FOCUS FRIDAY: Strategic TPRM Insights Into ScreenConnect and Roundcube Vulnerabilities
Written by: Ferdi Gül
Welcome to this week’s Focus Friday, where we spotlight the latest high-profile cybersecurity threats and examine their implications from a Third-Party Risk Management (TPRM) perspective. As organizations increasingly rely on a complex web of external vendors and services, timely identification and mitigation of critical vulnerabilities are essential. This edition highlights two major vulnerabilities—one in ConnectWise ScreenConnect and the other in Roundcube Webmail. Both issues introduce significant risk potential and require careful vendor outreach and technical remediation. With Black Kite’s FocusTags™, TPRM professionals are equipped to respond precisely and proactively. The Black Kite research group issues FocusTags on the most critical vulnerabilities impacting third-party cyber ecosystems from the full CVE Database.

CVE-2025-3935 – ScreenConnect Improper Authentication Vulnerability
What is the ScreenConnect Improper Authentication Vulnerability?
CVE-2025-3935 is a high-severity improper authentication vulnerability affecting ConnectWise ScreenConnect. The flaw exists in the handling of ASP.NET Web Forms ViewState data. If an attacker obtains the application’s machine keys, they can craft malicious ViewState payloads, potentially leading to remote code execution on the affected server. This vulnerability is categorized as Improper Authentication (CWE-287) and has a CVSS v3.1 base score of 8.1, indicating a high level of severity. Its EPSS score is 19.47%, suggesting a moderately high likelihood of exploitation in the wild.
The vulnerability was publicly disclosed on April 25, 2025. It has since been exploited in real-world attacks, with ConnectWise confirming a breach linked to nation-state threat actors who leveraged this flaw to gain unauthorized access. Due to its critical implications and active exploitation, the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on June 2, 2025. The PoC is publicly available.
Why Should TPRM Professionals Be Concerned?
ScreenConnect is a remote support and remote desktop solution used by IT teams and service providers to access client endpoints and internal assets. A vulnerability in such a remote access tool creates a significant security risk. If exploited, attackers can take control of remote sessions, access sensitive internal systems, or impersonate trusted technicians.
From a third-party risk management perspective, if a vendor is running an unpatched version of ScreenConnect, they may unknowingly expose their systems—and potentially their clients’ environments—to compromise. Such remote access tools can be leveraged for lateral movement, data exfiltration, or as initial access points in larger supply chain attack campaigns. The risk is amplified in environments where ScreenConnect is accessible over the internet and lacks additional authentication or network restrictions.
What Questions Should TPRM Professionals Ask Vendors?
To assess their exposure to this vulnerability, TPRM professionals should ask vendors the following:
- Have you applied the 2025.4 patch (or later) to all instances of ScreenConnect to mitigate the risk of ViewState code injection as per CVE-2025-3935?
- Have you generated new machine keys and updated the web.config via the TransformWebConfig.xsl process after patching to invalidate any potentially stolen keys?
- Have you implemented measures to monitor for anomalous POST requests containing oversized __VIEWSTATE parameters and unexpected deserialization errors in server logs, which could indicate exploitation of this vulnerability?
- Have you taken steps to store decryptionKey and validationKey outside of web-accessible directories and restrict filesystem permissions to prevent unauthorized read access, as recommended in the advisory?
Remediation Recommendations for Vendors Subject to This Risk
Vendors using vulnerable versions of ScreenConnect should take the following steps to remediate the risk:
- Apply the Patch: Upgrade to ScreenConnect version 25.2.4 or newer, which disables ViewState and mitigates the vulnerability.
- Rotate Machine Keys: Replace machine keys used by the ASP.NET application to prevent reuse of compromised tokens.
- Restrict Access: Limit access to the ScreenConnect interface to trusted IP ranges and enforce multi-factor authentication.
- Audit Remote Access Logs: Review access logs and monitor for anomalies or indicators of compromise related to ViewState manipulation.
How TPRM Professionals Can Leverage Black Kite for This Vulnerability
Black Kite published the ScreenConnect – May2025 FocusTag shortly after the public disclosure of CVE-2025-3935. The FocusTag helps TPRM professionals quickly identify vendors within their supply chain that are potentially exposed to this vulnerability.
Black Kite’s platform surfaces detailed intelligence, including internet-exposed assets (such as IP addresses and subdomains) that indicate the presence of vulnerable ScreenConnect instances. This level of asset granularity allows risk managers to prioritize outreach and mitigation efforts without burdening all vendors with blanket assessments. The tag includes both current exposure and historical insights where relevant, offering a clear view into third-party vulnerability posture. This significantly accelerates the risk triage process and reduces vendor fatigue by enabling targeted, evidence-backed engagement.

CVE-2025-49113 – Roundcube Webmail Remote Code Execution Vulnerability
What is the Roundcube Webmail Remote Code Execution Vulnerability?
CVE-2025-49113 is a critical remote code execution (RCE) vulnerability in Roundcube Webmail versions prior to 1.5.10 and 1.6.11. The flaw arises from improper validation of the _from parameter in the upload.php script, leading to PHP object deserialization. An authenticated attacker can exploit this vulnerability by sending a crafted POST request containing a malicious serialized PHP object, which, when deserialized, can execute arbitrary code on the server under the webserver’s user context.
This vulnerability is categorized under CWE-502 (Deserialization of Untrusted Data) and has been assigned a CVSS v3.1 base score of 9.9, indicating a critical severity level. The Exploit Prediction Scoring System (EPSS) score is 0.66%, suggesting a moderate likelihood of exploitation in the wild. The vulnerability was publicly disclosed on June 1, 2025. As of now, there is no evidence of exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA has not published a specific advisory regarding this vulnerability. The PoC is publicly available.
Why Should TPRM Professionals Be Concerned?
Roundcube Webmail is a widely used open-source webmail client that integrates with various mail servers. A vulnerability in such a platform poses significant risks:
- Unauthorized Access: Exploitation can lead to unauthorized access to sensitive email communications, contact lists, and potentially other internal systems.
- Data Exfiltration: Attackers can exfiltrate confidential information, leading to data breaches and compliance violations.
- Lateral Movement: Compromised webmail servers can serve as entry points for attackers to move laterally within an organization’s network.
- Supply Chain Risks: If a third-party vendor’s Roundcube instance is compromised, it can be leveraged to launch attacks against connected clients, amplifying the impact across the supply chain.
What Questions Should TPRM Professionals Ask Vendors?
To assess the potential exposure and remediation efforts of vendors, TPRM professionals should consider the following questions:
- Can you confirm if you have updated all instances of Roundcube Webmail to versions 1.5.10 or later and 1.6.11 or later to mitigate the risk of CVE-2025-49113?
- Have you implemented multi-factor authentication for all mail users and restricted access to Roundcube’s upload.php to authorized IP ranges as recommended?
- Have you reviewed the file permissions to ensure that the webserver user has only the minimum necessary filesystem permissions to limit post-exploitation damage?
- Are you monitoring server logs for POST requests to program/actions/settings/upload.php that include unusually large or nonstandard serialized data as an indicator of potential exploitation of this vulnerability?
Remediation Recommendations for Vendors Subject to This Risk
Vendors utilizing vulnerable versions of Roundcube Webmail should take the following actions:
- Upgrade Roundcube: Update to version 1.5.10 or 1.6.11, which includes patches addressing the deserialization vulnerability.
- Restrict Access: Implement access controls on the upload.php script, limiting it to authorized IP addresses or authenticated users.
- Review Permissions: Audit and adjust file system permissions to ensure the webserver user operates with the least privilege necessary.
- Monitor Logs: Continuously monitor server logs for indicators of exploitation attempts, such as unusual POST requests to the vulnerable script.
- Audit User Accounts: Review all authenticated user accounts for signs of compromise, such as unexpected configuration changes or unauthorized mail forwarding rules.
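The log-monitoring recommendations for both vulnerabilities (oversized __VIEWSTATE POST bodies for ScreenConnect; nonstandard serialized data sent to Roundcube’s upload.php) can be turned into a simple triage filter. The following is an added example, not code from Black Kite, ConnectWise or Roundcube; it assumes a reverse proxy or WAF writes one JSON object per request with the decoded form parameters, and the sample events and thresholds are constructed for illustration.

```python
import json
import re

# Threshold is an assumption for illustration; tune it to the deployment's
# observed baseline for legitimate ViewState sizes.
VIEWSTATE_MAX_LEN = 4096
ROUNDCUBE_UPLOAD_RE = re.compile(r"/settings/upload\.php$")
# PHP serialization markers (object/array/string with a length prefix) that
# should never appear in Roundcube's _from parameter, a short plain token.
PHP_SERIALIZED_RE = re.compile(r'(?:^|[^A-Za-z])[OaCs]:\d+:')


def classify(event):
    """Return indicator names for one parsed request event (empty = benign)."""
    hits = []
    if event.get("method", "").upper() != "POST":
        return hits  # both indicators concern POST bodies only
    params = event.get("params", {})
    # ScreenConnect: oversized __VIEWSTATE payload in a POST body
    viewstate = params.get("__VIEWSTATE")
    if viewstate is not None and len(viewstate) > VIEWSTATE_MAX_LEN:
        hits.append("oversized_viewstate")
    # Roundcube: upload.php called with a _from value that is not a plain token
    if ROUNDCUBE_UPLOAD_RE.search(event.get("path", "")):
        frm = params.get("_from", "")
        if (PHP_SERIALIZED_RE.search(frm) or len(frm) > 64
                or not re.fullmatch(r"[\w-]*", frm)):
            hits.append("suspicious_roundcube_from")
    return hits


def scan(lines):
    """Return [(line_no, indicators)] for every JSON-lines event that matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        hits = classify(event)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events (not real traffic); line 6 is deliberately malformed.
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/Login", "params": {"__VIEWSTATE": "A" * 200}}),
    json.dumps({"method": "POST", "path": "/Login", "params": {"__VIEWSTATE": "A" * 5000}}),
    json.dumps({"method": "POST", "path": "/program/actions/settings/upload.php", "params": {"_from": "edit-identity"}}),
    json.dumps({"method": "POST", "path": "/program/actions/settings/upload.php", "params": {"_from": 'O:8:"stdClass":0:{}'}}),
    json.dumps({"method": "GET", "path": "/program/actions/settings/upload.php", "params": {"_from": 'O:8:"stdClass":0:{}'}}),
    "{not json",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

Hits are a triage signal, not proof of compromise: pair an oversized ViewState with deserialization errors in the application log, and a flagged upload.php request with the authenticated user’s session before escalating.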
How TPRM Professionals Can Leverage Black Kite for This Vulnerability
Black Kite published the “Roundcube Webmail – Jun2025” FocusTag on June 4, 2025, shortly after the public disclosure of CVE-2025-49113. This FocusTag enables TPRM professionals to identify vendors within their supply chain that may be running vulnerable versions of Roundcube Webmail.
The FocusTag provides detailed intelligence, including:
- Vendor Identification: A list of vendors potentially affected by the vulnerability.
- Asset Details: Information on exposed assets, such as IP addresses and subdomains, associated with vulnerable Roundcube instances.
- Risk Assessment: Insights into the potential impact on your supply chain, allowing for prioritized risk mitigation.

Empowering TPRM Precision with Black Kite’s FocusTags™
In today’s high-velocity threat environment, cybersecurity incidents emerge rapidly and can ripple through vendor ecosystems in a matter of hours. Black Kite’s FocusTags™ are designed to empower TPRM teams to respond decisively and with clarity. This week’s tags for ConnectWise ScreenConnect and Roundcube Webmail exemplify how these tools enable strategic, efficient risk management.
- Timely Exposure Mapping: FocusTags™ highlight vendors operating vulnerable software as soon as critical CVEs are published—offering a head start before threat actors capitalize.
- Precision Risk Targeting: TPRM professionals can prioritize engagement based on severity and exposure, rather than casting broad, inefficient nets.
- Focused Dialogue with Vendors: By supplying technical context and proof of exposure (such as IP addresses or subdomains), Black Kite helps streamline vendor communication and remediation verification.
- Continuous Visibility: With updated intelligence on evolving incidents, FocusTags™ ensure your risk perspective keeps pace with the threat landscape.
Rather than overwhelming TPRM teams with noise, Black Kite’s FocusTags™ deliver curated, context-rich intelligence to enable smarter third-party assessments and faster incident response cycles.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags™ in the Last 30 Days:
- Roundcube Webmail – Jun2025: CVE-2025-49113, Remote Code Execution Vulnerability, Deserialization of Untrusted Data in Roundcube Webmail.
- ScreenConnect – May2025: CVE-2025-3935, Improper Authentication Vulnerability in ConnectWise ScreenConnect.
- Zimbra – May2025: CVE-2024-27443, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration (ZCS).
- DrayTek Vigor – May2025: CVE-2024-12987, OS Command Injection Vulnerability in DrayTek Vigor Routers.
- Atlassian Jira Data Center: CVE-2025-22157, Privilege Escalation Vulnerability in Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server.
- Tornado Web Server: CVE-2025-47287, DoS Vulnerability in Tornado Web Server.
- MDaemon Email Server: CVE-2024-11182, Cross-Site Scripting (XSS) Vulnerability in MDaemon Email Server.
- Ivanti EPMM – May2025: CVE-2025-4427, CVE-2025-4428, Authentication Bypass and Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile (EPMM).
- SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
- Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
- Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
- Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
- SAP NetWeaver VCFRAMEWORK: CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
- Apache Tomcat – Apr2025: CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
- Fortinet Symlink Backdoor: CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
- SonicWall SSLVPN Gen7: CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
- Redis Server: CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag at https://blackkite.com/cve-database/.