Focus Friday: TPRM Insights Into SonicWall SSL VPN, Grafana Enterprise SCIM, Apache SkyWalking Vulnerabilities, and Gainsight Client Incident

Published: Nov 28, 2025
Updated: Nov 28, 2025
Authors: Ferdi Gül & Hakan Karabacak


INTRODUCTION

Welcome to this week’s Focus Friday, where we examine the latest high-impact cybersecurity events through a Third-Party Risk Management (TPRM) lens. As organizations continue expanding their digital ecosystems, weaknesses in widely adopted technologies and integrations—such as SonicWall SonicOS SSLVPN, Grafana Enterprise SCIM provisioning, Apache SkyWalking observability dashboards, and the recently exposed Gainsight–Salesforce integration pathway—can rapidly extend risk across entire vendor networks.

This week’s analysis brings together four significant areas of concern spanning network infrastructure, identity provisioning, monitoring platforms, and third-party SaaS integrations. Each has the potential to disrupt vendor environments, expose sensitive operational data, or create supply-chain access pathways. The sections that follow break down each event and demonstrate how TPRM teams can use Black Kite’s Focus Tags to identify vendor exposure with precision and strengthen their risk workflows.

Filtered view of companies with SonicWall SSL VPN - Nov2025 FocusTag™ on the Black Kite platform.

CVE-2025-40601 (SonicOS SSLVPN)

What is the SonicWall SonicOS SSLVPN Vulnerability?

CVE-2025-40601 is a pre-authentication, stack-based buffer overflow vulnerability in the SonicOS SSLVPN service. The flaw, rated High severity (CVSS 7.5) with an EPSS score of 0.05%, allows a remote, unauthenticated attacker to send crafted traffic to the SSLVPN interface and trigger a Denial-of-Service (DoS) condition. When exploited, the firewall crashes, disrupting business-critical VPN availability.

This vulnerability was publicly disclosed in November 2025. It affects multiple generations of SonicWall hardware and virtual firewalls, particularly where the SSLVPN service or interface is enabled. Devices not using SSLVPN are not exposed.

Public reports note no confirmed exploitation in the wild. Although proof-of-concept exploit discussions exist, no reliable, weaponized exploit has been confirmed. CVE-2025-40601 is not listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog, and no CISA advisory has been issued for this vulnerability as of the latest information. It does, however, appear in the European Union Vulnerability Database under EUVD-2025-198277.

Affected Versions (from vendor guidance):

  • Gen7 Hardware & Virtual Firewalls (TZ Series, NSa Series, NSsp Series, and NSv Series running SonicOS)
    • Versions 7.3.0-7012 and older are vulnerable.
    • The 7.0.1 branch is not affected.
  • Gen8 Firewalls
    • Versions 8.0.2-8011 and older are vulnerable.

The vendor has released patched versions for all affected platforms.

Why should TPRM professionals care about this vulnerability?

From a third-party risk management perspective, CVE-2025-40601 presents a critical availability and operational continuity risk. SonicWall firewalls are commonly used as perimeter gateways and VPN access points. If a vendor’s firewall crashes due to exploitation:

  • Remote workers, contractors, or operational teams may lose access to the vendor’s internal systems.
  • Vendor-hosted services and applications may temporarily become unreachable, causing service disruptions for your organization.
  • Vendors relying on SSLVPN for managed services or support channels may be unable to fulfill contractual obligations.
  • The vulnerability is remotely exploitable without authentication, meaning any internet-exposed SSLVPN interface becomes a high-risk asset until patched.

Although this vulnerability does not enable code execution or data theft, its DoS impact can create meaningful downstream risk for organizations that depend on affected vendors for continuous service availability, secure connectivity, or time-sensitive operations.

What questions should TPRM professionals ask vendors?

TPRM teams should use targeted, vulnerability-specific questions such as:

  1. Can you confirm if you have updated all instances of SonicWall hardware and virtual firewalls to the fixed versions provided by SonicWall to mitigate the risk of CVE-2025-40601?
  2. Have you disabled the SSLVPN service from untrusted internet sources or limited SSLVPN access to only trusted sources as a temporary mitigation measure until patches are deployed?
  3. Can you confirm if the SSLVPN interface or service is enabled on your devices, making them potentially vulnerable to the pre-authentication stack-based buffer overflow vulnerability (CVE-2025-40601)?
  4. Have you applied the official security patches provided by SonicWall for your specific hardware and virtual firewalls to remediate the pre-authentication stack-based buffer overflow vulnerability (CVE-2025-40601)?

Remediation recommendations for vendors

Vendors that may be exposed to this vulnerability should take the following steps:

  • Apply the official security patches immediately for all affected SonicOS versions.
  • Audit all firewall assets—hardware and virtual—to confirm which devices have SSLVPN enabled.
  • Limit SSLVPN access to trusted IP sources or internal management networks until patching is completed.
  • Disable SSLVPN service from untrusted sources if access restriction is not feasible.
  • Monitor system logs and crash reports for repeated or unusual SSLVPN activity that may indicate probing or exploitation attempts.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite’s Focus Tag “SonicWall SSL VPN – Nov2025” enables organizations to efficiently identify exactly which vendors expose SonicWall SSLVPN services that match the affected versions. Instead of issuing broad, time-consuming questionnaires to all vendors, Black Kite narrows the scope by pinpointing:

  • Vendors operating SonicOS SSLVPN services
  • The associated internet-facing IPs and subdomains where those services are detected
  • Whether those assets map to versions known to be vulnerable

Black Kite’s SonicWall SSL VPN - Nov2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-41115 (Grafana Enterprise SCIM)

What is the Grafana Enterprise SCIM privilege escalation vulnerability?

CVE-2025-41115 is a critical incorrect privilege assignment and identity-mapping flaw in the SCIM (System for Cross-domain Identity Management) provisioning feature of Grafana Enterprise. The vulnerability allows a malicious or compromised SCIM client to provision a user with a numeric externalId that gets interpreted directly as an internal user.uid. If the numeric value matches a privileged user ID—such as the built-in administrator—the attacker can gain full administrative control through impersonation.

This flaw is rated Critical with a CVSS score of 10.0, and for this Focus Tag the EPSS score is 0.02%. The issue was publicly disclosed in November 2025 and affects environments where SCIM provisioning is enabled with both enableSCIM = true and user_sync_enabled = true under the [auth.scim] configuration.

Current data indicates no confirmed exploitation in the wild. Although the attack path is straightforward, no verified threat campaigns are associated with it at this time. The vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog, and CISA has not issued any standalone advisory for it.

Affected Grafana Enterprise versions:

  • 12.0.0–12.0.5
  • 12.1.0–12.1.2
  • 12.2.0

Grafana Cloud is not impacted because cloud environments were already secured, and Grafana OSS is unaffected as it does not include the SCIM feature.

Patched versions:

  • 12.3.0
  • 12.2.1
  • 12.1.3
  • 12.0.6

Why should TPRM professionals care about CVE-2025-41115?

Grafana Enterprise is widely used for centralized monitoring, observability, and dashboard-based operational analytics. When compromised, it can expose sensitive internal metrics, logs, performance data, API configuration details, and infrastructure topology.

For vendors using Grafana Enterprise to monitor systems that support your services, exploitation of this vulnerability could lead to:

  • Unauthorized access to sensitive dashboards containing operational or security data
  • Manipulation of alerting configurations, potentially suppressing detections in other parts of the environment
  • Access to data source credentials stored within Grafana, which may enable lateral movement
  • Multi-tenant exposure for vendors who consolidate multiple customer dashboards into the same Grafana infrastructure

From a TPRM perspective, this transforms the issue into a high-impact identity and monitoring risk. A vendor’s compromised Grafana instance directly weakens their ability to detect incidents, protect sensitive operational information, and maintain the integrity of the services they provide to your organization.

What questions should TPRM professionals ask vendors about this vulnerability?

To assess risk accurately, the following targeted questions are recommended:

  1. Can you confirm if you have updated all instances of Grafana Enterprise to the patched versions 12.3.0, 12.2.1, 12.1.3, or 12.0.6 to mitigate the risk of CVE-2025-41115?
  2. Have you reviewed your Grafana Enterprise configuration to verify if the SCIM provisioning feature is enabled and actively in use? Specifically, are the `enableSCIM` and `user_sync_enabled` settings set to `true` under `[auth.scim]`?
  3. Have you observed any unusual user provisioning attempts, unexpected privilege changes, or signs of user impersonation, especially related to SCIM integration, in your logs?
  4. If you are using Grafana Enterprise, have you taken any additional measures to mitigate the risk associated with CVE-2025-41115?

These questions help differentiate between vendors who merely acknowledge the vulnerability and those who have completed thorough verification and remediation.

Remediation recommendations for vendors subject to this risk

Vendors exposed to this vulnerability should take the following actions:

  • Upgrade immediately to a patched Grafana Enterprise version.
  • Review SCIM configuration to confirm whether it is enabled and necessary. If not mission-critical, temporarily disable SCIM or set user_sync_enabled = false until patching and validation are complete.
  • Ensure identity hygiene by enforcing stable, non-numeric externalId values for SCIM-managed identities to prevent collisions with internal user IDs.
  • Audit logs thoroughly, especially SCIM provisioning entries, for unusual activity such as new accounts inheriting administrative access or being created with simple integer identifiers.
  • Rotate or invalidate credentials stored within Grafana data sources if there is any sign that administrative controls may have been compromised.
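The identity-mapping defect described above (a numeric externalId treated as an internal user.uid) and the audit step in the remediation list can be illustrated together. The following is an added example written for this post, not Grafana's code: the internal user table, the SCIM payloads and the log line format are all constructed assumptions.

```python
import re

# Constructed internal user table (uid -> login, admin flag); not Grafana data.
INTERNAL_USERS = {
    "1": {"login": "admin", "is_admin": True},
    "42": {"login": "ops-viewer", "is_admin": False},
}


def provision_vulnerable(payload: dict, users: dict = INTERNAL_USERS) -> dict:
    """Models the defect behind CVE-2025-41115: a purely numeric externalId is
    used directly as the internal user.uid, so the SCIM client ends up bound to
    an existing (possibly administrative) account instead of a fresh one."""
    ext = str(payload["externalId"])
    if ext.isdigit() and ext in users:
        existing = users[ext]
        return {"uid": ext, "login": existing["login"],
                "is_admin": existing["is_admin"], "impersonates": True}
    return {"uid": f"scim-{ext}", "login": payload["userName"],
            "is_admin": False, "impersonates": False}


def provision_hardened(payload: dict, users: dict = INTERNAL_USERS) -> dict:
    """Hardened mapping: externalId is an opaque label and never a uid. Numeric
    values are rejected (the page's advice to enforce stable, non-numeric
    externalId values) and the uid is always minted, never looked up."""
    ext = str(payload.get("externalId", ""))
    if not ext or ext.isdigit():
        raise ValueError(f"rejected externalId {ext!r}: must be a stable, non-numeric identifier")
    uid = f"scim-{ext}"
    if uid in users:  # a collision with an existing account is an error, never a merge
        raise ValueError(f"uid {uid} already exists")
    return {"uid": uid, "login": payload["userName"], "is_admin": False, "impersonates": False}


# Constructed SCIM provisioning log lines; the format is an assumption, not Grafana's.
SAMPLE_LOG = """\
t=2025-11-19T09:00:01Z logger=scim msg="user provisioned" externalId=alice@idp.example userName=alice uid=scim-alice@idp.example
t=2025-11-19T09:00:07Z logger=scim msg="user provisioned" externalId=1 userName=helpdesk uid=1
t=2025-11-19T09:00:09Z logger=scim msg="user provisioned" externalId=bob@idp.example userName=bob uid=scim-bob@idp.example
"""

LOG_RE = re.compile(r'msg="user provisioned" externalId=(?P<ext>\S+) userName=(?P<name>\S+) uid=(?P<uid>\S+)')


def find_suspicious_provisioning(log_text: str) -> list:
    """Audit helper: return (externalId, userName, uid) for provisioning events whose
    externalId is a bare integer, the pattern the remediation list tells vendors to hunt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("ext").isdigit():
            hits.append((m.group("ext"), m.group("name"), m.group("uid")))
    return hits


if __name__ == "__main__":
    hostile = {"externalId": "1", "userName": "helpdesk"}
    print(provision_vulnerable(hostile))  # lands on the built-in admin account
    try:
        provision_hardened(hostile)
    except ValueError as err:
        print("hardened:", err)
    print(find_suspicious_provisioning(SAMPLE_LOG))
```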

How TPRM professionals can leverage Black Kite for this vulnerability

The Grafana Enterprise – Nov2025 Focus Tag allows TPRM teams to pinpoint which vendors in their ecosystem are likely operating affected versions of Grafana Enterprise. Black Kite surfaces:

  • Vendors with assets showing Grafana Enterprise technology fingerprints
  • Specific IP addresses and subdomains tied to exposed Grafana instances
  • Version indicators aligning with the affected release ranges
  • Signals suggesting SCIM-enabled configurations in enterprise environments

Black Kite’s Grafana Enterprise - Nov2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-54057 (Apache SkyWalking)

Apache SkyWalking is an open-source application performance monitoring and observability platform designed for microservices, cloud-native systems, and distributed architectures. It provides tracing, metrics, service topology, and monitoring dashboards to help organizations understand and troubleshoot complex service interactions.

What is the Apache SkyWalking stored XSS vulnerability?

CVE-2025-54057 is a stored cross-site scripting (XSS) vulnerability affecting the web interface of Apache SkyWalking. The issue arises from insufficient neutralization of script-related HTML tags in widget URLs used within dashboards. Because these URLs were not properly validated, an attacker could embed malicious scripts that become permanently stored inside the monitoring interface.

When a legitimate user or administrator later views a dashboard containing the malicious payload, the script executes automatically in their browser. This can enable several types of malicious behavior, including:

  • Theft of session cookies
  • Unauthorized actions under the victim’s identity
  • Forced redirects to attacker-controlled sites
  • Manipulation of displayed metrics to hide malicious activity or create false signals

The vulnerability is rated High severity with a CVSS score of 7.5 and an EPSS score of 0.02%. It was disclosed on 2025-11-27 and patched in Apache SkyWalking version 10.3.0.

No public proof-of-concept exploit has been confirmed as of the publication date. There is no evidence of active exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. CISA has not issued an advisory specific to this CVE.

Affected Versions:

  • All Apache SkyWalking versions up to and including 10.2.0

Fixed Versions:

  • Apache SkyWalking 10.3.0 and later

Why should TPRM professionals care about CVE-2025-54057?

Apache SkyWalking is widely used as a distributed tracing and application performance monitoring (APM) platform, making it central to how organizations observe microservices, cloud-native systems, and operational telemetry.

Because CVE-2025-54057 is a stored XSS issue, a single successful injection can persist indefinitely, silently affecting every user who opens the compromised dashboard. From a third-party risk perspective, this creates several concerns:

  • Compromise of vendor monitoring accounts: An attacker who hijacks an administrator’s session could gain extensive visibility and control inside a vendor’s observability environment.
  • Exposure or manipulation of operational data: Dashboards may display sensitive service performance details or infrastructure metadata. Malicious scripts could alter or falsify the presented data.
  • Suppressed alerts or misleading metrics: Attackers could distort the user interface to obscure performance issues or malicious activity occurring within the vendor’s environment.
  • Potential pivoting: If SkyWalking connects to other systems (incident dashboards, ticketing, authentication flows), attackers may exploit exposed tokens or credentials.

For organizations depending on vendors that use Apache SkyWalking, a compromised SkyWalking instance can diminish the vendor’s ability to detect, analyze, and respond to incidents—which directly impacts operational reliability and shared security outcomes.

What questions should TPRM professionals ask vendors about this vulnerability?

To determine a vendor’s exposure, ask direct, configuration-aware questions such as:

  1. Have you upgraded all instances of Apache SkyWalking to version 10.3.0 or later to mitigate the risk of the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-54057)?
  2. Have you implemented a robust Content Security Policy (CSP) for the SkyWalking UI to restrict the sources from which scripts and other assets can be loaded, as recommended in the advisory?
  3. Have you conducted a thorough review of existing dashboard configurations and widget URLs in Apache SkyWalking for any previously injected malicious payloads, especially if there's suspicion of compromise?
  4. Have you provided security awareness training for administrators on identifying suspicious redirects or unusual behavior within the monitoring interface, as an extra layer of defense against potential exploitation of this vulnerability?

These questions help differentiate whether a vendor truly validated their environment or only applied surface-level patching.

Remediation recommendations for vendors subject to this risk

Vendors potentially exposed to CVE-2025-54057 should take the following steps:

  • Upgrade immediately to Apache SkyWalking 10.3.0 or newer across all environments.
  • Inspect dashboards and widget URLs to detect and remove potentially malicious scripts that may have been inserted prior to patching.
  • Strengthen security controls by applying strict Content Security Policies (CSPs), limiting allowed script sources, and reinforcing browser security settings for the web interface.
  • Enforce least-privilege access for users managing SkyWalking dashboards and ensure that only trusted personnel can create or modify widgets.
  • Monitor for anomalous dashboard or widget changes, including unusual parameters, unexpected URLs, or sudden additions of new widgets.
  • Review and rotate credentials or tokens if the SkyWalking instance integrates with other systems and there is suspicion of compromise.
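The widget-URL weakness described for CVE-2025-54057 and the "inspect dashboards and widget URLs" step above can be turned into a concrete sweep. This is an added example for this post, not SkyWalking's code: the dashboard JSON shape, the widget fields and the CSP value are constructed assumptions.

```python
import html
import json
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}
# Case-insensitive substrings that have no legitimate place in a widget URL.
FORBIDDEN_MARKERS = ("<script", "</script", "<iframe", "<svg", "<img", "onerror=", "onload=")


def check_widget_url(url: str) -> tuple:
    """Return (ok, reason). Percent-decode and entity-decode first so an encoded
    '<script' cannot slip past, then allow only absolute http/https URLs that
    carry no script-related markup or inline event handlers."""
    decoded = html.unescape(unquote(url or "")).strip()
    if not decoded:
        return False, "empty URL"
    parts = urlsplit(decoded)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    lowered = decoded.lower()
    for marker in FORBIDDEN_MARKERS:
        if marker in lowered:
            return False, f"script-related markup {marker!r}"
    if "<" in lowered or ">" in lowered:
        return False, "angle brackets in URL"
    return True, "ok"


# Constructed dashboard export; the shape is an assumption, not SkyWalking's schema.
SAMPLE_DASHBOARD = json.dumps({
    "name": "service-overview",
    "widgets": [
        {"id": "w1", "type": "Iframe", "url": "https://grafana.internal.example/d/abc"},
        {"id": "w2", "type": "Iframe", "url": "javascript:alert(1)"},
        {"id": "w3", "type": "Iframe", "url": "https://wiki.internal.example/%3Cscript%3Ealert(1)%3C/script%3E"},
    ],
})


def audit_dashboard(dashboard_json: str) -> list:
    """Walk every widget and return [(widget id, reason)] for URLs that fail the
    check: the sweep the page recommends for dashboards saved before the upgrade."""
    dashboard = json.loads(dashboard_json)
    findings = []
    for widget in dashboard.get("widgets", []):
        ok, reason = check_widget_url(widget.get("url", ""))
        if not ok:
            findings.append((widget.get("id"), reason))
    return findings


# Hardened response header for the UI, following the page's CSP recommendation:
# no inline script, script only from the UI's own origin, frames only from listed hosts.
CSP_HEADER = ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
              "object-src 'none'; frame-src 'self' https://grafana.internal.example; "
              "base-uri 'self'")

if __name__ == "__main__":
    for widget_id, reason in audit_dashboard(SAMPLE_DASHBOARD):
        print(f"widget {widget_id} rejected: {reason}")
```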

How TPRM professionals can leverage Black Kite for this vulnerability

The Apache SkyWalking Focus Tag allows TPRM teams to instantly identify vendors whose digital footprints suggest the use of SkyWalking in versions affected by CVE-2025-54057. Instead of sending broad questionnaires to all vendors, Black Kite enables targeted investigation by:

  • Highlighting specific vendors whose external attack surface signals the presence of Apache SkyWalking.
  • Presenting the IP addresses and subdomains tied to potential SkyWalking deployments, enabling precise and actionable follow-up.
  • Flagging vendors operating versions aligned with the vulnerable releases.
  • Supporting continuous monitoring—when a vendor upgrades to a patched version, updated asset intelligence reflects the change.

Black Kite’s Apache SkyWalking FocusTag™ details critical insights on the event for TPRM professionals.

Gainsight Clients — Potential impact due to Gainsight-Salesforce integration incident

What happened in the Gainsight-Salesforce integration incident?

In mid-November 2025, Salesforce detected unusual activity originating from OAuth tokens issued to Gainsight-published applications. The behavior indicated unauthorized access attempts involving the permissions granted to the Gainsight Connected Apps rather than a flaw in the Salesforce platform itself.

On November 20, 2025, Salesforce revoked all active access and refresh tokens used by Gainsight applications and temporarily removed the applications from the AppExchange to stop ongoing misuse. Gainsight simultaneously acknowledged the operational disruption and initiated its own investigation.

Threat actor claims later surfaced from a group associated with ShinyHunters, stating they had accessed data belonging to hundreds of organizations by abusing the compromised tokens. Screenshots allegedly taken from well-known companies circulated on underground channels, and the actors threatened a broader data dump scheduled for November 24, 2025.

The incident was a supply-chain style intrusion. Instead of exploiting a Salesforce vulnerability, threat actors abused the OAuth scopes previously granted to Gainsight’s integrations. Organizations with active Gainsight connections before November 20 were potentially exposed to unauthorized data access or exfiltration.

Why should TPRM professionals care about this incident?

This incident illustrates how a trusted integration can become the entry point for widespread exposure. Vendors using Gainsight to support customer success operations often grant the application broad access to CRM records such as Contacts, Accounts, Opportunities, support case history, or internal metadata. If threat actors accessed or exported this information, downstream organizations that rely on those vendors may face:

  • Leakage of sensitive business relationships or operational details
  • Exposure of customer or partner information
  • Unauthorized access to internal communication or support workflows
  • Compromise of API-related secrets if stored in accessible fields
  • Impact on the integrity of CRM-driven processes used to deliver services

Since the activity occurred through authenticated OAuth channels, vendor environments may not immediately detect the access unless audit logging is reviewed. For TPRM teams, this incident shows that vendor assessments must also evaluate integration risk — not only CVEs or patching posture.

What questions should TPRM professionals ask vendors about the incident?

Vendors using Gainsight or similar CRM-integrated applications should be asked:

  1. Did you have an active Gainsight integration connected to your Salesforce instance prior to November 20, 2025?
  2. Have all OAuth tokens previously issued to Gainsight applications been revoked and replaced with new ones only after vendor-verified remediation?
  3. Have you reviewed Salesforce audit logs, login history, and API usage for unusual activity between mid-November and November 21, including bulk export events or unexpected IP addresses?
  4. Did any integration user associated with Gainsight have permissions that extended beyond the minimum required scopes?
  5. Have you rotated any credentials, API keys, or sensitive data stored in Salesforce fields accessible to the Gainsight integration?
  6. Do you maintain a continuous monitoring process for connected apps, including routine reviews of OAuth scopes and token expiration?

Remediation recommendations for vendors subject to this risk

Vendors that may have been exposed should:

  • Revoke all OAuth tokens issued to Gainsight-published apps and re-authenticate only after an updated, verified package is provided.
  • Rotate all potentially exposed secrets, including API keys or credentials stored in fields accessible to the integration.
  • Conduct a thorough audit of API logs, focusing on export-heavy SOQL queries or unusual traffic patterns from November 15–21.
  • Apply strict least-privilege permissions when re-installing Gainsight or similar integrations, reducing OAuth scopes to essential access only.
  • Assess whether any data accessed by the compromised tokens could create secondary risk in downstream systems or partner environments.
  • Implement processes to periodically review third-party application scopes, token usage, and integration activity across all critical SaaS platforms.
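The log audit and least-privilege steps above can be scripted against exported API activity. This is an added example for this post, not Salesforce or Gainsight code: the record field names, the allowlisted egress IP, the row threshold and the scope lists are constructed assumptions, and timestamps are taken as UTC.

```python
from datetime import datetime, timezone

# Review window the page gives for the incident (November 15-21), UTC assumed.
WINDOW_START = datetime(2025, 11, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 11, 21, 23, 59, 59, tzinfo=timezone.utc)

# Constructed API log records; field names are an assumption, not Salesforce's event schema.
SAMPLE_API_LOG = [
    {"ts": "2025-11-10T08:12:00Z", "app": "Gainsight", "user": "gs-integration@corp.example",
     "ip": "203.0.113.10", "rows": 1200,
     "query": "SELECT Id, Name FROM Account WHERE LastModifiedDate = LAST_N_DAYS:1"},
    {"ts": "2025-11-18T02:41:00Z", "app": "Gainsight", "user": "gs-integration@corp.example",
     "ip": "198.51.100.77", "rows": 250000, "query": "SELECT Id, Email, Phone FROM Contact"},
    {"ts": "2025-11-19T03:05:00Z", "app": "Gainsight", "user": "gs-integration@corp.example",
     "ip": "198.51.100.77", "rows": 90000, "query": "SELECT Id, Name, Amount FROM Opportunity"},
    {"ts": "2025-11-19T10:00:00Z", "app": "InternalETL", "user": "etl@corp.example",
     "ip": "203.0.113.20", "rows": 500000, "query": "SELECT Id FROM Case"},
]

KNOWN_GAINSIGHT_IPS = {"203.0.113.10"}  # constructed allowlist of the integration's expected egress
BULK_ROW_THRESHOLD = 50000               # constructed: tune to the integration's normal volume


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_api_log(records, app="Gainsight", known_ips=KNOWN_GAINSIGHT_IPS,
                   threshold=BULK_ROW_THRESHOLD) -> list:
    """Return (timestamp, reasons) for calls made through the named connected app
    inside the window that look export-heavy, unfiltered, or come from an unknown IP."""
    findings = []
    for rec in records:
        if rec["app"] != app:
            continue
        when = parse_ts(rec["ts"])
        if not (WINDOW_START <= when <= WINDOW_END):
            continue
        reasons = []
        if rec["rows"] >= threshold:
            reasons.append(f"bulk read of {rec['rows']} rows")
        if rec["ip"] not in known_ips:
            reasons.append(f"unknown source IP {rec['ip']}")
        if "where" not in rec["query"].lower():
            reasons.append("unfiltered SOQL (no WHERE clause)")
        if reasons:
            findings.append((rec["ts"], reasons))
    return findings


def excess_scopes(granted, required) -> set:
    """Least-privilege check for a connected app: OAuth scopes granted beyond
    what the integration actually needs, to be removed before re-installing."""
    return set(granted) - set(required)


if __name__ == "__main__":
    for ts, reasons in triage_api_log(SAMPLE_API_LOG):
        print(ts, "; ".join(reasons))
    # Constructed scope lists: a broad grant versus the minimum the integration needs.
    print("remove scopes:", excess_scopes(["api", "full", "refresh_token"], ["api", "refresh_token"]))
```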

How TPRM professionals can leverage Black Kite for this incident

Black Kite’s “Gainsight Client” Focus Tag enables TPRM teams to quickly identify which vendors in their ecosystem are likely to have active or historical Gainsight integrations.

The tag combines multiple intelligence sources — such as Gainsight’s public customer references, Black Kite’s big-data analytics, external records, and subdomain-level indicators — to flag organizations associated with Gainsight.

Through this Focus Tag, TPRM teams can:

  • Prioritize vendors that had active Gainsight connections during the incident window
  • Issue targeted questionnaires rather than broad requests across the entire vendor population
  • Validate whether corrective actions (token revocation, audit log review, credential rotation) were completed
  • Monitor whether vendors re-enable Gainsight integrations and whether they do so using improved permission practices

Black Kite’s Gainsight Client FocusTag™ details critical insights on the event for TPRM professionals.

ENHANCING TPRM PROGRAMS WITH BLACK KITE’S FOCUS TAGS™

Managing third-party cyber risk today requires more than broad assessments—it demands precision. With complex vendor ecosystems and fast-moving incidents, organizations need a reliable method to identify which vendors matter most for each new event. Black Kite’s Focus Tags enable this by converting technical intelligence into targeted, vendor-specific insights.

When dealing with issues such as a pre-authentication buffer overflow in SonicWall SSLVPN, privilege escalation through Grafana Enterprise SCIM provisioning, stored XSS within Apache SkyWalking dashboards, or a supply-chain intrusion through compromised Gainsight–Salesforce integrations, Focus Tags deliver substantial advantages:

Focused Exposure Identification

Instead of distributing universal questionnaires across the entire vendor base, Focus Tags highlight only the vendors that align with the affected technologies or integrations—allowing teams to concentrate on the relationships that require immediate review.

Actionable Risk Prioritization

By correlating asset data, version details, integration indicators, and incident intelligence, Focus Tags help TPRM teams determine where potential impact is highest. This drives faster and more informed triage based on a vendor’s role, criticality, and technical footprint.

Strengthened Vendor Communication

With precise context—such as the presence of an SSLVPN interface, SCIM provisioning in Grafana Enterprise, exposed SkyWalking dashboards, or active Gainsight integrations—TPRM teams can ask highly relevant, incident-specific questions. These focused inquiries support clearer communication and more effective remediation outcomes.

A More Resilient Risk Management Strategy

As new vulnerabilities, identity-related weaknesses, and supply-chain incidents emerge, Focus Tags deliver an evolving intelligence layer that helps organizations stay ahead of potential impacts. Rather than responding reactively, teams gain a structured and data-driven view of vendor exposure.

Black Kite’s Focus Tags enable TPRM teams to convert complex vulnerability and incident data into prioritized, actionable steps. This strengthens vendor oversight, increases operational resilience, and supports a more consistent approach to managing third-party cyber risk across the entire ecosystem.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • SonicWall SSL VPN – Nov2025 : CVE-2025-40601, Pre-Authentication Stack-Based Buffer Overflow Vulnerability in SonicWall SonicOS SSLVPN Service Leading to Denial of Service.
  • Grafana Enterprise – Nov2025 : CVE-2025-41115, Incorrect Privilege Assignment Vulnerability Allowing Privilege Escalation and User Impersonation via SCIM Provisioning in Grafana Enterprise.
  • Apache SkyWalking : CVE-2025-54057, Stored Cross-Site Scripting (XSS) Vulnerability Allowing Persistent Script Injection in Apache SkyWalking Monitoring Dashboards.
  • Gainsight Client – Nov2025 : Integration-Token Abuse Incident, Unauthorized Access and Potential Data Exfiltration Through Compromised OAuth Tokens in Gainsight–Salesforce Connected Applications.
  • FortiWeb [Suspected] : CVE-2025-64446, CVE-2025-58034, Authentication Bypass Vulnerability, Path Traversal Vulnerability, OS Command Injection Vulnerability in Fortinet FortiWeb Web Application Firewall.
  • SolarWinds Serv-U - Nov2025 : CVE-2025-40547, CVE-2025-40548, CVE-2025-40549, Logic Error Vulnerability, Improper Authorization Vulnerability, Path Traversal Vulnerability, Remote Code Execution Vulnerabilities in SolarWinds Serv-U.
  • OAuth2 Proxy : CVE-2025-64484, Improper Neutralization Of HTTP Headers For Scripting Syntax Vulnerability, Header Smuggling Vulnerability, Potential Privilege Escalation Vulnerability in OAuth2 Proxy.
  • pgAdmin - Nov2025 : CVE-2025-12762, CVE-2025-12763, CVE-2025-12764, CVE-2025-12765, Remote Code Execution Vulnerability, Command Injection Vulnerability, LDAP Injection Vulnerability, TLS Certificate Verification Bypass Vulnerability in pgAdmin.
  • W3 Total Cache - Nov2025 : CVE-2025-9501, Command Injection Vulnerability, Remote Code Execution Vulnerability in W3 Total Cache WordPress Plugin.
  • Microsoft SharePoint - Nov2025 : CVE-2025-62204, Deserialization of Untrusted Data Vulnerability, Remote Code Execution Vulnerability in Microsoft Office SharePoint.
  • MSSQL - Nov2025 : CVE-2025-59499, Improper Neutralization of Special Elements in SQL Commands, SQL Injection Vulnerability, Privilege Escalation Vulnerability in Microsoft SQL Server.
  • Elastic Kibana - Nov2025 : CVE-2025-37734, CVE-2025-59840, Server-Side Request Forgery (SSRF) Vulnerability, DOM-based Cross-site Scripting (XSS) Vulnerability, Improper Input Validation Vulnerability in Elastic Kibana.
  • Django - Nov2025 : CVE-2025-59681, CVE-2025-59682, SQL Injection Vulnerability, Directory Traversal Vulnerability, Improper Input Sanitization Vulnerability in Django Web Framework.
  • Open WebUI - Nov2025 : CVE-2025-64495, Stored DOM XSS Vulnerability, Account Takeover Vulnerability, Remote Code Execution Vulnerability in Open WebUI.
  • MOVEit - Oct2025 : CVE-2025-10932, Uncontrolled Resource Consumption Vulnerability, Denial of Service Vulnerability in Progress MOVEit Transfer.
  • Redis - Nov2025 : CVE-2025-62507, Improper Input Validation Vulnerability, Stack-based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability in Redis.
  • Control Web Panel (CWP) : CVE-2025-48703, Remote Code Execution Vulnerability, OS Command Injection Vulnerability in CentOS Control Web Panel.
  • DNN Software - Oct2025 : CVE-2025-64095, Improper Access Control Vulnerability, Unrestricted Upload of File Vulnerability, Arbitrary File Write Vulnerability, Remote Code Execution Vulnerability, Cross-site Scripting Vulnerability in DNN Software.
  • XWiki Platform : CVE-2025-24893, Remote Code Execution Vulnerability in XWiki Platform.
  • MikroTik RouterOS & SwOS : CVE-2025-61481, Arbitrary Code Execution Vulnerability, Man-in-the-Middle (MITM) Attack Vulnerability in MikroTik RouterOS & SwOS.
  • Apache Tomcat - Oct2025 : CVE-2025-55752, CVE-2025-55754, CVE-2025-61795, Remote Code Execution, Authorization Bypass, Path Traversal, File Upload, Improper Neutralization of Escape, Meta, or Control Sequences, Improper Resource Shutdown or Release, Improper Input Validation, Authentication Bypass, Denial of Service Vulnerabilities in Apache Tomcat.
  • Vault - Oct2025 : CVE-2025-12044, CVE-2025-11621, Denial of Service, Allocation of Resources Without Limits or Throttling, Authentication Bypass, Improper Authentication Vulnerabilities in Vault.
  • LiteSpeed - Oct2025 : CVE-2025-12450, Cross-site Scripting (XSS) Vulnerability in LiteSpeed.
  • Samba Server : CVE-2025-10230, Remote Code Execution Vulnerability in Samba servers.

See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag™ at https://blackkite.com/cve-database/.
