Focus Friday: TPRM Insights On Critical Vulnerabilities in Wing FTP, ScreenConnect, LiteSpeed, Authlib, and File Browser

Published

Mar 20, 2026

Authors

Ferdi Gül

Contributors

Hakan Karabacak


Introduction

Welcome to another edition of Focus Friday. As digital supply chains grow increasingly complex, a single compromised server or a hidden authentication flaw within your vendor ecosystem can rapidly escalate into a direct threat to your own operations. This week, we are analyzing a diverse set of high-severity vulnerabilities that require immediate attention from Third-Party Risk Management (TPRM) professionals. We will examine active, in-the-wild exploitation targeting Wing FTP Servers, high-impact OS command injection in LiteSpeed web environments, critical cryptographic and authentication bypass flaws in the Authlib Python library, and a catastrophic "instant hijack" vulnerability affecting File Browser deployments. Let's break down how these specific threats impact your third-party network and the actionable steps you can take to secure your supply chain.

Filtered view of companies with Wing FTP Server FocusTag® on the Black Kite platform.

Wing FTP Server (CVE-2025-47813)

What is the Wing FTP Server Information Disclosure Vulnerability?

CVE-2025-47813 is a Medium-severity information disclosure vulnerability impacting Wing FTP Server. Carrying a CVSS score of 4.3 and an EPSS score of 20.96%, this flaw originates from improper validation of the "UID" session cookie. When a server processes a UID cookie with an excessively long value that exceeds the underlying operating system's maximum path size, it generates an error message revealing the full local installation path of the application.

Initially discovered by researchers and published in mid-2025, the vulnerability has recently seen a severe escalation in threat activity. Threat actors are actively exploiting this vulnerability in the wild, specifically leveraging it in attacks associated with the RondoDox malware family. By uncovering the exact local server paths, attackers can chain this information disclosure with other critical flaws—such as the remote code execution vulnerability CVE-2025-47812—to achieve full system compromise. Recognizing the active threat, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026, mandating federal agencies to apply mitigations by March 30, 2026.

Why Should TPRM Professionals Care About the Wing FTP Server Vulnerability?

Wing FTP Server is designed to facilitate the secure transfer of files across multiple protocols, meaning it inherently handles highly sensitive corporate data, intellectual property, and confidential client information. For Third-Party Risk Management professionals, an actively exploited flaw in a vendor’s managed file transfer infrastructure represents a direct risk to data confidentiality.

Although CVE-2025-47813 is classified as an information disclosure flaw, it serves as a critical reconnaissance stepping stone for cybercriminals. If a vendor's FTP server is compromised through a chained exploit utilizing this path disclosure, attackers could intercept file transfers, exfiltrate proprietary data, or deploy ransomware across the vendor's network. A breach of this nature directly exposes your organization's shared data and disrupts essential supply chain operations.

What questions should TPRM professionals ask vendors about this Wing FTP Server vulnerability?

To accurately gauge the security posture of your third parties regarding this specific flaw, consider asking the following technical questions:

  1. Have you updated your Wing FTP Server to the latest patched version to mitigate the risk of CVE-2025-47813?
  2. Have you implemented Web Application Firewalls (WAF) to filter out malformed or excessively long UID cookie requests as recommended in the advisory?
  3. Are you monitoring your network traffic and server logs for unusually long UID cookie values or unexpected error generation, which are indicators of potential exploitation of CVE-2025-47813?
  4. Given the known association of this vulnerability with the RondoDox malware family, have you taken any specific measures to detect and mitigate this malware in your environment?

Remediation Recommendations for Vendors subject to this risk

Vendors operating Wing FTP Server must take immediate technical actions to prevent path disclosure and subsequent exploitation:

  • Upgrade the Application: Immediately update Wing FTP Server to the latest patched version provided by the vendor to correct the UID cookie validation logic.
  • Deploy WAF Protections: Implement Web Application Firewalls (WAF) to actively inspect and filter out incoming requests containing malformed or excessively long cookie values.
  • Enhance Log Monitoring: Monitor server error logs and network traffic specifically for anomalies related to UID cookies and path disclosure errors.
  • Check for Indicators of Compromise: Perform a thorough scan of the host operating system to ensure no secondary payloads, such as RondoDox-related malware or unauthorized remote monitoring tools, have been installed.
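As an added example (not code from Wing FTP Server, RondoDox analysis or Black Kite), the following Python pre-filter implements the WAF mitigation above: requests whose UID cookie exceeds an assumed length ceiling are dropped and reported, and the same length check can be run over captured request logs to serve the monitoring recommendation. The threshold and the sample requests are constructed.

```python
"""Pre-filter for Wing FTP Server requests carrying an overlong UID cookie.

Added example (not Wing FTP, RondoDox or Black Kite code): drop requests whose
UID session cookie is far longer than any legitimate session identifier before
they reach the server and can trigger the path-disclosure error.
"""
from typing import Dict, List, Optional

# Assumed ceiling for a legitimate UID value. Real session identifiers are
# short; the trigger for CVE-2025-47813 needs a value longer than the host's
# maximum path length (4096 bytes on Linux, 260 on Windows), so a low cap
# catches the attack with a wide margin. Tune to your observed session-id size.
UID_MAX_LEN = 128


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> value without any length limit."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def uid_cookie_length(header: str) -> Optional[int]:
    """Length of the UID cookie value, or None if the request has no UID cookie."""
    value = parse_cookie_header(header).get("UID")
    return None if value is None else len(value)


def should_block(request: Dict[str, str], max_len: int = UID_MAX_LEN) -> bool:
    """True when the request's UID cookie exceeds the allowed length."""
    length = uid_cookie_length(request.get("cookie", ""))
    return length is not None and length > max_len


def filter_requests(requests: List[Dict[str, str]], max_len: int = UID_MAX_LEN):
    """Return (allowed, blocked); blocked entries carry the offending length."""
    allowed, blocked = [], []
    for req in requests:
        if should_block(req, max_len):
            blocked.append({**req, "uid_len": uid_cookie_length(req["cookie"])})
        else:
            allowed.append(req)
    return allowed, blocked


# Constructed sample traffic: one normal session, one request with no UID
# cookie, and one carrying a 5000-byte UID (past the Linux PATH_MAX of 4096).
SAMPLE_REQUESTS = [
    {"client": "203.0.113.10", "path": "/", "cookie": "UID=8f3a1c9e2b7d4e6f; lang=en"},
    {"client": "203.0.113.11", "path": "/login", "cookie": "lang=en"},
    {"client": "198.51.100.7", "path": "/", "cookie": "UID=" + "A" * 5000},
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    for entry in bad:
        print(f"ALERT overlong UID cookie ({entry['uid_len']} bytes) from {entry['client']}")
    print(f"{len(ok)} allowed, {len(bad)} blocked")
```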

How TPRM professionals can leverage Black Kite for this vulnerability

To help organizations rapidly identify exposure within their supply chain, Black Kite published the Wing FTP Server [Suspected] FocusTag® on March 17, 2026. This release serves as an updated tag related to our previous Wing FTP Server research originally created on July 2, 2025, now incorporating the latest intelligence on active in-the-wild exploitation.

TPRM teams can operationalize this intelligence by filtering their vendor ecosystem to isolate companies tagged with this specific vulnerability. A major differentiator of the Black Kite platform is the provision of precise asset information—including the exact IP addresses and subdomains posing the risk. By arming TPRM professionals with this granular data, they can bypass broad inquiries and directly request that affected vendors patch the specific externally facing FTP servers identified by the platform.

Black Kite's Wing FTP Server FocusTag® details critical insights on the event for TPRM professionals

ScreenConnect - Mar2026 (CVE-2026-3564)

What is the ConnectWise ScreenConnect Cryptographic Signature Vulnerability?

CVE-2026-3564 is a Critical-severity Improper Verification of Cryptographic Signature vulnerability (CWE-347) impacting ConnectWise ScreenConnect. Carrying a CVSS score of 9.0 and an EPSS score of 0.02%, this flaw stems from how earlier versions of the software handled server-level cryptographic material. Under specific conditions, an actor with access to the server configuration files—where unique machine keys were stored per instance—could extract this material and misuse it to forge session authentication. This allows the attacker to obtain unauthorized access, including elevated privileges, in scenarios where server integrity may already be compromised.

Published by ConnectWise on March 17, 2026, the vulnerability impacts all on-premise ScreenConnect versions prior to 26.1. The newly released version 26.1 introduces enhanced protections for machine key handling, including encrypted storage and management. Currently, public Proof-of-Concept (PoC) exploits have not yet been reported, and there are no confirmed reports of active exploitation in the wild or specific threat actor campaigns. Consequently, CVE-2026-3564 is not listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog. However, it is tracked in the European Union's Vulnerability Database under the identifier EUVD-2026-12574.

Why Should TPRM Professionals Care About the ScreenConnect Vulnerability?

ConnectWise ScreenConnect is a highly privileged Remote Monitoring and Management (RMM) and remote access solution. IT teams and managed service providers use it to gain full, unattended administrative control over endpoints and servers across an organization's network.

For Third-Party Risk Management professionals, a critical authentication vulnerability in a vendor's remote access infrastructure represents an extreme operational and supply chain risk. If a threat actor manages to bypass authentication and gain elevated privileges within a vendor's ScreenConnect environment, they essentially hold the "keys to the kingdom." Attackers frequently target RMM tools to bypass traditional perimeter defenses, enabling them to deploy ransomware silently across the vendor's entire fleet of managed devices, exfiltrate sensitive data, or pivot laterally into connected client environments—including yours. Because this software relies on deep system integration, a compromise here threatens the core confidentiality and availability of the vendor's services.

What questions should TPRM professionals ask vendors about the ScreenConnect vulnerability?

To accurately assess how your third-party ecosystem is securing its remote management infrastructure, consider asking vendors the following specific technical questions:

  • Have you immediately upgraded all on-premise instances of ConnectWise ScreenConnect to version 26.1 or later to address the cryptographic signature flaw (CVE-2026-3564)?
  • Have you audited your server configuration files and internal logs for any signs of unauthorized access or extraction of machine keys prior to applying the patch?
  • Can you confirm that your ScreenConnect instances are adequately segmented from critical internal networks, and that the principle of least privilege is enforced for all users interacting with the application?
  • Do you maintain isolated, regular backups of your ScreenConnect configurations and data to ensure rapid recovery in the event of a successful exploitation?

Remediation Recommendations for Vendors subject to this risk

Vendors utilizing on-premise versions of ConnectWise ScreenConnect must take immediate action to secure their remote access environments:

  • Apply Patches Immediately: On-premise users must upgrade to ScreenConnect version 26.1 or later immediately. This update enforces encrypted storage and management of machine keys. (Cloud instances are automatically remediated by ConnectWise).
  • Monitor ConnectWise Official Channels: Regularly review ConnectWise security bulletins and advisories for any newly released intelligence or secondary patches regarding CVE-2026-3564.
  • Implement Network Segmentation and Least Privilege: Ensure that the servers hosting ScreenConnect are strictly segmented from critical internal networks. Continuously review and enforce the principle of least privilege for all user accounts and service integrations.
  • Maintain Regular Backups: Implement a routine schedule to back up ScreenConnect configurations and databases. Store these backups offline or in an isolated environment to facilitate recovery if the system is compromised.

How TPRM professionals can leverage Black Kite for this vulnerability

To help organizations rapidly detect this critical exposure within their supply chains, Black Kite published the "ScreenConnect - Mar2026" FocusTag® on March 18, 2026, with a "Very High" confidence level.

TPRM teams can operationalize this intelligence by filtering their entire vendor inventory to isolate organizations running exposed or vulnerable on-premise ScreenConnect instances. The most significant differentiator of the Black Kite platform is its ability to provide precise asset information—identifying the exact IP addresses and subdomains where the vulnerable remote access portal is exposed to the internet. Instead of sending out broad questionnaires and waiting for responses, TPRM professionals can use this granular data to directly alert high-risk vendors about their specific externally facing infrastructure and demand immediate proof of patching to version 26.1.

Black Kite's ScreenConnect - Mar2026 FocusTag® details critical insights on the event for TPRM professionals.

LiteSpeed - Mar2026 (CVE-2026-31386)

What is the LiteSpeed Web Server OS Command Injection Vulnerability?

CVE-2026-31386 is a High-severity OS Command Injection vulnerability affecting the LiteSpeed WebAdmin component across all versions of OpenLiteSpeed and LiteSpeed Web Server (LSWS) Enterprise. Carrying a CVSS score of 8.6 and an EPSS score of 0.16%, this flaw (CWE-78) originates from the improper neutralization of input used to construct operating system commands within the management console.

Because the WebAdmin console runs with high privileges to manage server configurations, an authenticated attacker with administrative access can input specially crafted commands that break out of the application’s logic. These inputs are then interpreted directly by the host's shell, allowing the attacker to execute arbitrary system-level commands with elevated permissions.

Published in mid-March 2026, this vulnerability fundamentally breaks the isolation between the web server application and the host operating system. Currently, there is no public Proof-of-Concept (PoC) exploit available, and there are no confirmed reports of active exploitation or specific threat actor campaigns in the wild. Consequently, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, and CISA has not issued a specific advisory. However, the flaw is formally listed in the European Union's Vulnerability Database under the identifier EUVD-2026-12333.

Why Should TPRM Professionals Care About the LiteSpeed WebAdmin Vulnerability?

LiteSpeed Web Server is a core infrastructure component used by vendors to host high-traffic web applications, customer portals, and enterprise platforms. The WebAdmin console specifically acts as the control center for this entire web environment.

For Third-Party Risk Management professionals, a vulnerability granting OS-level command execution within a core web server presents a severe threat to supply chain integrity and data confidentiality. If a threat actor manages to compromise a vendor's WebAdmin console—perhaps through credential stuffing or phishing an administrator—they can leverage this vulnerability to execute commands as the host. This allows them to install persistent backdoors, alter web application logic to harvest credentials, or pivot deeper into the vendor's internal network to access databases stored entirely outside the web root. A compromised web server infrastructure directly jeopardizes any proprietary data or customer interactions facilitated by that vendor.

What questions should TPRM professionals ask vendors about the LiteSpeed vulnerability?

To accurately assess the risk exposure within your third-party ecosystem, consider asking vendors the following specific technical questions regarding this command injection flaw:

  1. Have you restricted access to the LiteSpeed WebAdmin console port so that it is not reachable from the public internet and is only accessible from internal, trusted network segments, to mitigate the risk of CVE-2026-31386?
  2. Have you implemented firewall policies (such as iptables, ufw, or cloud security groups) that allow connections to the WebAdmin console only from known, static administrative IP addresses, and do you require an authenticated VPN connection before staff can reach the management port?
  3. Are you continuously monitoring the server's system and administrative logs for unauthorized login attempts, unusual command executions, or signs of privilege escalation that could indicate exploitation of CVE-2026-31386?
  4. Are you monitoring official LiteSpeed release channels for security patches that address CVE-2026-31386, and do you have a process in place to deploy them immediately upon release?

Remediation Recommendations for Vendors subject to this risk

Vendors utilizing OpenLiteSpeed or LSWS Enterprise must take immediate architectural and administrative actions to secure their environments against command injection:

  • Restrict WebAdmin Access: Immediately isolate the port used by the WebAdmin console from the public internet. Ensure it is only accessible via internal, trusted network segments.
  • Implement IP Whitelisting: Configure strict firewall policies (such as iptables, ufw, or cloud security groups) to explicitly allow incoming connections to the WebAdmin console only from known, static administrative IP addresses.
  • Enforce VPN Usage: Mandate that all technical staff establish a secure, authenticated VPN connection before they can route traffic to the management port.
  • Audit Administrative Logs: Continuously monitor the server’s system and administrative logs for unauthorized login attempts, unusual command executions, or signs of privilege escalation.
  • Apply Developer Patches: Monitor official LiteSpeed release channels closely for software updates or security patches that correct this logic flaw, and deploy them immediately upon release.

How TPRM professionals can leverage Black Kite for this vulnerability

To help organizations rapidly detect exposure to this high-severity infrastructure flaw, Black Kite published the "LiteSpeed - Mar2026" FocusTag® on March 17, 2026, with a "Very High" confidence level.

TPRM teams can operationalize this intelligence by filtering their entire vendor inventory to identify organizations running exposed LiteSpeed WebAdmin consoles. A critical differentiator of the Black Kite platform is its ability to provide specific asset information—identifying the exact IP addresses and subdomains where the vulnerable WebAdmin interface is exposed to the internet. Instead of sending broad questionnaires, TPRM professionals can use this precise asset data to contact at-risk vendors directly, demanding immediate network isolation and proof of IP whitelisting for the identified endpoints.

Black Kite's LiteSpeed - Mar2026 FocusTag® details critical insights on the event for TPRM professionals.

Authlib (CVE-2026-28490, CVE-2026-28498, CVE-2026-27962)

What are the Authlib Critical Vulnerabilities?

The Authlib Python library is currently impacted by a cluster of severe vulnerabilities that can lead to unauthorized access, authentication bypass, and internal network exposure:

  • CVE-2026-28490 (High Severity): Carrying a CVSS score of 8.3 and an EPSS score of 0.02%, this is a JWT signature bypass vulnerability within the jwk.JsonWebKey.generate_key function. The flaw occurs due to improper validation of the crv parameter for specific curve types (e.g., Ed25519, P-256), allowing an attacker to forge JWT signatures and impersonate users.
  • CVE-2026-28498 (High Severity): Carrying a CVSS score of 8.2 and an EPSS score of 0.02%, this authentication bypass vulnerability stems from incorrect handling of nonce values in the oauth2.rfc6749.Client.parse_id_token function. Attackers can exploit this by reusing an old nonce value to bypass authentication mechanisms entirely.
  • CVE-2026-27962 (Critical Severity): Carrying a CVSS score of 9.1 and an EPSS score of 0.02%, this is a Server-Side Request Forgery (SSRF) vulnerability in the oauth2.rfc7523.Client.fetch_jwk_set function. By supplying a malicious URL for the JSON Web Key (JWK) set, attackers can force the server to make unauthorized outbound requests, leading to internal network scanning or information disclosure.

Published in mid-March 2026, these flaws impact every Authlib release through version 1.6.8. Currently, public Proof-of-Concept (PoC) exploits have not been reported, and there is no confirmed active exploitation in the wild. Consequently, these vulnerabilities are not listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog, and CISA has not issued a dedicated advisory. They are, however, tracked in the European Union's Vulnerability Database.

Why Should TPRM Professionals Care About the Authlib Vulnerabilities?

Authlib serves as a foundational building block for developers implementing OAuth 2.0 and OpenID Connect servers. For Third-Party Risk Management professionals, an authentication library represents the absolute core of a vendor's identity and access management (IAM) security.

If a third-party partner relies on a vulnerable version of Authlib for their SaaS platforms, client portals, or internal APIs, the "front door" to their environment is fundamentally compromised. By exploiting the JWT forgery or nonce reuse flaws, cybercriminals can bypass login screens and impersonate legitimate users or administrators without needing stolen passwords. Furthermore, the SSRF vulnerability allows attackers to use the vendor's authentication server as a proxy to attack deeper internal network resources. A breach of a vendor's authentication framework puts all shared proprietary data, customer records, and integrated supply chain connections at immediate risk of unauthorized exposure.

What questions should TPRM professionals ask vendors about the Authlib vulnerabilities?

To accurately assess how your third-party ecosystem is managing this specific authentication risk, consider asking vendors the following targeted technical questions:

  1. Have you updated all instances of Authlib to version 1.6.9 or later to mitigate the risk of CVE-2026-28490, CVE-2026-28498, and CVE-2026-27962?
  2. Can you confirm if you have implemented strict JWT validation practices, especially for cryptographic curve (`crv`) values and signatures, to prevent forging and mitigate the risk of CVE-2026-28490?
  3. Have you enforced robust nonce validation for OAuth 2.0 to prevent reuse and subsequent authentication bypass attacks, as recommended to address the vulnerability CVE-2026-28498?
  4. Have you implemented strict firewall rules and network segmentation to limit outbound connections from servers running Authlib, mitigating the impact of potential SSRF vulnerabilities as described in CVE-2026-27962?

Remediation Recommendations for Vendors subject to this risk

Vendors utilizing affected versions of Authlib must take immediate action to secure their authentication infrastructure:

  • Update the Library: The most definitive fix is to immediately upgrade the Authlib library to version 1.6.9 or a subsequent secure release.
  • Implement Strict JWT Validation: Beyond simply updating the library, ensure that your custom application code explicitly validates all incoming JWT parameters, paying close attention to cryptographic curve values to prevent signature forgery.
  • Enforce Nonce Validation: Review your OAuth 2.0 implementation to verify that nonce parameters are strictly validated and tracked to prevent reuse during the authentication flow.
  • Restrict Outbound Network Access: Implement robust network segmentation and firewall rules to limit outbound connections from the servers hosting the Authlib implementation, mitigating the SSRF vector.
  • Conduct Security Audits: Perform thorough code reviews on any applications utilizing Authlib to ensure custom code does not reintroduce similar logic flaws or misconfigurations.
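The three application-side recommendations above (strict JWT curve validation, one-time nonce handling, and restricting where a JWK set may be fetched from) in one added Python example. This is defensive code layered on top of the library, not Authlib's own implementation or its fix; the accepted curve table, the allowlisted hosts and the sample values are assumptions.

```python
"""Defensive checks for the three Authlib issue classes described above.

Added example, not Authlib's own code: one-time nonce handling (against nonce
reuse, CVE-2026-28498), a key-type/curve consistency check on incoming JWKs
(against the crv validation gap, CVE-2026-28490), and an allowlist for the
JWK-set URL handed to an OAuth client (against the SSRF in fetching the JWK
set, CVE-2026-27962). The curve table and allowed hosts are assumptions.
"""
import ipaddress
import secrets
import time
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit


class NonceStore:
    """One-time nonces for an OpenID Connect login: a nonce is accepted exactly
    once, while still within its TTL, and never again afterwards."""

    def __init__(self, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._pending: Dict[str, float] = {}   # nonce -> expiry time
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self) -> str:
        """Mint a fresh nonce for the authorization request and remember it."""
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = self._clock() + self._ttl
        return nonce

    def consume(self, nonce: Optional[str]) -> bool:
        """Accept the nonce from an ID token only if it is pending and unexpired.
        pop() removes it, so a replay of the same value is refused."""
        if not isinstance(nonce, str):
            return False
        expiry = self._pending.pop(nonce, None)
        return expiry is not None and self._clock() <= expiry


def id_token_nonce_ok(claims: Dict, store: NonceStore) -> bool:
    """Bind the ID token to the login attempt that issued its nonce."""
    return store.consume(claims.get("nonce"))


# Curves a verifier is willing to accept, keyed by JWK key type (assumed
# policy). An EC key naming an Edwards curve, or vice versa, is rejected
# rather than guessed at.
ALLOWED_CURVES = {
    "EC": {"P-256", "P-384", "P-521"},
    "OKP": {"Ed25519", "Ed448"},
}


def has_valid_curve(jwk: Dict) -> bool:
    """Require crv to be present and consistent with kty for curve-based keys,
    and absent for key types (RSA, oct) that have no curve at all."""
    kty, crv = jwk.get("kty"), jwk.get("crv")
    if kty in ALLOWED_CURVES:
        return isinstance(crv, str) and crv in ALLOWED_CURVES[kty]
    return crv is None


def is_safe_jwks_url(url: str, allowed_hosts: Iterable[str]) -> bool:
    """Allow a JWK-set URL only over HTTPS, without userinfo, and with a host on
    the allowlist that is not a loopback/private/link-local address literal."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                       # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:
        return False
    # A hostname allowlist does not stop a trusted name from resolving to an
    # internal address; pair it with egress filtering on the server itself.
    return host.lower() in {h.lower() for h in allowed_hosts}
```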

How TPRM professionals can leverage Black Kite for these vulnerabilities

To help organizations rapidly identify this critical authentication risk within their supply chain, Black Kite published the "Authlib" FocusTag® on March 18, 2026, with a "High" confidence level.

TPRM teams can operationalize this intelligence by filtering their entire vendor inventory to pinpoint organizations utilizing vulnerable Authlib implementations. A major differentiator of the Black Kite platform is its ability to provide precise asset information—identifying the exact IP addresses and subdomains associated with the vulnerable infrastructure. Armed with this granular data, TPRM professionals can bypass generic security questionnaires and directly engage with high-risk vendors, providing them with the exact external-facing assets that require immediate remediation and proof of patching.

Black Kite’s Authlib FocusTag® details critical insights on the event for TPRM professionals

File Browser (CVE-2026-32760)

What is the File Browser Instant Hijack Vulnerability?

CVE-2026-32760 is a Critical-severity Broken Access Control and Improper Privilege Management vulnerability impacting File Browser. Carrying a maximum CVSS score of 10.0, this flaw allows for an "instant hijack" of the affected system.

Published in mid-March 2026, the vulnerability exists within the application's account registration logic. When a File Browser administrator enables public self-registration (signup = true) and misconfigures the default user permissions to include administrative rights (perm.admin = true), the application's signup handler blindly applies these settings to all new accounts. Consequently, any unauthenticated visitor can browse to the signup page, register an account, and instantly be granted full administrative control over the server. This allows the attacker to read, modify, or delete any file, manage other users, alter server settings, and potentially execute arbitrary commands if the enableExec feature is active.

Currently, public Proof-of-Concept (PoC) exploits have been released demonstrating how to exploit this logic flaw to obtain an admin token. However, there are no confirmed reports of active exploitation in the wild or specific threat actor campaigns leveraging the vulnerability. As a result, CVE-2026-32760 is not listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog, and CISA has not issued a dedicated advisory for it.

Why Should TPRM Professionals Care About the File Browser Vulnerability?

File Browser is a web-based file manager used by organizations to host, upload, and share data across teams or with external clients. Because its primary function is direct file management, it is often connected to sensitive directories containing proprietary source code, confidential documents, or customer Personally Identifiable Information (PII).

For Third-Party Risk Management professionals, a CVSS 10.0 vulnerability in a vendor's file management system is a catastrophic risk to data confidentiality and integrity. If a vendor has deployed File Browser with public registration enabled and default admin permissions, the barrier to entry for an attacker is essentially zero—they do not need to exploit complex memory corruption or bypass authentication; they simply create an account. Once inside, an attacker can exfiltrate shared data, deploy ransomware payloads directly onto the host, or delete critical business files. Ensuring vendors correctly configure their file-sharing infrastructure is paramount to preventing unauthorized access to your shared assets.

What questions should TPRM professionals ask vendors about the File Browser vulnerability?

To accurately assess how your third-party ecosystem is securing its file-sharing environments, consider asking vendors the following specific technical questions:

  1. Can you confirm if you have updated all instances of File Browser to version 2.62.0 or later to mitigate the risk of CVE-2026-32760?
  2. Have you reviewed the "Global Settings" configuration and ensured that perm.admin is explicitly set to false for all default or newly created user profiles as recommended in the advisory?
  3. Have you disabled the signup feature in File Browser to minimize exposure and reduce the attack surface as per the recommended actions?
  4. Can you confirm if you have implemented network segmentation, firewall rules, or VPN-only access to limit access to File Browser instances, especially for internet-exposed deployments?

Remediation Recommendations for Vendors subject to this risk

Vendors utilizing affected versions of File Browser (up to and including 2.61.2) must take immediate action to secure their file management infrastructure:

  • Update Immediately: Upgrade the File Browser installation to version 2.62.0 or a subsequent secure release to address the underlying vulnerability.
  • Audit Default Permissions: Review the "Global Settings" configuration immediately. Ensure that the perm.admin flag is explicitly set to false so that new users are never automatically granted administrative rights.
  • Disable Public Registration: If public signup is not a strict business requirement, disable the feature entirely to minimize external exposure.
  • Review User Accounts: Scrutinize all currently registered accounts and immediately delete any unauthorized, unrecognized, or suspicious profiles possessing administrative privileges.
  • Restrict Network Access: Limit access to File Browser instances by placing them behind strict firewall rules, implementing network segmentation, or requiring VPN-only access to prevent unauthorized external connections.
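An added Python audit (not File Browser or Black Kite code) that checks an exported File Browser configuration for the vulnerable combination described above, reports a version below 2.62.0, produces the hardened settings, and lists administrator accounts not on an approved list. It assumes the JSON layout of `filebrowser config export` (a "settings" object with "signup" and "defaults" -> "perm" -> "admin", and a "server" object with "enableExec"); the sample configuration and users are constructed.

```python
"""Audit an exported File Browser configuration for the CVE-2026-32760 setup.

Added example, not File Browser or Black Kite code. It assumes the JSON layout
written by `filebrowser config export` (a "settings" object holding "signup"
and "defaults" -> "perm" -> "admin", and a "server" object holding
"enableExec"); confirm the key names against your own export before relying
on it. The sample configuration and user list below are constructed.
"""
import json
from typing import Dict, List, Tuple

FIXED_VERSION: Tuple[int, ...] = (2, 62, 0)   # first release with the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """'v2.61.2' -> (2, 61, 2); tuples compare component by component."""
    return tuple(int(p) for p in text.lstrip("v").split("."))


def audit_config(doc: Dict, version: str = "") -> List[str]:
    """Return findings, worst first, for the exported configuration document."""
    settings = doc.get("settings", doc)           # accept the bare settings object too
    signup = settings.get("signup") is True
    admin_default = settings.get("defaults", {}).get("perm", {}).get("admin") is True
    exec_enabled = doc.get("server", {}).get("enableExec") is True
    findings = []
    if signup and admin_default:
        findings.append("CRITICAL: signup=true with defaults.perm.admin=true; "
                        "any visitor can register as administrator (CVE-2026-32760)")
        if exec_enabled:
            findings.append("CRITICAL: enableExec=true turns that takeover into command execution")
    elif admin_default:
        findings.append("HIGH: defaults.perm.admin=true; every new account is an administrator")
    elif signup:
        findings.append("MEDIUM: public signup enabled; disable it unless required")
    if version and parse_version(version) < FIXED_VERSION:
        findings.append(f"HIGH: File Browser {version} is older than 2.62.0; upgrade")
    return findings


def hardened(doc: Dict) -> Dict:
    """Copy of the document with the two unsafe settings forced off."""
    fixed = json.loads(json.dumps(doc))          # deep copy via JSON round-trip
    settings = fixed.get("settings", fixed)
    settings["signup"] = False
    settings.setdefault("defaults", {}).setdefault("perm", {})["admin"] = False
    return fixed


def unexpected_admins(users: List[Dict], known_admins: List[str]) -> List[str]:
    """Usernames holding admin that are not on the approved list (review step)."""
    return sorted(u["username"] for u in users
                  if u.get("perm", {}).get("admin") is True
                  and u["username"] not in known_admins)


# Constructed export of a misconfigured instance (vulnerable combination).
SAMPLE_CONFIG = {
    "settings": {"signup": True, "defaults": {"scope": ".", "perm": {"admin": True, "execute": True}}},
    "server": {"port": "8080", "enableExec": False},
}
SAMPLE_USERS = [
    {"username": "admin", "perm": {"admin": True}},
    {"username": "alice", "perm": {"admin": False}},
    {"username": "x9f2k", "perm": {"admin": True}},    # self-registered, unrecognised
]

if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG, version="v2.61.2"):
        print(line)
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, ["admin"]))
    print("after hardening:", audit_config(hardened(SAMPLE_CONFIG), version="v2.62.0"))
```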

How TPRM professionals can leverage Black Kite for this vulnerability

To assist organizations in rapidly identifying this critical exposure within their supply chains, Black Kite published the "File Browser" FocusTag® on March 18, 2026, with a "High" confidence level.

TPRM teams can operationalize this intelligence by filtering their vendor inventory to isolate organizations running exposed File Browser instances. The most significant differentiator of the Black Kite platform is its ability to provide exact asset information—pinpointing the specific IP addresses and subdomains where the vulnerable File Browser application is exposed to the internet. Instead of sending out broad questionnaires and waiting for responses, TPRM professionals can use this precise data to directly alert high-risk vendors about their exposed infrastructure and demand immediate configuration audits and patching.

Black Kite's File Browser FocusTag® details critical insights on the event for TPRM professionals.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

To help organizations rapidly detect and manage this diverse set of critical exposures within their supply chains, Black Kite published a series of targeted FocusTags® on March 17 and 18, 2026.

The most significant differentiator of the Black Kite platform is its ability to provide precise asset information. Instead of relying on broad, generic questionnaires and waiting for responses, TPRM teams can operationalize this intelligence by filtering their entire vendor inventory to isolate affected organizations. Black Kite pinpoints the exact IP addresses and subdomains where these vulnerable applications and interfaces are exposed to the internet.

Armed with this granular data, TPRM professionals can directly engage with high-risk vendors and demand immediate, evidence-based remediation tailored to each specific threat:

  • ScreenConnect - Mar2026: Alert vendors about exposed on-premise remote access portals and demand immediate proof of patching to version 26.1.
  • Wing FTP Server: Utilizing this tag—updated from our July 2025 research to include the latest active in-the-wild exploitation intelligence—teams can request immediate patching of specific, externally facing FTP servers.
  • LiteSpeed - Mar2026: Contact at-risk vendors directly to enforce immediate network isolation and strict IP whitelisting for identified WebAdmin console endpoints.
  • Authlib: Pinpoint organizations utilizing vulnerable implementations and provide them with the exact external-facing assets that require immediate cryptographic and authentication patching.
  • File Browser: Directly alert high-risk vendors about their exposed file management infrastructure to demand immediate configuration audits (such as disabling public signup) and software upgrades.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

The sheer diversity of this week's vulnerabilities—ranging from highly privileged remote management tools and actively exploited managed file transfer servers to foundational authentication libraries and administrative web consoles—demonstrates that traditional, questionnaire-based risk assessments are no longer sufficient to keep pace with modern threats. Relying on periodic surveys leaves organizations blind to sudden zero-day disclosures and rapid exploitation cycles. Black Kite’s FocusTags® offer a proactive, intelligence-driven methodology to manage these dynamic risks.

By leveraging FocusTags® for threats like the critical ScreenConnect cryptographic flaw, the Wing FTP exploitation, or the File Browser logic flaws, TPRM teams gain several distinct advantages:

  • Precision Asset Visibility: Instead of broadly asking hundreds of vendors if they use a vulnerable product, FocusTags® instantly reveal the specific IP addresses and subdomains exposing tools like ScreenConnect, LiteSpeed, or Authlib within your supply chain.
  • Context-Driven Vendor Engagement: FocusTags® eliminate generic security inquiries. They arm TPRM teams with the exact CVE details, severity scores, and affected assets needed to demand rapid, evidence-based remediation for critical flaws, such as the File Browser "instant hijack" or ScreenConnect authentication bypass.
  • Strategic Resource Allocation: By filtering your ecosystem to show only the vendors actively exposing high-risk systems, your security analysts can prioritize their time on securing the most critical supply chain nodes first—such as those running the actively targeted Wing FTP Server.
  • Continuous Threat Tracking: As threat actor playbooks evolve and new proof-of-concept exploits emerge, Black Kite continuously monitors for these exposures, keeping your supply chain security posture current and accurate.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

  • Wing FTP Server : CVE-2025-47813, Information Disclosure Vulnerability in Wing FTP Server.
  • ScreenConnect - Mar2026 : CVE-2026-3564, Critical Improper Verification of Cryptographic Signature Vulnerability in ConnectWise ScreenConnect.
  • LiteSpeed - Mar2026 : CVE-2026-31386, High-Severity OS Command Injection and Privilege Escalation Vulnerabilities in LiteSpeed Web Server.
  • Authlib : CVE-2026-28490, CVE-2026-28498, CVE-2026-27962, Critical Cryptographic, Authentication Bypass, and Server-Side Request Forgery (SSRF) Vulnerabilities in Authlib.
  • File Browser : CVE-2026-32760, Critical Broken Access Control and Privilege Escalation Vulnerability in FileBrowser.
  • Hikvision IP Cameras : CVE-2021-36260, CVE-2017-7921, Critical Remote Code Execution (RCE) and Authentication Bypass Vulnerabilities in Hikvision Systems.
  • MSSQL - Mar2026 : CVE-2026-21262, CVE-2026-26115, CVE-2026-26116, Multiple Elevation of Privilege Vulnerabilities in Microsoft SQL Server.
  • SharePoint - Mar2026 : CVE-2026-26105, CVE-2026-26114, CVE-2026-26106, Remote Code Execution (RCE) and Spoofing Vulnerabilities in Microsoft SharePoint Server.
  • Cloudflare Pingora : CVE-2026-2835, CVE-2026-2833, CVE-2026-2836, Critical Request Smuggling and Cache Flaws in Cloudflare Pingora.
  • Gogs - Mar2026 : CVE-2025-64111, CVE-2025-64175, CVE-2026-24135, Critical Remote Code Execution, 2FA Bypass, and Path Traversal Vulnerabilities in Gogs.
  • SAP NetWeaver for ABAP [Suspected] : CVE-2026-24316, CVE-2026-24309, CVE-2026-27688, CVE-2026-27684, Server-Side Request Forgery (SSRF), Missing Authorization Checks, and SQL Injection Vulnerabilities in SAP NetWeaver.
  • Vaultwarden : CVE-2026-27803, CVE-2026-27802, CVE-2026-27898, High-Severity Privilege Escalation, Improper Authorization, and Broken Access Control Vulnerabilities in Vaultwarden.
  • Apache ZooKeeper : CVE-2026-24281, CVE-2026-24308, Authentication Bypass and Sensitive Information Disclosure Vulnerabilities in Apache ZooKeeper.
  • Mail2Shell : CVE-2026-28289, Critical Unauthenticated Remote Code Execution and Time-of-Check to Time-of-Use (TOCTOU) Vulnerabilities in FreeScout.
  • pac4j : CVE-2026-29000, Critical Authentication Bypass and JWT Token Forging Vulnerability in pac4j-jwt.
  • MongoDB - Mar2026 : CVE-2026-25611, High-Severity Denial of Service (DoS) Vulnerability in MongoDB.
  • Django - Mar2026 : CVE-2026-25673, CVE-2026-25674, High-Severity Denial of Service (DoS) and Race Condition Vulnerabilities in Django Web Framework.
  • Langflow : CVE-2026-27966, Critical Remote Code Execution (RCE) Vulnerability in Langflow AI Data Workflows.
  • RustFS : CVE-2026-27822, Medium-Severity Cross-Site Scripting (XSS) Vulnerability in RustFS S3 Storage Management Console.
  • Apache Superset - Mar2026 : CVE-2026-23984, CVE-2026-23982, CVE-2026-23980, High-Severity Data Access Control Bypass and SQL Injection Vulnerabilities in Apache Superset.
  • SolarWinds Serv-U - Feb2026 : CVE-2025-40541, CVE-2025-40540, CVE-2025-40539, CVE-2025-40538, Critical Remote Code Execution (RCE) flaws that could allow unauthenticated attackers to gain root-level access.
  • Jenkins - Feb2026 : CVE-2026-27099, CVE-2026-27100, High-severity stored XSS in node descriptions and information disclosure via Run Parameters.
  • Cisco Catalyst SD-WAN : CVE-2026-20127, CVE-2022-20775, Critical 10.0 CVSS authentication bypass exploited in the wild, chained with privilege escalation for full root access.
  • n8n - Feb2026 (Latest) : CVE-2026-27497, CVE-2026-27577, CVE-2026-27495, Triple critical RCE vulnerabilities in sandbox and node execution allowing host server takeover.
  • BeyondTrust RA & PRA : CVE-2026-1731, Remote Code Execution (RCE) vulnerability in BeyondTrust RA & PRA.
  • Zimbra - Feb2026 : CVE-2020-7796, Critical Server-Side Request Forgery (SSRF) vulnerability in Zimbra's WebEx Zimlet.
  • PostgreSQL - Feb2026 : CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, Arbitrary Code Execution and Buffer Overflows Vulnerabilities in PostgreSQL.

See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag® at https://blackkite.com/cve-database/.

References

https://thehackernews.com/2026/03/cisa-flags-actively-exploited-wing-ftp.html
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt
https://nvd.nist.gov/vuln/detail/CVE-2025-47813
https://www.cve.org/CVERecord?id=CVE-2025-47813
https://securityonline.info/leaving-doors-unlocked-critical-9-cvss-screenconnect-flaw-cve-2026-3564/
https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
https://nvd.nist.gov/vuln/detail/CVE-2026-3564
https://securityonline.info/server-siege-critical-8-6-cvss-flaw-litespeed-web-server-os-command-injection/
https://www.cve.org/CVERecord?id=CVE-2026-31386
https://jvn.jp/en/jp/JVN22152812/
https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5
https://nvd.nist.gov/vuln/detail/CVE-2026-28490
https://nvd.nist.gov/vuln/detail/CVE-2026-28498
https://nvd.nist.gov/vuln/detail/CVE-2026-27962
https://securityonline.info/broken-keys-critical-authlib-flaws-jwt-forgery-padding-oracles/
https://securityonline.info/instant-hijack-critical-10-cvss-file-browser-flaw-cve-2026-32760/
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5gg9-5g7w-hm73