromise could indirectly affect your organization’s data integrity and security.

What Questions Should TPRM Professionals Ask Vendors Regarding These Vulnerabilities?

To evaluate the risk associated with these vulnerabilities, TPRM professionals should inquire:

1. Can you confirm if you have upgraded all instances of QNAP QTS and QuTS hero to versions QTS 5.2.0.2802 build 20240620 and QuTS hero h5.2.0.2802 build 20240620 or later to mitigate the risk of CVE-2024-53691 and CVE-2023-39298?
2. Have you implemented the recommended actions such as monitoring system logs, applying security patches promptly, implementing MFA, and restricting network access to mitigate the risk of unauthorized access due to the link following vulnerability in QNAP QTS and QuTS hero operating systems?
3. Can you confirm if you have taken measures to prevent unauthorized access to sensitive files and potential system compromise due to the link following vulnerability (CVE-2024-53691) in QNAP QTS and QuTS hero operating systems?
4.  Have you taken any additional steps to protect your QNAP devices from data theft, ransomware attacks, or malware deployment that could result from exploiting the vulnerabilities CVE-2024-53691 and CVE-2023-39298?

Remediation Recommendations for Vendors

Vendors utilizing affected QNAP systems should:

• Update Firmware: Upgrade to QTS 5.2.0.2802 build 20240620 or QuTS hero h5.2.0.2802 build 20240620 or later.
• Implement Multi-Factor Authentication (MFA): Enhance account security to prevent unauthorized access.
• Restrict Network Access: Configure firewalls and network settings to allow only trusted IP addresses access to NAS devices.
• Monitor System Logs: Regularly review logs for unusual activity indicating attempted exploitation.
• Apply Security Patches Promptly: Ensure all security patches are applied as soon as they become available.

How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?

Black Kite released the “QNAP QTS – Jan2025” FocusTag™ on January 23, 2025, to help organizations identify vendors potentially affected by these vulnerabilities. This tag provides detailed information, including the specific assets (IP addresses and subdomains) associated with vulnerable QNAP systems within a vendor’s infrastructure. By utilizing this intelligence, TPRM professionals can prioritize assessments and remediation efforts, ensuring that vendors have addressed these critical vulnerabilities.

CVE-2025-23061 in Mongoose

Mongoose is specifically an Object Data Modeling (ODM) library designed for Node.js, enabling easy interaction with MongoDB databases. It simplifies the management, validation, and modeling of data in MongoDB, providing developers with a more structured and secure working environment.

What is CVE-2025-23061?

CVE-2025-23061 is a critical code injection vulnerability affecting Mongoose, a MongoDB object modeling tool widely used for Node.js and Deno applications. It has a CVSS score of 9.0, emphasizing its severity, while the EPSS score is 0.05%, suggesting a lower probability of exploitation at present. This vulnerability arises from improper handling of nested $where filters used with the populate() function’s match option, enabling attackers to manipulate search queries and access sensitive data.

This flaw is linked to an incomplete fix for CVE-2024-53900, another critical issue involving the $where operator’s improper handling. The vulnerability impacts Mongoose versions prior to 8.9.5. Although PoC exploit code is unavailable and it has not been added to CISA’s Known Exploited Vulnerabilities catalog, its potential impact is significant due to Mongoose’s wide adoption, with over 2.7 million weekly downloads.

Why Should TPRM Professionals Be Concerned About CVE-2025-23061?

TPRM professionals should consider this vulnerability a high-priority concern due to Mongoose’s extensive use in applications that store sensitive data. If a vendor utilizes an unpatched version of Mongoose, their database integrity could be compromised, resulting in data manipulation, unauthorized access, or even larger breaches affecting downstream partners and customers. The prevalence of Mongoose as a dependency in critical systems underscores the potential ripple effect of an exploit.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-23061?

To evaluate vendor risk associated with this vulnerability, consider asking:

1. Have you upgraded Mongoose to version 8.9.5 or later to mitigate the risk of CVE-2025-23061 and the previously related CVE-2024-53900?
2. Can you confirm if you have reviewed your application’s use of the populate() function and $where filters to ensure no unintended exposure exists, as recommended in the advisory?
3. Have you implemented robust input validation and sanitization measures to prevent potential search injection attacks related to the Mongoose vulnerability?
4. Are you regularly auditing and updating all dependencies to incorporate the latest security patches, specifically those related to Mongoose and MongoDB object modeling tools?

Remediation Recommendations for Vendors

Vendors using Mongoose should:

1. Update Mongoose: Upgrade to version 8.9.5 or later to address the vulnerability.
2. Audit Codebase: Review the usage of $where filters and the populate() function to identify and mitigate potential exposure.
3. Implement Input Validation: Enforce robust validation and sanitization mechanisms for all database queries.
4. Monitor Dependencies: Regularly review and update dependencies to ensure all security patches are applied promptly.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite published the “Mongoose” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially affected by this vulnerability. This tag provides high-confidence identification of systems using vulnerable Mongoose versions, offering actionable insights into affected assets, including IP addresses and subdomains. TPRM professionals can leverage this intelligence to prioritize their vendor risk assessments and ensure remediation efforts are effectively targeted.

CVE-2024-12365 in W3 Total Cache Plugin

W3 Total Cache (W3TC) is a well-known and powerful caching and performance optimization plugin designed for WordPress websites. This plugin enhances website speed, reduces loading times, and improves the overall user experience. It is particularly effective in delivering significant performance improvements for high-traffic websites.

What is CVE-2024-12365?

CVE-2024-12365 is a high-severity missing authorization vulnerability in the W3 Total Cache plugin for WordPress, affecting versions up to and including 2.8.1. With a CVSS score of 8.5 and an EPSS score of 0.09%, this vulnerability allows authenticated users with Subscriber-level access to exploit the is_w3tc_admin_page function to retrieve the plugin’s nonce value. Attackers can leverage this to perform unauthorized actions, potentially leading to information disclosure and server-side request forgery (SSRF).

Exploitation of this flaw could allow attackers to query internal services, including metadata on cloud-based applications, and consume service plan limits. While no PoC exploit code is currently available, more than a million WordPress sites using this plugin are at risk. As of January 22, 2025, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2024-12365?

Third-Party Risk Management (TPRM) professionals should be highly attentive to this vulnerability due to its potential to expose sensitive internal data and compromise WordPress-based websites. Many businesses rely on WordPress as their primary web platform, and vulnerabilities in widely-used plugins like W3 Total Cache can create significant risks.

If a vendor’s website is compromised through this flaw, it may lead to:

• Data breaches involving sensitive business or customer information.
• Unintended exposure of internal application data through SSRF attacks.
• Loss of trust and credibility due to website exploitation.

Given the widespread use of WordPress and this specific plugin, the impact of unpatched systems can extend across interconnected organizations and their customers.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2024-12365?

To evaluate vendor risk, TPRM professionals can ask the following targeted questions:

1. Can you confirm if you have updated the W3 Total Cache plugin for WordPress to version 2.8.2 or later, which addresses the CVE-2024-12365 vulnerability?
2.  Have you implemented any additional security measures to monitor for unauthorized access or unusual behavior on your WordPress sites that could indicate exploitation attempts related to the CVE-2024-12365 vulnerability?
3. Have you conducted an audit of user roles and permissions to ensure that only necessary privileges are granted, minimizing potential exploitation by lower-level users as recommended in the advisory for the CVE-2024-12365 vulnerability?
4. Can you confirm if you have taken any steps to mitigate the risk of server-side request forgery, such as implementing security best practices or updating the W3 Total Cache plugin, in response to the CVE-2024-12365 vulnerability?

Remediation Recommendations for Vendors

Vendors using the W3 Total Cache plugin should take the following steps:

1. Update the Plugin: Upgrade to version 2.8.2 or newer, where the vulnerability has been fixed.
2. Audit User Permissions: Review and minimize privileges for users, ensuring Subscriber-level accounts have limited access.
3. Monitor Activity: Regularly review website activity logs for unusual or unauthorized behavior.
4. Enforce Security Best Practices: Maintain strong security protocols for WordPress installations, including strong passwords, regular plugin updates, and security plugins for intrusion detection.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite released the “W3 Total Cache” FocusTag™ on January 22, 2025, to help organizations identify vendors potentially impacted by this vulnerability. By providing very high-confidence information, such as asset-level details (e.g., IP addresses and subdomains), Black Kite enables TPRM professionals to quickly assess and mitigate risks. This FocusTag™ is instrumental in narrowing down affected vendors and ensuring targeted remediation efforts.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are transformative tools designed to empower Third-Party Risk Management (TPRM) professionals with actionable insights in the face of an ever-evolving threat landscape. With this week’s vulnerabilities spanning multiple platforms and industries, the value of these FocusTags™ becomes especially apparent:

• Real-Time Threat Awareness: Instantly pinpoint vendors impacted by vulnerabilities like those in FortiGate firewalls, QNAP NAS systems, Mongoose, and the W3 Total Cache plugin, enabling rapid and targeted action.
• Prioritized Risk Management: Evaluate risks based on the criticality of the vulnerabilities and the vendor’s importance, allowing for efficient allocation of resources to mitigate threats.
• Tailored Vendor Engagement: Facilitate meaningful conversations with vendors, focusing on their exposure to vulnerabilities and the specific actions they’ve taken to address them.
• Enhanced Cybersecurity Posture: Gain a comprehensive view of the threat landscape, supporting the development of robust strategies to defend against future risks.

By translating complex cybersecurity data into practical intelligence, Black Kite’s FocusTags™ help TPRM professionals navigate the complexities of vendor risk management with precision and confidence. These tools are essential for maintaining resilience in today’s fast-paced digital environment, where proactive risk mitigation can mean the difference between security and compromise.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
• QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
• Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
• W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
• Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
• Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
• SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-40684

https://breachforums.st/Thread-FortiGate-15K-Targets-Configs-VPN-Passwords

https://www.bleepingcomputer.com/news/security/hackers-leak-configs-and-vpn-credentials-for-15-000-fortigate-devices

https://securityonline.info/15000-fortigate-firewalls-exposed-massive-leak-includes-vpn-credentials

https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684

https://github.com/horizon3ai/CVE-2022-40684

https://www.qnap.com/en/security-advisory/qsa-24-28

https://nvd.nist.gov/vuln/detail/CVE-2024-53691

https://nvd.nist.gov/vuln/detail/CVE-2023-39298

https://securityonline.info/cve-2024-53691-poc-exploit-released-for-severe-qnap-rce-flaw

https://github.com/C411e/CVE-2024-53691

https://nvd.nist.gov/vuln/detail/CVE-2025-23061

https://github.com/advisories/GHSA-vg7j-7cwx-8wgw

https://github.com/Automattic/mongoose/releases/tag/8.9.5

CVE-2025-2306 (CVSS 9.0): Mongoose Flaw Leaves Millions of Downloads Exposed to Search Injection

https://nvd.nist.gov/vuln/detail/CVE-2024-12365

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/w3-total-cache/w3-total-cache-281-authenticated-subscriber-missing-authorization-to-server-side-request-forgery

https://securityonline.info/cve-2024-12365-popular-wordpress-caching-plugin-exposes-millions-of-sites-to-attack

The post FOCUS FRIDAY: TPRM Insights on FortiGate, QNAP, Mongoose, and W3 Total Cache Vulnerabilities with Black Kite’s FocusTags™ appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we dive into key vulnerabilities impacting widely used technologies. This installment highlights three significant incidents that pose unique challenges to third-party risk management (TPRM) teams. From Juniper Junos OS to Rsync and SimpleHelp, we explore how these vulnerabilities affect the security posture of vendors and their downstream supply chains. By examining these issues, we aim to provide actionable insights and strategies to help organizations mitigate risks and maintain robust third-party relationships.

Juniper Junos CVE-2025-21598

What is the Juniper Junos BGP Vulnerability (CVE-2025-21598)?

CVE-2025-21598 is an out-of-bounds read vulnerability in the routing protocol daemon (rpd) of Junos OS and Junos OS Evolved. When a device is configured with BGP packet receive trace options, an unauthenticated attacker can send malformed BGP packets that cause the rpd process to crash. This vulnerability has a CVSS score of 8.2, making it a high-severity issue. It was first disclosed on January 14, 2025, and there are currently no reports of active exploitation. CISA’s KEV catalog does not yet list this vulnerability. Proof-of-concept (POC) is not available.

CVE-2025-21599 is a critical vulnerability affecting specific versions of Junos OS Evolved. It requires IPv6 to be enabled and involves attackers sending malformed IPv6 packets persistently to exhaust memory. Exploitation does not require authentication but needs network access to the device. The affected versions are:

• From 22.4-EVO: before 22.4R3-S5-EVO
• From 23.2-EVO: before 23.2R2-S2-EVO
• From 23.4-EVO: before 23.4R2-S2-EVO
• From 24.2-EVO: before 24.2R1-S2-EVO, and 24.2R2-EVO.

Versions prior to 22.4R1-EVO are unaffected. This vulnerability was excluded from the FocusTag™ scope due to its limitation to EVO versions and no detection by external clients specific to EVO.

Why should TPRM professionals care about CVE-2025-21598?

This vulnerability impacts network infrastructure devices, which are critical to business operations. If left unpatched, it could result in significant service interruptions, loss of connectivity, and reduced reliability of the affected network environment. Organizations that rely on these devices could face disruptions in their supply chain communications and business operations, making it essential for TPRM professionals to assess the risk and ensure proper mitigation measures are in place.

What questions should TPRM professionals ask vendors about CVE-2025-21598?

1. Have you updated all instances of Junos OS and Junos OS Evolved to the fixed versions mentioned in the advisory to mitigate the risk of CVE-2025-21598?
2. Can you confirm if you have disabled BGP packet receive trace options on your Junos OS and Junos OS Evolved devices to prevent potential exploitation of CVE-2025-21598?
3. Are you regularly inspecting your system logs for any indications of malformed BGP update messages, which may suggest attempted exploitation of CVE-2025-21598?
4. For Junos OS Evolved, have you ensured that all versions from 22.4-EVO before 22.4R3-S5-EVO, from 23.2-EVO before 23.2R2-S2-EVO, from 23.4-EVO before 23.4R2-S2-EVO, from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO have been updated to mitigate the risk of CVE-2025-21599?

Remediation recommendations for vendors subject to this risk

• Upgrade all affected Junos OS and Junos OS Evolved devices to the patched versions.
• Disable BGP packets receive trace options if updating is not immediately possible.
• Implement continuous network monitoring to identify any indications of exploitation attempts.
• Maintain up-to-date logging configurations and review logs for signs of malformed BGP packets.

How can TPRM professionals leverage Black Kite for CVE-2025-21598?

Black Kite published this FocusTag™ to help organizations pinpoint the vendors affected by CVE-2025-21598. By providing detailed asset information—including relevant subdomains and vulnerable IPs—Black Kite enables TPRM professionals to rapidly identify which vendors need immediate attention. This targeted approach reduces time spent on outreach and allows more efficient mitigation efforts.

Rsync Vulnerabilities (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747)

What are the critical Rsync vulnerabilities?

Rsync, a widely-used file synchronization tool, has six significant vulnerabilities in versions 3.3.0 and earlier. These flaws pose risks such as arbitrary code execution, information leakage, and unauthorized system access, particularly for organizations relying on Rsync for backups.

Six vulnerabilities have been identified in Rsync, posing significant security risks. These include a heap-buffer overflow (CVE-2024-12084) in the Rsync daemon that allows attackers to execute code by controlling checksum lengths (s2length) and gaining server access. An information leak vulnerability (CVE-2024-12085) exposes uninitialized memory during file checksum comparisons. Additionally, malicious servers can exploit crafted checksums to extract arbitrary files from clients (CVE-2024-12086). Path traversal is possible due to improper symlink checks with the default –inc-recursive option (CVE-2024-12087), while a –safe-links bypass flaw (CVE-2024-12088) allows arbitrary file writes and further path traversal. Finally, a symbolic-link race condition (CVE-2024-12747) could lead to privilege escalation or data leakage by exploiting timing issues during file transfers. Exploitation of these vulnerabilities requires specific conditions, such as server access or manipulated configurations. 

Currently, no publicly available POC exists, and these vulnerabilities are not listed in CISA’s Known Exploited Vulnerabilities catalog. Affected versions include Rsync ≥3.2.7 and <3.4.0 for CVE-2024-12084, while other CVEs impact Rsync 3.3.0 and earlier. Organizations relying on Rsync for synchronization or backups should apply patches or mitigations promptly to mitigate risks of unauthorized access and data breaches.

Why should TPRM professionals care about Rsync vulnerabilities?

Many organizations rely on Rsync for critical backup operations. Unaddressed vulnerabilities could lead to severe disruptions, including unauthorized data exposure, system compromise, and operational downtime. These risks demand immediate attention from TPRM professionals to ensure that vendors and their supply chain partners have implemented the necessary remediations.

What questions should TPRM professionals ask vendors about the Rsync vulnerabilities?

1. Have you upgraded all instances of Rsync to version 3.4.0 or later to mitigate the risk of CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747?
2. Can you confirm if you have implemented the recommended mitigation measures such as restricting Rsync daemon access to trusted networks and authenticated users, and regularly reviewing and applying security best practices for system and network configurations?
3. Have you reviewed and updated any backup programs utilizing Rsync, such as Rclone, DeltaCopy, and ChronoSync, in response to these vulnerabilities?
4. Are you monitoring for any unusual activities that may indicate exploitation attempts related to these Rsync vulnerabilities, specifically those related to heap-buffer overflow, information leak, file leak, path traversal, safe-links bypass, and symbolic-link race condition?

Remediation recommendations for vendors subject to this risk

• Upgrade Rsync to version 3.4.0 or higher to eliminate known vulnerabilities.
• Disable unused options such as –inc-recursive and –safe-links to minimize exposure.
• Implement strict access controls, allowing only authenticated and trusted connections.
• Conduct regular security audits of your Rsync configuration and logs.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite’s FocusTag™ for Rsync, published in January 2025, helps TPRM professionals identify vendors at risk from these vulnerabilities. By providing detailed information on affected versions, associated IPs, and potentially vulnerable assets, Black Kite enables organizations to narrow their outreach to only those vendors requiring immediate action. This targeted approach not only streamlines risk management processes but also helps protect sensitive data and critical systems from emerging threats.

SimpleHelp Vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726)

What are the critical SimpleHelp vulnerabilities?

Recent security assessments have uncovered critical vulnerabilities in SimpleHelp, a widely used remote support software.

CVE-2024-57726: A privilege escalation flaw that allows users with technician-level access to elevate their privileges to administrator due to missing backend authorization checks.  This vulnerability has a CVSS score of 8.2, making it a high-severity issue. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.

CVE-2024-57727: A path traversal vulnerability allowing unauthenticated attackers to download arbitrary files, including sensitive configuration files. This vulnerability has a CVSS score of 7.5, making it a high-severity issue.

CVE-2024-57728: An arbitrary file upload vulnerability enabling attackers with administrative privileges to upload malicious files anywhere on the server, potentially leading to remote code execution. This vulnerability has a CVSS score of 8.8, making it a high-severity issue.

These vulnerabilities can be chained to compromise the entire server, leading to sensitive information disclosure and potential remote code execution. They affect SimpleHelp versions 5.5.7 and earlier. Currently, there are no reports of these vulnerabilities being exploited in the wild, no available PoC, and no listing in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care about SimpleHelp vulnerabilities?

SimpleHelp is widely used for remote support, making these vulnerabilities particularly concerning. A compromised SimpleHelp server could expose sensitive client information, provide attackers with persistent remote access, and lead to unauthorized actions such as executing malicious scripts. TPRM professionals must ensure that vendors relying on SimpleHelp have patched their systems and implemented necessary security controls to avoid supply chain disruptions and data breaches.

What questions should TPRM professionals ask vendors about SimpleHelp vulnerabilities?

1. Have you updated all instances of SimpleHelp to versions 5.5.8, 5.4.10, or 5.3.9 to mitigate the risk of CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726?
2. Can you confirm if you have implemented IP access restrictions on your SimpleHelp server to accept technician and administrator logins only from trusted IP addresses, as recommended in the advisory?
3. Have you changed the administrator and technician account passwords after updating SimpleHelp to ensure any previously compromised credentials are invalidated?
4. Are you regularly reviewing your server logs for any unusual or unauthorized activities that may indicate attempted exploitation of these vulnerabilities in SimpleHelp?

Remediation recommendations for vendors subject to this risk

• Update SimpleHelp to the latest secure versions (5.5.8, 5.4.10, or 5.3.9) to address these vulnerabilities.
• Change Administrator Passwords. After updating, change the administrator password of the SimpleHelp server to ensure any previously compromised credentials are invalidated.
• Update Technician Account Passwords. Reset passwords for all technician accounts, especially those not utilizing third-party authentication services.
• Restrict IP Access. Configure the SimpleHelp server to accept technician and administrator logins only from trusted IP addresses to reduce unauthorized access risks.
• Monitor System Logs. Regularly review server logs for any unusual or unauthorized activities that may indicate attempted exploitation.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite provides a detailed FocusTag™ highlighting these vulnerabilities, including a list of affected versions and mitigation steps. By using Black Kite’s asset information—such as associated IP addresses and potentially vulnerable subdomains—TPRM professionals can quickly identify which vendors require immediate attention, streamlining the risk mitigation process.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

As the cyber threat landscape continues to evolve, maintaining a resilient Third-Party Risk Management (TPRM) framework is more crucial than ever. Black Kite’s FocusTags™ provide a unique advantage, allowing organizations to identify and respond to high-profile vulnerabilities quickly and effectively. By incorporating FocusTags into their TPRM processes, organizations gain:

Timely Vendor Risk Identification: Quickly determine which vendors are impacted by emerging threats, enabling prompt and strategic action.
Prioritized Risk Management: Focus on the most critical vulnerabilities and vendors, ensuring that resources are allocated where they’re needed most.
Enhanced Vendor Collaboration: Conduct more informed and productive discussions with vendors, addressing their specific exposure and improving overall security measures.
Broader Security Insight: Gain a comprehensive view of the current threat landscape, helping TPRM teams anticipate future risks and strengthen their cybersecurity defenses.

With Black Kite’s FocusTags™, TPRM professionals have the tools they need to transform complex threat data into actionable intelligence. This capability not only improves risk management efficiency but also helps ensure that organizations can confidently manage their third-party ecosystem in an increasingly unpredictable digital environment.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Juniper Junos: CVE-2025-21598, Out-of-bounds Read vulnerability in Juniper’s Junos.
• Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
• SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21598

https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-When-BGP-traceoptions-are-configured-receipt-of-malformed-BGP-packets-causes-RPD-to-crash-CVE-2025-21598?language=en_US

https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-OS-Evolved-Receipt-of-specifically-malformed-IPv6-packets-causes-kernel-memory-exhaustion-leading-to-Denial-of-Service-CVE-2025-21599?language=en_US

https://securityonline.info/unauthenticated-attackers-can-exploit-junos-vulnerabilities-cve-2025-21598-cve-2025-21599

https://nvd.nist.gov/vuln/detail/CVE-2024-12086

https://nvd.nist.gov/vuln/detail/CVE-2024-12087

https://nvd.nist.gov/vuln/detail/CVE-2024-12747

https://nvd.nist.gov/vuln/detail/CVE-2024-12084

https://nvd.nist.gov/vuln/detail/CVE-2024-12088

https://nvd.nist.gov/vuln/detail/CVE-2024-12085

https://www.openwall.com/lists/oss-security/2025/01/14/3

https://securityonline.info/cve-2024-12084-cvss-9-8-code-execution-risk-rsync-vulnerability-demands-immediate-patching

https://nvd.nist.gov/vuln/detail/CVE-2024-57726

https://nvd.nist.gov/vuln/detail/CVE-2024-57727

https://nvd.nist.gov/vuln/detail/CVE-2024-57728

https://simple-help.com/kb—security-vulnerabilities-01-2025#upgrading-to-v5-5-8

https://thehackernews.com/2025/01/critical-simplehelp-flaws-allow-file.html

https://securityonline.info/simplehelp-urgents-to-patch-critical-security-vulnerabilities

https://thehackernews.com/2023/04/iranian-hackers-using-simplehelp-remote.html

The post FOCUS FRIDAY: Third-Party Risks From Critical Juniper Junos, Rsync, and SimpleHelp Vulnerabilities appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday blog, where we analyze high-profile vulnerabilities and incidents from a Third-Party Risk Management (TPRM) perspective. As organizations grapple with the growing complexities of cybersecurity threats, identifying and addressing vendor-related risks becomes paramount. This week, we had a busy week focusing on vulnerabilities. In this week’s article, we examined critical vulnerabilities in widely used products, including SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD. These vulnerabilities underscore the importance of swift action and strategic prioritization in TPRM processes. Read on to explore actionable insights and strategies to mitigate these risks.

Critical Vulnerabilities in SonicWall SonicOS

What are the vulnerabilities affecting SonicWall SonicOS?

The SonicWall SonicOS platform has been found vulnerable to multiple issues that could severely impact network security. Below are the key vulnerabilities:

CVE-2024-40762: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in the SSLVPN authentication token generator. This flaw allows attackers to predict authentication tokens, potentially leading to authentication bypass. (CVSS Score: 7.1)

CVE-2024-53704: Authentication Bypass vulnerability in the SSLVPN mechanism that could enable remote attackers to gain unauthorized system access. (CVSS Score: 8.2)

CVE-2024-53706: Local Privilege Escalation vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions). This allows attackers to escalate privileges to root, potentially leading to arbitrary code execution. (CVSS Score: 7.8)

CVE-2024-53705: Server-Side Request Forgery (SSRF) vulnerability in the SSH management interface. Attackers could establish TCP connections to arbitrary IP addresses and ports, enabling further attacks. (CVSS Score: 6.5, EPSS Score: 0.04%)

These vulnerabilities were disclosed in SonicWall’s security advisory on January 7, 2025. While no active exploitation has been reported yet, similar vulnerabilities have been targeted by Chinese threat actors in the past, raising the likelihood of exploitation in future attack campaigns. As of now, these vulnerabilities are not listed in CISA’s KEV catalog.

Why should TPRM professionals care about these vulnerabilities?

The vulnerabilities in SonicWall SonicOS present significant risks for organizations that rely on these devices for network security:

• Authentication Bypass (CVE-2024-53704): Attackers gaining unauthorized access could compromise sensitive data, introduce malware, or disrupt critical services.
• Local Privilege Escalation (CVE-2024-53706): A successful attack could allow threat actors to execute arbitrary code, potentially leading to full control of the affected systems.
• SSRF (CVE-2024-53705): This could facilitate lateral movement or act as a pivot point for launching further attacks.
• PRNG Vulnerability (CVE-2024-40762): Weak token generation undermines the reliability of authentication mechanisms, posing a significant threat to systems reliant on SSLVPN.

These vulnerabilities directly affect SonicWall Gen6/6.5, Gen7, and TZ80 devices, often used by organizations as a critical part of their perimeter defense. Exploitation could result in compromised networks, data breaches, or service interruptions, which would affect operational and business continuity.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you updated all affected Gen6/6.5, Gen7, and TZ80 series devices to the recommended SonicOS versions (6.5.5.1-6n, 7.1.3-7015, 7.0.1-5165, and 8.0.0-8037 respectively) to mitigate the risk of CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706?
2. Can you confirm if you have implemented measures to limit SSLVPN and SSH management access to trusted sources or disabled access from the internet entirely to reduce exposure to the vulnerabilities CVE-2024-40762 and CVE-2024-53704?
3. Have you enabled Multi-Factor Authentication (MFA) for all remote access to enhance security against the improper authentication issue in the SSLVPN mechanism (CVE-2024-53704)?
4. How are you monitoring your system logs and network traffic to detect any unusual activity that may indicate attempted exploitation of the server-side request forgery (SSRF) flaw in the SSH management interface (CVE-2024-53705) and the privilege escalation issue in the Gen7 SonicOS Cloud platform NSv (CVE-2024-53706)?

Remediation Recommendations for Vendors

To mitigate the risks associated with these vulnerabilities, vendors should:

1. Update Firmware: Ensure all impacted devices are updated to the fixed versions:
   • Gen6 Firewalls: SonicOS 6.5.5.1-6n or higher
   • Gen7 Firewalls: SonicOS 7.1.3-7015 or higher
   • Gen7 NSv: SonicOS 7.0.1-5165 or higher
   • TZ80 Series: SonicOS 8.0.0-8037 or higher
2. Restrict Access: Limit SSLVPN and SSH management access to trusted sources or disable access from the internet entirely.
3. Enable Multi-Factor Authentication (MFA): Strengthen authentication for all remote access to reduce attack surface.
4. Monitor and Log: Continuously review system logs and monitor network traffic for anomalies that may indicate exploitation attempts.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite published the FocusTag™ SonicWall SonicOS – Jan2025 on January 8, 2025 to help TPRM professionals quickly identify vendors at risk. The tag provides:

• A list of vendors using affected SonicWall devices and their associated assets, such as IP addresses or subdomains.
• Insight into which vulnerabilities may impact vendors’ systems.
• An updated status on exploitation activity or new advisories.

Using this tag, professionals can narrow the scope of their risk assessments, focus efforts on high-priority vendors, and expedite their response to these vulnerabilities.

CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure

What are the vulnerabilities affecting Ivanti Connect Secure?

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateway products are affected by two critical vulnerabilities:

CVE-2025-0282: A Critical Stack-Based Buffer Overflow Vulnerability that permits unauthenticated remote code execution. This vulnerability affects Ivanti Connect Secure versions 22.7R2 through 22.7R2.4, Policy Secure versions 22.7R1 through 22.7R1.2, and Neurons for ZTA Gateways versions 22.7R2 through 22.7R2.3. It has a CVSS score of 9.0, reflecting its high severity, and an EPSS score of 0.83%, indicating a notable likelihood of exploitation.

CVE-2025-0283: A High-Severity Stack-Based Buffer Overflow Vulnerability that enables local authenticated attackers to escalate their privileges. This issue impacts the same product versions as CVE-2025-0282. It has a CVSS score of 7.0 and an EPSS score of 0.04%, suggesting a moderate risk of exploitation.

Both vulnerabilities were disclosed on January 8, 2025. CVE-2025-0282 has been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025, and is being exploited in limited incidents, particularly targeting Connect Secure appliances. Mandiant has attributed these exploitations to UNC5337, a suspected subgroup of the China-based espionage group UNC5221. No exploitation of CVE-2025-0283 has been reported.

Why should TPRM professionals care about these vulnerabilities?

These vulnerabilities present significant risks to organizations using Ivanti products:

• CVE-2025-0282: The ability to achieve unauthenticated remote code execution could enable attackers to gain full control of affected systems, compromising network integrity and exposing sensitive data.
• CVE-2025-0283: Privilege escalation could allow an attacker with local access to execute actions reserved for administrators, further increasing the risk of insider threats or unauthorized system changes.

The active exploitation of CVE-2025-0282 highlights the urgency of addressing these vulnerabilities, particularly for organizations relying on these products for secure remote access and network security.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you identified any systems within your organization running vulnerable versions of Ivanti Connect Secure, Policy Secure, or Neurons for ZTA Gateways?
2. Have you applied the necessary patches for these vulnerabilities, and if so, when was the patching completed?
3. Are you actively monitoring systems for signs of exploitation, particularly regarding CVE-2025-0282?
4. Have you implemented Ivanti’s Integrity Checker Tool (ICT) to detect compromises, and what were the results?

Remediation Recommendations for Vendors

To mitigate the risks associated with these vulnerabilities, vendors should:

1. Apply Patches Immediately: Upgrade to the latest patched versions:
   • Ivanti Connect Secure: Version 22.7R2.5 or higher.
   • Policy Secure: Patched versions available by January 21, 2025.
   • Neurons for ZTA Gateways: Patched versions available by January 21, 2025.
2. Perform Integrity Checks: Use Ivanti’s Integrity Checker Tool (ICT) to detect any signs of compromise in both internal and external systems.
3. Restrict Internet Exposure: Ensure that Policy Secure appliances are not exposed to the internet, reducing the likelihood of exploitation.
4. Factory Reset Compromised Systems: If signs of compromise are detected, perform a factory reset before redeployment.
5. Monitor Activity: Continuously review system logs and network traffic for anomalies that may indicate exploitation attempts.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite’s FocusTag™ Ivanti Connect Secure – Jan2025 enables TPRM professionals to identify vendors at risk of exposure to these vulnerabilities. This tag provides:

• Insight into which vendors utilize affected Ivanti products and their associated assets, such as IP addresses and subdomains.
• Actionable intelligence to prioritize assessments and remediation efforts.
• Updates on exploitation activity and vendor patching status to guide decision-making.

The tag was published on January 9, 2025. Leveraging this tag can streamline risk management efforts and enhance the security posture of third-party ecosystems.

CVE-2024-12108, CVE-2024-12105, and CVE-2024-12106 Vulnerabilities in Progress WhatsUp Gold

What are the vulnerabilities affecting Progress WhatsUp Gold?

The Progress WhatsUp Gold network monitoring software has been identified as vulnerable to the following critical and medium-severity security issues:

The vulnerabilities affecting Progress WhatsUp Gold include the following:

CVE-2024-12108: An Authentication Bypass by Spoofing Vulnerability that allows attackers to gain complete control of the WhatsUp Gold server via the public API. This vulnerability has a CVSS score of 9.6 and an EPSS score of 0.07%, making it critical in severity.

CVE-2024-12106: A Missing Authentication for Critical Function Vulnerability that enables unauthenticated attackers to configure LDAP settings, potentially leading to unauthorized access and data breaches. While this vulnerability is rated Critical with a CVSS score of 9.4 by the CNA, the NIST CVSS score is 7.5. Its EPSS score is 0.05%.

CVE-2024-12105: A Path Traversal Vulnerability that allows authenticated users to extract sensitive information through specially crafted HTTP requests. This vulnerability is rated Medium with a CVSS score of 6.5 and an EPSS score of 0.05%.

These vulnerabilities affect WhatsUp Gold versions prior to 24.0.2. Progress issued a security bulletin on December 12, 2024, urging users to upgrade. While no evidence of active exploitation exists, similar vulnerabilities have historically attracted threat actors targeting network monitoring systems.

Why should TPRM professionals care about these vulnerabilities?

The WhatsUp Gold vulnerabilities present critical risks to network security due to the product’s integral role in monitoring and managing network devices. Exploitation of these vulnerabilities could result in:

• Full System Compromise: CVE-2024-12108 could allow attackers to control the WhatsUp Gold server, compromising all monitored devices and exposing sensitive configurations.
• Data Breaches: CVE-2024-12106 could enable attackers to tamper with LDAP settings, leading to unauthorized access to sensitive data or services.
• Sensitive Information Exposure: CVE-2024-12105 could facilitate information disclosure, which could be leveraged for subsequent attacks.

These risks make these vulnerabilities particularly concerning for third-party risk management (TPRM) professionals monitoring vendor ecosystems. The critical CVSS scores of CVE-2024-12108 and CVE-2024-12106 highlight the need for immediate action.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you identified any systems within your organization running vulnerable versions of WhatsUp Gold prior to 24.0.2?
2. Has your organization implemented the recommended update to version 24.0.2, and when was it completed?
3. Are access controls in place to restrict unauthorized changes to LDAP configurations and prevent exploitation?
4. How do you monitor and address unusual activity that could indicate exploitation attempts related to these vulnerabilities?

Remediation Recommendations for Vendors

To address these vulnerabilities, vendors should:

1. Upgrade Software: Immediately update to WhatsUp Gold version 24.0.2 to patch all identified vulnerabilities.
2. Restrict Access: Limit server access to authorized personnel only and ensure secure configuration of LDAP settings.
3. Monitor Logs: Regularly review server and network logs for anomalies indicative of exploitation attempts.
4. Enhance Security Measures: Implement firewalls, intrusion detection systems, and strong authentication mechanisms to mitigate potential risks.

How can TPRM professionals leverage Black Kite for these vulnerabilities?

Black Kite provides the FocusTag™ Progress WhatsUp Gold, published on January 2, 2025, to help TPRM professionals identify and address potential risks in their vendor ecosystems. This tag allows users to:

1. Determine which vendors utilize affected versions of WhatsUp Gold and the associated assets.
2. Access details on vulnerable IP addresses and subdomains to prioritize risk assessments.
3. Leverage actionable insights to communicate effectively with vendors and ensure timely remediation.

CVE-2024-56320 in GoCD

What is the GoCD Admin Privilege Escalation Vulnerability?

CVE-2024-56320 is a Critical Improper Authorization Vulnerability affecting GoCD versions prior to 24.5.0. This flaw enables authenticated users to persistently escalate their privileges to admin level, compromising the system’s integrity and security. The vulnerability arises from insufficient access controls in the admin “Configuration XML” UI feature and its associated API. The vulnerability has a CVSS score of 9.4 and an EPSS score of 0.05%, and it was published in January 2025.

This vulnerability cannot be exploited without prior authentication, requiring an attacker to have a valid GoCD user account. It poses a significant insider threat but does not currently have publicly available exploit code. As of now, it is not listed in CISA’s Known Exploited Vulnerabilities catalog.

Why should TPRM professionals care about this vulnerability?

The critical nature of CVE-2024-56320 makes it a significant concern for TPRM professionals. As GoCD is a continuous delivery server, its exploitation could:

• Compromise CI/CD Pipelines: Escalated admin privileges could allow attackers to alter build configurations, inject malicious code, or disrupt deployments.
• Sensitive Information Disclosure: Unauthorized access to admin-only data could expose credentials, API keys, and system configurations.
• Operational Risks: Persistent admin-level access increases the risk of prolonged exploitation and unauthorized system changes.

This vulnerability highlights the importance of securing insider accounts and CI/CD environments, both critical for maintaining operational and data security.

What questions should TPRM professionals ask vendors about this vulnerability?

1. Have you upgraded all instances of GoCD to version 24.5.0 or later to mitigate the risk of CVE-2024-56320?
2. Have you implemented the recommended workarounds such as using a reverse proxy or web application firewall (WAF) to block external access to paths with the /go/rails/ prefix, and limiting GoCD user base to trusted individuals?
3. Can you confirm if you have taken steps to review network logs regularly for any unusual or unauthorized activities that could indicate exploitation attempts related to CVE-2024-56320?
4. Have you considered temporarily disabling plugins like the guest-login-plugin that allow limited anonymous access to further secure your GoCD instances from potential exploitation of CVE-2024-56320?

Remediation Recommendations for Vendors

To mitigate the risks of CVE-2024-56320, vendors should:

1. Upgrade to GoCD Version 24.5.0: This version addresses the improper authorization flaw and prevents privilege escalation.
2. Restrict Access: Implement a reverse proxy or web application firewall (WAF) to block access to vulnerable paths with the /go/rails/ prefix. This can mitigate the risk without affecting functionality.
3. Limit User Base: Reduce GoCD access to a smaller group of trusted users. Temporarily disable plugins like the “guest-login-plugin” to prevent anonymous or unauthorized access.
4. Monitor Logs: Regularly review system and application logs for signs of privilege escalation or unauthorized access.

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite’s FocusTag™ GoCD provides actionable intelligence to help TPRM professionals identify vendors potentially impacted by CVE-2024-56320. The tag enables users to:

• Pinpoint vendors utilize vulnerable GoCD versions and associated assets such as IP addresses or subdomains.
• Access insights into vendors’ patch management and security practices related to CI/CD environments.
• Expedite risk assessments by narrowing the scope to the most at-risk vendors.

This FocusTag™ was published on January 8, 2025. Black Kite users can operationalize this tag to prioritize remediation efforts and minimize exposure to insider threats.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are indispensable tools for refining TPRM strategies in today’s dynamic cybersecurity landscape. This week’s vulnerabilities in SonicWall SonicOS, Ivanti Connect Secure, Progress WhatsUp Gold, and GoCD highlight the critical role of FocusTags™ in proactive risk management. Here’s how these tags empower TPRM professionals:

1. Real-Time Risk Identification: FocusTags™ enable immediate identification of vendors exposed to critical vulnerabilities, such as the authentication bypass issues in SonicWall or the privilege escalation risks in GoCD. This rapid insight ensures a timely response to emerging threats.
2. Strategic Risk Prioritization: By assessing both the severity of vulnerabilities and the importance of affected vendors, FocusTags™ helps allocate resources efficiently, addressing the most pressing risks first.
3. Enhanced Vendor Engagement: Armed with precise information, TPRM teams can initiate targeted discussions with vendors, emphasizing their exposure to vulnerabilities like the stack-based buffer overflow in Ivanti products or the API flaws in WhatsUp Gold.
4. Strengthened Cybersecurity Posture: With a comprehensive overview of the evolving threat landscape, FocusTags™ aid in fortifying an organization’s overall security defenses against vulnerabilities impacting critical vendor systems.

Black Kite’s FocusTags™ simplify the complexity of cybersecurity threats by translating intricate technical data into actionable intelligence. This capability is critical for managing third-party risks effectively and proactively, ensuring that organizations remain one step ahead in mitigating potential threats.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-40762

https://nvd.nist.gov/vuln/detail/CVE-2024-53704

https://nvd.nist.gov/vuln/detail/CVE-2024-53706

https://nvd.nist.gov/vuln/detail/CVE-2024-53705

https://www.sonicwall.com/support/notices/product-notice-sslvpn-and-ssh-vulnerability-in-sonicos/250107100311877

https://securityonline.info/sonicwall-issues-important-security-advisory-for-multiple-vulnerabilities-in-sonicos

https://nvd.nist.gov/vuln/detail/CVE-2025-0282

https://nvd.nist.gov/vuln/detail/CVE-2025-0283

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html

https://nvd.nist.gov/vuln/detail/CVE-2024-12108

https://nvd.nist.gov/vuln/detail/CVE-2024-12106

https://nvd.nist.gov/vuln/detail/CVE-2024-12105

https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2024

CVE-2024-12108 (CVSS 9.6) and Beyond: Progress Issues Critical Patch for WhatsUp GoldNetwork Monitoring Software

https://research.checkpoint.com/2025/6th-january-threat-intelligence-report

https://nvd.nist.gov/vuln/detail/CVE-2024-56320

https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j

https://securityonline.info/gocd-patches-critical-vulnerability-allowing-user-privilege-escalation

The post Focus Friday: Addressing Critical Vulnerabilities in SonicWall, Ivanti, Progress, and GoCD appeared first on Black Kite.

Written by: Ferdi Gül

Welcome! We’ve come together for the last Focus Friday blog post of 2024. As we close out 2024, I wish everyone a safe, happy, and healthy new year. At the same time, we’ve completed another significant year in cybersecurity. This year, we witnessed important developments in the cybersecurity world and encountered many critical vulnerabilities. Throughout the year, we have explored numerous high-profile vulnerabilities to help organizations manage third-party risks. Today, in this final post of 2024, we will focus on critical security flaws in widely used services like Gogs Server, CrushFTP, and Apache Tomcat. In this post, we will explore what these vulnerabilities mean for Third-Party Risk Management (TPRM) professionals and how Black Kite’s FocusTags™ can provide a more effective approach to managing these risks.

Apache Tomcat Remote Code Execution Vulnerabilities (CVE-2024-50379, CVE-2024-56337)

What are the Apache Tomcat Remote Code Execution (RCE) Vulnerabilities?

Apache Tomcat has been identified with two critical RCE vulnerabilities: CVE-2024-50379 and CVE-2024-56337. These vulnerabilities arise from Time-of-Check to Time-of-Use (TOCTOU) race conditions, allowing attackers to execute unauthorized code on affected systems.

CVE-2024-50379 occurs during JavaServer Pages (JSP) compilation in Apache Tomcat, enabling RCE on case-insensitive file systems when the default servlet is configured with write functionality (non-default configuration). Similarly, CVE-2024-56337 results from the incomplete mitigation of CVE-2024-50379, affecting systems under the same configuration but requiring additional configuration depending on the Java version. Both vulnerabilities have a CVSS score of 9.8, indicating critical severity.

These vulnerabilities were first reported on December 17, 2024. While proof-of-concept (PoC) exploit code is available, no evidence of active exploitation has been reported. They have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and no advisory has been published by CISA.

Why should TPRM professionals care about these vulnerabilities?

Apache Tomcat is widely used to deploy Java-based web applications, making these vulnerabilities highly impactful. The risks associated with these vulnerabilities include:

• Unauthorized Access: Attackers exploiting these vulnerabilities could gain unauthorized access to systems and sensitive data.
• Service Disruption: Successful exploitation could lead to service disruption and potential data loss.
• Reputation Damage: Compromises may damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals can ask the following questions:

1. Have you updated all instances of Apache Tomcat to versions 11.0.2, 10.1.34, or 9.0.98 or later to mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
2. Can you confirm that the default servlet’s write functionality has been disabled on your Apache Tomcat servers to prevent the occurrence of the TOCTOU race condition associated with CVE-2024-50379 and CVE-2024-56337?
3. Depending on your Java version, have you adjusted the sun.io.useCanonCaches system property as recommended to fully mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
4. Are you regularly reviewing your system logs and network activity to detect any signs of exploitation attempts related to these Apache Tomcat vulnerabilities?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate these vulnerabilities:

• Upgrade Apache Tomcat: Update to the latest secure versions:
  • Apache Tomcat 11.0.2 or later
  • Apache Tomcat 10.1.34 or later
  • Apache Tomcat 9.0.98 or later
• Configure Java System Properties: Depending on the Java version in use:
  • For Java 8 or Java 11: Explicitly set the sun.io.useCanonCaches system property to false.
  • For Java 17: Ensure sun.io.useCanonCaches is set to false.
  • For Java 21 and later: No additional configuration is required as the property and related cache have been removed.
• Restrict Write Access: Ensure that the default servlet’s write functionality is disabled unless absolutely necessary.
• Regular Monitoring: Continuously review system logs and network activity for signs of exploitation attempts.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “Apache Tomcat RCE” which provides the following benefits:

• Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
• Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
• Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.

This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.

CrushFTP Account Takeover Vulnerability (CVE-2024-53552)

What is the CrushFTP Account Takeover Vulnerability?

CrushFTP, a widely used file transfer server, has disclosed a critical vulnerability identified as CVE-2024-53552. This flaw affects versions prior to 10.8.3 in the 10.x series and prior to 11.2.3 in the 11.x series. The vulnerability arises from improper handling of password reset functionalities, enabling attackers to craft malicious password reset links. If a user clicks on such a link, their account can be compromised, granting unauthorized access to sensitive data and system controls. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. This issue was first reported on November 11, 2024. While PoC exploit code is not available, there is no evidence of active exploitation in the wild. The vulnerability has not been added to the CISA’s KEV catalog, and no advisory has been published by CISA. 

Why should TPRM professionals care about this vulnerability?

CrushFTP is widely used for secure file transfers in enterprise environments. This vulnerability poses significant risks, including:

• Unauthorized Access: Exploitation can lead to unauthorized access to sensitive data and systems.
• Service Disruption: Successful attacks can disrupt services, leading to downtime and potential data loss.
• Reputation Damage: Compromises can damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about this vulnerability?

To assess the risk posed by this vulnerability, consider asking vendors the following questions:

1. Can you confirm if you have updated all instances of CrushFTP to version 10.8.3 or 11.2.3 to mitigate the risk of CVE-2024-53552?
2. Have you configured the Allowed Domains for Password Resets as recommended in the advisory to prevent unauthorized access through manipulated password reset links?
3. Can you confirm if you have taken measures to educate users about the legitimacy of password reset emails and the risks associated with clicking on malicious links?
4. Have you implemented any additional security measures to monitor and detect unusual activity that could indicate attempted exploitation of the CVE-2024-53552 vulnerability?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate this vulnerability:

• Upgrade CrushFTP: Update to the latest secure versions:
  • CrushFTP 10.8.3 or later
  • CrushFTP 11.2.3 or later
• Configure Allowed Domains for Password Resets:
  • For version 10.x: Navigate to Preferences > WebInterface > MiniURL, and specify a comma-separated list of allowed domains.
  • For version 11.x: Go to Preferences > WebInterface > Login Page, and set a domain pattern that is not a wildcard (‘*’), as wildcards are no longer permitted.
• User Awareness: Inform users to be cautious with password reset emails and to verify the legitimacy of such requests before clicking on any links.
• Regular Monitoring: Regularly review system logs for any unusual activity that could indicate attempted exploitation.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “CrushFTP Account Takeover,” which provides:

• Vendor Exposure Assessment: Identifies vendors potentially impacted by this vulnerability.
• Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
• Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to this vulnerability.

Gogs Server Path Traversal Vulnerabilities (CVE-2024-55947, CVE-2024-54148)

What Are the Gogs Server Path Traversal Vulnerabilities?

Gogs, an open-source self-hosted Git service, has been identified with two critical path traversal vulnerabilities. CVE-2024-55947 is a vulnerability in the file update API of Gogs that allows authenticated users to write files to arbitrary paths on the server. Exploiting this flaw could enable an attacker to gain unauthorized SSH access, compromising the integrity of the server. Similarly, CVE-2024-54148 affects the file editing UI of Gogs, where authenticated users can commit and edit crafted symbolic link (symlink) files within a repository. This manipulation can lead to unauthorized SSH access to the server, posing significant security risks. Both vulnerabilities have a CVSS score of 8.7, indicating high severity, with an EPSS score of 0.05%, suggesting a low likelihood of exploitation. These vulnerabilities were first reported on December 23, 2024. While PoC exploit code is publicly available, there is no evidence of active exploitation in the wild, and the vulnerabilities have not yet been added to the CISA’s KEV catalog. No advisory has been published by CISA at this time.

Why should TPRM professionals care about these vulnerabilities?

Gogs is widely used for managing Git repositories, making it a critical component in many enterprise environments. These vulnerabilities can expose organizations to significant risks. Exploiting these flaws allows attackers to gain unauthorized SSH access to servers, which can lead to unauthorized access to sensitive data, server compromises, or even the manipulation of critical code repositories. Such breaches could lead to service disruption, data loss, and severe reputational damage. Given the high severity of these vulnerabilities and their potential impact on systems that rely on Gogs for version control and collaboration, TPRM professionals should prioritize assessing the exposure of their vendors.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals should ask the following questions:

1. Have you upgraded all instances of Gogs to version 0.13.1 or later to mitigate the risk of CVE-2024-55947 and CVE-2024-54148?
2. Can you confirm if you have inspected your existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts of CVE-2024-54148?
3. Have you restricted repository access to trusted users until the upgrade to Gogs version 0.13.1 or later was completed to mitigate potential exploitation of CVE-2024-55947?
4. Have you implemented regular inspections of server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts related to CVE-2024-54148 and CVE-2024-55947?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate the risks posed by these vulnerabilities:

• Upgrade Gogs: Immediately update to version 0.13.1 or later, where these vulnerabilities have been addressed.
• Restrict User Access: Until the upgrade is completed, limit repository access to trusted users only to mitigate potential exploitation.
• Review Repository Contents: Examine existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts.
• Monitor Server Logs: Regularly inspect server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts.
• Implement Security Best Practices: Ensure that your Gogs instance follows security best practices, including proper configuration and regular updates, to prevent similar vulnerabilities in the future.

How TPRM professionals can leverage Black Kite for these vulnerabilities

Black Kite offers a FocusTag titled “Gogs Server,” which provides the following benefits:

• Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
• Asset Information: Provides details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
• Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.

Enhancing TPRM Strategies With Black Kite’s FocusTags™

In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:

• Real-Time Risk Identification: Instantly pinpoint vendors impacted by the latest vulnerabilities, enabling rapid responses that mitigate potential threats.
• Strategic Risk Prioritization: Evaluate risks based on the criticality of vendors and the severity of vulnerabilities, ensuring focused efforts where they matter most.
• Informed Vendor Conversations: Provide the intelligence necessary to engage vendors in detailed discussions about their exposure and response strategies, fostering transparency and collaboration.
• Strengthened Cybersecurity Ecosystems: Deliver a comprehensive view of the evolving threat landscape, empowering organizations to build resilient and adaptive security frameworks.

By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
• PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
• Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

https://securityonline.info/cve-2024-56337-apache-tomcat-patches-critical-rce-vulnerability

https://securityonline.info/rce-and-dos-vulnerabilities-addressed-in-apache-tomcat-cve-2024-50379-and-cve-2024-54677

https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

https://github.com/Alchemist3dot14/CVE-2024-50379

https://nvd.nist.gov/vuln/detail/CVE-2024-53552

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

https://securityonline.info/cve-2024-53552-cvss-9-8-crushftp-flaw-exposes-users-to-account-takeover

https://nvd.nist.gov/vuln/detail/CVE-2024-55947

https://nvd.nist.gov/vuln/detail/CVE-2024-54148

https://github.com/gogs/gogs/releases

The post Focus Friday: TPRM Insights on Apache Tomcat, CrushFTP, and Gogs Server Vulnerabilities appeared first on Black Kite.

Written by: Ferdi Gül

​​Welcome to this week’s Focus Friday, where we delve into high-profile vulnerabilities and provide actionable insights from a Third-Party Risk Management (TPRM) perspective. This edition explores critical vulnerabilities in Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application. These vulnerabilities, including remote code execution and command injection, could potentially compromise sensitive data and disrupt operations across industries. These vulnerabilities demand immediate attention from TPRM professionals to mitigate risks effectively. Let’s explore the risks, the recommended remediations, and how Black Kite’s FocusTags™ streamline the risk management process for these pressing concerns.

CVE-2024-55956 in Cleo File Transfer Software

What are the critical vulnerabilities in Cleo File Transfer software?

In our Focus Friday blog post last week, we discussed Cleo’s critical vulnerability, CVE-2024-50623. This week, we need to focus on CVE-2024-55956, which affects Cleo File Transfer products, and the systemic risks these vulnerabilities pose.

In our December 18 article titled “CL0P’s Exploitation of Cleo Directly Endangers the Supply Chain,” we detailed how the CL0P ransomware group has been exploiting vulnerabilities in Cleo’s software to threaten supply chains. 

Two critical vulnerabilities have been identified in Cleo Harmony®, Cleo VLTrader®, and Cleo LexiCom® products:

CVE-2024-55956 is the Remote Code Execution Vulnerability in Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24, enabling unauthenticated users to execute arbitrary Bash or PowerShell commands by exploiting default settings in the Autorun directory. 

Both vulnerabilities have been actively exploited. CVE-2024-50623 was added to CISA’s Known Exploited Vulnerabilities catalog on December 13, 2024.  CISA  CVE-2024-55956 was added on December 17, 2024. Cleo has released patches to address these issues, and users are strongly advised to update to the latest versions to mitigate potential risks. 

Both vulnerabilities have public PoC exploit codes, and exploitation has been observed targeting industries like logistics and shipping. They enable unauthorized file uploads and remote execution of malicious commands.

Why should TPRM professionals care about these vulnerabilities?

These vulnerabilities represent significant risks for organizations relying on Cleo file transfer solutions:

1. Critical Operational Risk: Exploitation could lead to compromised file transfers, impacting supply chain and logistics operations.
2. Sensitive Data Exposure: Malicious actors could access and exfiltrate confidential business data.
3. Unauthorized Access: Successful exploitation provides attackers with system-level access, enabling further attacks on connected systems.

For organizations utilizing Cleo products, timely mitigation is essential to avoid disruption and ensure data security.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you updated all instances of Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.24 or later to mitigate the risk of CVE-2024-50623 and CVE-2024-55956?
2. Have you reviewed and appropriately configured the Autorun directory’s default settings to prevent unauthorized command execution related to CVE-2024-55956?
3. Can you confirm if you have blocked the attacker IPs mentioned in the advisory shared last week, including 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103, 209[.]127[.]12[.]38, 181[.]214[.]147[.]164, and 192[.]119[.]99[.]42, to prevent further exploitation of CVE-2024-50623 and CVE-2024-55956?
4. Have you disabled the Autorun functionality in the ‘Configure’ menu of LexiCom, Harmony, or VLTrader to stop processing autorun files and mitigate the risk of CVE-2024-55956?

Remediation recommendations for vendors subject to this risk

To address these vulnerabilities, vendors should:

1. Immediate Software Update: Upgrade all instances of Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.24 or later to mitigate the vulnerability.
2. Review Autorun Directory Settings: Ensure that the Autorun directory’s default settings are appropriately configured to prevent unauthorized command execution.
3. Block Malicious IPs: Consider blocking attacker IPs, including 176.123.5.126, 5.149.249.226, 185.181.230.103, 209.127.12.38, 181.214.147.164, 192.119.99.42.
4. Monitor for Indicators of Compromise (IOCs): Check if suspicious files, such as main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml, healthchecktemplate.txt, or healthcheck.txt, contain encoded malicious commands. The attack also utilizes reconnaissance tools like nltest.exe for Active Directory enumeration.
5. Monitor Updates: Cleo is actively working on a new patch expected soon. Monitor updates from Cleo to ensure you apply the latest mitigations as they are released.
6. Reconfigure Software Settings: Disable the autorun feature by clearing the ‘Autorun Directory’ field in configuration settings to prevent automatic execution of malicious files.
7. Place Systems Behind a Firewall: Ensure internet-facing Cleo systems are placed behind a firewall to limit exposure to potential attacks.
8. Implement Strong Security Practices: Enforce strong, unique passwords and enable multi-factor authentication (MFA) to enhance security.
9. Disable Autorun Functionality: Access the “Configure” menu in LexiCom, Harmony, or VLTrader. Select “Options” and navigate to the “Other” pane. Delete the contents of the “Autorun Directory” field to stop processing autorun files.
10. Address Remaining Exposure: Note that this mitigates part of the attack but does not address the root cause of the vulnerability.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Cleo File Transfer FocusTag™ on December 13, 2024, providing actionable insights for TPRM professionals. This tag identifies vendors using affected versions and details exposed assets like subdomains and IP addresses.

With Black Kite, TPRM professionals can:

• Prioritize vendors requiring urgent remediation based on exposure.
• Streamline risk assessments using targeted questions and vendor-specific intelligence.
• Enhance oversight by monitoring identified vulnerable assets.

This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.

CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773 in Ivanti Cloud Services Application

The Ivanti Cloud Services Appliance (CSA) is an internet-facing device that facilitates secure communication between remote endpoints and the central Ivanti Endpoint Manager core server. It enables organizations to manage devices outside their corporate network, ensuring that endpoints can receive updates, patches, and policies regardless of their location. The key features of the Ivanti Cloud Services Appliance (CSA) include: Secure Remote Management, Certificate-Based Authentication, Support for Multiple Appliances, and Virtual Appliance Option.

What are the critical vulnerabilities in Ivanti Cloud Services Application?

These vulnerabilities impact versions of Ivanti CSA prior to 5.0.3 and include the following:

CVE-2024-11639 is an authentication bypass vulnerability in the admin web console of Ivanti Cloud Services Appliance (CSA) versions before 5.0.3, allowing remote unauthenticated attackers to gain administrative access. 

CVE-2024-11772 is a command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, enabling remote authenticated attackers with administrative privileges to execute arbitrary code on the server. 

CVE-2024-11773 is an SQL injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, allowing remote authenticated attackers with administrative privileges to execute arbitrary SQL statements. 

All three vulnerabilities are critical, with CVE-2024-11639 having a CVSS score of 10.0, and both CVE-2024-11772 and CVE-2024-11773 each having a CVSS score of 9.1.

These vulnerabilities were first disclosed on December 10, 2024, with no current evidence of exploitation in the wild. However, considering the history of rapid exploitation of Ivanti vulnerabilities, immediate action is advised. They are not yet listed in CISA’s KEV catalog.

Why should TPRM professionals care about these vulnerabilities?

For TPRM professionals, these vulnerabilities in Ivanti CSA could lead to severe business risks:

• Compromised Administrative Access: Unauthorized access to the admin web console may result in full control of systems managing critical IT infrastructure.
• Arbitrary Code Execution: Attackers could deploy malicious software, escalating risks to other connected systems.
• SQL Injection Risks: Exploited vulnerabilities could enable attackers to manipulate databases, potentially exposing sensitive organizational data.

Organizations leveraging Ivanti CSA for IT management need to ensure their vendors have addressed these risks to prevent potential disruptions and data breaches.

What questions should TPRM professionals ask vendors about these vulnerabilities?

1. Have you updated all instances of Ivanti CSA to version 5.0.3 or later to mitigate the risk of CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773?
2. Can you confirm if you have implemented continuous monitoring for unusual activities in the admin web console to detect potential exploitation of the authentication bypass, command injection, and SQL injection vulnerabilities?
3. Have you enforced strong, unique passwords and enabled multi-factor authentication for all administrative accounts to prevent unauthorized administrative access related to CVE-2024-11639?
4. Can you confirm if you have restricted administrative access to the CSA to only authorized personnel to prevent potential exploitation of CVE-2024-11772 and CVE-2024-11773?

Remediation recommendations for vendors subject to this risk

Vendors using Ivanti CSA should implement the following recommendations:

1. Upgrade to Ivanti CSA version 5.0.3: This update resolves these vulnerabilities and is available via the Ivanti download portal.
2. Restrict Administrative Access: Limit access to authorized personnel only and enforce MFA.
3. Monitor for Unusual Activity: Implement continuous monitoring for signs of exploitation in the admin web console.
4. Review Database Activity: Ensure SQL queries are logged and anomalous activity is flagged.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Ivanti Cloud Services Application FocusTag™ on December 13, 2024, providing actionable insights. This tag identifies vendors potentially exposed to these vulnerabilities, detailing the affected assets, including subdomains and IP addresses.

By leveraging these insights, TPRM professionals can:

• Narrow the scope to vendors with confirmed exposure to affected Ivanti CSA versions.
• Prioritize outreach to these vendors using the specific questions provided.
• Address potential risks more efficiently with the detailed intelligence provided.

Black Kite’s FocusTags™ eliminate the guesswork in identifying vulnerable vendors, streamlining the risk assessment process for TPRM professionals.

CVE-2024-12356 in BeyondTrust PRA and RS

What is the BeyondTrust PRA and RS Command Injection Vulnerability?

CVE-2024-12356 is a critical command injection vulnerability affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions. It allows unauthenticated remote attackers to execute operating system commands as the site user by sending malicious client requests. A vulnerability with a CVSS score of 9.8 has been identified, affecting PRA and RS software versions up to and including 24.3.1. Publicly disclosed on December 16, 2024, this vulnerability poses a significant security risk due to the availability of PoC exploit code, making it a high-priority target for attackers despite no reports of active exploitation thus far. The vulnerability’s critical nature has also led to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog on December 19, 2024. With an EPSS score of 0.05%, organizations using the affected versions are urged to address this issue promptly to mitigate potential risks.

The vulnerability stems from improper neutralization of special elements used in commands, making it exploitable via a low-complexity attack. BeyondTrust has released patches for all supported versions (22.1.x and above).

Why should TPRM professionals care about this vulnerability?

BeyondTrust’s PRA and RS solutions are widely used for privileged remote access and IT support, making them an attractive target for attackers. Exploitation of this vulnerability could:

1. Compromise Sensitive Systems: Grant unauthorized access to critical infrastructure and systems.
2. Enable Further Attacks: Attackers could escalate privileges, deploy malware, or steal sensitive information.
3. Disrupt Operations: Unauthorized access to IT management systems could lead to downtime or operational disruption.

Organizations using BeyondTrust products need to address this vulnerability urgently to protect against potential exploitation.

What questions should TPRM professionals ask vendors about this vulnerability?

1. Can you confirm if you have upgraded all instances of BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products to a version higher than 24.3.1 to mitigate the risk of CVE-2024-12356?
2. If you are operating on a version older than 22.1, have you upgraded to a supported version to access the patches for the command injection vulnerability identified as CVE-2024-12356?
3. Have you applied the appropriate patch (BT24-10-ONPREM1 or BT24-10-ONPREM2, depending on the version) via the /appliance interface to address the CVE-2024-12356 vulnerability in BeyondTrust’s PRA and RS products?
4. Have you implemented continuous monitoring systems to detect any unusual activity that may indicate attempted exploitation of the CVE-2024-12356 vulnerability in BeyondTrust’s PRA and RS products?

Remediation recommendations for vendors subject to this risk

To mitigate the risks associated with CVE-2024-12356, vendors should:

1. Apply the Patch: Install BT24-10-ONPREM1 or BT24-10-ONPREM2 for versions 22.1.x or above.
2. Upgrade Older Versions: For unsupported versions (older than 22.1), upgrade to a supported version before applying the patch.
3. Verify Patch Application: Ensure successful deployment of the patch, particularly for on-premise instances.
4. Monitor for Indicators: Regularly review logs for suspicious activity tied to command injection attempts.
5. Implement Security Best Practices: Enforce multi-factor authentication (MFA) and use strong, unique passwords to secure administrative accounts.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite released the BeyondTrust PRA RS FocusTag™ on December 19, 2024, offering detailed insights into vendors potentially impacted by CVE-2024-12356. The tag provides:

• Identification of affected vendors with PRA and RS deployments.
• Details on exposed assets, including IP addresses and subdomains.

TPRM professionals can use these insights to:

• Narrow down their scope to vendors with confirmed exposure.
• Prioritize outreach to affected vendors and provide actionable guidance.
• Leverage asset data to enhance risk assessments and address vulnerabilities proactively.

ENHANCING TPRM STRATEGIES WITH BLACK KITE’S FocusTags™

In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities—spanning critical systems like Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application—highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:

• Real-Time Risk Identification: Instantly pinpoint vendors impacted by the latest vulnerabilities, enabling rapid responses that mitigate potential threats.
• Strategic Risk Prioritization: Evaluate risks based on the criticality of vendors and the severity of vulnerabilities, ensuring focused efforts where they matter most.
• Informed Vendor Conversations: Provide the intelligence necessary to engage vendors in detailed discussions about their exposure and response strategies, fostering transparency and collaboration.
• Strengthened Cybersecurity Ecosystems: Deliver a comprehensive view of the evolving threat landscape, empowering organizations to build resilient and adaptive security frameworks.

By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
• Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
• Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
• PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
• Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.
• Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
• Ivanti Connect Secure: CVE-2024-9420, CVE-2024-47906, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-11007, CVE-2024-11006, CVE-2024-11005, and CVE-2024-11004, Use-After-Free, Stack-Based Buffer Overflow, Argument Injection, and Reflected XSS Vulnerabilities in Ivanti Connect Secure.

References

https://blackkite.com/blog/focus-friday-tprm-insights-on-qlik-sense-cleo-file-transfer-and-sap-netweaver-java-vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2024-55956

https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956

https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2024-11639

https://nvd.nist.gov/vuln/detail/CVE-2024-11772

https://nvd.nist.gov/vuln/detail/CVE-2024-11773

https://securityonline.info/cve-2024-11639-cvss-10-critical-flaw-in-ivanti-cloud-services-application-immediate-patch-recommended

https://www.beyondtrust.com/trust-center/security-advisories/bt24-10

https://nvd.nist.gov/vuln/detail/CVE-2024-12356

https://www.helpnetsecurity.com/2024/12/18/beyondtrust-fixes-critical-vulnerability-in-remote-access-support-solutions-cve-2024-12356

https://securityonline.info/cve-2024-12356-cvss-9-8-critical-vulnerability-in-beyondtrust-pra-and-rs-enables-remote-code-execution

The post Focus Friday: TPRM Insights On Cleo File Transfer, BeyondTrust PRA and RS, and Ivanti Cloud Services Application Vulnerabilities appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday blog! As the cybersecurity landscape evolves, organizations are tasked with managing an ever-growing array of threats, especially within their vendor ecosystems. Third-Party Risk Management (TPRM) professionals play a crucial role in safeguarding operations against vulnerabilities that could ripple through the supply chain. This week, we delve into three critical vulnerabilities affecting Qlik Sense Enterprise, Cleo File Transfer software, and SAP NetWeaver JAVA. Each of these incidents highlights the importance of proactive risk management and showcases how Black Kite’s FocusTags™ empower organizations to stay ahead of emerging threats.

CVE-2024-55579 and CVE-2024-55580: Critical Vulnerabilities in Qlik Sense Enterprise

What are the vulnerabilities in Qlik Sense Enterprise?

Qlik Sense Enterprise for Windows has been identified with two critical vulnerabilities:

CVE-2024-55579 vulnerability allows unprivileged users with network access to create connection objects that can trigger the execution of arbitrary executable files on the Qlik Sense server. It has a CVSS score of 8.8, indicating high severity. CVE-2024-55580: This flaw enables unprivileged users with network access to execute remote commands, potentially causing significant impacts on system availability, integrity, and confidentiality. It carries a CVSS score of 7.5.

Both vulnerabilities were publicly disclosed on December 8, 2024. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities catalog. Qlik has released security patches to address these issues and strongly advises immediate application to mitigate associated risks.

Why should TPRM professionals be concerned about these vulnerabilities?

Third-Party Risk Management (TPRM) professionals should be vigilant regarding these vulnerabilities due to the following reasons:

• Data Compromise: Exploitation could lead to unauthorized access and manipulation of sensitive data, undermining data integrity and confidentiality.
• Operational Disruption: Successful attacks may disrupt business intelligence operations, affecting decision-making processes and overall business performance.
• Supply Chain Risk: If vendors or partners utilize Qlik Sense Enterprise, their vulnerabilities could cascade, impacting your organization’s security posture.

What questions should TPRM professionals ask vendors regarding these vulnerabilities?

To assess and mitigate risks associated with these vulnerabilities, consider posing the following questions to your vendors:

1. Have you updated all instances of Qlik Sense Enterprise for Windows to the latest patched version to mitigate the risk of CVE-2024-55579 and CVE-2024-55580?
2. Can you confirm if you have implemented the workaround provided in Qlik’s advisory to ensure proper functionality of all extensions and visualizations post-update?
3. Have you restricted network access to trusted users to minimize unauthorized exploitation of the vulnerabilities CVE-2024-55579 and CVE-2024-55580?
4. Are you continuously monitoring your network traffic to detect unusual activity and mitigate potential exploitation attempts related to the vulnerabilities CVE-2024-55579 and CVE-2024-55580?

Remediation recommendations for vendors affected by these vulnerabilities

Vendors utilizing Qlik Sense Enterprise should implement the following remediation steps:

1. Immediate Patching: Apply the latest security patches released by Qlik for Qlik Sense Enterprise for Windows.
2. Access Control Review: Ensure that only authorized users have network access to Qlik Sense servers, adhering to the principle of least privilege.
3. Monitoring and Detection: Implement monitoring solutions to detect any anomalous activities indicative of exploitation attempts.
4. Incident Response Preparedness: Develop and test incident response plans specifically addressing potential exploitation of these vulnerabilities.

How can TPRM professionals leverage Black Kite’s FocusTags^TM regarding these vulnerabilities?

Black Kite has issued a FocusTag™ for Qlik Sense Enterprise, enabling TPRM professionals to:

• Identify At-Risk Vendors: Determine which vendors may be affected by these vulnerabilities.
• Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
• Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.

CVE-2024-50623: Remote Code Execution Vulnerability in Cleo File Transfer Software

What is the Remote Code Execution Vulnerability in Cleo File Transfer Software?

CVE-2024-50623 is a high-severity unrestricted file upload and download vulnerability affecting Cleo’s file transfer products: Harmony®, VLTrader®, and LexiCom®, in versions prior to 5.8.0.21. This flaw allows attackers to upload malicious files to the software’s autorun directory, which are then automatically executed, enabling remote code execution. The vulnerability has a CVSS score of 8.8. It was publicly disclosed on December 10, 2024. PoC exploit code is available, and active exploitation has been observed in the wild, notably by the Termite ransomware group targeting sectors such as logistics, shipping, and consumer products. As of now, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

We published an article on December 11, 2024, stating that the Cleo vulnerability (CVE-2024-50623) was actively exploited by ransomware groups. You can find more details in the related blog post.

Why should TPRM professionals be concerned about this vulnerability?

Third-Party Risk Management (TPRM) professionals should be attentive to this vulnerability due to its potential impact on data integrity and operational continuity. Exploitation can lead to unauthorized access and control over systems, resulting in data breaches, service disruptions, and propagation of malware across networks. Given the widespread use of Cleo’s file transfer solutions among vendors and partners, this vulnerability poses a significant supply chain risk, potentially affecting interconnected systems and data exchanges.

What questions should TPRM professionals ask vendors regarding this vulnerability?

To assess and mitigate risks associated with CVE-2024-50623, TPRM professionals should inquire:

1. Have you identified any instances of CVE-2024-50623 within your systems?
2. Have you applied the security patches provided by Cleo to address this vulnerability?
3. What measures are in place to detect and prevent exploitation attempts related to this vulnerability?
4. How do you ensure that your use of Cleo’s file transfer software does not introduce security risks to our organization?

Remediation recommendations for vendors affected by this vulnerability

Vendors utilizing Cleo’s file transfer products should implement the following remediation steps:

1. Immediate Software Update: Upgrade all instances of Cleo Harmony®, VLTrader®, and LexiCom® to version 5.8.0.21 or later to mitigate the vulnerability.
2. Disable Autorun Functionality: Access the “Configure” menu in the software, select “Options,” navigate to the “Other” pane, and clear the contents of the “Autorun Directory” field to prevent automatic execution of files.
3. Place Systems Behind a Firewall: Ensure internet-facing Cleo systems are placed behind a firewall to limit exposure to potential attacks.
4. Monitor for Indicators of Compromise (IOCs): Check for suspicious IPs and suspicious files, such as main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml, which may contain encoded malicious commands.
5. Block Malicious IPs: Consider blocking attacker IPs, including 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103, 209[.]127[.]12[.]38, 181[.]214[.]147[.]164, 192[.]119[.]99[.]42
6. Implement Strong Security Practices: Enforce strong, unique passwords and enable multi-factor authentication (MFA) to enhance security.

How can TPRM professionals leverage Black Kite’s FocusTags^TM regarding this vulnerability?

Black Kite has issued a FocusTag™ for Cleo File Transfer, enabling TPRM professionals to:

• Identify At-Risk Vendors: Determine which vendors may be affected by CVE-2024-50623.
• Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
• Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.

CVE-2024-47578: Server-Side Request Forgery Vulnerability in SAP NetWeaver AS for JAVA

What is the SAP NetWeaver AS for JAVA SSRF Vulnerability?

CVE-2024-47578 is a critical Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for JAVA, specifically within the Adobe Document Services component. An attacker with administrator privileges can exploit this flaw by sending crafted requests from a vulnerable web application, targeting internal systems behind firewalls that are typically inaccessible from external networks. Successful exploitation enables the attacker to read or modify any file and potentially render the entire system unavailable. It has a CVSS score of 9.1, indicating critical severity. SAP has released a security patch addressing this vulnerability and strongly recommends immediate application to mitigate associated risks.

Why should TPRM professionals be concerned about this vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2024-47578 due to its potential to compromise data confidentiality, integrity, and availability. Exploitation of this vulnerability can lead to unauthorized access to sensitive information and disruption of critical business operations. Given the widespread use of SAP NetWeaver AS for JAVA among vendors, this vulnerability poses a significant risk to the supply chain, potentially affecting interconnected systems and data exchanges.

What questions should TPRM professionals ask vendors regarding this vulnerability?

To assess and mitigate risks associated with CVE-2024-47578, TPRM professionals should inquire:

1. Have you updated all instances of SAP NetWeaver AS for JAVA (Adobe Document Services) to the latest version as per SAP Security Note 3536965 to mitigate the risk of CVE-2024-47578, CVE-2024-47579, and CVE-2024-47580?
2. Can you confirm if you have restricted administrative access to essential personnel only and enforced the principle of least privilege to prevent potential exploitation of the Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for JAVA?
3. What specific measures have you implemented to monitor network traffic and detect suspicious activities that could indicate an exploitation of the vulnerabilities CVE-2024-47579 and CVE-2024-47580, which allow access to sensitive server files through exposed web services?
4. Can you confirm if you have reviewed and updated your firewall configurations to ensure that internal systems are appropriately segmented and protected from unauthorized access, specifically in relation to the SSRF vulnerability CVE-2024-47578 in SAP NetWeaver AS for JAVA?

Remediation recommendations for vendors affected by this vulnerability

Vendors utilizing SAP NetWeaver AS for JAVA should implement the following remediation steps:

1. Immediate Software Update: Apply the security patch provided by SAP as per SAP Security Note 3536965 to address the vulnerability.
2. Restrict Administrative Access: Limit administrative privileges to essential personnel and enforce the principle of least privilege.
3. Monitor Network Traffic: Implement monitoring to detect and respond to suspicious activities promptly.
4. Review Firewall Configurations: Ensure that internal systems are appropriately segmented and protected from unauthorized access.

How can TPRM professionals leverage Black Kite’s FocusTags^TM regarding this vulnerability?

Black Kite has issued a FocusTag™ for SAP NetWeaver, enabling TPRM professionals to:

• Identify At-Risk Vendors: Determine which vendors may be affected by CVE-2024-47578.
• Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
• Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In today’s dynamic cybersecurity environment, managing third-party risks requires precision and timely intelligence. Black Kite’s FocusTags™ are an indispensable tool for organizations navigating critical vulnerabilities like those in Qlik Sense Enterprise, Cleo File Transfer, and SAP NetWeaver JAVA. These tags are designed to provide:

• Real-Time Risk Insights: Quickly identify vendors impacted by specific vulnerabilities, enabling immediate action.
• Targeted Prioritization: Focus efforts on high-severity vulnerabilities and vendors most critical to your operations.
• Tailored Vendor Communication: Facilitate targeted discussions with vendors, addressing their specific security measures and vulnerabilities.
• Comprehensive Threat Visibility: Gain a holistic view of the threat landscape, empowering more strategic decision-making.

Black Kite’s FocusTags™ transform complex cybersecurity challenges into actionable intelligence, allowing TPRM professionals to mitigate risks efficiently and strengthen overall security. By leveraging these insights, organizations can proactively address vulnerabilities, ensuring resilience in an ever-evolving threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
• Cleo File Transfer: Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
• SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
• PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
• PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
• Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.
• Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
• Ivanti Connect Secure: CVE-2024-9420, CVE-2024-47906, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-11007, CVE-2024-11006, CVE-2024-11005, and CVE-2024-11004, Use-After-Free, Stack-Based Buffer Overflow, Argument Injection, and Reflected XSS Vulnerabilities in Ivanti Connect Secure.
• Nostromo nhttpd: CVE-2019-16278, Path Traversal Vulnerability, RCE Vulnerability in Nostromo nhttpd.
• LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability iin LiteSpeed Cache plugin.
• RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
• Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
• XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.

References

https://blackkite.com/blog/when-ransomware-ruins-the-supply-chain-lessons-from-blue-yonder-and-the-rise-of-termite-ransomware-group

https://nvd.nist.gov/vuln/detail/CVE-2024-55579

https://nvd.nist.gov/vuln/detail/CVE-2024-55580

https://community.qlik.com/t5/Official-Support-Articles/High-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows-CVEs/tac-p/2496004

https://securityonline.info/cve-2024-55579-cve-2024-55580-qlik-sense-users-face-serious-security-risk

https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-50623

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://securityonline.info/cve-2024-50623-critical-vulnerability-in-cleo-software-actively-exploited-in-the-wild

https://github.com/watchtowrlabs/CVE-2024-50623

https://nvd.nist.gov/vuln/detail/CVE-2024-47578

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html

https://securityonline.info/cve-2024-47578-cvss-9-1-sap-issues-critical-patch-for-netweaver-as-for-java

The post Focus Friday: TPRM Insights on Qlik Sense, Cleo File Transfer, And SAP NetWeaver JAVA Vulnerabilities appeared first on Black Kite.