The post Focus Friday: TPRM Perspectives On Ivanti Connect Secure, FortiSwitch, and MinIO Vulnerabilities appeared first on Black Kite.
Welcome to this week’s Focus Friday, where we examine three high‑profile vulnerabilities through a Third‑Party Risk Management (TPRM) lens. Today, we’ll dive into the critical remote code execution flaw in Ivanti Connect Secure (CVE‑2025‑22457), the unauthenticated password‑change vulnerability in FortiSwitch (CVE‑2024‑48887), and the signature‑validation bypass in MinIO Server (CVE‑2025‑31489). For each, we’ll outline the technical details, TPRM implications, vendor questions, and remediation best practices, equipping you to engage your third‑party ecosystem with precision and confidence.
A stack-based buffer overflow in Ivanti Connect Secure versions prior to 22.7R2.6 allows a remote, unauthenticated attacker to execute arbitrary code on the appliance, potentially leading to full system compromise. Rated Critical, it carries a CVSS 3.1 base score of 9.8 and, per Black Kite’s FocusTag, an EPSS probability of 24.07%. First published on April 3, 2025, the flaw was added to CISA’s Known Exploited Vulnerabilities Catalog on April 4, 2025. No public PoC exploit code is available at the time of writing. Since mid‑March 2025, UNC5221, a suspected China-nexus espionage group, has exploited CVE‑2025‑22457 in the wild, deploying the custom malware families Trailblaze (an in‑memory dropper) and Brushfire (a passive backdoor) while tampering with Ivanti’s Integrity Checker Tool (ICT) to evade detection.
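As an added example that is not part of the original post: a small Python triage script that sorts an exported Ivanti Connect Secure inventory into affected, patched and unknown buckets against the 22.7R2.6 fixed build named above. The vendor names, hostnames and the inventory itself are constructed for illustration; the parser’s expected build format (major.minorR<release>[.<hotfix>]) is an assumption about how the strings appear in an export, and anything that does not match is flagged for manual review rather than treated as safe.

```python
import re
from typing import Optional, Tuple

# Fixed Connect Secure build named in the advisory; anything older is affected.
ICS_FIXED_VERSION = "22.7R2.6"

# Assumed export format: <major>.<minor>R<release>[.<hotfix>], e.g. 22.7R2.5 or 9.1R18.9
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ivanti_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a build string such as '22.7R2.5' into a comparable integer tuple.

    Keeping the release and hotfix numbers as integers is what makes
    22.7R2.10 sort after 22.7R2.6; a plain string comparison gets that
    backwards. Returns None for anything that is not an Ivanti build number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, hotfix = m.groups()
    return (int(major), int(minor), int(release), int(hotfix or 0))


def is_affected(version: str, fixed: str = ICS_FIXED_VERSION) -> Optional[bool]:
    """True if the observed build is older than the fixed build, False if it is
    the fixed build or newer, None if the string cannot be parsed (treat None
    as 'needs manual review', never as 'safe')."""
    observed = parse_ivanti_version(version)
    if observed is None:
        return None
    return observed < parse_ivanti_version(fixed)


def triage(inventory):
    """Group (vendor, host, version) triples, e.g. an asset-discovery export,
    into affected / patched / unknown buckets."""
    buckets = {"affected": [], "patched": [], "unknown": []}
    for vendor, host, version in inventory:
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "patched")
        buckets[key].append((vendor, host, version))
    return buckets


# Constructed sample inventory: hypothetical vendors, hosts and builds.
SAMPLE_INVENTORY = [
    ("Vendor A", "vpn.vendor-a.example", "22.7R2.5"),
    ("Vendor B", "vpn.vendor-b.example", "22.7R2.6"),
    ("Vendor C", "vpn.vendor-c.example", "22.7R2.10"),
    ("Vendor D", "vpn.vendor-d.example", "9.1R18.9"),
    ("Vendor E", "vpn.vendor-e.example", "unknown"),
]

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_INVENTORY).items():
        print(bucket, [f"{vendor} {host} {ver}" for vendor, host, ver in rows])
```

A build check only says whether an appliance is patchable, not whether it was already exploited: Ivanti’s guidance pairs the upgrade with running the ICT and, where compromise is suspected, a factory reset before the appliance goes back into service.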
Ivanti Connect Secure appliances provide critical VPN access for employees and third parties. A successful exploit can grant attackers persistent, high‑privilege entry to a vendor’s network edge, enabling data exfiltration, lateral movement, and the implantation of backdoors. For organizations relying on vendors’ VPN infrastructure, an unpatched Ivanti appliance represents a direct attack path into sensitive environments, amplifying supply chain risk.
To gauge exposure and preparedness, consider asking:
Black Kite published the CVE‑2025‑22457 FocusTag on April 4, 2025. Customers can automatically identify which vendors use affected Ivanti versions via asset discovery and continuous scanning. By integrating FocusTags™ into TPRM workflows, teams can filter out low‑risk vendors, concentrate outreach on those truly exposed, and retrieve detailed intelligence—such as IP addresses, subdomains, and configuration metadata—for rapid risk assessment. Non‑customers can request a demo to see how FocusTags™ streamline vulnerability‑driven vendor prioritization.
This flaw is an unverified password change vulnerability (CWE‑620) in the set_password endpoint of the FortiSwitch GUI. A remote, unauthenticated attacker can send crafted HTTP or HTTPS requests to change administrative credentials. It carries a CVSS 3.1 base score of 9.8 (Critical) and an EPSS probability of 0.09% (per Black Kite’s FocusTag text). No public PoC is available, and to date no evidence of active exploitation has been observed. As of April 10, 2025, CVE‑2024‑48887 is not listed in CISA’s Known Exploited Vulnerabilities catalog, nor has CISA issued an advisory for it.
FortiSwitch appliances enforce network segmentation, VLANs, and access policy at the network edge. An unauthorized password change hands an attacker full control over the switch configuration, enabling policy bypass, traffic interception, and lateral movement into critical environments. For organizations depending on third‑party network infrastructure, an unpatched FortiSwitch is a direct supply chain threat that can lead to data exposure, operational disruption, and reputational damage.
To assess vendor readiness and exposure, consider:
Vendors should take the following actions immediately:
Black Kite published the FortiSwitch [Suspected] FocusTag on April 8, 2025. By integrating FocusTags™, TPRM teams can automatically pinpoint vendors running vulnerable FortiSwitch versions, retrieve detailed asset information (IP addresses, subdomains, version metadata), and concentrate outreach on those truly at risk. This focused approach reduces workload, minimizes vendor questionnaire fatigue, and accelerates remediation. Interested organizations can request a demo to see how FocusTags™ streamline vulnerability‑driven vendor prioritization.
This flaw in MinIO’s Go module lets a client bypass the cryptographic signature check on unsigned‑trailer uploads (CWE‑347). By sending a request with the header x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, a client that knows a valid access key with WRITE permission on a bucket can upload objects using an arbitrary (wrong) secret key, because the request signature is never validated. It carries a High severity rating, a CVSS 3.x score of 8.7, and an EPSS probability of 0.02%. First disclosed via NVD and the GitHub Advisory Database on April 3, 2025, it was subsequently covered by SecurityOnline on April 7, 2025. No public PoC is available, and to date no active exploitation has been reported. As of April 2025, CVE‑2025‑31489 is not listed in CISA’s Known Exploited Vulnerabilities catalog, nor has CISA issued an advisory for it.
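An added illustration (a toy model written for this post, not MinIO’s own code) of the pattern the advisory describes: a request authorizer that treats the unsigned-trailer content mode as “nothing to verify” and so never checks the HMAC in the Authorization header, beside the hardened form that verifies it on every request. The credential store, bucket ACL, hostname and the simplified canonical string are constructed stand-ins; real SigV4 signs a fuller canonical request and derives the signing key from the secret, date, region and service.

```python
import hashlib
import hmac

UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

# Constructed credential store (access key -> secret key) and bucket write ACL.
CREDENTIALS = {"AKIAEXAMPLEKEY": "real-secret-known-only-to-owner"}
WRITE_ACL = {"reports": {"AKIAEXAMPLEKEY"}}


def canonical_string(method, path, headers):
    """Simplified stand-in for SigV4's canonical request: method, path and the
    sorted, lower-cased headers other than Authorization itself."""
    items = sorted(
        (k.lower(), v.strip()) for k, v in headers.items() if k.lower() != "authorization"
    )
    return "\n".join([method, path] + [f"{k}:{v}" for k, v in items])


def sign(secret, method, path, headers):
    msg = canonical_string(method, path, headers).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_put(access_key, secret, bucket, key, unsigned_trailer):
    """Build a PUT the way a client would: headers first, then the Authorization
    header computed over them with whatever secret the client holds."""
    headers = {
        "Host": "minio.internal.example",  # constructed hostname
        "x-amz-content-sha256": UNSIGNED_TRAILER if unsigned_trailer else "UNSIGNED-PAYLOAD",
    }
    path = f"/{bucket}/{key}"
    sig = sign(secret, "PUT", path, headers)
    headers["Authorization"] = f"AWS4-HMAC-SHA256 Credential={access_key}/scope, Signature={sig}"
    return {"method": "PUT", "path": path, "headers": headers}


def parse_authorization(value):
    """Extract (access key, presented signature) from the Authorization header."""
    fields = {}
    for part in value.split(" ", 1)[1].split(","):
        name, _, val = part.strip().partition("=")
        fields[name] = val
    return fields["Credential"].split("/")[0], fields["Signature"]


def signature_valid(request):
    access_key, presented = parse_authorization(request["headers"]["Authorization"])
    secret = CREDENTIALS.get(access_key)
    if secret is None:
        return False
    expected = sign(secret, request["method"], request["path"], request["headers"])
    return hmac.compare_digest(expected, presented)


def has_write_permission(request):
    access_key, _ = parse_authorization(request["headers"]["Authorization"])
    bucket = request["path"].split("/")[1]
    return access_key in WRITE_ACL.get(bucket, set())


def authorize_put_vulnerable(request):
    """Flawed pattern: the unsigned-trailer mode short-circuits past the
    signature check, so only the access key's permissions are consulted. A
    caller who knows the access key but not the secret gets through."""
    if not has_write_permission(request):
        return False
    if request["headers"].get("x-amz-content-sha256") == UNSIGNED_TRAILER:
        return True  # signature never checked: this is the bug
    return signature_valid(request)


def authorize_put_fixed(request):
    """Hardened form: the content-sha256 mode only decides how the body is
    read; the Authorization signature is verified on every request."""
    return has_write_permission(request) and signature_valid(request)


if __name__ == "__main__":
    legit = build_put("AKIAEXAMPLEKEY", CREDENTIALS["AKIAEXAMPLEKEY"], "reports", "q1.csv", True)
    forged = build_put("AKIAEXAMPLEKEY", "attacker-guess", "reports", "evil.bin", True)
    print("legit :", authorize_put_vulnerable(legit), authorize_put_fixed(legit))
    print("forged:", authorize_put_vulnerable(forged), authorize_put_fixed(forged))
```

The point to carry into a vendor conversation is the precondition: the bypass needs a known access key that already has WRITE on the bucket, so key hygiene (per-workload keys, no shared or long-lived keys, write scoped to the buckets that need it) limits blast radius until the patched release is deployed.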
MinIO is widely deployed as an S3‑compatible object storage solution by vendors to host and serve critical data. A successful bypass of signature validation allows unauthorized uploads of arbitrary objects—potentially enabling data poisoning, malware distribution, or covert exfiltration channels. Any vendor relying on MinIO for customer-facing or internal storage faces elevated supply chain risk: malicious content could be served to downstream systems or used to conceal illicit activity within trusted buckets.
To evaluate vendor exposure and controls, consider asking:
Vendors should implement the following measures without delay:
Black Kite’s FocusTags™ offer a fast and simple way to track high‑profile cyber events and pinpoint which vendors are affected. By integrating the MinIO Server FocusTag, TPRM teams can automatically discover vendors running vulnerable MinIO versions, retrieve detailed asset metadata (bucket endpoints, version info), and focus outreach on truly at‑risk third parties—streamlining risk assessments and accelerating remediation. Non‑customers can request a demo to see how FocusTags™ drive efficient vendor risk prioritization.
Black Kite FocusTags™ transform complex vulnerability data into targeted TPRM action by:
By integrating FocusTags™ into your TPRM workflows, you’ll streamline assessments, minimize vendor fatigue, and accelerate mitigation. Request a demo today to see how Black Kite’s FocusTags™ can sharpen your third‑party risk program.
One unpatched vulnerability in a vendor can have a cascading impact. But traditional vulnerability management doesn’t work for external risks. That’s why we’re ushering in a new era of Third-Party Cyber Risk Management (TPCRM) where third-party risk professionals can understand these external risks and effectively work with their vendors to mitigate them.
Both of these resources are available to everyone, not just Black Kite customers, as part of our mission to improve the health and safety of the entire planet’s cyber ecosystem.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2025-22457
https://cyberscoop.com/china-espionage-group-ivanti-vulnerability-exploits
https://nvd.nist.gov/vuln/detail/CVE-2024-48887
https://fortiguard.fortinet.com/psirt/FG-IR-24-435
https://thehackernews.com/2025/04/fortinet-urges-fortiswitch-upgrades-to.html
https://nvd.nist.gov/vuln/detail/CVE-2025-31489
https://github.com/advisories/GHSA-wg47-6jq2-q2hh
The post Why You Want Human Experts Behind Your TPRM Data: Black Kite Research & Intelligence Team (BRITE) appeared first on Black Kite.
Raw data, even from powerful sources, lacks the contextual intelligence needed for effective third-party cyber risk management (TPCRM). It’s this human element, the ability to connect the dots and discern patterns, that transforms data into actionable intelligence. The Black Kite Research & Intelligence Team (BRITE) conducts in-depth research to provide the critical context needed for Chief Information Security Officers (CISOs) and Third-Party Risk Managers to make informed decisions and proactively mitigate risks.
The team’s fingerprint can be found on Black Kite’s most impactful products and resources. That includes the Ransomware Susceptibility Index® (RSI™), FocusTags™, the artificial intelligence (AI) engines that power our products, and our many in-depth research reports.
As our own Chief Security Officer, Bob Maley says:
“What truly sets Black Kite apart is the BRITE team. They’re not just running scans; they’re researchers digging into the data, revealing the critical connections that automated tools miss. That’s the real game-changer.”
BRITE is the research team within Black Kite, led by Chief Research and Intelligence Officer Ferhat Dikbiyik. Ferhat has 15 years of experience as a researcher in risk-centered studies, which he now applies to studying threat actors, the hacker mindset, cyber risk, and cyber attacks.
BRITE is made up of a few dozen people who work in the following verticals:
We’ve seen the forum chatter out there where security professionals complain about security rating service providers being slow, inaccurate, and opaque about their ratings methodology. It can take up to a month for a vendor to see their security rating score change from these providers, even on the simplest of issues.
We don’t want to be in that camp. Do you know how long they have to wait on Black Kite? One day at most.
At Black Kite, we take pride in providing our customers with accurate, transparent, and fast risk intelligence, so teams can easily make informed risk decisions and bring cyber resilience into their supply chains. In other words, our goal is to provide teams with targeted, tailored risk intelligence they can easily act on that stays updated in near real-time. The work that BRITE does makes this possible.
Black Kite’s RSI™ helps teams understand the likelihood that an organization in their ecosystem will experience a ransomware attack. Rather than looking at indicators of compromise after an event, the RSI is a proactive measurement of near-future incidents.
RSI follows a process of inspecting, transforming, and modeling data collected from a variety of OSINT sources, such as internet-wide scanners, hacker forums, the deep/dark web, and more. Using machine learning (ML), RSI then identifies critical indicators correlated with an attack. Companies then receive a score that reflects their susceptibility to an attack.
BRITE collects and analyzes data that goes into RSI, and frequently verifies that the RSI is accurate.
Black Kite FocusTags™ automatically flag vendors impacted by cyber events, such as data breaches, ransomware attacks, known exploitable vulnerabilities, and security incident disclosures/filings.
Many threat intelligence vendors struggle to report on critical events in a timely way. For example, some security rating providers may take weeks or months to log a new mass event. By comparison, Black Kite applied a FocusTag to 82.4% of OSINT-discoverable vulnerabilities before, or within 24 hours of, their addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog last year. One of our customers told us they waited two months for intelligence on a vulnerability from another provider. By that time, exploitation can already have wreaked havoc.
In short, BRITE focuses on relevant data, rather than all available information. Consider this: In 2024, more than 40,000 CVEs were published (as shown by the light gray circle in the diagram below). No team has the bandwidth to investigate every single one of these vulnerabilities. Even if you investigate vulnerabilities with a CVSS score of 7.0 or higher, that’s 20,000 CVEs (as shown by the dark gray circle in the diagram below), or if you just look at vulnerabilities with a CVSS score of 9.0 or higher, that’s still 4,000 CVEs (as shown by the blue circle in the diagram below). Still too many.
But what really matters are the CVEs that will be exploited. Last year, 768 CVEs were exploited in the wild (as shown by the purple oval in the diagram below). A proactive approach to TPCRM will address that subset of vulnerabilities. And last year, BRITE identified and analyzed 780 high-priority CVEs (as shown by the green oval in the diagram below).
BRITE takes it a step further by looking at the vulnerabilities our customers need to focus on: those discoverable by open-source intelligence (OSINT), the same resources bad actors use to find vulnerabilities to exploit. Of the 780 high-priority CVEs analyzed by BRITE last year, 295 are discoverable by OSINT. In a single customer’s supply chain, perhaps a dozen of these vulnerabilities are present, a far more manageable number. And with the research BRITE offers on each of these vulnerabilities, our customers can go to their vendors with actual intelligence, not questionnaires, for faster remediation.
BRITE publishes several reports each year that share our data and analysis on the cyber threat landscape and what those insights mean for customers and beyond.
These reports include:
Each spring, we publish a report that analyzes all third-party breaches from the previous year to explore trends in attack vectors, attack targets, and actionable tips to improve third-party security. Check out our sixth annual report, “2025 Third-Party Breach Report: The Silent Breach, How Third Parties Became the Biggest Cyber Threat in 2024.”
BRITE’s annual State of Ransomware Report provides in-depth analysis of ransomware trends, dissecting attack patterns, vulnerable industries, and emerging threat actor tactics, empowering organizations to proactively strengthen their defenses. Check out our latest report, “State of Ransomware 2024: A Year of Surges and Shuffling.” (And keep an eye out for our 2025 Ransomware Report coming in May.)
New this year, the 2025 Supply Chain Vulnerability Report confronts the challenge of ‘vulnerability overload’ by revealing the shortcomings of applying traditional vulnerability management to third-party cyber risk management and introducing a framework that prioritizes vulnerabilities in the supply chain.
In addition to broad landscape reports, we also publish industry-specific reports, such as “Healthcare Under Ransomware Attack: Why Healthcare Is Now the 3rd Most Targeted Industry in the Ransomware Cybercrime Ecosystem,” to provide TPRM leaders with more granular insights relevant to their specific industries.
We offer our reports with no registration required and no strings attached, to make sure our learnings are accessible to anyone who wants to learn more.
When a cyber event occurs, time is of the essence. Black Kite customers can access accurate, transparent, and highly tailored intelligence at a remarkable speed.
If you’re interested in experiencing the impact of BRITE on your threat intelligence operations, request a free demo.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
The post Infographic: Takeaways from the 8 Most Noteworthy Cyber Incidents of 2024 appeared first on Black Kite.
Last year, several cyber incidents made headlines for their cascading impacts on devices, companies, industries, and individuals around the world. The CrowdStrike outage caused blue-screen chaos for more than 8.5 million devices, and the Snowflake attack campaign rippled into disruptions at giants like Ticketmaster and AT&T, among others.
In our 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024, the Black Kite Research and Intelligence Team (BRITE) dug beyond general statistics to find the stories behind nearly 100 major cyber incidents from last year. From those, we identified eight incidents that we believe had the biggest impact on global industries and the cyber risk landscape:
Check out the infographic below to learn more about each incident, its cascading effects, and key takeaways for security teams. You can also read on for commonalities and trends we identified among our top eight incidents.
Last year’s most significant cyber incidents saw new targets, known bad actor priorities, and some old tricks. Here are three trends we identified among last year’s most noteworthy cyber events:
The interconnected nature of the world today can be a boon for business innovation, but it also creates room for bigger risks. Increasingly in 2024, we saw how attacks on individual organizations can ripple downstream, exposing the fragility of entire supply chains. Consider the following examples:
Bad actors’ fixation on industries rich in sensitive data isn’t new—but it is persistent. In 2024, the lure of sensitive data in healthcare still proved especially tempting for bad actors. Three of the companies involved in our top incidents from last year operate in the healthcare space:
Despite ongoing concerns about the impacts of AI on the cyber landscape, some threat actors found that old tricks and techniques still work just fine. Consider the following incidents from our list that used known attack vectors and vulnerabilities to exploit entire supply chains:
Dig into the details of each incident by downloading our infographic:
The incidents of 2024 exposed the “silent breaches” lurking within our interconnected ecosystems. These breaches often went unnoticed until their cascading effects wreaked havoc on industries such as healthcare, retail, and logistics.
What does that mean for cybersecurity teams? Now, more than ever, there’s an urgent need for proactive risk management, robust defense, and greater visibility into vendor ecosystems.
Want to learn more about the biggest cyber incidents of 2024 and what you can do to protect your organization? Read our full 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 (accessible instantly, no download required).
The post Infographic: Key Stats from the 2025 Third-Party Breach Report appeared first on Black Kite.
Last year saw no shortage of headline-grabbing cybersecurity incidents. At Black Kite, we dove into these events and analyzed the threat landscape for emerging trends to inform our annual Third-Party Breach Report.
What did we find? We’re calling 2024 the year of the “silent breach,” as unnoticed vulnerabilities within third-party networks repeatedly exposed the fragility of online ecosystems.
Read on for some of our biggest takeaways from the past 12 months and how to apply those learnings to 2025.
These days, the damage caused by a cyber incident is no longer constrained to a single company. As our world becomes more interconnected, we’re seeing the cascading impacts of a breach cause widespread impacts across industries, geographies, and consumers.
We’ve all heard the maxim that the threat landscape is constantly evolving. While this is true, with new bad actors emerging regularly, many of 2024’s cyber incidents were caused by tried and true attack methods, such as ransomware, persistent vulnerabilities, and credential misuse.
The security practices of a single company can impact millions of individuals. Moving forward, we’ll need proactive, cross-industry collaboration to address the systemic risks of third-party vulnerabilities.
Last year taught us that more often than not, our greatest security weaknesses are just out of sight. Fortunately, the challenges of 2024 also reveal a clear path forward. Adopting a proactive, collaborative approach to third-party security can lead to more resilient supply chains and better position organizations to mitigate risk.
If you’d like to read more actionable recommendations for your cybersecurity strategy in 2025, read our full report, 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 (no download required).
The post Focus Friday: TPRM Implications of Kubernetes Ingress NGINX, Synology DSM, and Synapse Server Vulnerabilities appeared first on Black Kite.
March has been one of the most critical months of the year for vulnerabilities. Alongside this month’s critical CVEs, another major topic in the news this week was the Oracle data breach; you can read the article we shared yesterday on that topic: “Oracle Cloud Breach: Claims, Denials, and the Reality of Cloud Security Risks in TPRM.”
This week’s Focus Friday blog explores three high-profile vulnerabilities affecting widely used systems: Kubernetes Ingress NGINX Controller, Synology DiskStation Manager (DSM), and the Synapse Server. From critical unauthenticated remote code execution risks to denial-of-service vulnerabilities actively exploited in the wild, these flaws not only pose technical threats but also carry deep implications for third-party risk management (TPRM) programs.
For organizations managing complex digital supply chains, knowing which vendors are affected and how they are impacted is critical for prioritizing response and minimizing downstream risk. In this post, we provide in-depth analysis of each vulnerability, highlight questions TPRM professionals should ask their vendors, and demonstrate how Black Kite’s FocusTags™ help streamline risk identification and vendor engagement.
CVE-2025-1974 is a critical vulnerability in the Ingress NGINX Controller for Kubernetes that permits unauthenticated remote code execution (RCE), potentially leading to full cluster compromise. This flaw arises from improper isolation and compartmentalization within the admission controller component. With a CVSS score of 9.8 and an EPSS score of 75.73%, it underscores a significant security risk. Discovered by Wiz Research, the vulnerability was publicly disclosed on March 24, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
‘IngressNightmare’ is a multi-step attack targeting the Ingress NGINX Controller’s admission controller, which is often exposed over the network without authentication by default. The following flow illustrates how attackers exploit this weak point to achieve full cluster compromise.
The Ingress NGINX Controller is widely used to manage external access to Kubernetes services. A successful exploit of CVE-2025-1974 could allow attackers to execute arbitrary code within the controller’s pod, leading to unauthorized access to all secrets across namespaces and potential full control over the Kubernetes cluster. This poses severe risks, including data breaches, service disruptions, and unauthorized lateral movement within the network.
Black Kite has issued a FocusTag™ titled “Kubernetes Ingress NGINX,” highlighting organizations potentially exposed to the ‘IngressNightmare’ vulnerabilities, including CVE-2025-1974. Released on March 25, 2025, this tag enables TPRM professionals to identify and prioritize vendors at risk. Black Kite provides detailed asset information, such as IP addresses and subdomains, associated with the vulnerable products within a vendor’s infrastructure. This intelligence allows for targeted risk assessments and informed decision-making, streamlining the remediation process and enhancing overall supply chain security.
CVE-2024-10441 is a critical vulnerability identified in Synology’s DiskStation Manager (DSM) and BeeStation Manager (BSM). This flaw arises from improper encoding or escaping of output within the system plugin daemon, allowing remote attackers to execute arbitrary code without authentication. The vulnerability has been assigned a CVSS score of 9.8, indicating its severity. It was publicly disclosed on March 19, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
Synology DSM and BSM are widely used for network-attached storage (NAS) solutions, often housing sensitive organizational data. A successful exploit of this vulnerability could lead to unauthorized access, data exfiltration, or deployment of malicious payloads, compromising data integrity and confidentiality. Third-Party Risk Management (TPRM) professionals must assess the potential impact on their supply chain, especially if vendors utilize Synology products, to prevent cascading security breaches.
Black Kite has issued a FocusTag™ titled “Synology DSM” to assist in identifying potential exposures to CVE-2024-10441.This tag, published on March 28, 2025, enables TPRM professionals to pinpoint vendors with vulnerable Synology devices. By utilizing this tag, professionals can access detailed asset information, including IP addresses and subdomains, facilitating targeted risk assessments and remediation efforts. This proactive approach aids in safeguarding the supply chain against threats associated with this critical vulnerability.
CVE-2025-30355 is a high-severity improper input validation vulnerability in Synapse, an open-source Matrix homeserver implementation. This flaw allows a malicious server to craft specific events that, when received by a vulnerable Synapse server (versions up to 1.127.0), prevent it from federating with other servers, effectively isolating it from the broader Matrix network. The vulnerability has a CVSS score of 7.1 and an EPSS score of 0.06%. It was publicly disclosed on March 26, 2025, and has been exploited in the wild. As of now, it has not been added to CISA’s Known Exploited Vulnerabilities catalog, and no CISA advisory has been published regarding this issue.
Synapse servers are integral to organizations relying on Matrix for secure, real-time communication. A successful exploitation of CVE-2025-30355 can disrupt inter-server communication, leading to potential isolation from the Matrix network. This disruption can result in significant operational downtime and hinder collaboration, posing substantial risks to business continuity and data integrity.
Black Kite has published a FocusTag™ titled “Synapse Server” on March 27, 2025, to assist in identifying vendors potentially exposed to CVE-2025-30355. This tag provides detailed information about the vulnerability, including affected versions and remediation steps. TPRM professionals can utilize Black Kite to:
In an era where vulnerabilities like IngressNightmare, critical flaws in Synology DSM, and zero-day DoS risks in Synapse servers emerge with growing frequency, Black Kite’s FocusTags™ serve as a pivotal asset for Third-Party Risk Management (TPRM) teams.
Here’s how these tags elevate TPRM outcomes:
By integrating Black Kite’s FocusTags™ into their workflows, TPRM professionals can reduce analysis time, minimize uncertainty, and focus their remediation efforts where it matters most—on the vendors and systems that pose real-world risk.
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
https://nvd.nist.gov/vuln/detail/CVE-2025-1974
https://nvd.nist.gov/vuln/detail/CVE-2025-24514
https://nvd.nist.gov/vuln/detail/CVE-2025-1098
https://nvd.nist.gov/vuln/detail/CVE-2025-1097
https://github.com/sandumjacob/IngressNightmare-POCs/blob/main/CVE-2025-1974/README.md
https://nvd.nist.gov/vuln/detail/CVE-2024-10441
https://nvd.nist.gov/vuln/detail/CVE-2025-30355
https://www.synology.com/en-global/security/advisory/Synology_SA_24_20
https://www.synology.com/en-global/security/advisory/Synology_SA_24_23
https://securityonline.info/synapse-servers-at-risk-zero-day-dos-in-the-wild
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
The post Oracle Cloud Breach: Claims, Denials, and the Reality of Cloud Security Risks in TPRM appeared first on Black Kite.
In March 2025, a threat actor known by the alias “rose87168” publicly claimed responsibility for a large-scale cybersecurity incident targeting Oracle Cloud. Posting on the hacker forum BreachForums, the actor asserted that they had compromised Oracle’s traditional login servers (login.(region-name).oraclecloud.com) and exfiltrated approximately 6 million sensitive records, potentially impacting over 140,000 Oracle Cloud tenants globally. Oracle officially denied any breach, stating explicitly that no Oracle Cloud customers experienced data loss or compromise.
However, independent cybersecurity analyses, particularly investigations by BleepingComputer, provided credible evidence contradicting Oracle’s statements. Several Oracle customers confirmed the authenticity of data samples provided by the hacker, thereby validating the alleged data breach. Moreover, emails allegedly exchanged between the threat actor and Oracle, especially Oracle’s attempts to redirect communications through external channels like ProtonMail, suggest that the company is actively attempting to contain information related to this incident.
Additionally, Oracle’s infrastructure (login.us2.oraclecloud.com) was discovered to be running Oracle Fusion Middleware version 11g as recently as February 2025, a version vulnerable to the critical flaw tracked as CVE-2021-35587. The threat actor claims to have exploited this specific vulnerability to compromise Oracle’s servers.
These findings reveal significant discrepancies between Oracle’s official claims and independent verifications, raising serious doubts about the accuracy of the company’s statements. Such contradictions pose a considerable risk to Oracle’s brand credibility and undermine its security assurances, underscoring the critical importance of proactive security measures, robust vulnerability management, and preparedness in today’s interconnected digital landscape.
According to the threat actor, the stolen data included:
This breach is believed to potentially affect over 140,000 Oracle Cloud tenants, posing serious security and reputational risks. The actor stated that companies could pay to have their employees’ data removed from the dataset before it was sold. They also shared sample data and tenant domain lists to back their claims.
On March 21, 2025, Oracle responded in a statement to Bleeping Computer:
“There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
Despite this denial, independent cybersecurity firms including CloudSEK, Orca Security, and eSecurityPlanet shared analyses suggesting otherwise. CloudSEK pointed to the potential exploitation of a known vulnerability in misconfigured or outdated Oracle login infrastructure.
The vulnerability in question is CVE-2021-35587 — a critical flaw in Oracle Access Manager that allows unauthenticated attackers to gain remote access over HTTP, potentially leading to full system compromise. It carries:
The Black Kite Research & Intelligence Team (BRITE) responded with a dedicated FocusTag, ‘Oracle Cloud Data Breach,’ providing insight into the incident’s potential impact on third-party ecosystems.
While Oracle has denied the breach, the confidence level for this FocusTag has been classified as Medium by Black Kite’s BRITE team. This assessment is based on the credibility of the threat actor’s claims, the nature of the leaked data, and supporting indicators from independent research. However, due to the lack of direct access to all data samples provided by the actor, the confidence level remains below ‘High’. This level may be reevaluated if further data is verified.
Rather than relying solely on CVE-based tagging (which can produce false positives), this FocusTag leverages the leaked tenant domain list provided by the threat actor to deliver precision targeting. It helps identify over 140,000 potentially impacted organizations, empowering TPRM teams to act decisively.
Black Kite’s FocusTag™ for the Oracle Cloud Data Breach empowers TPRM professionals to proactively manage risks arising from the alleged breach. By utilizing the leaked tenant domain list, this FocusTag identifies over 140,000 potentially impacted organizations, enabling targeted risk assessment and mitigation.
Q: What exactly was compromised in the alleged Oracle Cloud breach?
A: The threat actor claims to have exfiltrated approximately 6 million sensitive user records, including Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) credentials, OAuth2 access keys, Enterprise Manager JPS keys, and tenant domain lists.
Q: The involved company denies the breach occurred. Why should we still be concerned?
A: Independent cybersecurity researchers have provided credible analyses indicating otherwise. Evidence such as leaked data samples, verified production environments, and real customer domains substantiates the threat actor’s claims, suggesting significant potential risk despite the company’s denial. Customer confirmations of the data sample validity also increase this concern.
Q: Which vulnerability was likely exploited?
A: The breach appears linked to CVE-2021-35587, a critical vulnerability in Oracle Access Manager allowing unauthenticated remote attackers to gain full system access. This vulnerability affects Oracle Access Manager versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.
Q: Is there a tool to check if my organization is affected?
A: Yes, tools have been released enabling organizations to verify if their domain appears in the threat actor’s leaked tenant list, helping to quickly identify potential impact.
Q: Could this data be fabricated or from a test environment?
A: While some data could be misconstrued as test data, extensive verification indicates that the compromised data includes real tenant domains and active OAuth2 interactions. This significantly reduces the likelihood that the data is fabricated or solely from a testing environment. Customer validation of the data samples also reduces this possibility.
Q: What immediate actions should affected organizations take?
A: Affected organizations should immediately reset all LDAP and administrative passwords, enable multi-factor authentication (MFA), regenerate all potentially compromised certificates and secrets, conduct thorough log auditing, and strengthen overall cloud security posture.
Q: What is the organization’s Oracle Cloud Data Breach Focus Tag?
A: BRITE Team created the “Oracle Cloud Data Breach” Focus Tag to identify organizations potentially impacted by this incident using the threat actor’s leaked tenant domain list. This Focus Tag helps third-party risk management teams efficiently identify, assess, and mitigate related risks.
Q: How confident is the organization about this breach?
A: BRITE currently classifies confidence in this breach as MEDIUM. This assessment could be updated to High upon further verification of additional leaked data.
Q: Will there be collaboration with Oracle on this matter?
A: Critical, sensitive details have been proactively shared with Oracle, and collaborative efforts aimed at thorough investigation and mitigation remain open.
Q: Why are cloud vulnerabilities particularly critical for supply chain security?
A: Cloud vulnerabilities can cascade quickly due to interconnected cloud environments, making organizations vulnerable to wide-reaching supply chain attacks. This breach underscores the importance of proactive cloud security measures, continuous monitoring, and rapid incident response capabilities.
Q: What do we know about how Oracle handled communication regarding the breach?
A: Communications shared by the threat actor indicate that someone claiming to be from the company insisted that all communication be conducted through a specific platform. This suggests efforts to contain information about a possible breach. Furthermore, the company’s initial denials contradict customer confirmations of the data sample authenticity, raising questions about transparency.
Q: Why is Oracle so strongly denying the breach?
A: The company may be attempting to maintain confidence in its cloud security and protect its reputation. Especially given the company’s public assertions regarding cloud security and AI surveillance systems, acknowledging a data breach could weaken its market position. However, customer verification of the data samples complicates the company’s stance.
The Oracle Cloud breach – alleged or not – is a reminder of the cascading risk potential in third-party ecosystems. Even patched CVEs like CVE-2021-35587 can be exploited if misconfigurations remain.
If you want to learn where to start when it comes to responding to a data breach in your supply chain, we recommend beginning with our blog post, “How to Respond to a Data Breach in Your Supply Chain”. This blog post focuses on the impact of ransomware attacks on businesses and outlines the steps organizations should take during and after a data breach within their supply chain.
Effectively handling such an incident requires a well-prepared, coordinated response plan—both technically and communicatively. By using Black Kite’s FocusTags™, your TPRM team can stay proactive, precise, and protected. At this point, partnering with Black Kite can provide critical value by helping you strengthen your defenses with a supply chain–focused perspective.
Black Kite’s FocusTags™ turn complex cybersecurity data into actionable insights, enabling TPRM professionals to manage vendor risk with clarity and confidence. In today’s fast-paced digital world, they’re key to staying resilient and ahead of threats.
https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com
https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/
https://www.webpronews.com/oracle-customers-throw-cold-water-on-companys-claim-it-was-not-hacked
https://blackkite.com/blog/how-to-respond-to-a-data-breach-in-your-supply-chain
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
The post Oracle Cloud Breach: Claims, Denials, and the Reality of Cloud Security Risks in TPRM appeared first on Black Kite.
The post Focus Friday: Fortifying TPRM Against Kernel Compromise, Buffer Overflow, and Directory Traversal Vulnerabilities appeared first on Black Kite.
Welcome to this week’s Focus Friday, where we delve into the critical realm of Third-Party Risk Management (TPRM) in the face of emerging cyber threats. This edition addresses three significant vulnerabilities that demand immediate attention from TPRM professionals: a kernel compromise in Juniper Junos OS, a buffer overflow in the MongoDB C driver, and a directory traversal vulnerability in SAP NetWeaver AS Java. Each of these vulnerabilities presents unique challenges and risks, and we’ll explore how Black Kite’s FocusTags™ can empower organizations to effectively mitigate these threats.
CVE-2025-21590 is a medium-severity improper isolation or compartmentalization vulnerability within the Juniper Junos OS kernel. This flaw allows an attacker with shell access to inject malicious code silently, thereby compromising the integrity and persistence of Juniper MX routers. The vulnerability has a CVSS score of 6.7 and an EPSS score of 5.75%. This issue was first published in March 2025 and has been actively exploited in the wild by the Chinese nation-state threat group UNC3886. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on March 13, 2025. Juniper has released an out-of-cycle security bulletin, JSA93446, addressing this issue.
Compromised Juniper MX routers, often found in critical infrastructure like telecom and ISP networks, pose a significant risk. These devices, when compromised, can lead to substantial data breaches, service disruptions, and the potential for persistent backdoors. Given that these routers manage critical network traffic, a successful attack could result in the exfiltration of sensitive data, manipulation of network traffic, and potential disruption of essential services. The fact that threat actors have replaced critical binaries, such as TACACS+, and bypassed security protections demonstrates the sophistication and potential impact of this vulnerability.
To assess the risk posed by CVE-2025-21590, TPRM professionals should ask vendors:
Vendors should take the following actions to mitigate the risk:
Black Kite released the “Juniper Junos OS – Mar2025” FocusTag to help organizations identify vendors potentially exposed to CVE-2025-21590. This tag, published in March 2025, allows TPRM professionals to quickly identify vendors using vulnerable Juniper MX routers. Black Kite provides asset information, including IP addresses and subdomains, that may be affected, enabling targeted remediation efforts. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.
CVE-2017-12637 is a high-severity directory traversal vulnerability found in the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component of SAP NetWeaver Application Server Java 7.5. This flaw allows remote attackers to read arbitrary files on the server by exploiting a “.. (dot dot)” sequence in the query string. The vulnerability has been actively exploited in the wild since August 2017. Although systems might have applied the initial patch from SAP Security Note 2486657, the vulnerability can still be triggered through specific URLs. This issue affects SAP NetWeaver AS for JAVA, version ADSSSAP 7.50. The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog on March 19, 2025. The CVSS score for the vulnerability is 7.5, and the EPSS score is 80.11%.
A directory traversal vulnerability in SAP NetWeaver AS Java can lead to the unauthorized disclosure of sensitive files, potentially exposing critical business data. Given that SAP NetWeaver is widely used in enterprise environments, a successful exploit could result in significant data breaches and compromise sensitive information. The ability of attackers to read arbitrary files on the server poses a substantial risk to data confidentiality. Therefore, TPRM professionals must ensure that vendors using SAP NetWeaver AS Java have implemented the necessary security measures to mitigate this vulnerability.
To assess the risk posed by CVE-2017-12637, TPRM professionals should ask vendors:
Vendors should take the following actions to mitigate the risk:
Black Kite released the “SAP NetWeaver JAVA – Mar2025” FocusTag to help organizations identify vendors potentially exposed to CVE-2017-12637. This tag, published on March 20, 2025, allows TPRM professionals to quickly identify vendors using vulnerable versions of SAP NetWeaver AS Java 7.5. Black Kite provides asset information, including IP addresses and subdomains, that may be affected. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.
CVE-2025-0755 is a high-severity buffer overflow vulnerability found in the bson_append functions of the MongoDB C driver library (libbson). This vulnerability arises from inadequate memory overflow protection when creating BSON documents that exceed the maximum allowable size (INT32_MAX). Exploitation of this flaw can lead to application crashes. The vulnerability has a CVSS score of 8.4 and an EPSS score of 0.01%. This vulnerability was first disclosed on July 21, 2024. Currently, there is no public proof-of-concept (PoC) exploit code available, and CVE-2025-0755 has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Affected versions include libbson prior to 1.27.5, MongoDB Server versions prior to 8.0.1 (8.0 line), and MongoDB Server versions prior to 7.0.16 (7.0 line).
A buffer overflow within the MongoDB C driver can lead to application instability and potential service disruptions. Given that MongoDB is widely used for data storage in various applications, a crash could impact critical business operations. The vulnerability’s presence in the underlying libbson library means that numerous applications relying on MongoDB are potentially at risk. This can lead to data integrity issues and potential denial-of-service scenarios. Therefore, TPRM professionals should ensure that vendors using MongoDB have applied the necessary patches to mitigate this risk.
To assess the risk posed by CVE-2025-0755, TPRM professionals should ask vendors:
Vendors should take the following actions to mitigate the risk:
Black Kite released the “SAP NetWeaver JAVA – Mar2025” FocusTag to assist organizations in identifying vendors potentially exposed to CVE-2025-0755. This tag, published on July 21, 2024, enables TPRM professionals to quickly identify vendors using vulnerable versions of MongoDB. Black Kite provides asset information, including IP addresses and subdomains, that may be affected. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.
In the dynamic landscape of cybersecurity, maintaining robust Third-Party Risk Management (TPRM) strategies is paramount. Black Kite’s FocusTags™ serve as an essential tool, offering real-time insights and actionable data to effectively manage emerging threats. This week’s vulnerabilities in Juniper Junos OS, MongoDB, and SAP NetWeaver highlight the necessity of proactive risk assessment and mitigation.
Here’s how Black Kite’s FocusTags™ enhance TPRM:
Black Kite’s FocusTags™ transform complex cybersecurity data into actionable intelligence, enabling TPRM professionals to proactively address vulnerabilities and strengthen their defense against evolving cyber threats. By providing specific asset information, including IP addresses and subdomains, Black Kite enables precision in risk mitigation, a critical advantage in today’s threat landscape.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2025-21590
https://nvd.nist.gov/vuln/detail/CVE-2017-12637
https://github.com/advisories/GHSA-5p56-56jf-wfv2
https://userapps.support.sap.com/sap/support/knowledge/en/3476549
https://nvd.nist.gov/vuln/detail/CVE-2025-0755
https://jira.mongodb.org/browse/SERVER-94461
The post Focus Friday: Third-Party Risks In DrayTek Vigor Routers, VMware ESXi, Apache Tomcat, and Axios HTTP Client Vulnerabilities appeared first on Black Kite.
This week’s Focus Friday highlights critical vulnerabilities impacting widely used technologies: DrayTek Vigor routers, VMware ESXi, Apache Tomcat, and Axios HTTP Client. These vulnerabilities expose organizations to severe risks, ranging from remote code execution and authentication weaknesses to credential leakage and denial-of-service (DoS) attacks. Third-Party Risk Management (TPRM) professionals must stay ahead by identifying affected vendors, mitigating threats, and enforcing security best practices. With Black Kite’s FocusTags™, organizations can proactively assess vendor exposure and prioritize remediation efforts to safeguard their supply chains.
A comprehensive security audit by the Faraday Team has uncovered multiple critical vulnerabilities in DrayTek Vigor routers, commonly used in small office/home office (SOHO) environments. These vulnerabilities range from remote code execution (RCE) flaws to authentication weaknesses and denial-of-service (DoS) risks. If exploited, attackers can gain complete control over affected devices, extract sensitive information, and disrupt network services.
The table below lists the affected versions of the relevant vulnerable products.
Currently, there is no publicly available proof-of-concept (PoC) exploit for these vulnerabilities. Additionally, they have not yet been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
These vulnerabilities pose significant risks to organizations relying on DrayTek Vigor routers for connectivity. The exploitation of these flaws can result in:
TPRM professionals should engage their vendors with the following questions to assess exposure:
Vendors using affected DrayTek Vigor routers should take the following remediation steps:
Last week, shortly after we completed our analysis and added VMware ESXi to a FocusTag™, three new vulnerabilities were published for the product.
Broadcom has disclosed multiple vulnerabilities affecting VMware ESXi, Workstation, and Fusion, with confirmed active exploitation in the wild.
A PoC is not available, and all three vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 4, 2025. Reports confirm that these vulnerabilities are actively exploited in the wild, increasing the urgency for remediation. In the past, similar ESXi vulnerabilities have been targeted by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. Therefore, it is strongly recommended to urgently upgrade to the latest versions.
Third-Party Risk Management (TPRM) professionals should be concerned because these vulnerabilities can lead to:
TPRM professionals should inquire:
Vendors should:
CVE-2025-24813 is a critical security vulnerability identified in Apache Tomcat, a widely used open-source web server and servlet container. This flaw stems from improper handling of partial PUT requests, potentially leading to remote code execution (RCE), information disclosure, or data corruption under specific conditions. The vulnerability has been assigned a CVSS score of 8.6, indicating high severity. However, it is currently listed with a CVSS score of 5.5 (medium) in the NVD, while some customer portals, such as Red Hat, have assigned it a score of 8.6. The vulnerability affects the following Apache Tomcat versions: 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, 9.0.0.M1 through 9.0.98. A PoC exploit is not available, and the vulnerability has not yet been listed in CISA’s Known Exploited Vulnerabilities catalog. However, it remains a significant threat, as it could enable attackers to fully compromise the affected system.
Exploitation scenarios include:
As of March 13, 2025, there are no reports of this vulnerability being exploited in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-24813 due to its potential to compromise the integrity, confidentiality, and availability of systems running vulnerable versions of Apache Tomcat. Successful exploitation could lead to unauthorized access, data breaches, and system compromises, affecting both the organization and its stakeholders.
To assess the risk associated with this vulnerability, TPRM professionals should inquire:
Vendors should take the following actions to mitigate the risks associated with CVE-2025-24813:
Axios is a promise-based HTTP client for JavaScript, commonly used for making HTTP requests in Node.js and browser-based applications. It provides a simple API to send asynchronous HTTP requests to REST endpoints and handle responses.
CVE-2025-27152 is a high-severity vulnerability identified in Axios, a widely used JavaScript HTTP client for both browsers and Node.js environments. The flaw, rated CVSS 7.7, stems from improper handling of absolute URLs in requests, which could lead to Server-Side Request Forgery (SSRF) and credential leakage in applications relying on Axios for HTTP requests.
The vulnerability affects all Axios versions up to and including 1.7.9. Attackers can exploit this flaw to:
A publicly available Proof-of-Concept (PoC) exploit exists for this vulnerability, but it has not been listed in CISA’s Known Exploited Vulnerabilities catalog. There is no public evidence of active exploitation of CVE-2025-27152 by threat actors. However, given Axios’s widespread use, with over 251 million downloads per month, the potential impact is significant.
This vulnerability arises because Axios prioritizes absolute URLs over the configured baseURL. If an application dynamically generates URLs, an attacker could override the request destination and send it to an external malicious server, leading to data exfiltration.
For example, consider the following Axios implementation in JavaScript:
Despite defining a baseURL, the request is sent to http://malicious.com/ along with the authorization token, leaking sensitive credentials.
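As an added illustration (not code from the original post or from the Axios project), the following stand-alone JavaScript models the URL-combining rule described above, in which an absolute request URL silently replaces the configured baseURL, beside a hardened resolver and an origin check a defender can run before a credential-bearing request is sent. Helper names and hosts are constructed for this example.

```javascript
// Added example: model of the Axios (<= 1.7.9) URL-combining behaviour behind
// CVE-2025-27152, next to a hardened resolver. Not Axios source code; helper
// names and all hosts below are constructed for illustration.

// Same shape of test Axios uses to decide whether a request URL is absolute:
// an optional scheme followed by "//", so "//evil.example/x" also counts.
function isAbsoluteUrl(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Plain string concatenation of baseURL and a relative path.
function combineUrls(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, "") + "/" + relativeURL.replace(/^\/+/, "")
    : baseURL;
}

// Model of the vulnerable behaviour: an absolute request URL replaces baseURL,
// so attacker-influenced input chooses where the request (and its headers) go.
function resolveVulnerable(baseURL, requestUrl) {
  return isAbsoluteUrl(requestUrl) ? requestUrl : combineUrls(baseURL, requestUrl);
}

// Detection check: would a request to finalUrl leave the origin of baseURL?
// Run this before attaching an Authorization header to catch the leak.
function leavesBaseOrigin(baseURL, finalUrl) {
  return new URL(finalUrl).origin !== new URL(baseURL).origin;
}

// Hardened resolver for code that builds request paths from untrusted input:
// 1. refuse anything that looks absolute;
// 2. resolve the remainder with the WHATWG URL parser (which also normalises
//    backslashes and ".." segments the regex above does not see);
// 3. confirm the final origin is still baseURL's before returning it.
function resolveSafely(baseURL, requestUrl) {
  if (isAbsoluteUrl(requestUrl)) {
    throw new Error("absolute request URLs are not permitted with a baseURL");
  }
  const base = new URL(baseURL);
  const resolved = new URL(requestUrl, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`request would go to ${resolved.origin}, not ${base.origin}`);
  }
  return resolved.toString();
}

// Constructed demonstration values (not real hosts from the advisory).
const BASE = "https://api.example.com/v1/";

function demo() {
  const leaked = resolveVulnerable(BASE, "http://malicious.example/");
  console.log("vulnerable ->", leaked, "| leaves base origin:", leavesBaseOrigin(BASE, leaked));
  console.log("safe ->", resolveSafely(BASE, "users/42"));
  // "\\malicious.example/x" slips past the regex but is caught by the origin check.
  for (const bad of ["http://malicious.example/", "//malicious.example/x", "\\\\malicious.example/x"]) {
    try {
      resolveSafely(BASE, bad);
    } catch (e) {
      console.log("rejected:", JSON.stringify(bad), "-", e.message);
    }
  }
}

demo();
```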
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-27152 because:
To assess the impact of this vulnerability on vendor infrastructure, TPRM professionals should ask:
Vendors using Axios in their applications should take the following steps to mitigate CVE-2025-27152:
Black Kite has issued multiple FocusTags™ to help organizations quickly identify and mitigate risks associated with critical vulnerabilities affecting their supply chain. These FocusTags™ provide actionable intelligence on affected assets, such as IP addresses, subdomains, and software versions linked to vulnerable systems.
By leveraging these FocusTags™, TPRM professionals can:
Black Kite’s FocusTags™ for these vulnerabilities—including “DrayTek Vigor Routers – Mar2025,” “VMware ESXi – Mar2025,” “Apache Tomcat – Mar2025,” and “Axios HTTP Client – Mar2025”—are regularly updated as new intelligence emerges. Organizations are encouraged to integrate these insights into their risk management workflows to strengthen resilience against third-party cyber threats.
In today’s evolving cybersecurity landscape, proactive risk management is essential. Black Kite’s FocusTags™ equip TPRM professionals with actionable intelligence to streamline security assessments and mitigate third-party risks. These tags provide:
By leveraging Black Kite’s FocusTags™, organizations can transform complex vulnerability data into precise, strategic actions—enhancing resilience against supply chain risks and emerging cyber threats.
https://nvd.nist.gov/vuln/detail/CVE-2024-41334
https://nvd.nist.gov/vuln/detail/CVE-2024-41335
https://nvd.nist.gov/vuln/detail/CVE-2024-41336
https://nvd.nist.gov/vuln/detail/CVE-2024-41338
https://nvd.nist.gov/vuln/detail/CVE-2024-41339
https://nvd.nist.gov/vuln/detail/CVE-2024-41340
https://nvd.nist.gov/vuln/detail/CVE-2024-51138
https://nvd.nist.gov/vuln/detail/CVE-2024-51139
https://nvd.nist.gov/vuln/detail/CVE-2025-22224
https://nvd.nist.gov/vuln/detail/CVE-2025-22225
https://nvd.nist.gov/vuln/detail/CVE-2025-22226
https://nvd.nist.gov/vuln/detail/CVE-2025-24813
https://access.redhat.com/security/cve/cve-2025-24813
https://www.openwall.com/lists/oss-security/2025/03/10/5
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
https://nvd.nist.gov/vuln/detail/CVE-2025-27152
https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
The post Ransomware Review February 2025: Clop’s CLEO Attack Pushes Victim Count to Historic High appeared first on Black Kite.
Welcome to the February 2025 ransomware update, highlighting the latest trends, threat actors, and significant events in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared. The Black Kite Research & Intelligence Team (BRITE) tracked 809 ransomware incidents in February 2025, marking the highest monthly victim count ever recorded. Previously, the peak stood at around 590 victims, making this month’s figure especially alarming.
The United States once again topped the list with 513 incidents, followed by Canada with 51 and the United Kingdom with 23.
Manufacturing remained the hardest-hit sector with 193 victims, followed by Professional and Technical Services with 118, and Wholesale with 82. The gap between Manufacturing and Technical Services continues to widen as attacks intensify.
Clop dominated February with 283 disclosed victims, retaining its leadership for the second consecutive month. RansomHub maintained its consistent presence, following with 98 victims. The Akira group kept up its recent momentum, placing third with 50 victims, closely followed by Play with 48 victims. Additionally, Qilin, Lynx, Cactus, and Medusa collectively disclosed numerous victims, contributing significantly to the month’s total.
The unprecedented surge of ransomware attacks in February demands attention. Throughout 2024, we occasionally reached numbers around 500 and had grown somewhat accustomed to them. But this surge, which far exceeds the previous all-time high of around 590 and arrives at the very beginning of 2025, highlights the disturbing trajectory of ransomware attacks and underscores the need for critical insights into the evolving ransomware landscape.
Clop started February by gradually revealing victims, initially disclosing 50, followed shortly by another batch of 50. Just when it seemed they would continue this incremental approach, the group unexpectedly released over 180 remaining victims in a single batch, suggesting they’ve now exhausted their CLEO-related victim pool.
Since the CLEO vulnerability emerged, Clop has publicly disclosed over 400 victims, confirming earlier predictions of potentially reaching around 450. In February alone, the United States (185 victims) and Canada (24 victims) were the primary targets. Manufacturing was again the hardest-hit sector with 89 victims, followed by Wholesale with 49 and Transportation and Warehousing with 35.
Yet, despite these substantial victim numbers, Clop doesn’t seem to be achieving the impact it desires. Increasingly strict ransom payment policies by companies and governments have meant organizations often prefer to absorb short-term reputational damage rather than financial loss. Clearly, media attention around Clop’s CLEO attacks is significantly lower than around their previous MOVEit campaign, visibly affecting the group’s morale and possibly frustrating their ambitions.
Whether Clop will innovate its methods or shift entirely to new attack strategies remains uncertain. Still, one thing remains clear: Clop excels at ransomware operations, and its future moves will undoubtedly remain closely watched.
The 8Base ransomware group, which had been showing sporadic activity following the arrest of Russian citizen Evgenii Ptitsyn last year, attempted a comeback in January with 25 victims. However, a significant international law enforcement operation in early February shut down 8Base’s leak site completely, resulting in the arrest of four European suspects (two women and two men) in Phuket, Thailand.
The dismantling of such a major ransomware operation, which had evolved from Phobos into a sophisticated and professionally managed group, underscores the effectiveness of global collaboration against cybercrime. This event offers a hopeful reminder of what coordinated efforts can achieve against ransomware threats.
Another notable event in February was the leak of roughly 50MB of internal chat logs from the Black Basta ransomware group, revealing insights into their operations, target selection strategies, internal vulnerabilities, and organizational dysfunction. The leaked messages include numerous RDP, VPN, and proxy credentials, along with internal debates highlighting serious trust and coordination issues within the group.
Critically, the leak exposed discussions about technical shortcomings compared to rival ransomware groups, internal conflicts, and the presence of former Conti members seeking to improve operational strategies. Such leaks provide valuable insights for defenders and underscore how ransomware groups are vulnerable to internal collapse.
February’s unprecedented ransomware activity is a clear indicator of where the ecosystem is heading. The aggressive exploitation of the CLEO vulnerability by Clop, the emergence of new ransomware groups, and a surge in activity across the board have set a troubling precedent. Unless organizations and governments adopt radical security measures soon, it’s unrealistic to expect any slowdown in ransomware attacks in the foreseeable future.
Although law enforcement operations, such as the takedown of 8Base, offer some hope, the continuous emergence and rebranding of ransomware groups emphasize that defense measures must continually evolve. Collaboration, resilience, and proactive defense have never been more critical.
To keep an eye on potential ransomware targets in your cyber ecosystem, check out Black Kite’s Ransomware Susceptibility Index® (RSI™). It allows third-party risk managers to identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard your organization against the escalating threat.
Stay tuned for more monthly Ransomware Reviews on our blog and LinkedIn Newsletter.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
The post Top 3 Actions to Take After Reading the 2025 Third-Party Breach Report appeared first on Black Kite.
If you’ve been in the information security field as long as I have, you’re probably feeling a sense of déjà vu after reading the 2025 Third-Party Breach Report when it comes to the prevalence of ransomware in third-party breaches. Ransomware has been around for decades. It first showed up on 5.25” floppy disks that someone handed out at a healthcare conference. The ransomware fee was just $200 back then, a far cry from the record-breaking $75 million ransom that was reported in 2024. You’d think we wouldn’t be dealing with this kind of threat after all this time.
The most frustrating part? Ransomware is preventable. If organizations had stopped it—and they could have—the bad guys would have moved onto something new. But over my years spent in law enforcement and cyber security, I’ve learned that bad actors will go where the money is. Organizations haven’t made enough progress in stopping ransomware attacks, so bad actors have no reason to stop using this tried-and-true form of attack.
If anything, they’re getting better at it. Google just issued a report claiming that threat actors are using Gemini to launch even more effective ransomware attacks. Generative AI comes in handy for them doing vulnerability research, scripting and development, and crafting phishing campaigns, among other things. If organizations don’t up their game, particularly when it comes to third-party risk management (TPRM), the situation is only going to get worse.
The findings in our 2025 Third-Party Breach Report make this clear. But rather than just ringing another alarm bell, I will share three concrete steps you can take now to protect yourself from hidden vendor threats, such as ransomware. Because although criminals are becoming more sophisticated, the fundamentals of prevention haven’t changed—CISOs just need to get better at executing on them.
When I was in law enforcement working the midnight shift, one of our regular tasks was to drive around closed businesses looking for unlocked doors and windows. We were thinking like criminals, looking for exactly the same kinds of opportunities they might use to find a way in. Today’s CISOs need to apply this same mindset to their broader vendor ecosystem, but at a much larger scale.
Take the Colonial Pipeline ransomware attack as an example. Their breach didn’t happen because of one wide-open vulnerability. It came from a combination of small failures that, when properly exploited, created the perfect opportunity for bad actors to wreak havoc. In this case, they had remote access ports open to the public due to a legitimate business need, but they didn’t have multi-factor authentication protecting this access. The attackers were able to use leaked network credentials to get in. And once they did, they were able to move laterally throughout the network.
Most people don’t realize that the Colonial Pipeline attack didn’t actually shut down the gas pipeline. It hit their billing system. But since the bad actors could have gained access to the company’s operational systems, Colonial Pipeline proactively shut everything down. A $5 million ransom and major East Coast fuel disruptions all started because of a few small gaps in their security.
Of course, figuring out which third-party vendors could be putting your company at risk of an attack like this could be like finding a needle in a haystack using traditional methods. This is why we developed our Ransomware Susceptibility Index® (RSI™). It analyzes billions of data points the way an attacker would, helping you figure out which vendors represent your weakest link before an attack happens.
Take the Change Healthcare ransomware attack, which disrupted healthcare operations nationwide in 2024. Our RSI solution identified the vulnerabilities involved seven months before the attack occurred. Healthcare organizations with access to this early warning had the opportunity to address these vulnerabilities before they could be exploited, potentially preventing millions in damages and widespread service disruptions.
I’ve seen plenty of vendor security questionnaires over the years. In fairness, they were designed with an admirable goal in mind—helping CISOs identify and address potential risks in their third-party ecosystems. The problem is that they’re not nearly agile enough to handle today’s threats.
A typical questionnaire might have well-meaning questions like, “Do you have multi-factor authentication in place?” or “Are your remote access protocols secure?” The problem is that the answers vendors give are often aspirational at best. A vendor might really believe they’re following security best practices, but if you can’t verify their responses, you’re building your risk management program on trust alone.
Here, too, thinking like a criminal will serve you well. Are threat actors sending long questionnaires to their targets asking them about their security measures? Obviously not. They don’t need to. They’re using automated tools and AI capabilities to probe for vulnerabilities they can exploit. Unfortunately, the security field hasn’t caught up with the bad guys yet.
So, just like your would-be attackers do, take advantage of current technology instead of relying on lengthy assessments that take weeks or months to complete and likely won’t give you an accurate view of the threats you face. When a vendor claims that they’re using MFA to protect their remote access ports, wouldn’t you rather verify that claim right away instead of taking it at face value a few weeks or months from now?
An advanced TPRM solution can help you get this done in record time. At Black Kite, our platform can pre-answer almost all standard security questionnaires by collecting actual evidence of a vendor’s controls and compliance measures. This way, instead of chasing paper trails, you can focus on addressing the gaps that matter most to your business.
Most security teams can show you a dashboard full of red, green, and yellow indicators that are supposed to highlight the most important risks. But what happens when everything is marked red? Let’s say you’ve discovered ten vendors in your environment that have serious security issues requiring your attention. One of them might cost your company $10 million in damages if a breach happens, while the others might run you $50,000 each. When you use this lens to decide which risks to deal with first, your decision about where to invest your limited resources becomes a lot easier.
This is why, at Black Kite, we’ve integrated the Open FAIR™ model into our platform. Open FAIR™ can fundamentally transform how you manage vendor risk. Many security professionals still conflate vulnerabilities or system outages with risk, but real risk is about impact—specifically, the financial impact to your business. If you can’t convert a security threat into dollars and cents, then you’re missing the bottom-line perspective that your board and executive team need to make the right call.
Determining the financial impact of your vendor risks isn’t just helpful for getting budget approval. It can also help you build a more innovative and more strategic security program over the long term. When you understand the actual financial stakes involved with each vendor relationship, you can make smarter decisions about everything from the security requirements you include in your vendor contracts to how much time your team spends on assessments and monitoring.
As the 2025 Third-Party Breach Report makes clear, when it comes to ransomware and other major threats, the wake-up call has come and gone. As a community, CISOs haven’t yet answered it. On the other hand, there’s never been a better time to do so. We have proven processes and great tools to make the necessary changes and make them stick.
These three actions—thinking like a bad actor, moving beyond static questionnaires, and putting a dollar value on your risks—might seem straightforward. But they require a fundamental shift in how organizations think about TPRM. Organizations have to stop defaulting to familiar low-entropy approaches from years gone by that don’t address modern threats and start building the kind of agility adversaries have already employed for some time now.
For more insights on the current third-party cyber risk landscape, read our 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024. No downloads required.