Focus Friday: TPRM Insights Into Fortinet Backdoors, SonicWall SSLVPN, and Redis DoS Vulnerabilities
Written by: Ferdi Gül
Welcome to this week’s Focus Friday, where we spotlight emerging cybersecurity threats through the lens of Third-Party Risk Management (TPRM). As organizations continue to rely heavily on digital ecosystems involving hundreds or thousands of vendors, a single vulnerability in a third-party product can ripple across entire supply chains. This week, we analyze three critical issues affecting high-profile technologies used globally: the exploitation of Fortinet SSL-VPN vulnerabilities through a symlink backdoor, a DoS flaw in SonicWall’s Gen7 SSLVPN interface, and a resource exhaustion vulnerability in Redis servers. Each of these poses unique challenges for TPRM professionals seeking to evaluate vendor exposure and reduce systemic risk.
Through the use of Black Kite’s FocusTags™, organizations can more effectively identify which vendors are likely impacted, prioritize mitigation efforts, and streamline communication. Let’s break down the technical and strategic implications of each threat.

Fortinet Symlink Backdoor: Legacy CVEs Continue to Impact Organizations
What is the Fortinet Symlink Backdoor and Which Vulnerabilities Are Involved?
A newly identified post-exploitation method has come to light, which exploits previously patched FortiGate vulnerabilities—CVE‑2022‑42475, CVE‑2023‑27997, and CVE‑2024‑21762. This technique involves the creation of symbolic links within the SSL-VPN language files directory, effectively leveraging access to gain persistent visibility into the root file system. Upon gaining access to a vulnerable FortiGate device, attackers created symbolic links in the public-facing language folder, enabling them to bypass patching efforts and maintain read access to critical system files—even after the original flaws had been remediated.
- CVE-2022-42475: A heap-based buffer overflow vulnerability in FortiOS SSL-VPN, allowing arbitrary code execution. CVSS: 9.8, EPSS: 93.17%
- CVE-2023-27997: A heap-based buffer overflow in FortiOS and FortiProxy SSL-VPN, enabling remote code execution. CVSS: 9.8, EPSS: 90.28%
- CVE-2024-21762: An out-of-bounds write vulnerability in FortiOS, leading to arbitrary code execution. CVSS: 9.8, EPSS: 91.91%
According to telemetry from the Shadowserver Foundation, over 16,620 FortiGate devices across the globe have been compromised through this symlink backdoor. The majority of these cases are concentrated in Asia, followed by Europe and North America.
Proof-of-concept exploit code for the related vulnerabilities is readily available online. All three CVEs involved were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in 2022, 2023, and 2024, reflecting their known exploitation in real-world attacks. Notably, Black Kite previously issued FocusTags™ for two of these vulnerabilities: CVE‑2024‑21762 was tagged with the “FortiOS SSL VPN [Suspected]” label on February 9, 2024, while CVE‑2022‑42475 was covered under the “APT‑Risk: FortiOS/Zoho” tag on September 7, 2023. Customers who responded to those alerts likely addressed the underlying vulnerabilities proactively. However, this newly emerged post-exploitation technique warrants renewed attention.
Each of these vulnerabilities is known to be actively exploited in the wild. CVE-2022-42475 has been linked to APT5, Volt Typhoon, and UNC3886, and associated with malware families such as BOLDMOVE, Coathanger, and NoName. CVE-2023-27997 has been exploited by Volt Typhoon, APT15, APT31, Fox Kitten, RansomHub, and MirrorFace, with related malware including Coathanger, LODEINFO, NOOPDOOR, and RansomHub. CVE-2024-21762 has also seen confirmed exploitation by Volt Typhoon, often using the Coathanger and Black Basta malware families. While there is no confirmed proof that CVE-2024-21762 was directly used to plant this specific symlink backdoor, its exploitation remains highly probable and cannot be ruled out.
CISA added CVE-2023-27997 to its Known Exploited Vulnerabilities (KEV) catalog on June 13, 2023, and CVE-2024-21762 on February 9, 2024. CVE-2022-42475 has also been associated with nation-state threat actors.
Why Should TPRM Professionals Be Concerned About This Backdoor?
FortiGate devices are widely used for network security, including firewall and VPN functionalities. A compromised FortiGate device within a vendor’s infrastructure can lead to unauthorized access to sensitive data, configuration files, and network traffic. This persistent access poses significant risks, including data breaches and lateral movement within networks.
What Questions Should TPRM Professionals Ask Vendors Regarding This Issue?
To assess the risk associated with this backdoor, consider asking vendors the following questions:
- Have you upgraded your Fortinet devices to the patched FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to mitigate the risk of CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762?
- Have you implemented the recommended actions such as hardening SSL-VPN configurations, continuous monitoring, forensic assessment & cleanup, and deploying AV/IPS signatures to detect and remove the malicious symbolic link?
- Can you confirm if you have disabled SSL-VPN if not in use, or restricted access to trusted IPs only, as part of your mitigation strategy against the persistent symlink exploit in Fortinet devices?
- Have you conducted a forensic investigation to identify and remove lingering symlinks, reset all credentials, revoke certificates, and rotate secrets that may have been exposed due to the exploitation of CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762?
Remediation Recommendations for Vendors Subject to This Risk
Vendors should take the following actions to mitigate the risk associated with the Fortinet Symlink Backdoor:
- Update FortiOS: Upgrade to the latest FortiOS versions that address the known vulnerabilities and remove the symlink backdoor.
- Inspect for Indicators of Compromise: Examine FortiGate devices for unauthorized symbolic links and other signs of compromise.
- Review SSL-VPN Configurations: Ensure that SSL-VPN settings are secure and do not allow unauthorized access to sensitive directories.
- Implement Monitoring and Alerting: Set up continuous monitoring to detect unusual activities or configurations within FortiGate devices.
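An added example, not Fortinet's or Black Kite's code, of the symlink inspection step above: it walks a directory tree and reports any symbolic link whose target resolves outside that tree, which is how the planted links in the language directory behave. It assumes the tree is an extracted or mounted copy of the appliance file system rather than the live FortiOS device, and it builds its own sample tree in a temporary directory:

```python
"""Report symbolic links that escape a public-facing directory tree.

Added example, not Fortinet's or Black Kite's code. The backdoor described
above plants symlinks in the SSL-VPN language directory that resolve into the
root file system; this walks a tree (assumed to be an extracted or mounted
copy of the appliance file system, since FortiOS itself does not run Python)
and reports every symlink whose target resolves outside it. The sample tree
is constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path


def escaping_symlinks(root: str) -> list:
    """Return (relative link path, raw target) for each symlink under root that
    resolves outside root; dangling and looping links are reported as well."""
    root_path = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                resolved = link.resolve(strict=True)
                inside = resolved == root_path or root_path in resolved.parents
            except (OSError, RuntimeError):   # dangling target or symlink loop
                inside = False
            if not inside:
                findings.append((str(link.relative_to(root)), os.readlink(link)))
    return sorted(findings)


def build_sample_tree() -> str:
    """Construct a throwaway tree: a language folder holding one real file,
    one legitimate relative link and one link that points at the root fs."""
    base = tempfile.mkdtemp(prefix="lang-audit-")
    lang = Path(base) / "lang"
    lang.mkdir()
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")    # stays inside the tree
    os.symlink("/", lang / "theme")                  # escapes to the root fs
    os.symlink("missing.json", lang / "stale.json")  # dangling, also reported
    return base


if __name__ == "__main__":
    for path, target in escaping_symlinks(build_sample_tree()):
        print(f"suspicious symlink: {path} -> {target}")
```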
How Can TPRM Professionals Leverage Black Kite for This Vulnerability?
Black Kite provides a FocusTag for the Fortinet Symlink Backdoor, enabling organizations to identify vendors potentially affected by this issue. The FocusTag includes detailed information about the associated vulnerabilities, affected assets, and remediation guidance. By utilizing this FocusTag, TPRM professionals can prioritize their risk assessments, focusing on vendors with known exposures, and facilitate targeted remediation efforts.

CVE-2025-32818 in SonicWall SSLVPN Gen 7
What is the SonicWall SSLVPN DoS Vulnerability?
CVE-2025-32818 is a high-severity vulnerability impacting the SonicWall SonicOS SSLVPN Virtual Office interface, identified as a Null Pointer Dereference issue. This flaw allows unauthenticated remote attackers to crash the firewall, leading to a Denial-of-Service (DoS) condition. The vulnerability affects Gen7 firewall models and NSv platforms running firmware versions 7.1.1-7040 through 7.1.3-7015, and TZ80 models on version 8.0.0-8037 or earlier.
Disclosed publicly on April 23, 2025, by SonicWall PSIRT (Advisory ID: SNWLID-2025-0009), the vulnerability has a CVSS v3 score of 7.5 and an EPSS score of 0.04%. It is exploitable only if the SSLVPN service is enabled. While proof-of-concept exploit code is not yet publicly available, and the issue is not included in CISA’s Known Exploited Vulnerabilities catalog, proactive mitigation is strongly encouraged. Given the firewall’s critical role in securing remote access, any disruption to its availability can impact business continuity.
Why Should TPRM Professionals Be Concerned About This Vulnerability?
SonicWall Gen7 devices are widely deployed by vendors for secure remote access. These devices protect sensitive traffic through their SSLVPN services, and a crash of such a firewall can mean sudden loss of remote connectivity, disruption of business-critical workflows, and exposure to further compromise during downtime. Even though this vulnerability does not allow code execution or data exfiltration directly, it can be weaponized for targeted service disruption—especially in organizations that rely on 24/7 availability.
From a third-party risk perspective, a vendor with vulnerable or improperly configured SonicWall devices may lose access to essential services or fail to meet service-level agreements (SLAs). If exploited during an incident, the firewall’s unavailability can also delay incident response or containment activities.
What questions should TPRM professionals ask vendors about CVE-2025-32818?
To better understand vendor exposure and readiness, consider asking:
- Have you updated your Gen7 NSv & Firewalls to SonicOS 7.2.0-7015 or later, and TZ80 to 8.0.1-8017 or later to mitigate the risk of CVE-2025-32818?
- Can you confirm if the SSLVPN service on your SonicWall devices has been disabled to prevent the exploitation of the Null Pointer Dereference issue in the SonicOS SSLVPN Virtual Office interface?
- Have you observed any unexpected reboots or service interruptions in your Gen7 NSv (NSv 270, NSv 470, NSv 870) or Gen7 Firewall (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700) devices running firmware 7.1.1-7040 through 7.1.3-7015 (7.1.x), or in TZ80 devices running 8.0.0-8037 or earlier, that could indicate a Denial-of-Service attack due to CVE-2025-32818?
- Have you implemented strict access controls on all management interfaces and disabled unused services on your SonicWall devices as a part of hardening measures against potential exploitation of CVE-2025-32818?
Remediation Recommendations for Vendors Subject to This Risk
Vendors using SonicWall SSLVPN Gen7 appliances should take the following remediation steps:
- Apply Firmware Updates: Upgrade all affected Gen7 Firewalls and NSv platforms to version 7.2.0-7015 or higher, and TZ80 devices to 8.0.1-8017 or higher.
- Temporarily Disable SSLVPN: If patching cannot be performed immediately, disable the SSLVPN service to prevent exploitation.
- Audit System Logs: Review logs for signs of service crashes or abnormal behavior linked to SSLVPN usage.
- Restrict Access: Limit external access to the SSLVPN interface through IP whitelisting and network segmentation.
- Review Configuration: Ensure unnecessary services, especially public-facing features like Virtual Office, are disabled when not in use.
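An added example (not SonicWall's or Black Kite's code) that applies the build ranges from the advisory to a device inventory, separating patched devices from vulnerable ones and noting where SSLVPN is already disabled as an interim mitigation. The inventory format, the host names and the LEGACY-MODEL entry are constructed assumptions:

```python
"""Triage a SonicWall firewall inventory for CVE-2025-32818.

Added example, not SonicWall's or Black Kite's code. Build ranges are those
stated for SNWLID-2025-0009 above; the inventory is constructed sample data
and LEGACY-MODEL is a placeholder for a platform the advisory does not list.
"""
import re

GEN7_MODELS = {
    "NSv 270", "NSv 470", "NSv 870",
    "TZ270", "TZ270W", "TZ370", "TZ370W", "TZ470", "TZ470W",
    "TZ570", "TZ570W", "TZ570P", "TZ670",
    "NSa 2700", "NSa 3700", "NSa 4700", "NSa 5700", "NSa 6700",
    "NSsp 10700", "NSsp 11700", "NSsp 13700", "NSsp 15700",
}
# (first affected, last affected, first fixed); None = "and earlier" (TZ80)
AFFECTED = {
    "gen7": ("7.1.1-7040", "7.1.3-7015", "7.2.0-7015"),
    "tz80": (None, "8.0.0-8037", "8.0.1-8017"),
}
SAMPLE_INVENTORY = """\
# host,model,firmware,sslvpn  (constructed sample data)
fw-hq-1,TZ670,7.1.2-7019,enabled
fw-branch-2,TZ370,7.1.3-7015,disabled
fw-dc-3,NSa 4700,7.2.0-7015,enabled
fw-edge-4,TZ80,8.0.0-8037,enabled
fw-lab-5,TZ80,8.0.1-8017,enabled
fw-old-6,LEGACY-MODEL,6.5.4-4,enabled
"""


def parse_build(s: str) -> tuple:
    """Turn a SonicOS build string like '7.1.3-7015' into (7, 1, 3, 7015)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS build: {s!r}")
    return tuple(int(x) for x in m.groups())


def classify(model: str, firmware: str, sslvpn_enabled: bool) -> str:
    """Map one device to a triage status using the advisory's build ranges."""
    family = "tz80" if model == "TZ80" else "gen7" if model in GEN7_MODELS else None
    if family is None:
        return "not-listed"                 # platform outside the advisory
    lo, hi, fixed = AFFECTED[family]
    fw = parse_build(firmware)
    if fw >= parse_build(fixed):
        return "patched"
    if (lo is None or fw >= parse_build(lo)) and fw <= parse_build(hi):
        # the crash is only reachable while the SSLVPN service is enabled
        return "vulnerable-exposed" if sslvpn_enabled else "vulnerable-sslvpn-disabled"
    return "verify-with-vendor"             # listed platform, build outside range


def triage(inventory: str) -> dict:
    """Classify every non-comment 'host,model,firmware,sslvpn' line."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, model, firmware, sslvpn = (f.strip() for f in line.split(","))
        result[host] = classify(model, firmware, sslvpn.lower() == "enabled")
    return result
```

A build on a listed platform that falls outside the advisory's stated range is reported as "verify-with-vendor" rather than guessed at.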
How TPRM Professionals Can Leverage Black Kite for This Vulnerability
Black Kite published the SonicWall SSLVPN Gen7 FocusTag on April 25, 2025, enabling TPRM teams to pinpoint vendors potentially exposed to CVE-2025-32818. This tag provides asset-level visibility, including IP addresses and service banners that indicate the presence of vulnerable configurations.
By using this FocusTag, risk managers can prioritize outreach to vendors actively running impacted SonicWall models and validate whether they’ve implemented mitigation steps. If a vendor has SonicWall SSLVPN publicly exposed, the tag surfaces this directly, significantly reducing the scope of your due diligence efforts.
This tag is especially useful for organizations relying on multiple vendors that use SonicWall for remote access, helping you rapidly assess operational impact and contain downstream availability risks before they escalate.

CVE-2025-21605 in Redis Server
What is the Redis Server DoS Vulnerability?
CVE-2025-21605 is a high-severity Denial-of-Service (DoS) vulnerability impacting Redis servers. The flaw arises due to unlimited growth of output buffers, caused by an unauthenticated client sending commands or triggering repeated “NOAUTH” responses when password authentication is enabled. If exploited, the Redis server’s memory can be completely exhausted, causing the service to crash. This vulnerability carries a CVSS v3 score of 7.5 and an EPSS score of 0.04%.
First publicly disclosed on April 23, 2025, via GitHub Security Advisories (GHSA-r67f-p999-2gff), the issue affects Redis versions from 2.6 up to but not including 7.4.3. Although no proof-of-concept exploit code is publicly available at this time, Redis’s widespread deployment in production environments elevates the concern. As of today, CVE-2025-21605 has not been added to CISA’s Known Exploited Vulnerabilities catalog, and no advisory has been released by CISA.
Redis maintainers have addressed this vulnerability in Redis 7.4.3, where sensible client output buffer limits have been introduced.
Why Should TPRM Professionals Be Concerned About This Vulnerability?
Redis servers are commonly used to cache critical application data, manage sessions, and handle real-time information. A service crash triggered by an unauthenticated client could lead to serious disruption in vendor environments, including website outages, application failures, and business process interruptions.
From a TPRM perspective, any vendor relying on exposed or improperly secured Redis instances is at risk of operational downtime without advance warning. In environments where Redis clusters are part of larger SaaS offerings or critical backend systems, a DoS incident could cascade across dependent systems, impacting availability and client trust. Given that Redis by default does not restrict output buffer growth for normal clients, vendors who have not proactively hardened their Redis configurations may be vulnerable.
What questions should TPRM professionals ask vendors about CVE-2025-21605?
To assess third-party exposure related to this Redis vulnerability, consider asking:
- Have you updated all instances of Redis Server to version 7.4.3 or later to mitigate the risk of CVE-2025-21605?
- Have you configured the client-output-buffer-limit normal <hard-limit> in redis.conf to throttle untrusted clients and prevent unlimited output buffer growth?
- Have you enforced TLS and required client-side certificates to ensure only authenticated clients can connect to your Redis servers?
- Have you implemented network access controls such as firewalls, iptables, or security groups to restrict unauthenticated access to your Redis servers?
Remediation Recommendations for Vendors Subject to This Risk
Vendors should adopt the following mitigation and remediation strategies:
- Upgrade Redis: Update Redis servers to version 7.4.3 or later, where built-in safeguards against buffer exhaustion are implemented.
- Apply Manual Controls: Set a strict client-output-buffer-limit for normal clients in the redis.conf configuration file.
- Restrict Access: Use firewalls, iptables, or security groups to limit access to Redis servers only to trusted networks or authenticated clients.
- Enforce Secure Communication: Enable TLS encryption and require client-side certificates to authenticate users connecting to the Redis server.
- Monitor Resource Utilization: Continuously monitor memory usage patterns and set up alerts for unusual output buffer growth.
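The version and output-buffer checks behind the questions and remediation steps above, as an added example that is not Redis's or Black Kite's own code. It assumes you have already captured the output of INFO server and CONFIG GET client-output-buffer-limit from the instance; the sample output in the block is constructed:

```python
"""Audit a Redis instance's exposure to CVE-2025-21605 from command output.

Added example, not Redis's or Black Kite's own code. It parses the text that
`INFO server` and `CONFIG GET client-output-buffer-limit` return and flags an
instance that runs a version before 7.4.3 or leaves the "normal" client class
(the one unauthenticated clients fall into) with no hard output-buffer limit;
a hard limit of 0 means growth is unbounded. The sample output is constructed.
"""
import re

FIRST_AFFECTED = (2, 6, 0)   # advisory range starts at Redis 2.6
FIXED_VERSION = (7, 4, 3)    # first release with built-in safeguards
# redis.conf size suffixes: k/m/g are powers of 1000, kb/mb/gb powers of 1024
_UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
          "g": 1000 ** 3, "gb": 1024 ** 3}
# Constructed sample: a 7.2.x server keeping the default (unlimited) normal class
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_LIMITS = "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"


def parse_version(info_text: str) -> tuple:
    """Extract redis_version from INFO output as a comparable (major, minor, patch)."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def parse_size(token: str) -> int:
    """Convert a size token such as '256mb', '1g' or '0' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG][bB]?)?", token)
    if not m:
        raise ValueError(f"bad size token: {token}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").lower()]


def parse_buffer_limits(text: str) -> dict:
    """Parse 'class hard soft soft-seconds ...' groups (redis.conf syntax or the
    CONFIG GET value) into {class: (hard_bytes, soft_bytes, soft_seconds)}."""
    tokens = text.split()
    if len(tokens) % 4:
        raise ValueError("client-output-buffer-limit needs groups of four tokens")
    return {tokens[i]: (parse_size(tokens[i + 1]), parse_size(tokens[i + 2]),
                        int(tokens[i + 3])) for i in range(0, len(tokens), 4)}


def assess(info_text: str, limits_text: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    ver = parse_version(info_text)
    if FIRST_AFFECTED <= ver < FIXED_VERSION:
        findings.append("redis %d.%d.%d predates the 7.4.3 fix for CVE-2025-21605" % ver)
    normal = parse_buffer_limits(limits_text).get("normal")
    if normal is None or normal[0] == 0:
        findings.append("client-output-buffer-limit for 'normal' has no hard limit")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_INFO, SAMPLE_LIMITS):
        print("FINDING:", finding)
```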
How TPRM Professionals Can Leverage Black Kite for This Vulnerability
Black Kite released the Redis Server FocusTag on April 23, 2025, allowing organizations to quickly identify vendors potentially exposed to CVE-2025-21605. By using this FocusTag, TPRM teams can pinpoint companies operating vulnerable Redis versions or improperly configured instances that may be susceptible to DoS attacks.
The FocusTag enriches risk assessments by providing asset-level intelligence such as IP addresses and relevant service information. With this insight, TPRM professionals can prioritize outreach and remediation requests, ensuring that critical third-party partners address the vulnerability before it leads to business disruption.
In environments where Redis plays a pivotal backend role, using Black Kite’s FocusTags™ ensures that availability risks are proactively managed, rather than discovered during an unexpected service failure.

Enabling Proactive TPRM With Black Kite’s FocusTags™
The vulnerabilities explored in this week’s Focus Friday—ranging from backdoor persistence via patched Fortinet SSL-VPN flaws, to denial-of-service conditions in SonicWall appliances and Redis servers—highlight the diverse and evolving nature of third-party cybersecurity risk. In environments where availability, remote access security, and in-memory data handling are mission-critical, even a single overlooked CVE can introduce severe operational and reputational damage.
Black Kite’s FocusTags™ empower TPRM teams to tackle this complexity head-on with:
- Asset-Specific Vulnerability Detection: Identify which vendors are operating affected systems based on real asset intelligence, including IP addresses and exposed services.
- Risk Triage at Scale: Quickly narrow down vendor lists by severity, exposure type, and system criticality—enabling faster decisions and response planning.
- Vendor-Specific Inquiry Support: Use detailed FocusTag insights to pose informed, vulnerability-specific questions during vendor outreach.
- Improved Incident Preparedness: Continuously monitor your third-party landscape as new vulnerabilities emerge, ensuring that no critical issue is missed.
With threats targeting everything from network edge devices to internal caching systems, Black Kite’s FocusTags™ offer a powerful lens to see where exposure lies, how to address it, and how to prioritize what matters most—before incidents escalate.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags™ in the Last 30 Days:
- Fortinet Symlink Backdoor: CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
- SonicWall SSLVPN Gen7: CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
- Redis Server: CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
- Adobe ColdFusion: CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30287, CVE-2025-30288, CVE-2025-30289, CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
- Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
- Ivanti Connect Secure: CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
- FortiSwitch: CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
- MinIO: CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
- Kubernetes Ingress NGINX: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
- Synology DSM: CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
- Synapse Server: CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
- Juniper Junos OS – Mar2025: CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
- SAP NetWeaver – Mar2025: CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
- MongoDB – Mar2025: CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
- DrayTek Vigor – Mar2025: CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Observable Discrepancy, Sensitive Information Disclosure; Plaintext Storage of a Password, Sensitive Information Disclosure; NULL Pointer Dereference, DoS Vulnerability; Code Injection Vulnerability, Arbitrary Code Execution Vulnerability; Unrestricted Upload of File with Dangerous Type, Arbitrary Code Execution Vulnerability; Stack-based Buffer Overflow Vulnerability; Buffer Overflow Vulnerability; Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-21762
https://nvd.nist.gov/vuln/detail/CVE-2023-27997
https://nvd.nist.gov/vuln/detail/cve-2022-42475
https://cybersecuritynews.com/hackers-actively-exploits-patched-fortinet-fortigate-devices
https://www.fortiguard.com/psirt/FG-IR-22-398
https://nvd.nist.gov/vuln/detail/CVE-2025-32818
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0009
https://securityonline.info/high-severity-sonicwall-sslvpn-vulnerability-allows-firewall-crashing
https://nvd.nist.gov/vuln/detail/CVE-2025-21605
https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff