Focus Friday: TPRM Actions for DJANGO, FREEPBX, and HASHICORP VAULT Vulnerabilities
Welcome to this week’s edition of Focus Friday. Each week, we take a closer look at high-profile vulnerabilities that carry implications not just for security teams but also for Third-Party Risk Management (TPRM) programs. The goal is to help organizations cut through the noise, understand which incidents matter most, and determine how these issues could affect their vendor ecosystem.
This week’s blog covers three significant developments: a high-severity SQL injection vulnerability in Django, an actively exploited remote code execution flaw in FreePBX, and a denial-of-service vulnerability affecting HashiCorp Vault. Each of these products serves as critical infrastructure for many organizations—ranging from web frameworks and telephony systems to secrets management platforms. Understanding their risks from a TPRM perspective allows you to prioritize your vendor outreach and strengthen resilience across the supply chain.
One of the most notable incidents this week was the supply-chain attack through the Salesloft Drift integration. By exploiting a single chatbot component, attackers gained direct access to the Salesforce environments of hundreds of companies. From there, they pivoted into other systems, exfiltrated sensitive data, and actively hunted for credentials.
You can find our in-depth technical analysis and third-party risk perspective on this incident in our dedicated blog post.

Filtered view of companies with Django FocusTag™ on the Black Kite platform.
CVE-2025-57833 (DJANGO)
What is this SQL Injection Vulnerability in Django’s FilteredRelation?
CVE-2025-57833 is a high-severity SQL injection vulnerability (CVSS 7.1) in Django’s FilteredRelation component. The flaw arises when **kwargs passed to QuerySet.annotate() or QuerySet.alias() are manipulated via a crafted dictionary expansion, enabling arbitrary SQL command execution.
- Type: SQL injection
- Severity: High
- CVSS: 7.1 (as listed)
- EPSS score: 0.02%
- First Published: September 3, 2025 (security release published by Django)
- Exploitation status: No known exploitation in the wild; no public proof-of-concept exists.
- CISA KEV Catalog Status: Not listed. There is no indication that CISA has added this to its Known Exploited Vulnerabilities (KEV) catalog.
- CISA Advisory: No advisory has been published by CISA for this vulnerability.
Why should TPRM professionals be concerned?
From a third-party risk management (TPRM) standpoint, this vulnerability can be particularly damaging if vendors use Django frameworks in customer-facing or internal applications. A successful SQL injection exploit could lead to unauthorized access, alteration, or deletion of sensitive data. If a vendor’s SaaS platform or web service relies on dynamic query generation with FilteredRelation, the risk is elevated—potential data breaches or downstream fraud could follow.
What questions should TPRM professionals ask vendors?
To understand your exposure related to CVE-2025-57833, please clarify the following:
- Can you confirm if you have upgraded all instances of Django to versions 5.2.6, 5.1.12, or 4.2.24 to mitigate the risk of CVE-2025-57833?
- Have you reviewed your Django application code for instances where `FilteredRelation` is used in conjunction with `QuerySet.annotate()` or `QuerySet.alias()` with dictionary expansion (using `kwargs`) to understand potential exposure points?
- Are there any places in your Django application where `FilteredRelation` is used in a non-default configuration? Such usage is assessed at a HIGH confidence level for this vulnerability.
- Do you have a process in place to regularly monitor the Django project’s security releases and advisories to ensure timely application of patches for any future vulnerabilities, specifically related to SQL injection vulnerabilities like CVE-2025-57833?
Remediation Recommendations for Vendors
To address this issue, vendors should do the following:
- Upgrade Django immediately to one of the patched versions—5.2.6, 5.1.12, or 4.2.24.
- Audit code where FilteredRelation is used with QuerySet.annotate() or .alias()—specifically looking for dynamic dictionary expansions (**kwargs) that could be manipulated.
- Test thoroughly in staging and production, ensuring that no unexpected SQL behavior occurs post-upgrade.
- Review dependency management to ensure automated patching or version enforcement mechanisms are in place for Django security updates.
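To make the code audit in the second recommendation concrete, here is an added example (our own illustration, not Django project code) that flags `annotate()`/`alias()` call sites taking a `**`-expanded mapping in modules that use `FilteredRelation`, plus a runtime guard that only expands allowlisted identifier keys. The `SAMPLE_SOURCE`, `Finding` and `checked_aliases` names are constructed for this example.

```python
import ast
from dataclasses import dataclass

# Constructed sample of Django-style code, not taken from any real project.
SAMPLE_SOURCE = '''\
from django.db.models import FilteredRelation, Q

def search(request, qs):
    # alias names come straight from the query string: this site needs review
    annotations = {
        name: FilteredRelation("book", condition=Q(book__title=name))
        for name in request.GET.getlist("f")
    }
    return qs.annotate(**annotations)

def recent(qs):
    # static alias name: not affected by the dictionary-expansion issue
    return qs.alias(recent=FilteredRelation("book", condition=Q(book__year__gt=2020)))
'''

SINKS = ("annotate", "alias")


@dataclass
class Finding:
    line: int
    method: str
    expanded: str  # source text of the **-expanded expression


def find_dynamic_expansions(source: str) -> list[Finding]:
    """Flag QuerySet.annotate()/alias() calls that take a **-expanded mapping
    in a module that uses FilteredRelation; those are the call sites to audit."""
    tree = ast.parse(source)
    uses_filtered_relation = any(
        isinstance(n, ast.Name) and n.id == "FilteredRelation" for n in ast.walk(tree)
    )
    if not uses_filtered_relation:
        return []
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS):
            for kw in node.keywords:
                if kw.arg is None:  # a keyword with arg None is a **mapping expansion
                    findings.append(Finding(node.lineno, node.func.attr, ast.unparse(kw.value)))
    return findings


def checked_aliases(mapping: dict, allowed: set[str]) -> dict:
    """Runtime guard for flagged sites: only expand a mapping whose keys are plain
    identifiers from an allowlist, so no caller-chosen text becomes a SQL alias."""
    for key in mapping:
        if not (isinstance(key, str) and key.isidentifier() and key in allowed):
            raise ValueError(f"refusing alias name {key!r}")
    return dict(mapping)
```

Run the scanner over each module of the application; a reported `line` points at the dictionary expansion to review, and `checked_aliases` wraps the mapping at that site after the upgrade.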
How can TPRM professionals leverage Black Kite for this vulnerability?
Black Kite’s FocusTag for Django enables TPRM teams to identify precisely which of their vendors may be exposed to CVE-2025-57833. Once the tag is published, it surfaces vendors running unpatched, vulnerable versions. It also provides asset intelligence—such as IP addresses or subdomains where Django is deployed—so security teams can directly target and validate remediation. If the tag gets updated (for example, noting deployment patterns), TPRM teams can transform that into actionable workflows, automating outreach to vendors who remain exposed over time.

Black Kite’s Django FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-57819 (FREEPBX)
FreePBX is an open-source IP PBX (Private Branch Exchange) software. In other words, it allows organizations and individuals to set up and manage their own VoIP (Voice over IP) phone systems.
What is this RCE Vulnerability in FreePBX?
CVE-2025-57819 represents a critical remote code execution vulnerability in the FreePBX “endpoint” module, rooted in insufficient sanitization of user input. This allows unauthenticated attackers to bypass authentication to the Administrator Control Panel (ACP), then manipulate the database arbitrarily and achieve RCE, potentially with root-level privileges. The vulnerability carries:
- Severity: Critical (CVSS v4: 10.0)
- EPSS: 43.74%
- Published: Late August 2025, with advisories starting August 26–28
- Exploitation: Active exploitation in the wild, traced back to on or before August 21, 2025, particularly on systems with publicly exposed ACP and weak network controls
- CISA KEV: Included in CISA’s Known Exploited Vulnerabilities Catalog on August 29, 2025; remediation for federal agencies required by September 19, 2025
- CISA Advisory: Confirmed via KEV entry; no separate technical advisory beyond the catalog listing
Why should TPRM professionals be concerned?
FreePBX serves as the administrative interface for VoIP systems based on Asterisk—an integral part of business communications. Exploitation of this vulnerability can result in full system takeover, leading to:
- Interception, rerouting, or manipulation of voice calls and voicemail
- Unauthorized access to sensitive configuration, billing, or call data
- Deployment of malware or firmware-level compromise
- Use of compromised PBX as a pivot point into broader enterprise networks
- Significant operational disruption and reputational damage to organizations reliant on voice infrastructure
What questions should TPRM professionals ask vendors?
To assess exposure, TPRM teams can ask:
- Can you confirm if you have upgraded all instances of FreePBX to the patched versions (15.0.66, 16.0.89, or 17.0.3) to mitigate the risk of CVE-2025-57819?
- Have you implemented continuous monitoring of FreePBX systems for unusual activity, unauthorized access attempts, and any signs of privilege escalation or malicious file deployment as recommended in the advisory?
- Have you restricted public internet access to the FreePBX administrator control panel and implemented strong IP filtering or Access Control Lists (ACLs) to ensure only trusted networks or hosts can reach the ACP?
- Have you checked for the presence of the file “/var/www/html/.clean.sh” and reviewed Apache web server logs for suspicious POST requests to “modular.php” as part of your scanning for Indicators of Compromise (IoCs)?
Remediation Recommendations for Vendors
Vendors should take immediate actions, including:
- Upgrade FreePBX immediately to patched versions: 15.0.66, 16.0.89, or 17.0.3.
- Restrict ACP access by limiting it to trusted IP ranges via firewall or access control modules.
- Scan for Indicators of Compromise (IoCs) such as unusual files, logs, calls to extension 9998, or suspect users in the database.
- Assume compromise if ACP was exposed – disconnect, rebuild from clean backups, rotate credentials (system, SIP, voicemail), and audit call logs for fraud.
- Implement continuous monitoring for unusual activity, and enable automated updates or patch notifications.
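As an added example of the IoC checks above (our own illustration, not from the FreePBX advisory), the following script looks for the `.clean.sh` file under the web root and summarizes POST requests to `modular.php` by source address from an Apache access log. The log lines and the `/admin/` path prefix are constructed for this example.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed Apache combined-format lines for the example, not a real capture.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [21/Aug/2025:02:11:05 +0000] "GET /admin/config.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Aug/2025:02:11:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.23 - - [21/Aug/2025:02:12:41 +0000] "GET /admin/modular.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Aug/2025:02:13:02 +0000] "POST /admin/modular.php HTTP/1.1" 200 498 "-" "python-requests/2.32"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def modular_posts(log_text: str) -> list[dict]:
    """Return every POST whose request target (query string stripped) ends in modular.php."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["target"].split("?", 1)[0]
        if m["method"] == "POST" and path.rsplit("/", 1)[-1] == "modular.php":
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "status": m["status"]})
    return hits


def posts_by_source(hits: list[dict]) -> dict[str, int]:
    """Count the flagged POSTs per client address to prioritize which sources to investigate."""
    return dict(Counter(h["ip"] for h in hits))


def clean_sh_present(webroot: str = "/var/www/html") -> bool:
    """Check for the .clean.sh file named in the advisory under the given web root."""
    return (Path(webroot) / ".clean.sh").exists()


if __name__ == "__main__":
    found = modular_posts(SAMPLE_ACCESS_LOG)
    print("POSTs to modular.php by source:", posts_by_source(found))
    print(".clean.sh present:", clean_sh_present())
```

Point `modular_posts` at the real access log contents and run `clean_sh_present()` on the PBX itself; any hit is a reason to follow the "assume compromise" step above rather than a confirmation of clean state.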
How can TPRM professionals leverage Black Kite for this vulnerability?
Black Kite’s FocusTag for FreePBX surfaces vendors potentially exposed to CVE-2025-57819. TPRM teams gain visibility into:
- Which vendors are running vulnerable FreePBX versions
- Assets at risk—including exposed IP addresses or domains with accessible ACP
- Whether the tag contains updates over time, enabling workflow automation and prioritized outreach
- Operationalization through integration with inventory and patch tracking systems—transforming exposure data into tracking and remediation metrics

Black Kite’s FreePBX FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-6203 (VAULT)
HashiCorp Vault is an open-source tool that helps you securely manage sensitive information, such as API keys, passwords, tokens, certificates, and encryption keys. Rather than hardcoding secrets into your code or leaving them in plain text, Vault gives you a centralized, encrypted system with fine-grained access control.
What is this Denial-of-Service Vulnerability in Vault?
CVE-2025-6203 is a high-severity denial-of-service (DoS) vulnerability in HashiCorp Vault (Community and Enterprise). A malicious actor can submit a specially crafted, complex JSON payload—within the default maximum request size limit—that triggers excessive CPU and memory consumption. This overload leads to a timeout in Vault’s auditing process, potentially causing the server to become unresponsive. The vulnerability impacts Vault versions from 1.15.0 up to 1.20.2 (including specific intermediate versions), and is patched in the following releases:
- Vault Community Edition: 1.20.3
- Vault Enterprise Editions: 1.20.3, 1.19.9, 1.18.14, and 1.16.25
Key technical metrics include:
- CVSS 3.1 score: 7.5 (High)
- EPSS score: 0.05%
- Attack vector: Network-based, unauthenticated, low complexity
- Availability impact: High (service disruption; confidentiality and integrity unaffected)
The vulnerability was first published on August 28, 2025, with updates following on August 29, 2025.
Currently, there is no evidence of active exploitation by threat actors, nor is it listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog; accordingly, no CISA advisory has been issued.
Why should TPRM professionals care?
Vault serves as a cornerstone for secrets management, facilitating authentication, encryption, and policy enforcement within critical infrastructure environments. A successful exploit of this DoS vulnerability could render Vault unavailable, disrupting authentication flows, secret delivery, and auditing capabilities. For organizations relying on Vault for automated deployments, CI/CD pipelines, or microservice authentication, this can halt operations and expose the organization to broader operational and security risks.
What questions should TPRM professionals ask vendors?
To gauge exposure and readiness, TPRM professionals can ask vendors:
- Have you upgraded all instances of HashiCorp Vault Community and Enterprise editions to the patched versions (1.20.3, 1.19.9, 1.18.14, and 1.16.25) to mitigate the risk of CVE-2025-6203?
- Have you implemented the new listener configuration options (`max_json_depth`, `max_json_string_value_length`, `max_json_object_entry_count`, and `max_json_array_element_count`) introduced in the patched versions to provide granular control over JSON payload structures and prevent exploitation?
- Are you continuously monitoring the memory and CPU utilization of Vault servers for any unusual spikes or anomalies, which could indicate an attempted or successful DoS attack, even after applying patches?
- Can you confirm that you have set limits on JSON request payloads using the new listener options (`max_json_depth`, `max_json_string_value_length`, `max_json_object_entry_count`, and `max_json_array_element_count`) to prevent potential Denial-of-Service attacks through complex JSON payloads?
Remediation Recommendations for Vendors
Vendors should act immediately:
- Upgrade Vault to the patched versions listed above to eliminate exposure.
- Implement new listener settings for granular control over JSON inputs.
- Enforce stricter payload constraints at the network or load balancer level as a secondary safeguard.
- Continuously monitor system performance, with automated alerts for abnormal CPU or memory usage.
- Conduct stress testing to validate that Vault can handle malformed or complex payloads without failure.
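As an added illustration of the secondary safeguard (our own example, not HashiCorp code), this pre-filter measures the same four properties the new listener options constrain and rejects a payload that exceeds any of them before it reaches Vault. The limit values are constructed for the example, not Vault’s defaults, and keys are counted as strings here by assumption.

```python
import json

# Names mirror the listener options added in the patched releases; the values
# are constructed for this example and are not Vault's defaults.
LIMITS = {
    "max_json_depth": 20,
    "max_json_string_value_length": 1024,
    "max_json_object_entry_count": 100,
    "max_json_array_element_count": 100,
}


def json_shape(payload: bytes) -> dict[str, int]:
    """Measure nesting depth, longest string, widest object and longest array with an
    iterative walk, so a deeply nested document cannot exhaust the stack in the walk."""
    doc = json.loads(payload)
    shape = {name: 0 for name in LIMITS}
    stack = [(doc, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            shape["max_json_depth"] = max(shape["max_json_depth"], depth)
            shape["max_json_object_entry_count"] = max(shape["max_json_object_entry_count"], len(node))
            for key, value in node.items():
                # keys are counted as strings here (an assumption of this example)
                shape["max_json_string_value_length"] = max(shape["max_json_string_value_length"], len(key))
                stack.append((value, depth + 1))
        elif isinstance(node, list):
            shape["max_json_depth"] = max(shape["max_json_depth"], depth)
            shape["max_json_array_element_count"] = max(shape["max_json_array_element_count"], len(node))
            stack.extend((value, depth + 1) for value in node)
        elif isinstance(node, str):
            shape["max_json_string_value_length"] = max(shape["max_json_string_value_length"], len(node))
    return shape


def violations(payload: bytes, limits: dict[str, int] = LIMITS) -> list[str]:
    """Names of the limits a payload exceeds; an unparseable document (or one so deep
    that the parser itself gives up) is reported as its own violation rather than passed on."""
    try:
        shape = json_shape(payload)
    except (ValueError, RecursionError):
        return ["unparseable"]
    return [name for name, cap in limits.items() if shape[name] > cap]
```

A byte-size check alone would pass every payload below, which is the point the vulnerability makes: the cost is in the structure, not the length.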
How can TPRM professionals leverage Black Kite for this vulnerability?
Once Black Kite publishes the Vault FocusTag (Sep 2025), TPRM teams can:
- Identify which vendors are running vulnerable Vault versions.
- Receive details on the specific assets (e.g., IPs or domains) where Vault is deployed.
- Monitor updates to the tag for new data (e.g., detection of misconfigurations or deployment patterns).
- Integrate the tag into outreach and remediation workflows, enhancing efficiency and prioritization.

Black Kite’s Vault – Sep2025 FocusTag™ details critical insights on the event for TPRM professionals.
ENHANCING TPRM STRATEGIES WITH BLACK KITE’S FOCUSTAGS™
Managing third-party risk effectively requires timely insights into which vendors may be impacted by emerging vulnerabilities. That’s where Black Kite’s FocusTags™ make a difference. In this week’s blog, we’ve explored vulnerabilities that span application frameworks, communication systems, and enterprise secrets management. With such a wide impact surface, the ability to quickly identify affected vendors is essential.
Black Kite’s FocusTags™ help by delivering:
- Real-Time Exposure Tracking: Surface vendors tied to specific vulnerabilities like Django SQL injection, FreePBX RCE, or Vault DoS, enabling a rapid and focused response.
- Prioritized Vendor Risk Assessment: Combine vulnerability severity with vendor importance to direct attention where it matters most.
- Actionable Vendor Engagement: Empower TPRM teams to ask informed, targeted questions about patch status, monitoring practices, and exposure controls.
- Holistic Risk Oversight: Provide a comprehensive view of vendor ecosystems, ensuring that risks tied to widely deployed open-source and enterprise tools are not overlooked.
By transforming complex threat data into precise, vendor-specific intelligence, Black Kite’s FocusTags™ equip organizations to address third-party risks more effectively and efficiently. This ensures that when vulnerabilities emerge—as they did this week—TPRM teams can move from broad, reactive assessments to targeted, proactive actions that truly strengthen enterprise security.
ABOUT FOCUS FRIDAY
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FOCUSTAGS™ IN THE LAST 30 DAYS:
- Django : CVE-2025-57833, SQL Injection Vulnerability in Django.
- FreePBX : CVE-2025-57819, Remote Code Execution Vulnerability in Sangoma’s FreePBX.
- Vault – Sep2025 : CVE-2025-6203, DoS Vulnerability in HashiCorp Vault.
- Citrix NetScaler – Aug2025 : CVE-2025-7775, CVE-2025-7776, CVE-2025-8424, Memory Overflow Vulnerability, Remote Code Execution Vulnerability, DoS Vulnerability, Improper Access Control Vulnerability in Citrix NetScaler ADC/Gateway.
- Salesforce Tableau – Aug2025 : CVE-2025-26496, CVE-2025-26497, CVE-2025-26498, CVE-2025-52450, CVE-2025-52451, Type Confusion Vulnerability, Remote Code Execution Vulnerability, Unrestricted File Upload Vulnerability, Path Traversal Vulnerability, Improper Input Validation Vulnerability in Salesforce Tableau.
- MadeYouReset HTTP/2 DoS Attack : CVE-2025-8671, CVE-2025-48989, CVE-2025-54500, CVE-2025-55163, CVE-2025-36047, MadeYouReset DoS Vulnerability in HTTP/2.
- Ivanti Connect Secure – Aug2025 : CVE-2025-5456, CVE-2025-5462, Out-of-bound Read Vulnerability, DoS Vulnerability, Buffer Overflow Vulnerability in Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti ZTA Gateway, Ivanti Neurons for Secure Access.
- PostgreSQL – Aug2025 : CVE-2025-8713, CVE-2025-8714, CVE-2025-8715, Arbitrary Code Injection Vulnerability, Exposure of Sensitive Information Vulnerability in PostgreSQL.
- Plesk Obsidian : CVE-2025-54336, Incorrect Comparison Vulnerability in Plesk Obsidian.
- Exchange Server – Aug2025 : CVE-2025-53786, CVE-2025-25005, CVE-2025-25006, CVE-2025-25007, CVE-2025-33051, Improper Authentication, Input Validation, and Information Disclosure Vulnerabilities.
- MSSQL – Aug2025 : CVE-2025-49758, CVE-2025-24999, CVE-2025-53727, CVE-2025-49759, CVE-2025-47954, Privilege Escalation and SQL Injection Vulnerabilities.
- N-able N-Central RMM : CVE-2025-8875, CVE-2025-8876, Command Injection Vulnerability in N-able N-Central RMM.
- Squid Proxy – Aug2025 : CVE-2025-54574, Buffer Overflow Vulnerability in Squid Proxy.
- SonicWall SSL VPN – Jul2025 : CVE-2025-40600, Denial of Service Vulnerability in SonicWall SSL VPN.
- Sophos Firewall : CVE-2025-7382, CVE-2024-13973, and CVE-2024-13974, OS Command Injection Vulnerability, SQL Injection Vulnerability, Remote Code Execution Vulnerability in Sophos Firewall.
- Salesforce Tableau : CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454, and CVE-2025-52455, Authorization Bypass Vulnerability, Unrestricted File Upload Vulnerability, Path Traversal Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability in Salesforce Tableau.
- SharePoint ToolShell : CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, Code Injection Vulnerability, Improper Authentication Vulnerability, Remote Code Execution Vulnerability, Path Traversal Vulnerability in Microsoft SharePoint.
See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag™ at https://blackkite.com/cve-database/.
REFERENCES
https://blackkite.com/blog/what-the-salesloft-drift-incident-means-for-tprm
https://www.djangoproject.com/weblog/2025/sep/03/security-releases
https://www.cve.org/CVERecord?id=CVE-2025-57833
https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html
https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
https://www.cve.org/CVERecord?id=CVE-2025-57819
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
https://securityaffairs.com/181693/hacking/experts-warn-of-actively-exploited-freepbx-zero-day.html