Black Kite (https://blackkite.com/): Automated & Continuous Cyber Risk Monitoring Made Simple. Feed updated Fri, 11 Apr 2025 14:17:20 +0000.

Focus Friday: TPRM Perspectives On Ivanti Connect Secure, FortiSwitch, and MinIO Vulnerabilities
https://blackkite.com/blog/focus-friday-tprm-perspectives-on-ivanti-connect-secure-fortiswitch-and-minio-vulnerabilities/
Fri, 11 Apr 2025 14:00:21 +0000

The post Focus Friday: TPRM Perspectives On Ivanti Connect Secure, FortiSwitch, and MinIO Vulnerabilities appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we examine three high‑profile vulnerabilities through a Third‑Party Risk Management (TPRM) lens. Today, we’ll dive into the critical remote code execution flaw in Ivanti Connect Secure (CVE‑2025‑22457), the unauthenticated password‑change vulnerability in FortiSwitch (CVE‑2024‑48887), and the signature‑validation bypass in MinIO Server (CVE‑2025‑31489). For each, we’ll outline the technical details, TPRM implications, vendor questions, and remediation best practices—equipping you to engage your third‑party ecosystem with precision and confidence.

Filtered view of companies with Ivanti Connect Secure – Apr2025 FocusTag™ on the Black Kite platform.

CVE-2025-22457 – Ivanti Connect Secure

What is the CVE-2025-22457 vulnerability in Ivanti Connect Secure?

A stack-based buffer overflow in Ivanti Connect Secure versions prior to 22.7R2.6 allows a remote, unauthenticated attacker to execute arbitrary code on the appliance, potentially leading to full system compromise. Rated Critical, it carries a CVSS 3.1 base score of 9.8 and, per Black Kite’s FocusTag, an EPSS probability of 24.07%. First published on April 3, 2025, the flaw was added to CISA’s Known Exploited Vulnerabilities Catalog on April 4, 2025. No public proof-of-concept (PoC) exploit code is available at this time. Since mid‑March 2025, the Chinese state‑sponsored group UNC5221 has exploited CVE‑2025‑22457 in the wild, deploying the custom malware families Trailblaze (an in‑memory dropper) and Brushfire (a passive backdoor) while abusing Ivanti’s Integrity Checker Tool to evade detection.

Why should TPRM professionals care about CVE-2025-22457?

Ivanti Connect Secure appliances provide critical VPN access for employees and third parties. A successful exploit can grant attackers persistent, high‑privilege entry to a vendor’s network edge, enabling data exfiltration, lateral movement, and the implantation of backdoors. For organizations relying on vendors’ VPN infrastructure, an unpatched Ivanti appliance represents a direct attack path into sensitive environments, amplifying supply chain risk.

What questions should TPRM professionals ask vendors about this vulnerability?

To gauge exposure and preparedness, consider asking:

  1. Have you updated all instances of Ivanti Connect Secure to version 22.7R2.6, Ivanti Policy Secure to version 22.7R1.4, and Ivanti ZTA Gateways to version 22.8R2.2 to mitigate the risk of CVE-2025-22457?
  2. Can you confirm that you have discontinued use of Pulse Connect Secure 9.1x, which has reached End-of-Support and no longer receives patches, and migrated to a supported platform such as Ivanti Connect Secure?
  3. Are you actively monitoring VPN logs for anomalies, unusual crash behavior, or configuration changes that could indicate exploitation of the CVE-2025-22457 vulnerability?
  4. Are you using Ivanti’s Integrity Checker Tool (ICT) to detect signs of compromise related to the CVE-2025-22457 vulnerability, and if indicators are present, are you performing a factory reset and redeploying the appliance using version 22.7R2.6?

Remediation Recommendations for Vendors subject to this risk

  • Patch immediately: Upgrade Ivanti Connect Secure to 22.7R2.6 (released February 11, 2025), and apply the Ivanti Policy Secure (22.7R1.4, scheduled for April 21, 2025) and ZTA Gateways (22.8R2.2, scheduled for April 19, 2025) patches as soon as they are available.
  • Discontinue unsupported versions: Migrate off Pulse Connect Secure 9.1x (end‑of‑support December 31, 2024).
  • Use ICT scans: Run Ivanti’s Integrity Checker Tool to hunt for post‑exploitation artifacts; if compromise is confirmed, perform a factory reset and redeploy from a known‑clean image.
  • Harden deployments: Restrict management interfaces to trusted networks, enforce multi‑factor authentication, and segment VPN infrastructure.
  • Monitor logs: Continuously review VPN and system logs for anomalies, crashes, or unauthorized configuration changes.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the CVE‑2025‑22457 FocusTag on April 4, 2025. Customers can automatically identify which vendors use affected Ivanti versions via asset discovery and continuous scanning. By integrating FocusTags™ into TPRM workflows, teams can filter out low‑risk vendors, concentrate outreach on those truly exposed, and retrieve detailed intelligence—such as IP addresses, subdomains, and configuration metadata—for rapid risk assessment. Non‑customers can request a demo to see how FocusTags™ streamline vulnerability‑driven vendor prioritization.

Black Kite’s Ivanti Connect Secure – Apr2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-48887 – Fortinet FortiSwitch

What is the FortiSwitch Unverified Password Change Vulnerability?

This flaw is an unverified password change vulnerability (CWE‑620) in the FortiSwitch GUI’s set_password endpoint: a remote, unauthenticated attacker can send crafted HTTP/HTTPS requests that modify administrative credentials. It carries a CVSS 3.1 base score of 9.8 (Critical) and an EPSS probability of 0.09% (per Black Kite’s FocusTag). No public PoC exploit has been released, and to date no evidence of active exploitation has been observed. As of April 10, 2025, CVE‑2024‑48887 is not listed in CISA’s Known Exploited Vulnerabilities catalog, nor has CISA issued an advisory for it.

Why should TPRM professionals care about this vulnerability?

FortiSwitch appliances enforce network segmentation, VLANs, and policy enforcement at the edge. Unauthorized password changes grant attackers full control over switch configurations—enabling policy bypass, traffic interception, and lateral movement into critical environments. For organizations depending on third‑party network infrastructure, an unpatched FortiSwitch represents a direct supply chain threat that can lead to data exposure, operational disruption, and reputational damage.

What questions should TPRM professionals ask vendors about this vulnerability?

To assess vendor readiness and exposure, consider:

  1. Have you upgraded all instances of FortiSwitch to the recommended versions (7.6.1, 7.4.5, 7.2.9, 7.0.11, 6.4.15) or later to mitigate the risk of CVE-2024-48887?
  2. Have you implemented the recommended workarounds such as disabling HTTP/HTTPS access from administrative interfaces and configuring trusted hosts to limit access to the device’s admin interface using the FortiSwitch CLI?
  3. Have you enhanced your network monitoring to continuously review network traffic and FortiSwitch system logs for anomalous activity that could indicate attempted exploitation of this vulnerability?
  4. Have you updated your incident response plans to include measures for rapid patch deployment and emergency password reset procedures, should any compromise be detected due to this vulnerability?

Remediation Recommendations for Vendors subject to this risk

Vendors should take the following actions immediately:

  • Apply patches: Upgrade all FortiSwitch devices to the fixed versions:
    • 7.6.x → 7.6.1 or later
    • 7.4.x → 7.4.5 or later
    • 7.2.x → 7.2.9 or later
    • 7.0.x → 7.0.11 or later
    • 6.4.x → 6.4.15 or later
  • Disable direct admin access: If you cannot patch immediately, remove HTTP/HTTPS from the management interface and restrict admin access to trusted networks. For example:
  • Enhance monitoring: Continuously review logs for authentication failures, unexpected configuration changes, or unusual admin sessions.
  • Update incident response: Incorporate rapid patching, emergency password resets, and configuration integrity checks into your response plans.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the FortiSwitch [Suspected] FocusTag on April 8, 2025. By integrating FocusTags™, TPRM teams can automatically pinpoint vendors running vulnerable FortiSwitch versions, retrieve detailed asset information (IP addresses, subdomains, version metadata), and concentrate outreach on those truly at risk. This focused approach reduces workload, minimizes vendor questionnaire fatigue, and accelerates remediation. Interested organizations can request a demo to see how FocusTags™ streamline vulnerability‑driven vendor prioritization.

Black Kite’s FortiSwitch [Suspected] FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-31489 – MinIO Server

What is the Incomplete Signature Validation Vulnerability in MinIO?

This flaw in MinIO’s Go module allows a client that already holds WRITE permission to bypass cryptographic signature validation (CWE‑347) by declaring an unsigned‑trailer upload with the header x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER. It carries a High severity rating, with a CVSS 3.x score of 8.7 and an EPSS probability of 0.02%. First disclosed via NVD and the GitHub Advisory Database on April 3, 2025, it was subsequently covered by SecurityOnline on April 7, 2025. No public PoC exploit has been released, and to date no active exploitation has been reported. As of April 2025, CVE‑2025‑31489 is not listed in CISA’s Known Exploited Vulnerabilities catalog, nor has CISA issued an advisory for it.

Why should TPRM professionals care about this vulnerability?

MinIO is widely deployed as an S3‑compatible object storage solution by vendors to host and serve critical data. A successful bypass of signature validation allows unauthorized uploads of arbitrary objects—potentially enabling data poisoning, malware distribution, or covert exfiltration channels. Any vendor relying on MinIO for customer-facing or internal storage faces elevated supply chain risk: malicious content could be served to downstream systems or used to conceal illicit activity within trusted buckets.

What questions should TPRM professionals ask vendors about this vulnerability?

To evaluate vendor exposure and controls, consider asking:

  1. Have you updated all instances of MinIO’s Go module to the patched release (RELEASE.2025‑04‑03T14‑56‑28Z) or later to mitigate the risk of CVE‑2025‑31489?
  2. Have you implemented the recommended workaround of rejecting any requests with header x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at your load balancer or API gateway?
  3. Are you actively monitoring for suspicious uploads and unexpected object additions on your MinIO server to detect potential exploitation of the incomplete signature validation vulnerability?
  4. Have you audited and minimized which principals have WRITE access to critical buckets and rotated any access keys that may have been exposed or misused due to the vulnerability?

Remediation Recommendations for Vendors subject to this risk

Vendors should implement the following measures without delay:

  • Upgrade MinIO: Apply the patched release (RELEASE.2025‑04‑03T14‑56‑28Z) or later to fully remediate CVE‑2025‑31489.
  • Block unsigned‑trailer uploads: At your load balancer or API gateway, reject any requests with x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER.
  • Harden WRITE access: Restrict WRITE permissions to only those principals that require it and enforce the principle of least privilege.
  • Enable anomaly logging: Configure MinIO server and your monitoring stack to alert on unexpected object uploads or signature‑validation failures.
  • Rotate credentials: After patching, rotate any access keys that may have been exposed or misused.
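As an added example of the gateway-side workaround named in vendor question 2 and the "Block unsigned‑trailer uploads" recommendation above (this is not MinIO's own code or a configuration from the advisory): a small Go reverse proxy that sits in front of a MinIO endpoint and answers 403 to any request whose x-amz-content-sha256 header declares an unsigned-trailer payload, before it ever reaches the server. The MINIO_UPSTREAM and LISTEN_ADDR environment variables are assumptions made for this example.

```go
// Added example, not MinIO's own code: a reverse proxy that rejects requests
// declaring an unsigned-trailer upload (the CVE-2025-31489 workaround control)
// before forwarding everything else to the MinIO upstream.
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// UnsignedTrailer is the exact x-amz-content-sha256 value that opts a request
// out of payload signing and that the advisory says to reject at the gateway.
const UnsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// IsUnsignedTrailerRequest reports whether any x-amz-content-sha256 value on
// the request asks for an unsigned trailer. net/http canonicalises the header
// name; the value is compared case-insensitively with surrounding whitespace
// stripped so trivial spelling variants do not slip past the filter.
func IsUnsignedTrailerRequest(h http.Header) bool {
	for _, v := range h.Values("X-Amz-Content-Sha256") {
		if strings.EqualFold(strings.TrimSpace(v), UnsignedTrailer) {
			return true
		}
	}
	return false
}

// RejectUnsignedTrailer is gateway middleware: matching requests are logged
// and answered with 403 Forbidden; all other requests are passed to next.
func RejectUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsUnsignedTrailerRequest(r.Header) {
			log.Printf("blocked unsigned-trailer upload: %s %s from %s",
				r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "unsigned-trailer uploads are not accepted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// main wires the middleware in front of a single-host reverse proxy.
// MINIO_UPSTREAM and LISTEN_ADDR are assumed environment variables for this
// example only; they are not MinIO configuration.
func main() {
	upstream := os.Getenv("MINIO_UPSTREAM")
	if upstream == "" {
		upstream = "http://127.0.0.1:9000" // MinIO's default API port
	}
	target, err := url.Parse(upstream)
	if err != nil {
		log.Fatalf("bad MINIO_UPSTREAM %q: %v", upstream, err)
	}
	addr := os.Getenv("LISTEN_ADDR")
	if addr == "" {
		addr = ":8080"
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	log.Printf("proxying %s -> %s", addr, target)
	log.Fatal(http.ListenAndServe(addr, RejectUnsignedTrailer(proxy)))
}
```

The match is deliberately broader than an exact string compare so that case or whitespace variants cannot bypass the gateway; the filter is a stopgap, and upgrading MinIO to the patched release remains the actual fix.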

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite’s FocusTags™ offer a fast and simple way to track high‑profile cyber events and pinpoint which vendors are affected. By integrating the MinIO Server FocusTag, TPRM teams can automatically discover vendors running vulnerable MinIO versions, retrieve detailed asset metadata (bucket endpoints, version info), and focus outreach on truly at‑risk third parties—streamlining risk assessments and accelerating remediation. Non‑customers can request a demo to see how FocusTags™ drive efficient vendor risk prioritization.

Black Kite’s MinIO Server FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM With Black Kite FocusTags™

Black Kite FocusTags™ transform complex vulnerability data into targeted TPRM action by:

  • Accelerated Vendor Discovery: Automatically pinpoint which third parties run affected Ivanti, FortiSwitch, or MinIO versions—eliminating guesswork and reducing outreach scope.
  • Risk‑Driven Prioritization: Align vendor criticality and vulnerability severity to focus resources on the highest‑impact exposures first.
  • Tailored Vendor Dialogues: Leverage asset‑level intelligence (IP addresses, subdomains, bucket endpoints) to ask precise questions and validate remediation steps.
  • Holistic Threat Visibility: Combine multiple FocusTags™ in a unified dashboard, giving TPRM teams a consolidated view of emerging risks across VPN appliances, network switches, and object storage platforms.

By integrating FocusTags™ into your TPRM workflows, you’ll streamline assessments, minimize vendor fatigue, and accelerate mitigation. Request a demo today to see how Black Kite’s FocusTags™ can sharpen your third‑party risk program.

Stay Informed With Related Vulnerability Resources

One unpatched vulnerability in a vendor can have a cascading impact. But traditional vulnerability management doesn’t work for external risks. That’s why we’re ushering in a new era of Third-Party Cyber Risk Management (TPCRM) where third-party risk professionals can understand these external risks and effectively work with their vendors to mitigate them.

Both of these resources are available to everyone, not just Black Kite customers, as part of our mission to improve the health and safety of the entire planet’s cyber ecosystem.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Observable Discrepancy, Sensitive Information Disclosure; Plaintext Storage of a Password, Sensitive Information Disclosure; NULL Pointer Dereference, DoS Vulnerability; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Unrestricted Upload of File with Dangerous Type, Arbitrary Code Execution Vulnerability; Stack-based Buffer Overflow Vulnerability; Buffer Overflow Vulnerability; Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
  • VMware ESXi – Mar2025 : CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
  • Apache Tomcat – Mar2025 : CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.
  • Axios HTTP Client : CVE-2025-27152, Server-Side Request Forgery (SSRF) Vulnerability, Credential Leakage in Axios HTTP Server.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22457

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

https://cyberscoop.com/china-espionage-group-ivanti-vulnerability-exploits

https://nvd.nist.gov/vuln/detail/CVE-2024-48887

https://fortiguard.fortinet.com/psirt/FG-IR-24-435

https://thehackernews.com/2025/04/fortinet-urges-fortiswitch-upgrades-to.html

https://securityonline.info/minio-urgently-patches-high-severity-incomplete-signature-validation-vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-31489

https://github.com/advisories/GHSA-wg47-6jq2-q2hh

Why You Want Human Experts Behind Your TPRM Data: Black Kite Research & Intelligence Team (BRITE)
https://blackkite.com/blog/why-you-want-human-experts-behind-your-tprm-data-black-kite-research-intelligence-team-brite/
Thu, 10 Apr 2025 17:35:08 +0000

The post Why You Want Human Experts Behind Your TPRM Data: Black Kite Research & Intelligence Team (BRITE) appeared first on Black Kite.

Written by: Laurie Asmus

Raw data, even from powerful sources, lacks the contextual intelligence needed for effective third-party cyber risk management (TPCRM). It’s this human element, the ability to connect the dots and discern patterns, that transforms data into actionable intelligence. The Black Kite Research & Intelligence Team (BRITE) conducts in-depth research to provide the critical context needed for Chief Information Security Officers (CISOs) and Third-Party Risk Managers to make informed decisions and proactively mitigate risks. 

The team’s fingerprint can be found on Black Kite’s most impactful products and resources. That includes the Ransomware Susceptibility Index® (RSI™), FocusTags™, the artificial intelligence (AI) engines that power our products, and our many in-depth research reports.

As our own Chief Security Officer, Bob Maley says:

“What truly sets Black Kite apart is the BRITE team. They’re not just running scans; they’re researchers digging into the data, revealing the critical connections that automated tools miss. That’s the real game-changer.”

What Exactly Is BRITE?

BRITE is a team within Black Kite that provides research led by Black Kite’s Chief Research and Intelligence Officer, Ferhat Dikbiyik. Ferhat has 15 years of experience as a researcher in the risk-centered studies space, which he now applies to studying threat actors, the hacker mindset, cyber risk, and cyber attacks.

BRITE is made up of a few dozen people who work in the following verticals:

  • Data engineering: This team processes and maintains terabytes of data every day. Their mission is to make sure data in our products is accurate, transparent, and fast. 
  • Data research: This team manages Black Kite’s machine-learning algorithms and projects that help generate the tailored intelligence Black Kite provides. 
  • Cybersecurity research: This team is on 24/7, scouring hacker forums, Telegram channels, the dark web, and more to identify vulnerabilities and threats.

How Does BRITE’s Work Impact Black Kite Customers?

We’ve seen the forum chatter out there where security professionals complain about security rating service providers being slow, inaccurate, and opaque with their ratings methodology. It can take up to a month for a vendor to see their security rating score change from these providers, even on the simplest of issues.

We don’t want to be in that camp. Do you know how long they have to wait on Black Kite? One day at most.

At Black Kite, we take pride in providing our customers with accurate, transparent, and fast risk intelligence, so teams can easily make informed risk decisions and bring cyber resilience into their supply chains. In other words, our goal is to provide teams with targeted, tailored risk intelligence they can easily act on that stays updated in near real-time. The work that BRITE does makes this possible.

BRITE Powers Black Kite’s Biggest Differentiators

The Ransomware Susceptibility Index®

Black Kite’s RSI™ helps teams understand the likelihood that an organization in their ecosystem will experience a ransomware attack. Rather than looking at indicators of compromise after an event, the RSI is a proactive measurement of near-future incidents.

RSI follows a process of inspecting, transforming, and modeling data collected from a variety of OSINT sources, such as internet-wide scanners, hacker forums, the deep/dark web, and more. Using machine learning (ML), RSI then identifies critical indicators correlated with an attack. Companies then receive a score that reflects their susceptibility to an attack. 

BRITE collects and analyzes data that goes into RSI, and frequently verifies that the RSI is accurate.

FocusTags™

Black Kite FocusTags™ automatically flag vendors impacted by cyber events, such as data breaches, ransomware attacks, known exploitable vulnerabilities, and security incident disclosures/filings. 

Many threat intelligence vendors struggle to report on critical events in a timely way. For example, some security rating providers may take weeks to months to log a new mass event. Comparatively, Black Kite applied a FocusTag to 82.4% of OSINT-discoverable vulnerabilities before or within 24 hours of their being added to CISA’s Known Exploited Vulnerability (KEV) catalog last year. One of our customers told us they waited two months for intelligence on a vulnerability from another provider. By that time, any exploitation can wreak havoc.

How can Black Kite act so quickly?

In short, BRITE focuses on relevant data, rather than all available information. Consider this: In 2024, more than 40,000 CVEs were published (as shown by the light gray circle in the diagram below). No team has the bandwidth to investigate every single one of these vulnerabilities. Even if you investigate vulnerabilities with a CVSS score of 7.0 or higher, that’s 20,000 CVEs (as shown by the dark gray circle in the diagram below), or if you just look at vulnerabilities with a CVSS score of 9.0 or higher, that’s still 4,000 CVEs (as shown by the blue circle in the diagram below). Still too many.

But what really matters are the CVEs that will be exploited. Last year, 768 CVEs were exploited in the wild (as shown by the purple oval in the diagram below). A proactive approach to TPCRM will address that subset of vulnerabilities. And last year, BRITE identified and analyzed 780 high-priority CVEs (as shown by the green oval in the diagram below).

BRITE takes it a step further by looking at the vulnerabilities our customers need to focus on – those that are discoverable by open-source intelligence (OSINT), the same resources bad actors use to find vulnerabilities to exploit. So of the 780 high-priority CVEs analyzed by BRITE last year, 295 are discoverable by OSINT. In one customer’s supply chain, there may be about a dozen of these vulnerabilities present. That is a far more manageable number. And with the research BRITE offers on each of these vulnerabilities, our customers can go to their vendors with actual intelligence – not questionnaires – for faster remediation.

First-Party Research Reports: Keeping a Pulse on Cyber Threats

BRITE publishes several reports each year that share our data and analysis on the cyber threat landscape and what those insights mean for customers and beyond. 

These reports include:

Third-Party Breach Report:

Each spring, we publish a report that analyzes all third-party breaches from the previous year to explore trends in attack vectors, attack targets, and actionable tips to improve third-party security. Check out our sixth annual report, “2025 Third-Party Breach Report: The Silent Breach, How Third Parties Became the Biggest Cyber Threat in 2024.”

Ransomware Report:

BRITE’s annual State of Ransomware Report provides in-depth analysis of ransomware trends, dissecting attack patterns, vulnerable industries, and emerging threat actor tactics, empowering organizations to proactively strengthen their defenses. Check out our latest report, “State of Ransomware 2024: A Year of Surges and Shuffling.” (And keep an eye out for our 2025 Ransomware Report coming in May.)

Supply Chain Vulnerability Report:

New this year, the 2025 Supply Chain Vulnerability Report confronts the challenge of ‘vulnerability overload’ by revealing the shortcomings of applying traditional vulnerability management to third-party cyber risk management and introducing a framework that prioritizes vulnerabilities in the supply chain.

Vertical-Specific Reports:

In addition to broad landscape reports, we also publish industry-specific reports, such as “Healthcare Under Ransomware Attack: Why Healthcare Is Now the 3rd Most Targeted Industry in the Ransomware Cybercrime Ecosystem,” to provide TPRM leaders with more granular insights relevant to their specific industries. 

We offer our reports with no registration required and no strings attached, to make sure our learnings are accessible to anyone who wants to learn more.

Delivering Unmatched, Tailored Intelligence

When a cyber event occurs, time is of the essence. Black Kite customers can access accurate, transparent, and highly tailored intelligence at a remarkable speed.

If you’re interested in experiencing the impact of BRITE on your threat intelligence operations, request a free demo.

Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.

Infographic: Takeaways from the 8 Most Noteworthy Cyber Incidents of 2024
https://blackkite.com/blog/infographic-takeaways-from-the-8-most-noteworthy-cyber-incidents-of-2024/
Wed, 02 Apr 2025 18:29:08 +0000

The post Infographic: Takeaways from the 8 Most Noteworthy Cyber Incidents of 2024 appeared first on Black Kite.

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Last year, several cyber incidents made headlines for their cascading impacts on devices, companies, industries, and individuals around the world. The CrowdStrike outage caused blue-screen chaos for more than 8.5 million devices, and the Snowflake attack campaign rippled into disruptions at giants like Ticketmaster and AT&T, among others.

In our 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024, the Black Kite Research and Intelligence Team (BRITE) dug beyond general statistics to find the stories behind nearly 100 major cyber incidents from last year. From those, we identified eight incidents that we believe had the biggest impact on global industries and the cyber risk landscape: 

  1. Cencora Ransomware Attack
  2. Change Healthcare Ransomware Attack
  3. Snowflake Attack Campaign
  4. CrowdStrike Service Outage
  5. CDK Global Ransomware Attack
  6. HealthEC LLC Software Vulnerability
  7. Blue Yonder Ransomware Attack
  8. Cleo Exploitation

Check out the infographic below to learn more about each incident, its cascading effects, and key takeaways for security teams. You can also read on for commonalities and trends we identified among our top eight incidents.

Common Themes in 2024’s Most Significant Cyber Incidents

Last year’s most significant cyber incidents saw new targets, known bad actor priorities, and some old tricks. Here are three trends we identified among last year’s most noteworthy cyber events:

The Cascading Impact of a Single Incident Can Impair Entire Supply Chains

The interconnected nature of the world today can be a boon for business innovation, but it also creates room for bigger risks. Increasingly in 2024, we saw how attacks on individual organizations can ripple downstream, exposing the fragility of entire supply chains. Consider the following examples: 

  • CrowdStrike: While not an attack, the CrowdStrike outage impacted an estimated 8.5 million devices worldwide across several industries. It’s estimated the event cost more than $5 billion in direct costs and lost productivity.
  • Snowflake: Attackers gained access to Snowflake accounts without multi-factor authentication (MFA), ultimately leading to data exposure for organizations like Ticketmaster, Santander Bank, LendingTree, and AT&T.

Bad Actors Remain Fixated on Industries Rich in Sensitive Data, Like Healthcare

Bad actors’ fixation on industries rich in sensitive data isn’t new—but it is persistent. In 2024, the lure of sensitive data in healthcare still proved especially tempting for bad actors. Three of the companies involved in our top incidents from last year operate in the healthcare space:

  • Cencora: A breach at this pharmaceutical distributor exposed sensitive patient data for millions of individuals and came with an alleged $75 million ransom—potentially the largest on record. 
  • Change Healthcare: A ransomware attack on this healthcare data provider caused disruptions throughout the U.S. healthcare ecosystem. It also triggered an increase in more aggressive tactics from ransomware affiliates. 
  • HealthEC LLC: A breach at this healthcare technology firm exposed the sensitive information of approximately 45 million patients.

Despite ongoing concerns about the impacts of AI on the cyber landscape, some threat actors found that old tricks and techniques still work just fine. Consider the following incidents from our list that used known attack vectors and vulnerabilities to exploit entire supply chains: 

  • Cleo: The Cl0p ransomware group exploited vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions to breach downstream organizations, similar to the previous year’s MOVEit and GoAnywhere incidents.
  • CDK Global and Blue Yonder: Ransomware is still a menace. CDK Global suffered a ransomware attack that caused disruptions at thousands of car dealerships across the U.S. Meanwhile, a ransomware attack at Blue Yonder caused disarray for retail giants. 

Dig into the details of each incident by downloading our infographic: 

The incidents of 2024 exposed the “silent breaches” lurking within our interconnected ecosystems. These breaches often went unnoticed until their cascading effects wreaked havoc on industries such as healthcare, retail, and logistics. 

What does that mean for cybersecurity teams? Now, more than ever, there’s an urgent need for proactive risk management, robust defense, and greater visibility into vendor ecosystems.

Want to learn more about the biggest cyber incidents of 2024 and what you can do to protect your organization? Download our full 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 (no download required).







The post Infographic: Takeaways from the 8 Most Noteworthy Cyber Incidents of 2024 appeared first on Black Kite.

]]>
Infographic: Key Stats from the 2025 Third-Party Breach Report https://blackkite.com/blog/infographic-key-stats-from-the-2025-third-party-breach-report/ Mon, 31 Mar 2025 13:42:09 +0000 https://blackkite.com/?p=27214 Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer Last year saw no shortage of headline-grabbing cybersecurity incidents. At Black Kite, we dove into these events and analyzed the threat landscape for emerging trends to inform our annual Third-Party Breach Report.  What did we find? We’re calling 2024 the year of the “silent breach,” as […]

The post Infographic: Key Stats from the 2025 Third-Party Breach Report appeared first on Black Kite.

]]>
Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Last year saw no shortage of headline-grabbing cybersecurity incidents. At Black Kite, we dove into these events and analyzed the threat landscape for emerging trends to inform our annual Third-Party Breach Report.

What did we find? We’re calling 2024 the year of the “silent breach,” as unnoticed vulnerabilities within third-party networks repeatedly exposed the fragility of online ecosystems.

Top 3 Takeaways from our Third-Party Breach Report

Read on for some of our biggest takeaways from the past 12 months and how to apply those learnings to 2025.

The Cascading Impacts from a Breach Reach Far and Wide

These days, the damage caused by a cyber incident is no longer constrained to a single company. As our world becomes more interconnected, we’re seeing the cascading impacts of a breach cause widespread impacts across industries, geographies, and consumers. 

  • 26%: Software services was the predominant source for breaches in 2024 and saw a significant increase from 2023. 
  • 41.2%: Most companies that felt the cascading impacts of vendor breaches were in the healthcare industry. 
  • 55%: The majority of vendors targeted in attacks are based in the U.S. Similarly, 71% of companies experiencing cascading effects are also based in the U.S.

Many Bad Actors Still Rely on Known Attack Vectors

We’ve all heard the maxim that the threat landscape is constantly evolving. While this is true, with new bad actors emerging regularly, many of 2024’s cyber incidents were caused by tried and true attack methods, such as ransomware, persistent vulnerabilities, and credential misuse. 

  • 51.7%: Unauthorized network access remains a pervasive issue, accounting for half of publicly disclosed incidents (with many details remaining unknown).
  • 66.7%: Ransomware was the second most common attack vector, accounting for two-thirds of all known attack methods. Third-party vectors were central to many ransomware campaigns. 
  • 56%: Compared to previous years, 2024 saw an estimated 56% increase in zero-day vulnerabilities. Credential misuse and delayed vulnerability patching were significant challenges for third-party systems.

Collaboration Is Critical Moving Forward

The security practices of a single company can impact millions of individuals. Moving forward, we’ll need proactive, cross-industry collaboration to address the systemic risks of third-party vulnerabilities. 

  • 20% / 20% / 20%: Of vendors that improved their cyber ratings following a breach, 20% were in software services, 20% in healthcare, and 20% in finance.
  • 62.5%: A majority of healthcare vendors improved their cybersecurity posture following an incident—the most of any industry. This may be due to regulatory requirements from frameworks like HIPAA.

Learn from the 2024 Data Breaches & Improve Third-Party Security in 2025

Last year taught us that more often than not, our greatest security weaknesses are just out of sight. Fortunately, the challenges of 2024 also reveal a clear path forward. Adopting a proactive, collaborative approach to third-party security can lead to more resilient supply chains and better position organizations to mitigate risk. 

If you’d like to read more actionable recommendations for your cybersecurity strategy in 2025, read our full report, 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 (no download required).








]]>
Focus Friday: TPRM Implications of Kubernetes Ingress NGINX, Synology DSM, and Synapse Server Vulnerabilities https://blackkite.com/blog/focus-friday-tprm-implications-of-kubernetes-ingress-nginx-synology-dsm-and-synapse-server-vulnerabilities/ Fri, 28 Mar 2025 15:42:03 +0000 https://blackkite.com/?p=27204 Written by: Ferdi Gül We can say that March has been one of the critical months in terms of vulnerabilities. In addition to the critical vulnerabilities this month, another major topic in the news this week was the Oracle data breach. You can read the article we shared yesterday on this topic: “Oracle Cloud Breach: […]

The post Focus Friday: TPRM Implications of Kubernetes Ingress NGINX, Synology DSM, and Synapse Server Vulnerabilities appeared first on Black Kite.

]]>
Written by: Ferdi Gül

March has been one of the most critical months in terms of vulnerabilities. In addition to this month’s critical vulnerabilities, another major topic in the news this week was the Oracle data breach. You can read the article we shared yesterday on this topic: “Oracle Cloud Breach: Claims, Denials, and the Reality of Cloud Security Risks in TPRM.”

This week’s Focus Friday blog explores three high-profile vulnerabilities affecting widely used systems: Kubernetes Ingress NGINX Controller, Synology DiskStation Manager (DSM), and the Synapse Server. From critical unauthenticated remote code execution risks to denial-of-service vulnerabilities actively exploited in the wild, these flaws not only pose technical threats but also carry deep implications for third-party risk management (TPRM) programs.

For organizations managing complex digital supply chains, knowing which vendors are affected and how they are impacted is critical for prioritizing response and minimizing downstream risk. In this post, we provide in-depth analysis of each vulnerability, highlight questions TPRM professionals should ask their vendors, and demonstrate how Black Kite’s FocusTags™ help streamline risk identification and vendor engagement.

Filtered view of companies with Kubernetes Ingress NGINX FocusTag™ on the Black Kite platform.

CVE-2025-1974: Ingress NGINX Controller Remote Code Execution Vulnerability

What is the Ingress NGINX Controller RCE Vulnerability?

CVE-2025-1974 is a critical vulnerability in the Ingress NGINX Controller for Kubernetes that permits unauthenticated remote code execution (RCE), potentially leading to full cluster compromise. This flaw arises from improper isolation and compartmentalization within the admission controller component. With a CVSS score of 9.8 and an EPSS score of 75.73%, it underscores a significant security risk. Discovered by Wiz Research, the vulnerability was publicly disclosed on March 24, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Attack Vector Overview:

‘IngressNightmare’ is a multi-step attack targeting the Ingress NGINX Controller’s admission controller, which is often exposed over the network without authentication by default. The following flow illustrates how attackers exploit this weak point to achieve full cluster compromise.

IngressNightmare Vulnerability Attack Flow

Why Should TPRM Professionals Be Concerned About This Vulnerability?

The Ingress NGINX Controller is widely used to manage external access to Kubernetes services. A successful exploit of CVE-2025-1974 could allow attackers to execute arbitrary code within the controller’s pod, leading to unauthorized access to all secrets across namespaces and potential full control over the Kubernetes cluster. This poses severe risks, including data breaches, service disruptions, and unauthorized lateral movement within the network.

What questions should TPRM professionals ask vendors regarding this vulnerability?

  1. Have you updated your Ingress NGINX Controller to versions 1.12.1, 1.11.5, or 1.10.7 to mitigate the risk of the ‘IngressNightmare’ vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974)?
  2. Have you implemented strict network policies to limit access to the admission controller as recommended in the advisory to prevent potential exploitation of the ‘IngressNightmare’ vulnerabilities?
  3. Can you confirm if you have taken measures to ensure only the Kubernetes API server can access the admission controller, as a part of your response to the ‘IngressNightmare’ vulnerabilities?
  4. Have you utilized the pre-built query and advisory in the Wiz Threat Center and the Wiz Dynamic Scanner as recommended in the advisory to monitor for anomalies and detect potential exploitation of the ‘IngressNightmare’ vulnerabilities?

Remediation Recommendations for Vendors Subject to This Risk

  • Immediate Patching: Upgrade the Ingress NGINX Controller to versions 1.12.1, 1.11.5, or 1.10.7 to address the vulnerability.
  • Restrict Access: Configure network policies to ensure that only the Kubernetes API server can communicate with the admission controller.
  • Disable Admission Controller: If the admission controller is not essential, consider disabling it to reduce the attack surface.
  • Monitor Systems: Implement continuous monitoring to detect any unusual activity or potential exploitation attempts.
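To make the “Restrict Access” recommendation concrete, here is an added Kubernetes NetworkPolicy (not from the page or the ingress-nginx project) that keeps the controller’s HTTP/HTTPS ports reachable but allows traffic to the admission webhook port only from the API server. It assumes the controller runs in the ingress-nginx namespace with the upstream pod labels, and 10.0.0.1/32 is a placeholder for the address the API server uses to call the webhook.

```yaml
# Added example, not from the page or the ingress-nginx project.
# Assumptions: the controller pod carries the upstream labels below and runs in
# the "ingress-nginx" namespace; 10.0.0.1/32 is a PLACEHOLDER for the address(es)
# from which the API server reaches the webhook (control-plane node IPs on
# kubeadm clusters, a provider-published CIDR on managed clusters).
# A NetworkPolicy is only enforced when the cluster's CNI supports it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ingress-nginx-admission
  namespace: ingress-nginx
spec:
  # Select the ingress-nginx controller pods.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: ordinary HTTP/HTTPS traffic from anywhere stays allowed.
    # (A rule with "ports" but no "from" matches every source.)
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # Rule 2: the admission webhook (container port 8443, the target of the
    # ingress-nginx-controller-admission Service) is reachable only from the
    # API server. Any other source is dropped, which closes the
    # unauthenticated in-cluster path to the admission controller.
    - from:
        - ipBlock:
            cidr: 10.0.0.1/32   # PLACEHOLDER: replace with your API server address(es)
      ports:
        - protocol: TCP
          port: 8443
    # If your CNI also enforces policy against kubelet health probes, add a
    # rule allowing your node CIDR to TCP 10254 (healthz/metrics) here.
```

Apply with kubectl apply -f, then confirm the policy is listed by kubectl get networkpolicy -n ingress-nginx; where the webhook is not needed at all, the Helm value controller.admissionWebhooks.enabled=false removes it entirely, matching the “Disable Admission Controller” recommendation above.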

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has issued a FocusTag™ titled “Kubernetes Ingress NGINX,” highlighting organizations potentially exposed to the ‘IngressNightmare’ vulnerabilities, including CVE-2025-1974. Released on March 25, 2025, this tag enables TPRM professionals to identify and prioritize vendors at risk. Black Kite provides detailed asset information, such as IP addresses and subdomains, associated with the vulnerable products within a vendor’s infrastructure. This intelligence allows for targeted risk assessments and informed decision-making, streamlining the remediation process and enhancing overall supply chain security.

Black Kite’s Kubernetes Ingress NGINX FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-10441: Critical Remote Code Execution Vulnerability in Synology Products

What is the Synology DSM Remote Code Execution Vulnerability?

CVE-2024-10441 is a critical vulnerability identified in Synology’s DiskStation Manager (DSM) and BeeStation Manager (BSM). This flaw arises from improper encoding or escaping of output within the system plugin daemon, allowing remote attackers to execute arbitrary code without authentication. The vulnerability has been assigned a CVSS score of 9.8, indicating its severity. It was publicly disclosed on March 19, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2024-10441?

Synology DSM and BSM are widely used for network-attached storage (NAS) solutions, often housing sensitive organizational data. A successful exploit of this vulnerability could lead to unauthorized access, data exfiltration, or deployment of malicious payloads, compromising data integrity and confidentiality. Third-Party Risk Management (TPRM) professionals must assess the potential impact on their supply chain, especially if vendors utilize Synology products, to prevent cascading security breaches.

What questions should TPRM professionals ask vendors regarding CVE-2024-10441?

  1. Have you upgraded all instances of Synology DiskStation Manager (DSM) to the recommended versions (7.2.2-72806-1, 7.2.1-69057-6, 7.2-64570-4, 7.1.1-42962-7, 6.2.4-25556-8) to mitigate the risk of CVE-2024-10441, CVE-2024-10445, and CVE-2024-50629?
  2. Can you confirm if you have implemented firewall rules and intrusion detection/prevention systems specifically to block potential exploitation attempts related to the improper encoding or escaping of output vulnerability (CVE-2024-10441 and CVE-2024-50629) and the improper certificate validation vulnerability (CVE-2024-10445)?
  3. Have you conducted a security audit on affected systems to check for any unauthorized access or signs of exploitation related to the vulnerabilities in Synology BeeStation Manager (BSM), Synology DiskStation Manager (DSM), and Synology Unified Controller (DSMUC)?
  4. Can you confirm if you have strengthened access controls specifically for Synology products to ensure only authorized users have access to vulnerable systems, as a measure to mitigate the risk of CVE-2024-10441, CVE-2024-10445, and CVE-2024-50629?

Remediation Recommendations for Vendors Affected by CVE-2024-10441

  • Upgrade Synology Products: Apply the latest security updates as per Synology’s advisory. For DSM versions, upgrade to at least 7.2.2-72806-1. For BSM, upgrade to version 1.1-65374 or later.
  • Restrict Network Access: Limit exposure of Synology devices to untrusted networks to reduce potential attack vectors.
  • Monitor System Logs: Regularly review logs for unusual activities that may indicate exploitation attempts.
  • Implement Intrusion Detection Systems (IDS): Deploy IDS to identify and alert on suspicious network traffic targeting Synology devices.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-10441?

Black Kite has issued a FocusTag™ titled “Synology DSM” to assist in identifying potential exposures to CVE-2024-10441. This tag, published on March 28, 2025, enables TPRM professionals to pinpoint vendors with vulnerable Synology devices. By utilizing this tag, professionals can access detailed asset information, including IP addresses and subdomains, facilitating targeted risk assessments and remediation efforts. This proactive approach aids in safeguarding the supply chain against threats associated with this critical vulnerability.

Black Kite’s Synology DSM FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-30355: Synapse Server Improper Input Validation Vulnerability

What is the Synapse Server Improper Input Validation Vulnerability?

CVE-2025-30355 is a high-severity improper input validation vulnerability in Synapse, an open-source Matrix homeserver implementation. This flaw allows a malicious server to craft specific events that, when received by a vulnerable Synapse server (versions up to 1.127.0), prevent it from federating with other servers, effectively isolating it from the broader Matrix network. The vulnerability has a CVSS score of 7.1 and an EPSS score of 0.06%. It was publicly disclosed on March 26, 2025, and has been exploited in the wild. As of now, it has not been added to CISA’s Known Exploited Vulnerabilities catalog, and no CISA advisory has been published regarding this issue.

Why should TPRM professionals be concerned about CVE-2025-30355?

Synapse servers are integral to organizations relying on Matrix for secure, real-time communication. A successful exploitation of CVE-2025-30355 can disrupt inter-server communication, leading to potential isolation from the Matrix network. This disruption can result in significant operational downtime and hinder collaboration, posing substantial risks to business continuity and data integrity.

What questions should TPRM professionals ask vendors regarding CVE-2025-30355?

  1. Can you confirm if you have upgraded all instances of Synapse servers to version 1.127.1 to mitigate the risk of CVE-2025-30355?
  2. Are you actively monitoring your Synapse servers for any signs of unusual activity, specifically related to the Federation Denial-of-Service via Malformed Events?
  3. Can you confirm if your Synapse servers are operating in a closed federation environment consisting of trusted servers or non-federating installations, which are not affected by this vulnerability?
  4. Have you reviewed and reinforced your security best practices for server administration in light of the CVE-2025-30355 vulnerability?

Remediation Recommendations for Vendors subject to this risk

  • Immediate Update: Upgrade all Synapse servers to version 1.127.1 or later to address CVE-2025-30355.
  • Monitoring: Implement continuous monitoring of Synapse servers for signs of unusual activity that may indicate exploitation attempts.
  • Access Controls: Review and reinforce access controls to ensure only authorized servers can federate, reducing exposure to malicious entities.
  • Incident Response: Develop and test an incident response plan specifically addressing scenarios involving Synapse server isolation due to exploitation.
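The “Access Controls” recommendation maps to a single Synapse setting; the homeserver.yaml excerpt below is an added example (not from the page or the Synapse project) showing the closed-federation configuration the vendor questions above refer to. The server name and partner domains are constructed placeholders.

```yaml
# Added example: homeserver.yaml excerpt, not from the page or the Synapse project.
# "chat.example.org" and the partner domains are constructed placeholders.
server_name: "chat.example.org"

# With no whitelist (the default), federation is open: any Matrix server on the
# internet can send events to this homeserver, which is the exposure a
# malformed-event DoS such as CVE-2025-30355 depends on.
# Listing domains here makes Synapse refuse federation traffic, inbound and
# outbound, with any server that is not listed.
federation_domain_whitelist:
  - partner-a.example
  - partner-b.example
```

Patching to 1.127.1 or later remains the fix; the whitelist only limits which peers can reach the federation endpoint, which is why the page notes that closed-federation and non-federating installations are not affected.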

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite has published a FocusTag™ titled “Synapse Server” on March 27, 2025, to assist in identifying vendors potentially exposed to CVE-2025-30355. This tag provides detailed information about the vulnerability, including affected versions and remediation steps. TPRM professionals can utilize Black Kite to:

  • Identify third-party vendors using vulnerable Synapse server versions.
  • Access asset information such as IP addresses and subdomains associated with the vendors’ Synapse servers, facilitating targeted risk assessments.
  • Monitor vendors’ remediation efforts and ensure timely updates to mitigate the vulnerability.

Black Kite’s Synapse Server FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Visibility With Black Kite’s FocusTags™

In an era where vulnerabilities like IngressNightmare, critical flaws in Synology DSM, and zero-day DoS risks in Synapse servers emerge with growing frequency, Black Kite’s FocusTags™ serve as a pivotal asset for Third-Party Risk Management (TPRM) teams.

Here’s how these tags elevate TPRM outcomes:

  • Immediate Exposure Mapping: Instantly surface vendors using affected products—such as Kubernetes Ingress, Synology DSM, or Synapse—so that teams can take swift, informed action.
  • Risk-Based Vendor Prioritization: Evaluate vendors not just by their importance to your organization but also by their exposure to specific, high-severity vulnerabilities.
  • Precision Questionnaires: Guide focused conversations by targeting relevant risk areas, reducing questionnaire fatigue for vendors and ensuring relevance in responses.
  • Actionable Asset Intelligence: Access IPs and subdomains tied to vulnerable products within vendor environments, transforming cyber risk from abstract to tangible.

By integrating Black Kite’s FocusTags™ into their workflows, TPRM professionals can reduce analysis time, minimize uncertainty, and focus their remediation efforts where it matters most—on the vendors and systems that pose real-world risk.

Want to take a closer look at FocusTags™? Take our platform for a test drive and request a demo today.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Observable Discrepancy, Sensitive Information Disclosure; Plaintext Storage of a Password, Sensitive Information Disclosure; NULL Pointer Dereference, DoS Vulnerability; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Unrestricted Upload of File with Dangerous Type, Arbitrary Code Execution Vulnerability; Stack-based Buffer Overflow Vulnerability; Buffer Overflow Vulnerability; Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
  • VMware ESXi – Mar2025 : CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
  • Apache Tomcat – Mar2025 : CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.
  • Axios HTTP Client : CVE-2025-27152, Server-Side Request Forgery (SSRF) Vulnerability, Credential Leakage in Axios HTTP Server.
  • PostgreSQL – Feb2025: CVE-2025-1094, SQLi Vulnerability, Improper Neutralization of Quoting Syntax in PostgreSQL.
  • Zimbra XSS: CVE-2023-34192, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite (ZCS).
  • PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
  • Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.

References

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

https://www.darkreading.com/application-security/critical-ingressnightmare-vulns-kubernetes-environments

https://nvd.nist.gov/vuln/detail/CVE-2025-1974

https://nvd.nist.gov/vuln/detail/CVE-2025-24514

https://nvd.nist.gov/vuln/detail/CVE-2025-1098

https://nvd.nist.gov/vuln/detail/CVE-2025-1097

https://github.com/sandumjacob/IngressNightmare-POCs/blob/main/CVE-2025-1974/README.md

https://nvd.nist.gov/vuln/detail/CVE-2024-10441

https://securityonline.info/cve-2024-10441-cvss-9-8-synology-patches-critical-code-execution-flaw-in-multiple-products

https://nvd.nist.gov/vuln/detail/CVE-2025-30355

https://www.synology.com/en-global/security/advisory/Synology_SA_24_20

https://www.synology.com/en-global/security/advisory/Synology_SA_24_23

https://securityonline.info/synapse-servers-at-risk-zero-day-dos-in-the-wild

https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

https://blackkite.com/blog/oracle-cloud-breach-claims-denials-and-the-reality-of-cloud-security-risks-in-tprm


]]>
Oracle Cloud Breach: Claims, Denials, and the Reality of Cloud Security Risks in TPRM https://blackkite.com/blog/oracle-cloud-breach-claims-denials-and-the-reality-of-cloud-security-risks-in-tprm/ Thu, 27 Mar 2025 13:09:44 +0000 https://blackkite.com/?p=27194 Written by: Ekrem Selçuk Çelik, Ferdi Gül, & Yavuz Han In March 2025, a threat actor known by the alias “rose87168” publicly claimed responsibility for a large-scale cybersecurity incident targeting Oracle Cloud. Posting on the hacker forum BreachForums, the actor asserted that they had compromised Oracle’s traditional login servers (login.(region-name).oraclecloud.com) and exfiltrated approximately 6 million […]

The post Oracle Cloud Breach: Claims, Denials, and the Reality of Cloud Security Risks in TPRM appeared first on Black Kite.

]]>
Written by: Ekrem Selçuk Çelik, Ferdi Gül, & Yavuz Han

In March 2025, a threat actor known by the alias “rose87168” publicly claimed responsibility for a large-scale cybersecurity incident targeting Oracle Cloud. Posting on the hacker forum BreachForums, the actor asserted that they had compromised Oracle’s traditional login servers (login.(region-name).oraclecloud.com) and exfiltrated approximately 6 million sensitive records, potentially impacting over 140,000 Oracle Cloud tenants globally. Oracle officially denied any breach, stating explicitly that no Oracle Cloud customers experienced data loss or compromise.

Data Breach’s post on BreachForums

However, independent cybersecurity analyses, particularly investigations by BleepingComputer, provided credible evidence contradicting Oracle’s statements. Several Oracle customers confirmed the authenticity of data samples provided by the hacker, thereby validating the alleged data breach. Moreover, emails allegedly exchanged between the threat actor and Oracle—especially Oracle’s attempts to redirect communications through external channels like ProtonMail—suggest that the company is actively attempting to contain information related to this incident.

A March 1, 2025 internet archive image shows Oracle’s attempts to redirect communications with the threat actor to external channels such as ProtonMail, indicating the company’s efforts to contain information about the breach. (Source: web.archive.org)

Additionally, Oracle’s infrastructure (login.us2.oraclecloud.com) was discovered to be running Oracle Fusion Middleware version 11g as recently as February 2025, a version vulnerable to the critical flaw tracked as CVE-2021-35587. The threat actor claims to have exploited this specific vulnerability to compromise Oracle’s servers.

These findings reveal significant discrepancies between Oracle’s official claims and independent verifications, raising serious doubts about the accuracy of the company’s statements. Such contradictions pose a considerable risk to Oracle’s brand credibility and undermine its security assurances, underscoring the critical importance of proactive security measures, robust vulnerability management, and preparedness in today’s interconnected digital landscape.

According to the threat actor, the stolen data included:

  • Java KeyStore (JKS) files
  • Encrypted SSO and LDAP credentials
  • OAuth2 access keys
  • Enterprise Manager JPS keys
  • Configuration files and a list of tenant domains

This breach is believed to potentially affect over 140,000 Oracle Cloud tenants, posing serious security and reputational risks. The actor stated that companies could pay to have their employees’ data removed from the dataset before it was sold. They also shared sample data and tenant domain lists to back their claims.

On March 21, 2025, Oracle responded in a statement to Bleeping Computer:

“There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Despite this denial, independent cybersecurity firms including CloudSEK, Orca Security, and eSecurityPlanet shared analyses suggesting otherwise. CloudSEK pointed to the potential exploitation of a known vulnerability in misconfigured or outdated Oracle login infrastructure.

The vulnerability in question is CVE-2021-35587 — a critical flaw in Oracle Access Manager that allows unauthenticated attackers to gain remote access over HTTP, potentially leading to full system compromise. It carries a CVSS 3.1 score of 9.8 and an EPSS score of 94.23%, and affects versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

Though patches are available, many organizations have not yet applied them.

Black Kite’s Response: Oracle Cloud Data Breach FocusTag™

The Black Kite Research & Intelligence Team (BRITE) responded with a dedicated FocusTag, ‘Oracle Cloud Data Breach,’ providing insight into the incident’s potential impact on third-party ecosystems.

While Oracle has denied the breach, the confidence level for this FocusTag has been classified as Medium by Black Kite’s BRITE team. This assessment is based on the credibility of the threat actor’s claims, the nature of the leaked data, and supporting indicators from independent research. However, due to the lack of direct access to all data samples provided by the actor, the confidence level remains below ‘High’. This level may be reevaluated if further data is verified.

Rather than relying solely on CVE-based tagging (which can produce false positives), this FocusTag leverages the leaked tenant domain list provided by the threat actor to deliver precision targeting. It helps identify over 140,000 potentially impacted organizations, empowering TPRM teams to act decisively.

Filtering on the Black Kite platform using the FocusTag.

Black Kite’s Oracle Cloud Data Breach FocusTag™ details critical insights on the event for TPRM professionals.

How Can TPRM Professionals Leverage Black Kite’s Oracle Cloud Data Breach FocusTag™?

Black Kite’s FocusTag™ for the Oracle Cloud Data Breach empowers TPRM professionals to proactively manage risks arising from the alleged breach. By utilizing the leaked tenant domain list, this FocusTag identifies over 140,000 potentially impacted organizations, enabling targeted risk assessment and mitigation.

  • Audit Your Third-Party Ecosystem: Use the FocusTag to meticulously audit your third-party ecosystem and pinpoint vendors whose domains appear on the leaked list.
  • Prioritize Affected Vendors: Focus on vendors running the vulnerable Oracle Access Manager versions (11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0) to prioritize remediation efforts.
  • Direct Vendor Outreach: Initiate direct communication with identified vendors to seek clarification on their potential exposure and to coordinate remediation updates.
  • Targeted Remediation: Black Kite provides the detailed asset information that allows TPRM teams to target remediation efforts where they are most needed.
  • Continuous Updates: This FocusTag, published on March 21, 2025, will be updated as further data verification and analysis become available, ensuring TPRM professionals stay informed about the evolving impact and mitigation strategies related to this incident.

Recommended Actions for Affected Organizations

  • Credential Reset: Promptly reset passwords, especially for privileged LDAP accounts and tenant administrators. Enforce strong password policies and multi-factor authentication (MFA).
  • Certificate and Secret Rotation: Regenerate all certificates and secrets associated with potentially compromised configurations to prevent unauthorized access.
  • Log Auditing & Monitoring: Conduct a thorough audit of security logs for unusual or suspicious activity. Implement enhanced monitoring tools to detect and alert on unauthorized access attempts or anomalies.
  • Cloud Security Posture Review: Assess and strengthen your overall cloud security posture, with a focus on access controls, identity management, and vulnerability mitigation.
  • Vendor Communication: Reach out to Oracle Support for clarification and ongoing guidance. Push for transparency regarding the breach and any related risks.
  • Contingency Planning: Update your incident response and business continuity plans to account for scenarios involving data breaches and potential extortion threats.
  • Ongoing Threat Monitoring: Continuously monitor your environment using security tools capable of detecting lateral movement, privilege escalation, or other indicators of compromise.

Oracle Cloud Breach FAQ

Q: What exactly was compromised in the alleged Oracle Cloud breach?

A: The threat actor claims to have exfiltrated approximately 6 million sensitive user records, including Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) credentials, OAuth2 access keys, Enterprise Manager JPS keys, and tenant domain lists.

Q: The involved company denies the breach occurred. Why should we still be concerned?

A: Independent cybersecurity researchers have provided credible analyses indicating otherwise. Evidence such as leaked data samples, verified production environments, and real customer domains substantiates the threat actor’s claims, suggesting significant potential risk despite the company’s denial. Customer confirmations of the data sample validity also increase this concern.

Q: Which vulnerability was likely exploited?

A: The breach appears linked to CVE-2021-35587, a critical vulnerability in Oracle Access Manager allowing unauthenticated remote attackers to gain full system access. This vulnerability affects Oracle Access Manager versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

Q: Is there a tool to check if my organization is affected?

A: Yes, tools have been released enabling organizations to verify if their domain appears in the threat actor’s leaked tenant list, helping to quickly identify potential impact.

Q: Could this data be fabricated or from a test environment?

A: While some data could be misconstrued as test data, extensive verification indicates that the compromised data includes real tenant domains and active OAuth2 interactions. This significantly reduces the likelihood that the data is fabricated or solely from a testing environment. Customer validation of the data samples also reduces this possibility.

Q: What immediate actions should affected organizations take?

A: Affected organizations should immediately reset all LDAP and administrative passwords, enable multi-factor authentication (MFA), regenerate all potentially compromised certificates and secrets, conduct thorough log auditing, and strengthen overall cloud security posture.

Q: What is Black Kite’s Oracle Cloud Data Breach FocusTag?

A: The BRITE Team created the “Oracle Cloud Data Breach” FocusTag to identify organizations potentially impacted by this incident using the threat actor’s leaked tenant domain list. This FocusTag helps third-party risk management teams efficiently identify, assess, and mitigate related risks.

Q: How confident is Black Kite about this breach?

A: Black Kite’s BRITE team currently classifies confidence in this breach as Medium. This assessment could be updated to High upon further verification of additional leaked data.

Q: Will there be collaboration with Oracle on this matter?

A: Critical, sensitive details have been proactively shared with Oracle, and collaborative efforts aimed at thorough investigation and mitigation remain open.

Q: Why are cloud vulnerabilities particularly critical for supply chain security?

A: Cloud vulnerabilities can cascade quickly due to interconnected cloud environments, making organizations vulnerable to wide-reaching supply chain attacks. This breach underscores the importance of proactive cloud security measures, continuous monitoring, and rapid incident response capabilities.

Q: What do we know about how Oracle handled communication regarding the breach?

A: Communications shared by the threat actor indicate that someone claiming to be from the company insisted that all communication be conducted through a specific platform. This suggests efforts to contain information about a possible breach. Furthermore, the company’s initial denials contradict customer confirmations of the data sample authenticity, raising questions about transparency.

Q: Why is Oracle so strongly denying the breach?

A: The company may be attempting to maintain confidence in its cloud security and protect its reputation. Especially given the company’s public assertions regarding cloud security and AI surveillance systems, acknowledging a data breach could weaken its market position. However, customer verification of the data samples complicates the company’s stance.

Conclusion

The Oracle Cloud breach – alleged or not – is a reminder of the cascading risk potential in third-party ecosystems. Even patched CVEs like CVE-2021-35587 can be exploited if misconfigurations remain.

If you want to learn where to start when it comes to responding to a data breach in your supply chain, we recommend beginning with our blog post, “How to Respond to a Data Breach in Your Supply Chain”. This blog post focuses on the impact of ransomware attacks on businesses and outlines the steps organizations should take during and after a data breach within their supply chain.

Effectively handling such an incident requires a well-prepared, coordinated response plan—both technically and communicatively. By using Black Kite’s FocusTags™, your TPRM team can stay proactive, precise, and protected. At this point, partnering with Black Kite can provide critical value by helping you strengthen your defenses with a supply chain–focused perspective.

Black Kite’s FocusTags™ turn complex cybersecurity data into actionable insights, enabling TPRM professionals to manage vendor risk with clarity and confidence. In today’s fast-paced digital world, they’re key to staying resilient and ahead of threats.

References

https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com

https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/

https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants

https://www.darkreading.com/cyberattacks-data-breaches/oracle-denies-claim-oracle-cloud-breach-6m-records

https://www.webpronews.com/oracle-customers-throw-cold-water-on-companys-claim-it-was-not-hacked

https://blackkite.com/blog/how-to-respond-to-a-data-breach-in-your-supply-chain

Focus Friday: Fortifying TPRM Against Kernel Compromise, Buffer Overflow, and Directory Traversal Vulnerabilities
https://blackkite.com/blog/focus-friday-fortifying-tprm-against-kernel-compromise-buffer-overflow-and-directory-traversal-vulnerabilities/
Fri, 21 Mar 2025 14:29:22 +0000

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we delve into the critical realm of Third-Party Risk Management (TPRM) in the face of emerging cyber threats. This edition addresses three significant vulnerabilities that demand immediate attention from TPRM professionals: a kernel compromise in Juniper Junos OS, a buffer overflow in the MongoDB C driver, and a directory traversal vulnerability in SAP NetWeaver AS Java. Each of these vulnerabilities presents unique challenges and risks, and we’ll explore how Black Kite’s FocusTags™ can empower organizations to effectively mitigate these threats.

Filtered view of companies with Juniper Junos OS – Mar2025 FocusTag™ on the Black Kite platform.

CVE-2025-21590: Juniper Junos OS Kernel Compromise

What is the Juniper Junos OS Kernel Compromise?

CVE-2025-21590 is a medium-severity improper isolation or compartmentalization vulnerability within the Juniper Junos OS kernel. This flaw allows an attacker with shell access to inject malicious code silently, thereby compromising the integrity and persistence of Juniper MX routers. The vulnerability has a CVSS score of 6.7 and an EPSS score of 5.75%. This issue was first published in March 2025 and has been actively exploited in the wild by the Chinese nation-state threat group UNC3886. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on March 13, 2025. Juniper has released an out-of-cycle security bulletin, JSA93446, addressing this issue.

Other Relevant Artifacts and Indicators

Malware Configuration
  • UPRT (Port), default port 45678: environment variable containing the port to bind to.
  • RTS (Routing Addresses): environment variable containing routing addresses to bind to.
  • INTFS (Network Interfaces): environment variable containing network interface names to bind to.
  • DAEMON, Boolean (e.g., “true”, “false”): environment variable indicating whether to run the sample in the background.

Encryption Keys
  • 4fd37426-65dd-4a8d-8ba6-1382a011dae9: RC4 encryption key used in jdosd.
  • 0b3330c0b41d1ae2: RC4 encryption key used in lmpad.
  • 0x86: XOR encryption key used in irad.
  • WZtOTig2m42gXB6U: AES and HMAC encryption key used in irad.

Authentication and Protocol
  • 58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D: authentication token used in irad.
  • 26 e7 2b 3a 1c a2 16 2d 61 89 57 a9 cd 4c e7 3c: hex bytes used to verify UDP messages in lmpad.
  • 0xDEADBEEF: magic value used to initiate a connection to jdosd.
  • uSarguuS62bKRA0J: magic string used to activate backdoor capabilities in irad.
  • ek63a21km7WSWkfk: string expected at the beginning of a response from the target host in irad.
  • 1spCq0BMbJwCoeZn: string used to terminate the listening process in irad.

lmpad Patch Addresses
  • 0x8601328: memory address patched in the snmpd process by lmpad.
  • 0x84E90D8: memory address patched in the mgd process by lmpad.
  • 57E58955: original bytes at the mgd patch address.
  • C3D08990: bytes used to patch the mgd process.

IoC Table for Juniper Junos OS Vulnerability

Why Should TPRM Professionals Care?

Compromised Juniper MX routers, often found in critical infrastructure like telecom and ISP networks, pose a significant risk. These devices, when compromised, can lead to substantial data breaches, service disruptions, and the potential for persistent backdoors. Given that these routers manage critical network traffic, a successful attack could result in the exfiltration of sensitive data, manipulation of network traffic, and potential disruption of essential services. The fact that threat actors have replaced critical binaries, such as TACACS+, and bypassed security protections demonstrates the sophistication and potential impact of this vulnerability.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

To assess the risk posed by CVE-2025-21590, TPRM professionals should ask vendors:

  1. Have you upgraded all instances of Junos OS to the latest supported versions (21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2) to mitigate the risk of CVE-2025-21590?
  2. Have you executed the Juniper Malware Removal Tool (JMRT) Quick Scan and Integrity Check after upgrading to detect any signs of compromise related to the CVE-2025-21590 vulnerability?
  3. Can you confirm if you have implemented enhanced network monitoring, device lifecycle management, and configuration management programs to detect and prevent potential exploitation of the “Improper Isolation or compartmentalization vulnerability” in the Junos OS kernel?
  4. Have you secured all authentication systems, including TACACS+, and enforced multifactor authentication (MFA) for all network device management systems to prevent unauthorized access and potential exploitation of the CVE-2025-21590 vulnerability?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk:

  1. Immediately upgrade all Juniper MX routers to the latest supported Junos OS versions, as specified in the Juniper Security Advisory JSA93446.
  2. Restrict shell access to trusted users only as a temporary mitigation measure.
  3. Implement YARA and Snort/Suricata rules to detect the provided Indicators of Compromise (IOCs).
  4. Execute the Juniper Malware Removal Tool (JMRT) Quick Scan and Integrity Check after upgrading to detect any signs of compromise.
  5. Enforce MFA for all network device management systems and secure authentication systems, including TACACS+.
  6. Implement a centralized Identity and Access Management (IAM) system with robust multi-factor authentication (MFA) and granular role-based access control (RBAC).

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the “Juniper Junos OS – Mar2025” FocusTag to help organizations identify vendors potentially exposed to CVE-2025-21590. This tag, published in March 2025, allows TPRM professionals to quickly identify vendors using vulnerable Juniper MX routers. Black Kite provides asset information, including IP addresses and subdomains, that may be affected, enabling targeted remediation efforts. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.

Black Kite’s Juniper Junos OS – Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2017-12637: SAP NetWeaver AS Java Directory Traversal

What is the SAP NetWeaver AS Java Directory Traversal Vulnerability?

CVE-2017-12637 is a high-severity directory traversal vulnerability found in the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component of SAP NetWeaver Application Server Java 7.5. This flaw allows remote attackers to read arbitrary files on the server by exploiting a “.. (dot dot)” sequence in the query string. The vulnerability has been actively exploited in the wild since August 2017. Although systems might have applied the initial patch from SAP Security Note 2486657, the vulnerability can still be triggered through specific URLs. This issue affects SAP NetWeaver AS for JAVA, version ADSSSAP 7.50. The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog on March 19, 2025. The CVSS score for the vulnerability is 7.5, and the EPSS score is 80.11%.

Why Should TPRM Professionals Care?

A directory traversal vulnerability in SAP NetWeaver AS Java can lead to the unauthorized disclosure of sensitive files, potentially exposing critical business data. Given that SAP NetWeaver is widely used in enterprise environments, a successful exploit could result in significant data breaches and compromise sensitive information. The ability of attackers to read arbitrary files on the server poses a substantial risk to data confidentiality. Therefore, TPRM professionals must ensure that vendors using SAP NetWeaver AS Java have implemented the necessary security measures to mitigate this vulnerability.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

To assess the risk posed by CVE-2017-12637, TPRM professionals should ask vendors:

  1. Can you confirm if you have applied the recommendations from SAP Knowledge Base Article 3476549 to address potential residual vulnerabilities related to CVE-2017-12637 in your SAP NetWeaver AS Java system?
  2. Have you implemented strict access controls to limit access to sensitive files and directories on the SAP NetWeaver AS Java server to mitigate the risk of unauthorized access due to the directory traversal vulnerability (CVE-2017-12637)?
  3. Have you updated your SAP NetWeaver AS for JAVA to a version beyond ADSSSAP 7.50 to address the directory traversal vulnerability (CVE-2017-12637)?
  4. Can you confirm if you have thoroughly reviewed the web application configuration of your SAP NetWeaver AS Java system to identify and mitigate any potential directory traversal vulnerabilities, specifically related to the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk:

  1. Even if the patch level is higher than the original fix, apply the recommendations from SAP Knowledge Base Article 3476549 to address potential residual vulnerabilities.
  2. Monitor web server logs for suspicious activity, such as attempts to access unauthorized files.
  3. Implement strict access controls to limit access to sensitive files and directories on the SAP NetWeaver AS Java server.
  4. Confirm the current patch level of SAP NetWeaver AS Java and ensure all relevant patches, including those beyond the initial fix in SAP Security Note 2486657, are applied.
  5. Thoroughly review the web application configuration to identify and mitigate any potential directory traversal vulnerabilities.
  6. Ensure that SAP NetWeaver AS Java systems are within securely segmented networks.
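Recommendation 2 above (monitoring web server logs) can be automated. The following Python script is an added example, not code from SAP or Black Kite: it scans constructed NCSA-style access-log lines for requests to the UIUtilJavaScriptJS component named above whose path or query string carries a dot-dot sequence, decoding double-encoded and backslash variants before matching. The log layout, the sample lines and the severity labels are assumptions.

```python
import re
from urllib.parse import unquote

# Component path named in the CVE-2017-12637 advisory text.
VULN_COMPONENT = "scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS"

# NCSA combined access-log layout (assumed; adapt the regex to your server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding) and fold backslashes to slashes."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(s: str) -> bool:
    """True if any path or query segment contains a dot-dot sequence."""
    return any(".." in seg for seg in re.split(r"[/?&=]", s))


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize_target(m.group("target"))
    path, _, query = target.partition("?")
    on_component = VULN_COMPONENT.lower() in path.lower()
    traversal = has_traversal(path) or has_traversal(query)
    if on_component and traversal:
        severity = "high"      # traversal aimed at the vulnerable component
    elif traversal:
        severity = "medium"    # traversal attempt elsewhere: still worth review
    elif on_component:
        severity = "info"      # plain access to the component: baseline noise
    else:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "severity": severity,
        "target": target,
    }


def scan_log(lines):
    """Analyze every line; highest severity first, HTTP 200 responses (likely successful reads) first within a level."""
    findings = [f for f in (analyze_line(line) for line in lines) if f]
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["status"] != 200))
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Mar/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 1874',
    '198.51.100.7 - - [19/Mar/2025:09:12:05 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?1742375525 HTTP/1.1" 200 5120',
    '203.0.113.21 - - [19/Mar/2025:09:13:40 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?%252e%252e%252f%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 2210',
    '203.0.113.21 - - [19/Mar/2025:09:13:42 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?..%5c..%5cconf%5cserver.properties HTTP/1.1" 404 312',
    '203.0.113.22 - - [19/Mar/2025:09:14:10 +0000] "GET /irj/servlet/download?file=..%2F..%2Fnotes.txt HTTP/1.1" 403 0',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["status"]} {finding["ip"]:15} {finding["target"]}')
```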

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the “SAP NetWeaver JAVA – Mar2025” FocusTag to help organizations identify vendors potentially exposed to CVE-2017-12637. This tag, published on March 20, 2025, allows TPRM professionals to quickly identify vendors using vulnerable versions of SAP NetWeaver AS Java 7.5. Black Kite provides asset information, including IP addresses and subdomains, that may be affected. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.

Black Kite’s SAP NetWeaver – Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-0755: MongoDB C Driver Buffer Overflow

What is the MongoDB C Driver Buffer Overflow?

CVE-2025-0755 is a high-severity buffer overflow vulnerability found in the bson_append functions of the MongoDB C driver library (libbson). This vulnerability arises from inadequate memory overflow protection when creating BSON documents that exceed the maximum allowable size (INT32_MAX). Exploitation of this flaw can lead to application crashes. The vulnerability has a CVSS score of 8.4 and an EPSS score of 0.01%. This vulnerability was first disclosed on July 21, 2024. Currently, there is no public proof-of-concept (PoC) exploit code available, and CVE-2025-0755 has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Affected versions include libbson prior to 1.27.5, MongoDB Server versions prior to 8.0.1 (8.0 line), and MongoDB Server versions prior to 7.0.16 (7.0 line).

Why Should TPRM Professionals Care?

A buffer overflow within the MongoDB C driver can lead to application instability and potential service disruptions. Given that MongoDB is widely used for data storage in various applications, a crash could impact critical business operations. The vulnerability’s presence in the underlying libbson library means that numerous applications relying on MongoDB are potentially at risk. This can lead to data integrity issues and potential denial-of-service scenarios. Therefore, TPRM professionals should ensure that vendors using MongoDB have applied the necessary patches to mitigate this risk.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

To assess the risk posed by CVE-2025-0755, TPRM professionals should ask vendors:

  1. Can you confirm if you have upgraded the MongoDB Server to versions 8.0.1 or later for the 8.0 line and 7.0.16 or later for the 7.0 line to mitigate the risk of CVE-2025-0755?
  2. Have you updated the libbson driver to version 1.27.5 or later to address the buffer overflow vulnerability in the MongoDB C driver library?
  3. Are you monitoring your application logs for unusual activity, such as application crashes or segmentation faults, which could indicate exploitation of the buffer overflow vulnerability in the MongoDB C driver?
  4. After upgrading the MongoDB Server and libbson driver, did you conduct thorough testing to verify that your applications are functioning normally and are no longer susceptible to the buffer overflow vulnerability?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk:

  1. Upgrade the libbson driver to version 1.27.5 or later.
  2. Upgrade MongoDB Server 8.0 to version 8.0.1 or later, or MongoDB Server 7.0 to version 7.0.16 or later.
  3. Conduct thorough application testing after the update to ensure proper functionality.
  4. Implement a regular update plan for future MongoDB updates.
  5. Monitor application logs for unusual activity, such as application crashes or segmentation faults.
  6. Regularly scan MongoDB installations for known vulnerabilities.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the “MongoDB – Mar2025” FocusTag to assist organizations in identifying vendors potentially exposed to CVE-2025-0755. This tag, published on July 21, 2024, enables TPRM professionals to quickly identify vendors using vulnerable versions of MongoDB. Black Kite provides asset information, including IP addresses and subdomains, that may be affected. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.

Black Kite’s MongoDB – Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

Streamlining TPRM with Black Kite’s FocusTags™

In the dynamic landscape of cybersecurity, maintaining robust Third-Party Risk Management (TPRM) strategies is paramount. Black Kite’s FocusTags™ serve as an essential tool, offering real-time insights and actionable data to effectively manage emerging threats. This week’s vulnerabilities in Juniper Junos OS, MongoDB, and SAP NetWeaver highlight the necessity of proactive risk assessment and mitigation.

Here’s how Black Kite’s FocusTags™ enhance TPRM:

  • Rapid Vendor Identification: Quickly pinpoint vendors impacted by critical vulnerabilities, enabling immediate response and remediation.
  • Strategic Risk Prioritization: Prioritize risks based on vendor criticality and vulnerability severity, ensuring resources are allocated efficiently.
  • Targeted Vendor Engagement: Facilitate informed discussions with vendors, focusing on their specific security posture and mitigation efforts.
  • Comprehensive Threat Awareness: Provide a holistic view of the threat landscape, empowering organizations to strengthen their overall security posture.

Black Kite’s FocusTags™ transform complex cybersecurity data into actionable intelligence, enabling TPRM professionals to proactively address vulnerabilities and strengthen their defense against evolving cyber threats. By providing specific asset information, including IP addresses and subdomains, Black Kite enables precision in risk mitigation, a critical advantage in today’s threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Observable Discrepancy, Sensitive Information Disclosure; Plaintext Storage of a Password, Sensitive Information Disclosure; NULL Pointer Dereference, DoS Vulnerability; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Unrestricted Upload of File with Dangerous Type, Arbitrary Code Execution Vulnerability; Stack-based Buffer Overflow Vulnerability, Buffer Overflow Vulnerability; Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
  • VMware ESXi – Mar2025 : CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
  • Apache Tomcat – Mar2025 : CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.
  • Axios HTTP Client : CVE-2025-27152, Server-Side Request Forgery (SSRF) Vulnerability, Credential Leakage in Axios HTTP Server.
  • PostgreSQL – Feb2025: CVE-2025-1094, SQLi Vulnerability, Improper Neutralization of Quoting Syntax in PostgreSQL.
  • Zimbra XSS: CVE-2023-34192, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite (ZCS).
  • PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
  • Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
  • Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
  • Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
  • FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.

Focus Friday: Third-Party Risks In DrayTek Vigor Routers, VMware ESXi, Apache Tomcat, and Axios HTTP Client Vulnerabilities

https://blackkite.com/blog/focus-friday-third-party-risks-in-draytek-vigor-routers-vmware-esxi-apache-tomcat-and-axios-http-client-vulnerabilities/

Fri, 14 Mar 2025 14:39:21 +0000
Written by: Ferdi Gül

This week’s Focus Friday highlights critical vulnerabilities impacting widely used technologies: DrayTek Vigor routers, VMware ESXi, Apache Tomcat, and Axios HTTP Client. These vulnerabilities expose organizations to severe risks, ranging from remote code execution and authentication weaknesses to credential leakage and denial-of-service (DoS) attacks. Third-Party Risk Management (TPRM) professionals must stay ahead by identifying affected vendors, mitigating threats, and enforcing security best practices. With Black Kite’s FocusTags™, organizations can proactively assess vendor exposure and prioritize remediation efforts to safeguard their supply chains.

Filtered view of companies with DrayTek Vigor – Mar2025 FocusTag™ on the Black Kite platform.

DrayTek Vigor Router Critical Vulnerabilities

What are the vulnerabilities affecting DrayTek Vigor routers?

A comprehensive security audit by the Faraday Team has uncovered multiple critical vulnerabilities in DrayTek Vigor routers, commonly used in small office/home office (SOHO) environments. These vulnerabilities range from remote code execution (RCE) flaws to authentication weaknesses and denial-of-service (DoS) risks. If exploited, attackers can gain complete control over affected devices, extract sensitive information, and disrupt network services.

  • CVE-2024-41334 (CVSS 9.8): A remote code execution (RCE) vulnerability arising from a lack of SSL certificate validation in the APP Enforcement module. This allows attackers to install malicious modules from unauthorized servers.
  • CVE-2024-41335 (CVSS 7.5): A timing attack vulnerability due to a flawed password comparison mechanism, potentially leading to credential leakage.
  • CVE-2024-41336 (CVSS 7.5): Plaintext storage of passwords, exposing user credentials to attackers who gain memory or physical access.
  • CVE-2024-41338 (CVSS 7.5): A NULL pointer dereference in the DHCP server, enabling attackers to send crafted requests that crash the device, causing a DoS condition.
  • CVE-2024-41339 (CVSS 9.8): An undocumented kernel module upload flaw in the CGI configuration endpoint, allowing attackers to execute arbitrary code.
  • CVE-2024-41340 (CVSS 8.4): A vulnerability in APP Enforcement signature updates, enabling attackers to bypass security controls and execute arbitrary commands.
  • CVE-2024-51138 (CVSS 9.8): A stack-based buffer overflow in the TR069 STUN server URL parsing, leading to unauthenticated remote code execution.
  • CVE-2024-51139 (CVSS 9.8): A heap overflow vulnerability in the CGI parser, allowing attackers to execute arbitrary commands.

The table below lists the affected versions of the relevant vulnerable products.

DrayTek Vigor Vulnerable Versions and CVE List

Currently, there is no publicly available proof-of-concept (PoC) exploit for these vulnerabilities. Additionally, they have not yet been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why should TPRM professionals care?

These vulnerabilities pose significant risks to organizations relying on DrayTek Vigor routers for connectivity. The exploitation of these flaws can result in:

  • Network compromise: Attackers can gain full control over routers, allowing them to intercept traffic, modify network settings, and perform further attacks.
  • Credential theft: The storage of plaintext passwords and authentication flaws increases the risk of credential compromise, enabling lateral movement within networks.
  • Denial of service: Exploits targeting the DHCP server and buffer overflow flaws can disrupt business operations by rendering affected routers inoperable.
  • Malware delivery and persistence: Unauthorized kernel module uploads and signature manipulation can allow attackers to install persistent backdoors for long-term access.

What questions should TPRM professionals ask vendors?

TPRM professionals should engage their vendors with the following questions to assess exposure:

  1. Have you updated the firmware of your DrayTek Vigor routers to the versions mentioned in the advisory to mitigate the risks associated with CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, and CVE-2024-51139?
  2. Can you confirm if you have implemented the recommended actions such as disabling remote management, enforcing strong authentication, restricting access to CGI endpoints, and monitoring for exploitation attempts to address the vulnerabilities in DrayTek Vigor routers?
  3. Have you taken steps to secure the APP Enforcement Module and the CGI configuration endpoint to prevent RCE via these methods as mentioned in CVE-2024-41334 and CVE-2024-41339?
  4. Have you addressed the insecure password storage issue mentioned in CVE-2024-41336 by implementing secure password storage mechanisms and have you mitigated the risk of the timing attack on authentication as mentioned in CVE-2024-41335?

Remediation recommendations for vendors

Vendors using affected DrayTek Vigor routers should take the following remediation steps:

  • Apply firmware updates immediately, as provided by DrayTek, to patch the identified vulnerabilities.
  • Implement network segmentation to isolate vulnerable routers from critical infrastructure and limit potential attack surfaces.
  • Monitor network traffic for unusual activity that could indicate exploitation attempts, particularly related to unauthorized module uploads or authentication anomalies.
  • Disable unnecessary services that could be targeted by attackers, such as TR069 if not required for device management.
  • Change default credentials and enforce strong authentication mechanisms to mitigate brute-force and credential theft risks.

Black Kite’s DrayTek Vigor – Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

VMware ESXi Vulnerabilities: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226

Last week, after we had completed our work and added VMware ESXi as a FocusTag™, three vulnerabilities were published for the product.

What are the VMware ESXi vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226?

Broadcom has disclosed multiple vulnerabilities affecting VMware ESXi, Workstation, and Fusion, with confirmed active exploitation in the wild.

  • CVE-2025-22224 (CVSS: 9.3, EPSS: 1.18%): A critical heap-overflow vulnerability in VMCI that allows attackers with administrative privileges inside a virtual machine to execute code as the VMX process on the host.
  • CVE-2025-22225 (CVSS: 8.2, EPSS: 1.18%): A high-severity arbitrary write vulnerability in ESXi, enabling attackers with VMX process privileges to perform arbitrary kernel writes, potentially leading to sandbox escapes.
  • CVE-2025-22226 (CVSS: 7.1, EPSS: 1.18%): A high-severity out-of-bounds read vulnerability in HGFS, allowing attackers with administrative privileges inside a virtual machine to leak memory from the VMX process, potentially exposing sensitive data.

A PoC exploit is not available, and all three vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 4, 2025. Reports confirm that these vulnerabilities are actively exploited in the wild, increasing the urgency for remediation. In the past, similar ESXi vulnerabilities have been targeted by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. Therefore, it is strongly recommended to upgrade to the latest versions without delay.

Why should TPRM professionals be concerned about these vulnerabilities?

Third-Party Risk Management (TPRM) professionals should be concerned because these vulnerabilities can lead to:

  • Hypervisor Compromise: Attackers can execute code on the host system, potentially affecting all virtual machines running on it.
  • Data Breach: Sensitive information could be exposed through memory leaks, leading to data exfiltration.
  • Service Disruption: Exploitation can result in system instability or downtime, disrupting business operations.
  • Ransomware Attacks: Given past exploitation by ransomware groups, unpatched systems are at heightened risk.

What questions should TPRM professionals ask vendors about these vulnerabilities?

TPRM professionals should inquire:

  1. Have you updated all instances of VMware ESXi, Workstation, and Fusion to the latest versions that address the vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226?
  2. Can you confirm if you have disabled unnecessary VMCI and HGFS components, especially in environments with high security requirements, to mitigate the risk of CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226?
  3. Have you applied the security patches released by VMware for the affected products to remediate the vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226?
  4. Have you restricted VM-level administrative privileges to minimize the risk of an attacker leveraging these vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226?

Remediation recommendations for vendors subject to this risk

Vendors should:

  • Apply Patches Immediately: Install the security updates provided by VMware to address these vulnerabilities.
  • Restrict Administrative Privileges: Limit administrative access within virtual machines to reduce the risk of exploitation.
  • Disable Unnecessary Services: Turn off VMCI and HGFS components if they are not required, especially in high-security environments.
  • Monitor Systems: Implement monitoring to detect unusual activities that may indicate exploitation attempts.

Black Kite’s VMware ESXi – Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-24813: Apache Tomcat Remote Code Execution and Information Disclosure Vulnerability

What is the Apache Tomcat Remote Code Execution and Information Disclosure vulnerability?

CVE-2025-24813 is a critical security vulnerability identified in Apache Tomcat, a widely used open-source web server and servlet container. This flaw stems from improper handling of partial PUT requests, potentially leading to remote code execution (RCE), information disclosure, or data corruption under specific conditions. The vulnerability has been assigned a CVSS score of 8.6, indicating high severity. However, it is currently listed with a CVSS score of 5.5 (medium) in the NVD, while some customer portals, such as Red Hat, have assigned it a score of 8.6. The vulnerability affects the following Apache Tomcat versions: 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, 9.0.0.M1 through 9.0.98. A PoC exploit is not available, and the vulnerability has not yet been listed in CISA’s Known Exploited Vulnerabilities catalog. However, it remains a significant threat, as it could enable attackers to fully compromise the affected system.

Exploitation scenarios include:

  • Information Disclosure and Data Corruption: If writes are enabled for the default servlet (disabled by default), partial PUT support is active (enabled by default), the target URL for sensitive uploads is a subdirectory of a public upload URL, and the attacker knows the names of the sensitive files being uploaded via partial PUT, they can view those security-sensitive files and/or inject content into them.
  • Remote Code Execution (RCE): If writes are enabled for the default servlet, partial PUT is active, the application uses Tomcat’s file-based session persistence with the default storage location, and the application includes a library vulnerable to deserialization attacks, a malicious user could achieve remote code execution.

As of March 13, 2025, there are no reports of this vulnerability being exploited in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
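Both scenarios above share the same web.xml preconditions: the default servlet must accept writes (readonly set to false) and partial PUT must be enabled (the default). As an added example, not Apache Tomcat’s own code, the following Node.js script reads a web.xml and reports whether those preconditions hold. The init-param names and their defaults are the ones documented for Tomcat’s DefaultServlet; the two web.xml fragments are constructed for the demo.

```javascript
// Added example (not Apache Tomcat's own code): audits a Tomcat web.xml for the
// two DefaultServlet init-params that the CVE-2025-24813 scenarios depend on.
// "readonly" (default true) controls whether PUT/DELETE are accepted and
// "allowPartialPut" (default true) controls partial PUT support. Only the
// web.xml preconditions are checked; the RCE scenario additionally needs
// file-based session persistence and a deserialization gadget on the classpath.

// Collect <init-param> name/value pairs from the servlet declared as the
// default servlet (by servlet-name "default" or by the DefaultServlet class).
function defaultServletParams(webXml) {
  const params = {};
  const servletRe = /<servlet>([\s\S]*?)<\/servlet>/g;
  let m;
  while ((m = servletRe.exec(webXml)) !== null) {
    const body = m[1];
    const isDefault =
      /<servlet-name>\s*default\s*<\/servlet-name>/.test(body) ||
      /<servlet-class>\s*org\.apache\.catalina\.servlets\.DefaultServlet\s*<\/servlet-class>/.test(body);
    if (!isDefault) continue;
    const paramRe =
      /<init-param>\s*<param-name>\s*([^<]+?)\s*<\/param-name>\s*<param-value>\s*([^<]*?)\s*<\/param-value>\s*<\/init-param>/g;
    let p;
    while ((p = paramRe.exec(body)) !== null) params[p[1]] = p[2];
  }
  return params;
}

// Effective settings (Tomcat's defaults applied when a parameter is absent)
// plus the findings a reviewer would raise.
function assessDefaultServlet(webXml) {
  const params = defaultServletParams(webXml);
  const readonly = (params.readonly ?? 'true').trim().toLowerCase() === 'true';
  const allowPartialPut = (params.allowPartialPut ?? 'true').trim().toLowerCase() === 'true';
  const findings = [];
  if (!readonly) findings.push('readonly=false: the default servlet accepts PUT and DELETE');
  if (allowPartialPut) findings.push('allowPartialPut is enabled (the default); disable it if Content-Range uploads are not needed');
  return { readonly, allowPartialPut, exposed: !readonly && allowPartialPut, findings };
}

// Constructed samples: a weakened configuration and a hardened one.
const WEAK_WEB_XML = `
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>`;

const HARDENED_WEB_XML = `
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>`;

for (const [label, xml] of [['weak', WEAK_WEB_XML], ['hardened', HARDENED_WEB_XML]]) {
  const result = assessDefaultServlet(xml);
  console.log(`${label}: exposed=${result.exposed}`, result.findings);
}
```

Run it against conf/web.xml and every application’s WEB-INF/web.xml, since an application can override the global default servlet settings. A clean result only rules out the shared preconditions; the upgrade to 11.0.3, 10.1.35 or 9.0.99 remains the actual fix.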

Why should TPRM professionals be concerned about this vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-24813 due to its potential to compromise the integrity, confidentiality, and availability of systems running vulnerable versions of Apache Tomcat. Successful exploitation could lead to unauthorized access, data breaches, and system compromises, affecting both the organization and its stakeholders.

What questions should TPRM professionals ask vendors about CVE-2025-24813?

To assess the risk associated with this vulnerability, TPRM professionals should inquire:

  1. Have you upgraded all instances of Apache Tomcat to versions 11.0.3, 10.1.35, or 9.0.99 or later to mitigate the risk of CVE-2025-24813?
  2. Can you confirm if the default servlet’s write capability remains disabled in your Apache Tomcat configuration to prevent unauthorized actions?
  3. Have you assessed the necessity of partial PUT support in your Apache Tomcat configuration and disabled it if not required to prevent potential data corruption and information disclosure?
  4. Have you conducted a thorough review of server configurations and deployed libraries to identify and mitigate potential deserialization vulnerabilities that could be exploited in conjunction with CVE-2025-24813?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate the risks associated with CVE-2025-24813:

  • Immediate Upgrade: Upgrade Apache Tomcat to a secure version: 11.0.3 or later, 10.1.35 or later, 9.0.99 or later. Upgrading addresses the vulnerability by correcting the handling of partial PUT requests. 
  • Configuration Review: Ensure that the default servlet’s write capability remains disabled unless absolutely necessary. Assess the necessity of partial PUT support; disable it if not required.
  • Security Audit: Conduct a thorough review of server configurations and deployed libraries to identify and mitigate potential deserialization vulnerabilities.
  • Monitoring and Detection: Implement monitoring to detect unauthorized file access or modifications. Regularly inspect logs for unusual activities indicative of exploitation attempts.

Black Kite’s Apache Tomcat – Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-27152: Axios HTTP Client Server-Side Request Forgery (SSRF) and Credential Leakage Vulnerability

Axios is a promise-based HTTP client for JavaScript, commonly used for making HTTP requests in Node.js and browser-based applications. It provides a simple API to send asynchronous HTTP requests to REST endpoints and handle responses.

What is the Axios HTTP Client SSRF and Credential Leakage vulnerability?

CVE-2025-27152 is a high-severity vulnerability identified in Axios, a widely used JavaScript HTTP client for both browsers and Node.js environments. The flaw, rated CVSS 7.7, stems from improper handling of absolute URLs in requests, which could lead to Server-Side Request Forgery (SSRF) and credential leakage in applications relying on Axios for HTTP requests.

The vulnerability affects all Axios versions up to and including 1.7.9. Attackers can exploit this flaw to:

  • Trigger SSRF attacks, forcing the application to send unauthorized requests to internal services or unintended external systems.
  • Leak sensitive credentials, such as API keys or authentication tokens, by inadvertently sending them to an unintended remote server.

A publicly available Proof-of-Concept (PoC) exploit exists for this vulnerability, but it has not been listed in CISA’s Known Exploited Vulnerabilities catalog. There is no public evidence of active exploitation of CVE-2025-27152 by threat actors. However, given Axios’s widespread use, with over 251 million downloads per month, the potential impact is significant.

Exploitation Details

This vulnerability arises because Axios prioritizes absolute URLs over the configured baseURL. If an application dynamically generates URLs, an attacker could override the request destination and send it to an external malicious server, leading to data exfiltration.

For example, consider the following Axios implementation in JavaScript:

Despite defining a baseURL, the request is sent to http://malicious.com/ along with the authorization token, leaking sensitive credentials.
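As an added example of the behaviour described above (not axios’s own code and not the advisory’s PoC), the following Node.js snippet reproduces the precedence rule that makes the request leave the configured base and shows a guard that keeps a user-supplied path on the intended origin. It runs without axios installed: resolveLikeAxios is a stand-in that mirrors only the “absolute URL wins over baseURL” rule, and the base URL and request paths are constructed.

```javascript
// Added example (not axios's own code and not the advisory's PoC): why an
// attacker-controlled path overrides baseURL in axios <= 1.7.9, and a guard
// that keeps the request on the intended origin. Node.js only.

const ABSOLUTE_URL_RE = /^([a-z][a-z\d+\-.]*:)?\/\//i;

// Stand-in for the precedence rule the vulnerability depends on: an absolute
// or protocol-relative URL is used as-is, anything else is appended to baseURL.
// Whatever URL wins, the client's configured Authorization header goes with it.
function resolveLikeAxios(baseURL, requestedURL) {
  if (ABSOLUTE_URL_RE.test(requestedURL)) return requestedURL;
  return baseURL.replace(/\/+$/, '') + '/' + requestedURL.replace(/^\/+/, '');
}

// Hardened builder: resolve the user-supplied value against baseURL with the
// WHATWG URL parser, then refuse it unless the result stays on baseURL's
// origin and under its path. Only URLs that pass may carry the credential.
// baseURL should end with "/" so relative paths resolve beneath it.
function buildSafeRequestUrl(baseURL, userPath) {
  if (typeof userPath !== 'string' || /[\u0000-\u001f\u007f]/.test(userPath)) {
    throw new Error('request path is not a plain string');
  }
  const base = new URL(baseURL);
  const target = new URL(userPath, base); // an absolute userPath ignores base here
  if (target.origin !== base.origin) {
    throw new Error(`request path escapes ${base.origin} (resolved to ${target.origin})`);
  }
  if (!target.pathname.startsWith(base.pathname)) {
    throw new Error(`request path escapes the base path ${base.pathname}`);
  }
  return target.toString();
}

// Constructed demo: an internal API base and the attacker-controlled input from
// the text, shown once through the leaky rule and once through the guard.
const DEMO_BASE_URL = 'https://api.example.internal/v1/';

function demo(userPath) {
  const leaky = resolveLikeAxios(DEMO_BASE_URL, userPath);
  let safe;
  try {
    safe = buildSafeRequestUrl(DEMO_BASE_URL, userPath);
  } catch (err) {
    safe = `rejected: ${err.message}`;
  }
  return { userPath, leaky, safe };
}

for (const input of ['users/42', 'http://malicious.com/', '//malicious.com/', '../admin']) {
  console.log(demo(input));
}
```

Apply the guard before the value reaches the HTTP client, so that a lagging axios version in some dependency cannot redirect the request; the guard complements, rather than replaces, the upgrade the advisory calls for.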

Why should TPRM professionals be concerned?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-27152 because:

  • SSRF Attacks: If a vendor’s application is vulnerable, attackers can access internal services, exfiltrate data, or launch follow-up attacks.
  • Credential Leakage: Sensitive API keys and authentication tokens may be inadvertently exposed to malicious third parties.
  • Supply Chain Impact: Many third-party services rely on Axios. If a vendor uses an outdated version, customer data could be at risk.

What questions should TPRM professionals ask vendors?

To assess the impact of this vulnerability on vendor infrastructure, TPRM professionals should ask:

  1. Have you updated all instances of Axios to version 1.8.3 or later to mitigate the risk of CVE-2025-27152?
  2. Have you implemented strict validation of user-provided URLs to ensure they conform to expected formats and do not include absolute URLs that could bypass intended baseURL configurations?
  3. Can you confirm if you have conducted regular code reviews and security assessments to identify and mitigate potential vulnerabilities related to third-party libraries such as Axios?
  4. Are you utilizing tools to monitor and manage dependencies, ensuring that all libraries, including Axios, are up-to-date with the latest security patches?

Remediation recommendations for vendors

Vendors using Axios in their applications should take the following steps to mitigate CVE-2025-27152:

  • Upgrade Axios Immediately: Ensure all applications use Axios 1.8.2 or later, where this issue is patched.
  • Implement URL Validation: Enforce strict validation of user-supplied URLs to prevent request redirection to unintended destinations.
  • Review Security Configurations: Disable baseURL overrides and enforce allowlists for internal and external requests.
  • Monitor Dependencies: Utilize automated dependency management tools to ensure all third-party libraries are patched against known vulnerabilities.
  • Conduct Security Audits: Regularly review application code for insecure request handling and implement SSRF protections.

Black Kite’s Axios HTTP Client FocusTag™ details critical insights on the event for TPRM professionals.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has issued multiple FocusTags™ to help organizations quickly identify and mitigate risks associated with critical vulnerabilities affecting their supply chain. These FocusTags™ provide actionable intelligence on affected assets, such as IP addresses, subdomains, and software versions linked to vulnerable systems.

By leveraging these FocusTags™, TPRM professionals can:

  • Identify At-Risk Vendors: Determine which vendors within their supply chain may be exposed to vulnerabilities in DrayTek Vigor routers, VMware ESXi, Apache Tomcat, or the Axios HTTP Client.
  • Assess Vendor Risk Posture: Evaluate how these vulnerabilities impact their vendors, considering factors like patch management, configuration practices, and overall security posture.
  • Facilitate Communication: Engage with vendors to confirm awareness of these vulnerabilities and encourage timely remediation efforts.
  • Monitor Remediation Progress: Track vendors’ responses, security updates, and mitigation strategies to ensure continuous risk reduction.

Black Kite’s FocusTags™ for these vulnerabilities—including “DrayTek Vigor Routers – Mar2025,” “VMware ESXi – Mar2025,” “Apache Tomcat – Mar2025,” and “Axios HTTP Client – Mar2025”—are regularly updated as new intelligence emerges. Organizations are encouraged to integrate these insights into their risk management workflows to strengthen resilience against third-party cyber threats.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In today’s evolving cybersecurity landscape, proactive risk management is essential. Black Kite’s FocusTags™ equip TPRM professionals with actionable intelligence to streamline security assessments and mitigate third-party risks. These tags provide:

  • Real-Time Risk Identification: Quickly detect vendors affected by critical vulnerabilities, enabling a swift response.
  • Strategic Risk Prioritization: Assess vendor importance and vulnerability severity to optimize remediation efforts.
  • Informed Vendor Communication: Engage vendors with targeted questions about security measures and mitigation steps.
  • Holistic Security Enhancement: Gain a comprehensive view of the threat landscape, reinforcing cybersecurity defenses.

By leveraging Black Kite’s FocusTags™, organizations can transform complex vulnerability data into precise, strategic actions—enhancing resilience against supply chain risks and emerging cyber threats.



About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139, Code Injection Vulnerability, Arbitrary Code Execution Vulnerability, Observable Discrepancy, Sensitive Information Disclosure, Plaintext Storage of a Password, NULL Pointer Dereference, DoS Vulnerability, Unrestricted Upload of File with Dangerous Type, Stack-based Buffer Overflow Vulnerability, Buffer Overflow Vulnerability, Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
  • VMware ESXi – Mar2025 : CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
  • Apache Tomcat – Mar2025 : CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.
  • Axios HTTP Client : CVE-2025-27152, Server-Side Request Forgery (SSRF) Vulnerability, Credential Leakage in Axios HTTP Server.
  • PostgreSQL – Feb2025: CVE-2025-1094, SQLi Vulnerability, Improper Neutralization of Quoting Syntax in PostgreSQL.
  • Zimbra XSS: CVE-2023-34192, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite (ZCS).
  • PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
  • Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
  • Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
  • Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
  • FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
  • QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
  • Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-41334

https://nvd.nist.gov/vuln/detail/CVE-2024-41335

https://nvd.nist.gov/vuln/detail/CVE-2024-41336

https://nvd.nist.gov/vuln/detail/CVE-2024-41338

https://nvd.nist.gov/vuln/detail/CVE-2024-41339

https://nvd.nist.gov/vuln/detail/CVE-2024-41340

https://nvd.nist.gov/vuln/detail/CVE-2024-51138

https://nvd.nist.gov/vuln/detail/CVE-2024-51139

https://www.draytek.com/about/security-advisory/denial-of-service,-information-disclosure,-and-code-execution-vulnerabilities

https://securityonline.info/critical-flaws-uncovered-in-draytek-routers-backdoors-rce-and-weak-authentication-exposed

https://nvd.nist.gov/vuln/detail/CVE-2025-22224

https://nvd.nist.gov/vuln/detail/CVE-2025-22225

https://nvd.nist.gov/vuln/detail/CVE-2025-22226

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

https://securityonline.info/cve-2025-22224-cve-2025-22225-cve-2025-22226-critical-vmware-vulnerabilities-exploited

https://nvd.nist.gov/vuln/detail/CVE-2025-24813

https://access.redhat.com/security/cve/cve-2025-24813

https://www.openwall.com/lists/oss-security/2025/03/10/5

https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

https://securityonline.info/cve-2025-24813-flaw-in-apache-tomcat-exposes-servers-to-rce-data-leaks-update-immediately

https://nvd.nist.gov/vuln/detail/CVE-2025-27152

https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6

https://securityonline.info/popular-javascript-library-axios-exposes-millions-to-server-side-vulnerabilities-cve-2025-27152/

Ransomware Review February 2025: Clop’s CLEO Attack Pushes Victim Count to Historic High

https://blackkite.com/blog/ransomware-review-february-2025-clops-cleo-attack-pushes-victim-count-to-historic-high/

Fri, 07 Mar 2025 17:00:55 +0000
Written by: Ekrem Selçuk Çelik

Welcome to the February 2025 ransomware update, highlighting the latest trends, threat actors, and significant events in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared. The Black Kite Research & Intelligence Team (BRITE) tracked 809 ransomware incidents in February 2025, marking the highest monthly victim count ever recorded. Previously, the peak stood at around 590 victims, making this month’s figure especially alarming.

The United States once again topped the list with 513 incidents, followed by Canada with 51 and the United Kingdom with 23.

Manufacturing remained the hardest-hit sector with 193 victims, followed by Professional and Technical Services with 118, and Wholesale with 82. The gap between Manufacturing and Technical Services continues to widen as attacks intensify.

Top Threat Actors

Clop dominated February with 283 disclosed victims, retaining its leadership for the second consecutive month. RansomHub maintained its consistent presence, following with 98 victims. The Akira group kept up its recent momentum, placing third with 50 victims, closely followed by Play with 48 victims. Additionally, Qilin, Lynx, Cactus, and Medusa collectively disclosed numerous victims, contributing significantly to the month’s total.

If we’re not going to take 809 victims seriously, when will we start?

The unprecedented surge of ransomware attacks in February demands attention. Throughout 2024, we occasionally reached numbers around 500 and had grown somewhat accustomed to them. But this surge, which significantly surpasses the previous all-time high of around 590 and comes at the very beginning of 2025, highlights the disturbing trajectory of ransomware attacks and underscores the need for critical insights into the evolving ransomware landscape.

Clop Played All Its Cards

Clop started February by gradually revealing victims, initially disclosing 50, followed shortly by another batch of 50. Just when it seemed they would continue this incremental approach, the group unexpectedly released over 180 remaining victims in a single batch, suggesting they’ve now exhausted their CLEO-related victim pool.

Since the CLEO vulnerability emerged, Clop has publicly disclosed over 400 victims, confirming earlier predictions of potentially reaching around 450. In February alone, the United States (185 victims) and Canada (24 victims) were the primary targets. Manufacturing was again the hardest-hit sector with 89 victims, followed by Wholesale with 49 and Transportation and Warehousing with 35.

Yet, despite these substantial victim numbers, Clop doesn’t seem to be achieving the impact it desires. Increasingly strict ransom payment policies by companies and governments have meant organizations often prefer to absorb short-term reputational damage rather than financial loss. Clearly, media attention around Clop’s CLEO attacks is significantly lower than around their previous MOVEit campaign, visibly affecting the group’s morale and possibly frustrating their ambitions.

Whether Clop will innovate its methods or shift entirely to new attack strategies remains uncertain. Still, one thing remains clear: Clop excels at ransomware operations, and its future moves will undoubtedly remain closely watched.

 Clop’s leak site

8Base Shutdown

The 8Base ransomware group, which had been showing sporadic activity following the arrest of Russian citizen Evgenii Ptitsyn last year, attempted a comeback in January with 25 victims. However, a significant international law enforcement operation in early February shut down 8Base’s leak site completely, resulting in the arrest of four European suspects (two women and two men) in Phuket, Thailand.

The dismantling of such a major ransomware operation, which had evolved from Phobos into a sophisticated and professionally managed group, underscores the effectiveness of global collaboration against cybercrime. This event offers a hopeful reminder of what coordinated efforts can achieve against ransomware threats.

 8Base’s onion site

Black Basta’s Internal Chaos Exposed

Another notable event in February was the leak of roughly 50MB of internal chat logs from the Black Basta ransomware group, revealing insights into their operations, target selection strategies, internal vulnerabilities, and organizational dysfunction. The leaked messages include numerous RDP, VPN, and proxy credentials, along with internal debates highlighting serious trust and coordination issues within the group.

Critically, the leak exposed discussions about technical shortcomings compared to rival ransomware groups, internal conflicts, and the presence of former Conti members seeking to improve operational strategies. Such leaks provide valuable insights for defenders and underscore how ransomware groups are vulnerable to internal collapse.

The Road Ahead

February’s unprecedented ransomware activity is a clear indicator of where the ecosystem is heading. The aggressive exploitation of the CLEO vulnerability by Clop, the emergence of new ransomware groups, and a surge in activity across the board have set a troubling precedent. Unless organizations and governments adopt radical security measures soon, it’s unrealistic to expect any slowdown in ransomware attacks in the foreseeable future.

Although law enforcement operations, such as the takedown of 8Base, offer some hope, the continuous emergence and rebranding of ransomware groups emphasize that defense measures must continually evolve. Collaboration, resilience, and proactive defense have never been more critical.


To keep an eye on potential ransomware targets in your cyber ecosystem, check out Black Kite’s Ransomware Susceptibility Index® (RSI™). It allows third-party risk managers to identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard your organization against the escalating threat.

Stay tuned for more monthly Ransomware Reviews on our blog and LinkedIn Newsletter.



Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.




Top 3 Actions to Take After Reading the 2025 Third-Party Breach Report
https://blackkite.com/blog/3-critical-actions-to-strengthen-third-party-risk-management/
Mon, 03 Mar 2025 17:59:28 +0000
Byline: Bob Maley, Chief Security Officer

If you’ve been in the information security field as long as I have, you’re probably feeling a sense of déjà vu after reading the 2025 Third-Party Breach Report when it comes to the prevalence of ransomware in third-party breaches. Ransomware has been around for decades. It first showed up on 5.25” floppy disks that someone handed out at a healthcare conference. The ransomware fee was just $200 back then, a far cry from the record-breaking $75 million ransom that was reported in 2024. You’d think we wouldn’t be dealing with this kind of threat after all this time. 

The most frustrating part? Ransomware is preventable. If organizations had stopped it—and they could have—the bad guys would have moved on to something new. But over my years spent in law enforcement and cybersecurity, I’ve learned that bad actors will go where the money is. Organizations haven’t made enough progress in stopping ransomware attacks, so bad actors have no reason to stop using this tried-and-true form of attack.

If anything, they’re getting better at it. Google just issued a report claiming that threat actors are using Gemini to launch even more effective ransomware attacks. Generative AI comes in handy for them in vulnerability research, scripting and development, and crafting phishing campaigns, among other things. If organizations don’t up their game, particularly when it comes to third-party risk management (TPRM), the situation is only going to get worse.

The findings in our 2025 Third-Party Breach Report make this clear. But rather than just ringing another alarm bell, I will share three concrete steps you can take now to protect yourself from hidden vendor threats, such as ransomware. Because although criminals are becoming more sophisticated, the fundamentals of prevention haven’t changed—CISOs just need to get better at executing on them.

3 Steps to Help Protect from Hidden Vendor Threats

1. Think Like a Bad Actor—And Use Technology to Step Up Your Game

When I was in law enforcement working the midnight shift, one of our regular tasks was to drive around closed businesses looking for unlocked doors and windows. We were thinking like criminals, looking for exactly the same kinds of opportunities they might use to find a way in. Today’s CISOs need to apply this same mindset to their broader vendor ecosystem, but at a much larger scale.

Take the Colonial Pipeline ransomware attack as an example. Their breach didn’t happen because of one wide-open vulnerability. It came from a combination of small failures that, when properly exploited, created the perfect opportunity for bad actors to wreak havoc. In this case, they had remote access ports open to the public due to a legitimate business need, but they didn’t have multi-factor authentication protecting this access. The attackers were able to use leaked network credentials to get in. And once they did, they were able to move laterally throughout the network.

Most people don’t realize that the Colonial Pipeline attack didn’t actually shut down the gas pipeline. It hit their billing system. But since the bad actors could have gained access to the company’s operational systems, Colonial Pipeline proactively shut everything down. A $5 million ransom and major East Coast fuel disruptions all started because of a few small gaps in their security.

Of course, figuring out which third-party vendors could be putting your company at risk of an attack like this can be like finding a needle in a haystack using traditional methods. This is why we developed our Ransomware Susceptibility Index® (RSI™). It analyzes billions of data points the way an attacker would, helping you figure out which vendors represent your weakest link before an attack happens.

Take the Change Healthcare ransomware attack, which disrupted healthcare operations nationwide in 2024. Our RSI solution identified the vulnerabilities involved seven months before the attack occurred. Healthcare organizations with access to this early warning had the opportunity to address these vulnerabilities before they could be exploited, potentially preventing millions in damages and widespread service disruptions. 

Black Kite’s Ransomware Susceptibility Index® (RSI™) Gave 7 Months’ Warning in the Change Healthcare Attack

2. Stop Trusting Questionnaires and Start Verifying Everything

I’ve seen plenty of vendor security questionnaires over the years. In fairness, they were designed with an admirable goal in mind—helping CISOs identify and address potential risks in their third-party ecosystems. The problem is that they’re not nearly agile enough to handle today’s threats. 

A typical questionnaire might have well-meaning questions like, “Do you have multi-factor authentication in place?” or “Are your remote access protocols secure?” The problem is that the answers vendors give are often aspirational at best. A vendor might really believe they’re following security best practices, but if you can’t verify their responses, you’re building your risk management program on trust alone.

Here, too, thinking like a criminal will serve you well. Are threat actors sending long questionnaires to their targets asking them about their security measures? Obviously not. They don’t need to. They’re using automated tools and AI capabilities to probe for vulnerabilities they can exploit. Unfortunately, the security field hasn’t caught up with the bad guys yet. 

So, just like your would-be attackers do, take advantage of current technology instead of relying on lengthy assessments that take weeks or months to complete and likely won’t give you an accurate view of the threats you face. When a vendor claims that they’re using MFA to protect their remote access ports, wouldn’t you rather verify that claim right away instead of taking it at face value a few weeks or months from now? 

An advanced TPRM solution can help you get this done in record time. At Black Kite, our platform can pre-answer almost all standard security questionnaires by collecting actual evidence of a vendor’s controls and compliance measures. This way, instead of chasing paper trails, you can focus on addressing the gaps that matter most to your business.

3. Put a Dollar Value on Your Vendor Risks

Most security teams can show you a dashboard full of red, green, and yellow indicators that are supposed to highlight the most important risks. But what happens when everything is marked red? Let’s say you’ve discovered ten vendors in your environment that have serious security issues requiring your attention. One of them might cost your company $10 million in damages if a breach happens, while the others might run you $50,000 each. When you use this lens to decide which risks to deal with first, your decision about where to invest your limited resources becomes a lot easier. 

This is why, at Black Kite, we’ve integrated the Open FAIR™ model into our platform. Open FAIR™ can fundamentally transform how you manage vendor risk. Many security professionals still conflate vulnerabilities or system outages with risk, but real risk is about impact—specifically, the financial impact to your business. If you can’t convert a security threat into dollars and cents, then you’re missing the bottom-line perspective that your board and executive team need to make the right call.

Determining the financial impact of your vendor risks isn’t just helpful for getting budget approval. It can also help you build a more innovative and more strategic security program over the long term. When you understand the actual financial stakes involved with each vendor relationship, you can make smarter decisions about everything from the security requirements you include in your vendor contracts to how much time your team spends on assessments and monitoring.

It’s Well Past Time to Answer the Wake-Up Call 

As the 2025 Third-Party Breach Report makes clear, when it comes to ransomware and other major threats, the wake-up call has come and gone. As a community, CISOs haven’t yet answered it. On the other hand, there’s never been a better time to do so. We have proven processes and great tools to make the necessary changes and make them stick. 

These three actions—thinking like a bad actor, moving beyond static questionnaires, and putting a dollar value on your risks—might seem straightforward. But they require a fundamental shift in how we think about TPRM. Organizations have to stop defaulting to familiar low-entropy approaches from years gone by that don’t address modern threats and start building the kind of agility adversaries have already employed for some time now.

For more insights on the current third-party cyber risk landscape, read our 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024. No downloads required.






