Written by: Ferdi Gül

March has been one of the more critical months in terms of vulnerabilities. Alongside this month’s critical vulnerabilities, another major topic in the news this week was the Oracle data breach. You can read the article we shared yesterday on this topic: “Oracle Cloud Breach: Claims, Denials, and the Reality of Cloud Security Risks in TPRM.”

This week’s Focus Friday blog explores three high-profile vulnerabilities affecting widely used systems: Kubernetes Ingress NGINX Controller, Synology DiskStation Manager (DSM), and the Synapse Server. From critical unauthenticated remote code execution risks to denial-of-service vulnerabilities actively exploited in the wild, these flaws not only pose technical threats but also carry deep implications for third-party risk management (TPRM) programs.

For organizations managing complex digital supply chains, knowing which vendors are affected and how they are impacted is critical for prioritizing response and minimizing downstream risk. In this post, we provide in-depth analysis of each vulnerability, highlight questions TPRM professionals should ask their vendors, and demonstrate how Black Kite’s FocusTags™ help streamline risk identification and vendor engagement.

Filtered view of companies with Kubernetes Ingress NGINX FocusTag™ on the Black Kite platform.

CVE-2025-1974: Ingress NGINX Controller Remote Code Execution Vulnerability

What is the Ingress NGINX Controller RCE Vulnerability?

CVE-2025-1974 is a critical vulnerability in the Ingress NGINX Controller for Kubernetes that permits unauthenticated remote code execution (RCE), potentially leading to full cluster compromise. This flaw arises from improper isolation and compartmentalization within the admission controller component. With a CVSS score of 9.8 and an EPSS score of 75.73%, it underscores a significant security risk. Discovered by Wiz Research, the vulnerability was publicly disclosed on March 24, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Attack Vector Overview:

‘IngressNightmare’ is a multi-step attack targeting the Ingress NGINX Controller’s admission controller, which is often exposed over the network without authentication by default. The following flow illustrates how attackers exploit this weak point to achieve full cluster compromise.

IngressNightmare Vulnerability Attack Flow

Why Should TPRM Professionals Be Concerned About This Vulnerability?

The Ingress NGINX Controller is widely used to manage external access to Kubernetes services. A successful exploit of CVE-2025-1974 could allow attackers to execute arbitrary code within the controller’s pod, leading to unauthorized access to all secrets across namespaces and potential full control over the Kubernetes cluster. This poses severe risks, including data breaches, service disruptions, and unauthorized lateral movement within the network.

What questions should TPRM professionals ask vendors regarding this vulnerability?

  1. Have you updated your Ingress NGINX Controller to versions 1.12.1, 1.11.5, or 1.10.7 to mitigate the risk of the ‘IngressNightmare’ vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974)?
  2. Have you implemented strict network policies to limit access to the admission controller as recommended in the advisory to prevent potential exploitation of the ‘IngressNightmare’ vulnerabilities?
  3. Can you confirm if you have taken measures to ensure only the Kubernetes API server can access the admission controller, as a part of your response to the ‘IngressNightmare’ vulnerabilities?
  4. Have you utilized the pre-built query and advisory in the Wiz Threat Center and the Wiz Dynamic Scanner as recommended in the advisory to monitor for anomalies and detect potential exploitation of the ‘IngressNightmare’ vulnerabilities?

Remediation Recommendations for Vendors Subject to This Risk

  • Immediate Patching: Upgrade the Ingress NGINX Controller to versions 1.12.1, 1.11.5, or 1.10.7 to address the vulnerability.
  • Restrict Access: Configure network policies to ensure that only the Kubernetes API server can communicate with the admission controller.
  • Disable Admission Controller: If the admission controller is not essential, consider disabling it to reduce the attack surface.
  • Monitor Systems: Implement continuous monitoring to detect any unusual activity or potential exploitation attempts.
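The “Restrict Access” item above can be expressed as a Kubernetes NetworkPolicy. The manifest below is an added example written for this post; it is not code from the original article or from the ingress-nginx project. It assumes the controller runs in the ingress-nginx namespace with the usual chart labels (app.kubernetes.io/name=ingress-nginx, app.kubernetes.io/component=controller), that the admission webhook listens on TCP 8443 inside the controller pod, and that 10.0.0.0/24 is a placeholder for the source range from which your API server reaches pods.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-admission-restrict
  namespace: ingress-nginx            # assumed: namespace the controller is deployed in
spec:
  # Select the controller pods only; other workloads in the namespace are untouched.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: keep the proxied HTTP/HTTPS traffic reachable from any source.
    # Once a pod is selected by an Ingress policy, anything not listed is dropped,
    # so omitting this rule would take the ingress itself offline.
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # Rule 2: the admission webhook port accepts connections only from the
    # API server's source range. PLACEHOLDER CIDR: replace with the address
    # range your control plane actually uses when it calls webhooks.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 8443
```

Two caveats apply. First, NetworkPolicy objects are enforced by the cluster’s CNI plugin, and the ipBlock rule only helps if the CNI also enforces policy on traffic entering the pod network from the control plane; verify with a test call from an in-cluster pod to port 8443 of the controller, which should now be refused, after applying the policy with kubectl apply. Second, the correct CIDR depends on where the control plane lives (a managed control plane’s private endpoint range versus the control-plane node addresses of a self-managed cluster). If the admission webhook is not needed at all, the “Disable Admission Controller” option above is the simpler choice; the ingress-nginx Helm chart exposes this as the controller.admissionWebhooks.enabled value.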

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has issued a FocusTag™ titled “Kubernetes Ingress NGINX,” highlighting organizations potentially exposed to the ‘IngressNightmare’ vulnerabilities, including CVE-2025-1974. Released on March 25, 2025, this tag enables TPRM professionals to identify and prioritize vendors at risk. Black Kite provides detailed asset information, such as IP addresses and subdomains, associated with the vulnerable products within a vendor’s infrastructure. This intelligence allows for targeted risk assessments and informed decision-making, streamlining the remediation process and enhancing overall supply chain security.

Black Kite’s Kubernetes Ingress NGINX FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-10441: Critical Remote Code Execution Vulnerability in Synology Products

What is the Synology DSM Remote Code Execution Vulnerability?

CVE-2024-10441 is a critical vulnerability identified in Synology’s DiskStation Manager (DSM) and BeeStation Manager (BSM). This flaw arises from improper encoding or escaping of output within the system plugin daemon, allowing remote attackers to execute arbitrary code without authentication. The vulnerability has been assigned a CVSS score of 9.8, indicating its severity. It was publicly disclosed on March 19, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2024-10441?

Synology DSM and BSM are widely used for network-attached storage (NAS) solutions, often housing sensitive organizational data. A successful exploit of this vulnerability could lead to unauthorized access, data exfiltration, or deployment of malicious payloads, compromising data integrity and confidentiality. Third-Party Risk Management (TPRM) professionals must assess the potential impact on their supply chain, especially if vendors utilize Synology products, to prevent cascading security breaches.

What questions should TPRM professionals ask vendors regarding CVE-2024-10441?

  1. Have you upgraded all instances of Synology DiskStation Manager (DSM) to the recommended versions (7.2.2-72806-1, 7.2.1-69057-6, 7.2-64570-4, 7.1.1-42962-7, 6.2.4-25556-8) to mitigate the risk of CVE-2024-10441, CVE-2024-10445, and CVE-2024-50629?
  2. Can you confirm if you have implemented firewall rules and intrusion detection/prevention systems specifically to block potential exploitation attempts related to the improper encoding or escaping of output vulnerability (CVE-2024-10441 and CVE-2024-50629) and the improper certificate validation vulnerability (CVE-2024-10445)?
  3. Have you conducted a security audit on affected systems to check for any unauthorized access or signs of exploitation related to the vulnerabilities in Synology BeeStation Manager (BSM), Synology DiskStation Manager (DSM), and Synology Unified Controller (DSMUC)?
  4. Can you confirm if you have strengthened access controls specifically for Synology products to ensure only authorized users have access to vulnerable systems, as a measure to mitigate the risk of CVE-2024-10441, CVE-2024-10445, and CVE-2024-50629?

Remediation Recommendations for Vendors Affected by CVE-2024-10441

  • Upgrade Synology Products: Apply the latest security updates as per Synology’s advisory. For DSM versions, upgrade to at least 7.2.2-72806-1. For BSM, upgrade to version 1.1-65374 or later.
  • Restrict Network Access: Limit exposure of Synology devices to untrusted networks to reduce potential attack vectors.
  • Monitor System Logs: Regularly review logs for unusual activities that may indicate exploitation attempts.
  • Implement Intrusion Detection Systems (IDS): Deploy IDS to identify and alert on suspicious network traffic targeting Synology devices.

How Can TPRM Professionals Leverage Black Kite for CVE-2024-10441?

Black Kite has issued a FocusTag™ titled “Synology DSM” to assist in identifying potential exposures to CVE-2024-10441. This tag, published on March 28, 2025, enables TPRM professionals to pinpoint vendors with vulnerable Synology devices. By utilizing this tag, professionals can access detailed asset information, including IP addresses and subdomains, facilitating targeted risk assessments and remediation efforts. This proactive approach aids in safeguarding the supply chain against threats associated with this critical vulnerability.

Black Kite’s Synology DSM FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-30355: Synapse Server Improper Input Validation Vulnerability

What is the Synapse Server Improper Input Validation Vulnerability?

CVE-2025-30355 is a high-severity improper input validation vulnerability in Synapse, an open-source Matrix homeserver implementation. This flaw allows a malicious server to craft specific events that, when received by a vulnerable Synapse server (versions up to 1.127.0), prevent it from federating with other servers, effectively isolating it from the broader Matrix network. The vulnerability has a CVSS score of 7.1 and an EPSS score of 0.06%. It was publicly disclosed on March 26, 2025, and has been exploited in the wild. As of now, it has not been added to CISA’s Known Exploited Vulnerabilities catalog, and no CISA advisory has been published regarding this issue.

Why should TPRM professionals be concerned about CVE-2025-30355?

Synapse servers are integral to organizations relying on Matrix for secure, real-time communication. A successful exploitation of CVE-2025-30355 can disrupt inter-server communication, leading to potential isolation from the Matrix network. This disruption can result in significant operational downtime and hinder collaboration, posing substantial risks to business continuity and data integrity.

What questions should TPRM professionals ask vendors regarding CVE-2025-30355?

  1. Can you confirm if you have upgraded all instances of Synapse servers to version 1.127.1 to mitigate the risk of CVE-2025-30355?
  2. Are you actively monitoring your Synapse servers for any signs of unusual activity, specifically related to the Federation Denial-of-Service via Malformed Events?
  3. Can you confirm if your Synapse servers are operating in a closed federation environment consisting of trusted servers or non-federating installations, which are not affected by this vulnerability?
  4. Have you reviewed and reinforced your security best practices for server administration in light of the CVE-2025-30355 vulnerability?

Remediation Recommendations for Vendors subject to this risk

  • Immediate Update: Upgrade all Synapse servers to version 1.127.1 or later to address CVE-2025-30355.
  • Monitoring: Implement continuous monitoring of Synapse servers for signs of unusual activity that may indicate exploitation attempts.
  • Access Controls: Review and reinforce access controls to ensure only authorized servers can federate, reducing exposure to malicious entities.
  • Incident Response: Develop and test an incident response plan specifically addressing scenarios involving Synapse server isolation due to exploitation.
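For the “Access Controls” item above, and for vendors who answer question 3 by saying they run a closed federation, Synapse’s homeserver.yaml can pin federation to an explicit allowlist. The excerpt below is an added example for this post, not configuration taken from the original article or from the Synapse project; the two domains are constructed placeholders.

```yaml
# homeserver.yaml (excerpt): restrict federation to named trusted homeservers.
# With this list present, Synapse refuses federation traffic, inbound and
# outbound, with any server domain that is not listed.
federation_domain_whitelist:
  - partner-a.example.org     # constructed placeholder: a trusted partner homeserver
  - partner-b.example.org     # constructed placeholder: a second trusted homeserver
```

Because the allowlist cuts off communication with every unlisted homeserver in both directions, it fits the closed-federation deployments the advisory describes as unaffected; an organization that needs to federate with the public Matrix network cannot use it as a substitute for upgrading to 1.127.1 or later. After editing the file, restart Synapse and confirm with a federation test against a listed partner that the expected servers still reach each other.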

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite has published a FocusTag™ titled “Synapse Server” on March 27, 2025, to assist in identifying vendors potentially exposed to CVE-2025-30355. This tag provides detailed information about the vulnerability, including affected versions and remediation steps. TPRM professionals can utilize Black Kite to:

  • Identify third-party vendors using vulnerable Synapse server versions.
  • Access asset information such as IP addresses and subdomains associated with the vendors’ Synapse servers, facilitating targeted risk assessments.
  • Monitor vendors’ remediation efforts and ensure timely updates to mitigate the vulnerability.

Black Kite’s Synapse Server FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Visibility With Black Kite’s FocusTags™

In an era where vulnerabilities like IngressNightmare, critical flaws in Synology DSM, and zero-day DoS risks in Synapse servers emerge with growing frequency, Black Kite’s FocusTags™ serve as a pivotal asset for Third-Party Risk Management (TPRM) teams.

Here’s how these tags elevate TPRM outcomes:

  • Immediate Exposure Mapping: Instantly surface vendors using affected products—such as Kubernetes Ingress, Synology DSM, or Synapse—so that teams can take swift, informed action.
  • Risk-Based Vendor Prioritization: Evaluate vendors not just by their importance to your organization but also by their exposure to specific, high-severity vulnerabilities.
  • Precision Questionnaires: Guide focused conversations by targeting relevant risk areas, reducing questionnaire fatigue for vendors and ensuring relevance in responses.
  • Actionable Asset Intelligence: Access IPs and subdomains tied to vulnerable products within vendor environments, transforming cyber risk from abstract to tangible.

By integrating Black Kite’s FocusTags™ into their workflows, TPRM professionals can reduce analysis time, minimize uncertainty, and focus their remediation efforts where it matters most—on the vendors and systems that pose real-world risk.

Want to take a closer look at FocusTags™?

Take our platform for a test drive and request a demo today.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Kubernetes Ingress NGINX: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM: CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server: CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025: CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025: CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025: CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025: CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability, Observable Discrepancy, Sensitive Information Disclosure, Plaintext Storage of a Password, NULL Pointer Dereference, DoS Vulnerability, Unrestricted Upload of File with Dangerous Type, Stack-based Buffer Overflow Vulnerability, Buffer Overflow Vulnerability, Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
  • VMware ESXi – Mar2025: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
  • Apache Tomcat – Mar2025: CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.
  • Axios HTTP Client: CVE-2025-27152, Server-Side Request Forgery (SSRF) Vulnerability, Credential Leakage in Axios HTTP Server.
  • PostgreSQL – Feb2025: CVE-2025-1094, SQLi Vulnerability, Improper Neutralization of Quoting Syntax in PostgreSQL.
  • Zimbra XSS: CVE-2023-34192, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite (ZCS).
  • PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
  • Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.

References

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

https://www.darkreading.com/application-security/critical-ingressnightmare-vulns-kubernetes-environments

https://nvd.nist.gov/vuln/detail/CVE-2025-1974

https://nvd.nist.gov/vuln/detail/CVE-2025-24514

https://nvd.nist.gov/vuln/detail/CVE-2025-1098

https://nvd.nist.gov/vuln/detail/CVE-2025-1097

https://github.com/sandumjacob/IngressNightmare-POCs/blob/main/CVE-2025-1974/README.md

https://nvd.nist.gov/vuln/detail/CVE-2024-10441

https://securityonline.info/cve-2024-10441-cvss-9-8-synology-patches-critical-code-execution-flaw-in-multiple-products

https://nvd.nist.gov/vuln/detail/CVE-2025-30355

https://www.synology.com/en-global/security/advisory/Synology_SA_24_20

https://www.synology.com/en-global/security/advisory/Synology_SA_24_23

https://securityonline.info/synapse-servers-at-risk-zero-day-dos-in-the-wild

https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

https://blackkite.com/blog/oracle-cloud-breach-claims-denials-and-the-reality-of-cloud-security-risks-in-tprm