Written by: Ferdi Gül

This week’s Focus Friday highlights four high-priority vulnerabilities affecting widely used enterprise technologies: SysAid On-Premises, Apache ActiveMQ, Webmin, and Couchbase Server. Each of these products serves a critical function—whether facilitating IT service management, message brokering, system administration, or database operations. Their importance makes them prime targets for exploitation, and this week’s disclosures demonstrate both the breadth and depth of third-party risks facing modern enterprises.

From pre-authentication remote code execution in SysAid to denial-of-service vulnerabilities in ActiveMQ, privilege escalation flaws in Webmin, and file disclosure issues in Couchbase, the potential for vendor-side compromise is substantial. This week’s blog dissects these incidents through a Third-Party Risk Management (TPRM) lens and explains how Black Kite’s FocusTags™ empower organizations to swiftly identify which vendors are truly at risk and prioritize outreach accordingly.

Filtered view of companies with SysAid On-Premises FocusTag™ on the Black Kite platform.

CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 – SysAid On-Premises XXE Injection Vulnerabilities

What are the SysAid On-Premises Pre-Auth XXE Vulnerabilities?

In March 2025, multiple critical pre-authentication XML External Entity (XXE) injection vulnerabilities were disclosed in SysAid On-Premises, a widely used IT Service Management (ITSM) solution. These flaws—CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777—impact the /mdm/checkin, /mdm/serverurl, and /lshw endpoints respectively. Improper XML parsing in these components allows attackers to inject external entities, enabling unauthenticated access to sensitive local files or performing Server-Side Request Forgery (SSRF).

The vulnerabilities are classified as Critical, each carrying a CVSS score of 9.3, although these scores were not officially published at the time of writing. A working Proof-of-Concept (PoC) exploit is publicly available. While these CVEs are not yet listed in CISA’s Known Exploited Vulnerabilities (KEV), historical precedence—such as the exploitation of CVE-2023-47246 by the Cl0p ransomware group—suggests high likelihood of active weaponization.

All three vulnerabilities are patched in SysAid On-Premises version 24.4.60 b16, released in March 2025. Earlier versions remain susceptible, including v23.3.40, the version confirmed to be vulnerable by researchers.

Why Should TPRM Professionals Be Concerned About These SysAid Vulnerabilities?

SysAid On-Premises is more than just helpdesk software—it is a business-critical, internet-facing ITSM platform. It manages internal tickets, configuration data, asset inventories, and privileged workflows across an enterprise. As such, any compromise could cascade across multiple internal systems.

The pre-authentication nature of these vulnerabilities significantly lowers the exploitation barrier, especially since one of the attack paths exposes the plaintext administrator password stored in the InitAccount.cmd file. With that credential, attackers gain privileged access to the SysAid environment, and in known exploit chains, this leads to Remote Command Execution (RCE) via a separate post-auth command injection vector.

Vendors using SysAid On-Premises are at elevated risk of compromise through:

  • Data theft from internal ticketing systems
  • Hijacking of asset and configuration repositories
  • Leveraging helpdesk channels for internal spear-phishing
  • Deployment of ransomware through administrative access

These risks multiply when threat actors use the platform as a pivot to access more sensitive parts of a vendor’s network.

What Questions Should TPRM Professionals Ask Vendors About These SysAid Vulnerabilities?

Organizations managing third-party risk should direct the following questions to vendors potentially using SysAid On-Premises:

  1. Have you updated all instances of SysAid On-Premises to version 24.4.60 b16 or later to mitigate the risk of CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777?
  2. Can you confirm that all external access points to SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) have been appropriately secured or restricted from unauthorized external connections to prevent XML External Entity (XXE) injection and Server-Side Request Forgery (SSRF)?
  3. Have you implemented monitoring measures to detect suspicious or malicious requests targeting the SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) that were previously vulnerable to XXE injection and SSRF?
  4. Have you reviewed and updated your incident response procedures to ensure rapid identification and remediation capabilities for XXE-based vulnerabilities, specifically those identified in CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following remediation steps to mitigate these vulnerabilities:

  • Upgrade Immediately to SysAid On-Premises version 24.4.60 b16 or later.
  • Restrict or firewall external access to /mdm/checkin, /mdm/serverurl, and /lshw endpoints to limit exposure.
  • Audit the file system for the presence of InitAccount.cmd or other artifacts containing plaintext credentials and securely delete them.
  • Continuously monitor logs for anomalous or suspicious activity directed at the vulnerable endpoints.
  • Implement server-side XML parsing hardening practices across all Java-based services to prevent future XXE flaws.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the SysAid On-Premises [Suspected] FocusTag™ on May 7, 2025, identifying vendors potentially exposed to CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777. The FocusTag enables third-party risk managers to zero in on vendors that are running vulnerable assets, significantly reducing the time required to triage broad vulnerabilities.

The tag includes:

  • Asset-level attribution such as IP addresses and subdomains hosting vulnerable versions
  • Vendor-specific insights into deployment confidence levels (Medium in this case)
  • References to public exploit code and vulnerability details

This tag empowers TPRM professionals to focus only on vendors truly at risk, minimizing redundant outreach and enabling faster remediation.

Black Kite’s SysAid On-Premises FocusTagTM details critical insights on the event for TPRM professionals.

CVE-2025-27533 in Apache ActiveMQ

What is CVE-2025-27533 in Apache ActiveMQ?

CVE-2025-27533 is a medium-severity vulnerability identified in Apache ActiveMQ, a widely used open-source message broker. The flaw arises from improper validation of buffer sizes during the unmarshalling of OpenWire commands. An attacker can exploit this vulnerability by sending specially crafted OpenWire packets that trigger excessive memory allocation, leading to memory exhaustion and potential denial-of-service (DoS) attacks.

Exploit Conditions for CVE-2025-27533

An attacker can exploit this vulnerability only if all of the following are true:

  1. OpenWire Protocol Is Reachable
    • The flaw is triggered during the unmarshalling of OpenWire commands.
    • The attacker must be able to send data over OpenWire (the protocol clients use to communicate with the ActiveMQ broker).
  2. Mutual TLS (mTLS) Is Disabled
    • mTLS prevents unauthorized clients from connecting to the broker.
    • When mTLS is turned off (the default setting), attackers can readily establish sessions and deliver malicious OpenWire messages.
  3. Authentication Is Not Enforced
    • If mTLS isn’t required, the broker may accept incoming connections without verifying credentials.
    • This allows unauthenticated, remote attackers to trigger memory exhaustion on the broker.

Although no PoC exploit code is currently available for CVE‑2025‑27533 and it remains tracked under Apache issue AMQ‑6596 without inclusion in CISA’s KEV catalog, its potential for unauthenticated memory‑exhaustion attacks against critical messaging brokers poses a serious reliability and availability risk in enterprise environments.

Why Should TPRM Professionals Care About CVE-2025-27533?

Apache ActiveMQ serves as a critical component in many enterprise environments, facilitating communication between different applications and systems. A DoS attack exploiting this vulnerability could disrupt business operations, leading to service outages and potential data loss. Furthermore, if mutual TLS (mTLS) is not enabled, attackers can exploit this vulnerability remotely without authentication, increasing the risk of widespread impact.

What questions should TPRM professionals ask vendors about CVE-2025-27533?

  1. Have you updated all instances of Apache ActiveMQ to the patched versions (6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, 5.16.8 or later) to mitigate the risk of CVE-2025-27533?
  2. Can you confirm if you have implemented Mutual TLS (mTLS) on your Apache ActiveMQ to prevent unauthorized clients from establishing connections to the broker and potentially exploiting CVE-2025-27533?
  3. Have you set up automated monitoring and alerting for sudden spikes in memory usage or broker performance degradation, which may signal exploitation attempts of CVE-2025-27533?
  4. Have you restricted network access to ActiveMQ broker ports—especially OpenWire (typically TCP port 61616)—to only trusted IP ranges or internal systems to mitigate the risk of CVE-2025-27533?

Remediation Recommendations for Vendors Subject to This Risk

  • Upgrade Immediately: Update Apache ActiveMQ to one of the patched versions: 6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, 5.16.8 or later.
  • Implement Mutual TLS: For affected brokers that cannot yet be upgraded, enforce mutual TLS (mTLS) to mitigate unauthenticated remote access.
  • Restrict Network Access: Limit access to ActiveMQ broker ports—especially OpenWire (typically TCP port 61616)—to only trusted IP ranges or internal systems.
  • Monitor Resource Usage: Set up automated monitoring and alerting for sudden spikes in memory usage or broker performance degradation.
  • Inspect Logs and Network Traffic: Review ActiveMQ logs and network traffic for anomalies or malformed OpenWire command activity.
  • Test Application Compatibility: After upgrading, validate that internal applications depending on ActiveMQ still function as expected.
  • Use Web Application Firewalls (WAF) or Proxies: If possible, front ActiveMQ brokers with reverse proxies or WAFs that can enforce additional traffic validation and rate-limiting.
  • Develop an Incident Response Plan: Prepare your IR team to respond to a broker-level DoS scenario by including procedures for isolating affected brokers, restarting services, and rerouting messaging workloads if necessary.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite provides continuous monitoring and risk assessment capabilities that can help TPRM professionals identify and manage vulnerabilities like CVE-2025-27533. By leveraging Black Kite’s platform, organizations can:

  • Detects the presence of vulnerable Apache ActiveMQ instances within their vendor ecosystem.
  • Assess the potential impact of CVE-2025-27533 on their supply chain.
  • Receive timely alerts and recommendations for remediation actions.

Black Kite’s FocusTag™ for Apache ActiveMQ – May2025, published on May 8, 2025, offers detailed insights into this vulnerability, including affected versions, mitigation strategies, and monitoring recommendations. TPRM professionals can use this information to engage with vendors, ensure timely patching, and enhance their overall risk management posture.

Black Kite’s Apache ActiveMQ – May2025 FocusTagTM details critical insights on the event for TPRM professionals.

CVE-2025-2774 – Webmin CRLF Injection Privilege Escalation Vulnerability

What is the Webmin CRLF Injection Privilege Escalation Vulnerability?

CVE-2025-2774 is a critical CRLF (Carriage Return Line Feed) injection vulnerability affecting Webmin versions prior to 2.302. This flaw arises from improper neutralization of CRLF sequences in CGI request handling, allowing authenticated attackers to manipulate HTTP headers and execute arbitrary code with root privileges. The vulnerability has a CVSS score of 8.8, indicating high severity and low exploit probability.

Discovered and reported to the vendor on February 28, 2025, the vulnerability was publicly disclosed on May 1, 2025. As of now, there is no evidence of exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Webmin is a widely used web-based system administration tool for Unix-like servers, with over a million installations worldwide. A successful exploit of CVE-2025-2774 could grant attackers root-level access, allowing them to:

  • Modify or disrupt critical server configurations
  • Access, modify, or exfiltrate sensitive data
  • Deploy malware or establish persistent unauthorized access
  • Disrupt services and operations

Given Webmin’s role in managing critical server functions, this vulnerability poses significant risks to organizations relying on it for system administration.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-2774?

  1. Can you confirm if you have updated all your Webmin installations to version 2.302 or later to mitigate the risk of the CRLF Injection Privilege Escalation Vulnerability (CVE-2025-2774)?
  2. Have you implemented robust access controls and limited user permissions to prevent low-privilege Webmin accounts from exploiting this vulnerability?
  3. Are you actively reviewing your server and Webmin logs for signs of unusual or suspicious activities, particularly around CGI request handling, as a measure to detect potential exploitation of CVE-2025-2774?
  4. Have you ensured that your incident response plans include scenarios involving privilege escalation and immediate steps for isolation, investigation, and remediation in the event of a successful exploitation of the CRLF Injection Privilege Escalation Vulnerability (CVE-2025-2774)?

Remediation Recommendations for Vendors Subject to This Risk

  • Immediately update Webmin installations to version 2.302 or later.
  • Restrict Webmin access to trusted networks and enforce strong authentication practices.
  • Review server and Webmin logs diligently for signs of unusual or suspicious activities.
  • Implement and maintain robust access controls, following the principle of least privilege.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag for CVE-2025-2774 on May 7, 2025. TPRM professionals can utilize Black Kite’s platform to identify vendors potentially affected by this vulnerability. The platform provides asset information, such as IP addresses and subdomains, associated with the vendors’ systems, enabling organizations to assess and manage third-party risks effectively.

Black Kite’s Webmin FocusTagTM details critical insights on the event for TPRM professionals.

CVE-2025-46619 – Couchbase Server Local File Inclusion Vulnerability

What is the Couchbase Server Local File Inclusion Vulnerability?

CVE-2025-46619 is a high-severity Local File Inclusion (LFI) vulnerability identified in Couchbase Server versions prior to 7.6.4 (all platforms) and 7.2.7 (Windows builds). Affected Versions are 7.6.3, 7.6.2, 7.6.1, 7.6.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x.

This flaw allows unauthorized users to access sensitive system files, such as /etc/passwd or /etc/shadow, without proper authorization. The vulnerability arises from improper access controls, enabling attackers to read arbitrary files on the server.

The vulnerability was publicly disclosed on April 30, 2025. As of now, there is no evidence of exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerability’s CVSS score of 7.6 is currently classified as High.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Couchbase Server is a widely-used NoSQL document database, integral to many enterprise applications. Exploitation of CVE-2025-46619 could allow attackers to access sensitive configuration files, leading to potential data breaches or system compromises. Given the prevalence of Couchbase in critical systems, this vulnerability poses a significant risk to organizations relying on it for data management.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-46619?

  1. Have you upgraded all instances of Couchbase Server to version 7.6.4 (cross-platform) or 7.2.7 (Windows) to mitigate the risk of CVE-2025-46619?
  2. Can you confirm that you have implemented monitoring and auditing measures to detect unusual file-read attempts, specifically related to potential exploitation of the Local File Inclusion (LFI) vulnerability in Couchbase Server?
  3. Have you conducted an internal verification to inventory all Windows deployments of Couchbase Server and confirmed they are running versions 7.2.7 or higher?
  4. Have you reviewed and adjusted the configuration of any web-facing interfaces to ensure they do not expose arbitrary file paths, as recommended in the remediation measures for CVE-2025-46619?

Remediation Recommendations for Vendors Subject to This Risk

  • Immediately upgrade Couchbase Server to version 7.6.4 or 7.2.7 (for Windows) to remediate the LFI vulnerability.
  • Restrict database process permissions to prevent unauthorized file reads.
  • Ensure that any web-facing interfaces do not expose arbitrary file paths.
  • Monitor access logs for unusual file-read attempts and conduct regular vulnerability scans.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite published the FocusTag™ for CVE-2025-46619 on May 6, 2025. TPRM professionals can utilize Black Kite’s platform to identify vendors potentially affected by this vulnerability. The platform provides asset information, such as IP addresses and subdomains, associated with the vendors’ systems, enabling organizations to assess and manage third-party risks effectively.

Black Kite’s Couchbase Server FocusTagTM details critical insights on the event for TPRM professionals.

Enhancing Vendor Risk Management with Black Kite’s FocusTags™

In an era where threat actors rapidly pivot to exploit newly disclosed vulnerabilities, organizations need fast, intelligent ways to assess third-party exposure. That’s where Black Kite’s FocusTags™ come into play—especially for critical flaws like those found in SysAid, Apache ActiveMQ, Webmin, and Couchbase Server.

Here’s how Black Kite’s FocusTags™ amplify TPRM efficiency and precision:

  • Vendor-Specific Risk Identification: By tagging vendors with confirmed or suspected exposure to these vulnerabilities, FocusTags™ eliminate guesswork and reduce the number of vendors that require immediate attention.
  • Asset-Level Context: Beyond just naming the vendor, FocusTags™ provide concrete intelligence—such as IP addresses or subdomains hosting vulnerable systems—making the risk truly actionable.
  • Prioritized Outreach: Knowing which vendors are affected and how, enables TPRM teams to send targeted, informed questionnaires rather than blanketed inquiries that burden vendors and slow down triage.
  • Holistic Threat Context: FocusTags™ incorporate exploitation status, CISA KEV presence, patch availability, and severity scoring, giving teams a full-spectrum view of risk.

With Black Kite’s FocusTags™, your organization is empowered to act swiftly and precisely—not just to understand where exposure exists, but to take meaningful, time-sensitive steps to reduce risk in a constantly evolving threat landscape.



Want to take a closer look at FocusTags™?


Take our platform for a test drive and request a demo today.




Request a Demo

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTagsTM in the Last 30 Days:

  • SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
  • Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
  • Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
  • Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
  • SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
  • Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
  • Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
  • Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.

References