Written by: Ferdi Gül

Welcome to this week’s Focus Friday blog post, where we explore critical vulnerabilities with significant implications for Third-Party Risk Management (TPRM). In an increasingly interconnected vendor ecosystem, timely awareness of security flaws is paramount. This week, we examine two high-impact cases: multiple severe vulnerabilities in Tridium Niagara, a core platform in building automation, and an improper authorization flaw in Elastic Kibana, a popular observability tool. Both sets of vulnerabilities present unique risks due to their use in operational technology and infrastructure environments. Through Black Kite’s FocusTags™, TPRM professionals gain the clarity and precision needed to identify at-risk vendors, ask the right questions, and take meaningful action. The Black Kite research group issues FocusTags on the most critical vulnerabilities impacting third-party cyber ecosystems from the full CVE Database.

Filtered view of companies with Tridium Niagara FocusTag™ on the Black Kite platform.

CVE-2025-3936 to CVE-2025-3945: Critical Vulnerabilities in Tridium Niagara Framework

What Are the Tridium Niagara Framework Vulnerabilities?

Multiple critical vulnerabilities have been identified in Tridium’s Niagara Framework, a widely adopted platform for building automation and control systems, affecting versions prior to 4.14.2, 4.15.1, and 4.10.11. The vulnerabilities span several categories, including improper permission assignments, cryptographic weaknesses, input validation flaws, and logging issues. The most severe carry a CVSS score of 9.8, indicating critical impact.

Key Vulnerabilities:

  • CVE-2025-3936: Incorrect Permission Assignment for Critical Resource – CVSS: 9.8, EPSS: 0.03%
  • CVE-2025-3937: Use of Password Hash With Insufficient Computational Effort – CVSS: 9.8, EPSS: 0.02%
  • CVE-2025-3938: Missing Cryptographic Step – CVSS: 9.8, EPSS: 0.02%
  • CVE-2025-3939: Observable Response Discrepancy – CVSS: 5.3, EPSS: 0.04%
  • CVE-2025-3940: Improper Use of Validation Framework – CVSS: 9.8, EPSS: 0.11%
  • CVE-2025-3941: Alternate Data Stream – CVSS: 9.8, EPSS: 0.45%
  • CVE-2025-3942: Improper Output Neutralization for Logs – CVSS: 7.5, EPSS: 0.03%
  • CVE-2025-3943: Use of GET Request Method With Sensitive Query Strings – CVSS: 7.5, EPSS: 0.03%
  • CVE-2025-3944: Incorrect Permission Assignment for Critical Resource – CVSS: 9.8, EPSS: 0.05%
  • CVE-2025-3945: Argument Injection – CVSS: 9.8, EPSS: 0.06%

As of the latest updates, there are no known public exploits or reports of active exploitation in the wild. No PoC is available, these vulnerabilities are not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and CISA has published no specific advisory on them. However, the high CVSS scores and the nature of the vulnerabilities call for immediate attention.

Why Should TPRM Professionals Be Concerned?

The Niagara Framework is integral to the operation of building management systems, including HVAC, lighting, and security controls. Compromises in this framework can lead to unauthorized access to critical infrastructure, data breaches, and potential physical security risks. For organizations relying on third-party vendors utilizing Niagara, these vulnerabilities could translate into significant operational and security challenges.

What Questions Should TPRM Professionals Ask Vendors?

  1. Have you upgraded all instances of Tridium Niagara to versions 4.14.2, 4.15.1, or 4.10.11 to mitigate the risk of the multiple vulnerabilities including CVE-2025-3936, CVE-2025-3937, CVE-2025-3938, CVE-2025-3939, CVE-2025-3940, CVE-2025-3941, CVE-2025-3942, CVE-2025-3943, CVE-2025-3944, and CVE-2025-3945?
  2. Can you confirm if you have implemented the best practices described in the Niagara Hardening Guide to minimize system attack surface and misconfigurations, specifically in relation to the improper permission assignments and insecure use of cryptographic functions?
  3. Have you enabled logging and alerting for suspicious activity such as unauthorized configuration changes, failed authentication attempts, or unusual input/output patterns to address the logging weaknesses identified in the vulnerabilities?
  4. Can you confirm if you have applied strict input validation and output encoding across the application to prevent injection and log forging attacks, as part of your remediation measures for the flawed validation and input handling mechanisms?

Remediation Recommendations for Vendors

  • Upgrade Systems: Immediately update Niagara Framework and Niagara Enterprise Security to the patched versions: 4.14.2u2, 4.15.1u1, or 4.10.11u.
  • Audit User Accounts: Review and validate all user accounts with access to the Niagara environment. Revoke any unnecessary or unauthorized accounts.
  • Restrict Physical Access: Ensure that only authorized personnel have physical access to systems running the Niagara Framework.
  • Secure Remote Connections: Implement VPNs or other secure communication methods for any remote access to the Niagara environment.
  • Enhance Cryptographic Practices: Adopt strong password hashing algorithms like bcrypt or PBKDF2. Rotate credentials stored under weak conditions.
  • Sanitize Inputs and Logs: Implement strict input validation and ensure that logs do not expose sensitive information.
  • Enforce Code Signing: Require digital signing of all third-party modules and program objects prior to deployment.
  • Apply Hardening Guidelines: Follow the best practices outlined in the Niagara Hardening Guide to minimize system vulnerabilities.
  • Utilize Security Dashboard: Continuously monitor the Niagara Security Dashboard for any warnings or indicators of compromise.
  • Monitor System Behavior: Enable logging and alerting for suspicious activities, such as unauthorized configuration changes or failed authentication attempts.

Leveraging Black Kite for Enhanced TPRM

Black Kite has published a FocusTag for the Tridium Niagara vulnerabilities, providing detailed insights into the affected vendors and associated risks. This includes information on exposed assets, such as IP addresses and subdomains, linked to vulnerable Niagara instances. By utilizing this FocusTag, TPRM professionals can efficiently identify and prioritize vendors that require immediate attention, streamlining the risk assessment and mitigation process.

For organizations not yet utilizing Black Kite’s platform, this presents an opportunity to enhance third-party risk management strategies by gaining access to timely and actionable cybersecurity intelligence.

Black Kite’s Tridium Niagara FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-43706: Elastic Kibana Synthetic Monitoring Improper Authorization

What is the Kibana Synthetic Monitoring Improper Authorization Vulnerability?

CVE-2024-43706 is a high-severity improper authorization flaw in Elastic Kibana’s Synthetic Monitoring feature, affecting versions up to and including 8.12.0. The vulnerability allows authenticated users with low privileges to bypass UI-enforced role restrictions by sending direct HTTP requests to the Synthetic Monitoring API endpoints. This can lead to unauthorized access to monitoring data and the ability to manipulate synthetic monitors. If the Synthetic Monitoring feature is enabled (xpack.uptime.enabled: true), and access controls are misconfigured, attackers can exploit this flaw to gain unauthorized access. The issue has been addressed in Kibana version 8.12.1.

This vulnerability is classified as an Improper Authorization issue of high severity, carrying a CVSS 3.1 score of 7.6. Despite its severity, the EPSS score is low at 0.04%, indicating a minimal likelihood of exploitation. It was published on June 10, 2025, and there are no known instances of exploitation in the wild at this time. Additionally, no PoC is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog.

Why Should TPRM Professionals Care About This Vulnerability?

Kibana is widely used for data visualization and monitoring in various organizations. The Synthetic Monitoring feature is crucial for tracking application performance and uptime. If compromised, attackers can access sensitive monitoring data, manipulate synthetic monitors, and potentially disrupt services. For third-party risk management (TPRM) professionals, it’s essential to ensure that vendors using Kibana have addressed this vulnerability to prevent potential data breaches and service disruptions.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-43706?

  1. Have you updated all instances of Kibana to version 8.12.1 or later to mitigate the risk of CVE-2024-43706, which allows unauthorized access to synthetic monitoring data and actions?
  2. Can you confirm if you have disabled the Synthetic Monitoring feature (xpack.uptime.enabled: false in kibana.yml) in all instances of Kibana where it is not in use, as recommended in the advisory?
  3. Have you implemented network restrictions to limit Kibana HTTP access to trusted IPs or via secure proxy, as a mitigation measure against the improper authorization flaw in Kibana’s Synthetic Monitoring feature?
  4. Have you reviewed and tightened your RBAC definitions to ensure only intended roles can access Synthetic Monitoring, and have you set all synthetics-* indices to read-only via dynamic index blocks to prevent unauthorized writes?

Remediation Recommendations for Vendors Subject to This Risk

  • Upgrade Kibana: Update to version 8.12.1 or later to patch the vulnerability.
  • Disable Synthetic Monitoring: If not in use, disable the feature by setting xpack.uptime.enabled: false in the kibana.yml configuration file.
  • Apply Read-Only Blocks: Set the synthetics-* indices to read-only to prevent unauthorized writes.
  • Review Access Controls: Ensure that role-based access controls are properly configured to restrict access to Synthetic Monitoring APIs.
  • Restrict Network Access: Limit access to the Kibana HTTP interface to trusted IP addresses or through secure proxies.
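The two configuration-level mitigations above (disabling Synthetic Monitoring in kibana.yml and write-blocking the synthetics-* indices) can be audited from a vendor-supplied config excerpt and an Elasticsearch `_settings` response. The following is an added example, not Elastic's or Black Kite's code; the kibana.yml text and the settings response are constructed samples, and it assumes Kibana treats an absent `xpack.uptime.enabled` key as enabled.

```python
import fnmatch
import re

# Constructed kibana.yml excerpt (sample input, not from a real deployment).
KIBANA_YML = """\
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
# Synthetic Monitoring still enabled: the first mitigation is missing
xpack.uptime.enabled: true
"""

# Constructed shape of a GET synthetics-*/_settings response (non-flat form),
# trimmed to the index.blocks keys this check cares about.
INDEX_SETTINGS = {
    "synthetics-http-default": {"settings": {"index": {"blocks": {"write": "true"}}}},
    "synthetics-tcp-default": {"settings": {"index": {}}},
}

def uptime_enabled(kibana_yml: str) -> bool:
    """True unless xpack.uptime.enabled is explicitly false. Assumption: Kibana
    enables the feature when the key is absent, so a missing key counts as enabled."""
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"^xpack\.uptime\.enabled\s*:\s*(\S+)$", line)
        if m:
            return m.group(1).strip("\"'").lower() != "false"
    return True

def unblocked_synthetics_indices(settings: dict) -> list:
    """synthetics-* indices carrying neither a write block nor a read_only block."""
    missing = []
    for name, body in settings.items():
        if not fnmatch.fnmatch(name, "synthetics-*"):
            continue
        blocks = body.get("settings", {}).get("index", {}).get("blocks", {})
        if not any(str(blocks.get(k)).lower() == "true" for k in ("write", "read_only")):
            missing.append(name)
    return sorted(missing)

def audit(kibana_yml: str, settings: dict) -> list:
    """Return findings; an empty list means both mitigations are in place."""
    findings = []
    if uptime_enabled(kibana_yml):
        findings.append("xpack.uptime.enabled is not set to false in kibana.yml")
    for idx in unblocked_synthetics_indices(settings):
        findings.append(f"{idx} has no index.blocks.write or index.blocks.read_only block")
    return findings

if __name__ == "__main__":
    for finding in audit(KIBANA_YML, INDEX_SETTINGS):
        print("FINDING:", finding)
```

On the constructed inputs the audit reports two findings: the feature flag is still true and synthetics-tcp-default has no block. The block itself is applied with Elasticsearch's add-index-block API (`PUT synthetics-*/_block/write`), which sets index.blocks.write to true.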

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite has published a FocusTag for CVE-2024-43706, providing insights into vendors potentially affected by this vulnerability. The FocusTag includes information on exposed assets, such as IP addresses and subdomains, associated with vulnerable Kibana instances. This enables TPRM professionals to prioritize assessments and remediation efforts for vendors at risk.

By utilizing Black Kite’s FocusTags, organizations can streamline their third-party risk management processes, focusing on vendors that require immediate attention and reducing the overhead of broad-spectrum assessments. For more information on how Black Kite can assist in managing third-party cyber risks, visit Black Kite’s website.

Black Kite’s Elastic Kibana FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Readiness with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are purpose-built to bring speed, precision, and intelligence to Third-Party Risk Management—especially when high-severity vulnerabilities like those affecting Tridium Niagara and Elastic Kibana emerge. These tags provide:

  • Proactive Risk Detection: Identify which vendors are potentially impacted by newly disclosed vulnerabilities, without relying solely on questionnaires.
  • Contextual Risk Scoring: Evaluate vendor exposure based on asset intelligence and vulnerability criticality, enabling more informed prioritization.
  • Focused Vendor Communication: Equip risk professionals with the specific technical context needed to engage vendors in productive security discussions.
  • Broader Risk Visibility: Support a panoramic view of the third-party attack surface, highlighting overlooked exposures in operational or development environments.

With vulnerabilities targeting platforms integral to infrastructure and monitoring, the ability to swiftly trace affected vendors and understand the technical conditions for exploitation is not a luxury—it’s a necessity. Black Kite’s FocusTags™ offer the visibility and actionability required to respond efficiently and decisively, turning threat intelligence into measurable TPRM impact.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Elastic Kibana: CVE-2024-43706, Improper Authorization Vulnerability in Elastic Kibana.
  • Tridium Niagara: CVE-2025-3936, CVE-2025-3937, CVE-2025-3938, CVE-2025-3939, CVE-2025-3940, CVE-2025-3941, CVE-2025-3942, CVE-2025-3943, CVE-2025-3944, and CVE-2025-3945, Multiple Critical Vulnerabilities in Niagara Framework and Niagara Enterprise Security.
  • Roundcube Webmail – Jun2025: CVE-2025-49113, Remote Code Execution Vulnerability, Deserialization of Untrusted Data in Roundcube Webmail.
  • ScreenConnect – May2025: CVE-2025-3935, Improper Authentication Vulnerability in ConnectWise ScreenConnect.
  • Zimbra – May2025: CVE-2024-27443, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration (ZCS).
  • DrayTek Vigor – May2025: CVE-2024-12987, OS Command Injection Vulnerability in DrayTek Vigor Routers.
  • Atlassian Jira Data Center: CVE-2025-22157, Privilege Escalation Vulnerability in Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server.
  • Tornado Web Server: CVE-2025-47287, DoS Vulnerability in Tornado Web Server.
  • MDaemon Email Server: CVE-2024-11182, Cross-Site Scripting (XSS) Vulnerability in MDaemon Email Server.
  • Ivanti EPMM – May2025: CVE-2025-4427, CVE-2025-4428, Authentication Bypass and Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile (EPMM).
  • SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
  • Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
  • Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
  • Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
  • SAP NetWeaver VCFRAMEWORK: CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
  • Apache Tomcat – Apr2025: CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
  • Fortinet Symlink Backdoor: CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7: CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server: CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.

See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag at https://blackkite.com/cve-database/.