blog

Focus Friday: TPRM Insights on MOVEit, Redis, Control Web Panel, DNN Software, and XWiki Vulnerabilities

Published

Nov 7, 2025

Updated

Nov 7, 2025

Authors

INTRODUCTION

This week’s Focus Friday examines five major vulnerabilities that continue to shape the vendor risk landscape — from the high-severity denial-of-service risk in MOVEit Transfer, to the stack buffer overflow in Redis, the actively exploited RCE flaw in Control Web Panel, the critical file upload issue in DNN Software, and the template injection exploit in XWiki Platform.

Each of these vulnerabilities underscores a vital truth: even a single unpatched system in a vendor’s environment can cascade risk throughout the entire supply chain. For Third-Party Risk Management (TPRM) teams, understanding how these vulnerabilities propagate across vendors, assessing potential exposure, and verifying remediation are critical steps in maintaining operational resilience.

In this edition, we approach these incidents from a TPRM perspective — focusing on how organizations can efficiently identify vendors impacted by these vulnerabilities, what targeted questions to ask, and how to prioritize response efforts using Black Kite’s Focus Tags™.

Filtered view of companies with MOVEit - Oct2025 FocusTag™ on the Black Kite platform.

CVE-2025-10932 (MOVEIT TRANSFER)

WHAT IS THE MOVEIT TRANSFER AS2 MODULE UNCONTROLLED RESOURCE CONSUMPTION VULNERABILITY?

This vulnerability affects the AS2 (Applicability Statement 2) module of MOVEit Transfer, allowing an unauthenticated attacker to send specially crafted AS2 requests that cause uncontrolled consumption of server resources (CPU, memory, I/O) and result in a denial-of-service (DoS) condition.

Type: Uncontrolled Resource Consumption (CWE-400)
Severity: High (CVSS 8.2)
EPSS Score: 0.02% (While writing the Focus Tag)
Discovery/Publication: Publicly disclosed on October 29 2025.
Affected Versions:
- MOVEit Transfer 2025.0.0 → before 2025.0.3
- MOVEit Transfer 2024.1.0 → before 2024.1.7
- MOVEit Transfer 2023.1.0 → before 2023.1.16
Exploitation Status: No public exploit or active campaign has been reported.
KEV Catalogue: Not listed in CISA’s Known Exploited Vulnerabilities (KEV).
Vendor Advisory: Progress Software has released patches and mitigation guidance.

WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THIS VULNERABILITY?

For third-party risk management (TPRM) teams, this vulnerability represents a tangible operational risk across the supply chain. MOVEit Transfer is used for secure file exchanges between organizations, often in regulated environments or industries where data flows are mission-critical.

A denial-of-service (DoS) event can disrupt business continuity, delay compliance reporting, and impact contractual obligations. If a vendor’s MOVEit instance is externally exposed with the AS2 module enabled, the vulnerability could cause outages in automated data exchanges with partners or clients.

From a TPRM perspective:

Many vendors might not even realize the AS2 module is active or exposed to the internet.
Attackers can exploit this remotely without authentication.
The product’s role in secure file transfers amplifies the risk, as downtime can directly affect enterprise-to-enterprise data delivery chains.
Since the flaw is not yet included in CISA’s KEV, organizations need to proactively assess exposure instead of waiting for external advisories.

WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS VULNERABILITY?

To assess vendor exposure, TPRM professionals can ask:

Can you confirm if you have updated all instances of MOVEit Transfer to the patched versions (2025.0.3, 2024.1.7, 2023.1.16) to mitigate the risk of CVE-2025-10932?
Have you applied the recommended hotfixes provided by Progress for all supported branches of MOVEit Transfer to address the Uncontrolled Resource Consumption vulnerability?
If the AS2 feature is not actively used, have you temporarily removed the `AS2Rec2.ashx` and `AS2Receiver.aspx` files from `C:\\MOVEitTransfer\\wwwroot` to block potential attack vectors?
For customers actively using the AS2 module, have you configured IP allowlists by navigating to `Settings → Security Policies → Remote Access → Default Rules`, and under `AS2 Remote Access Rules`, added \"Allow\" rules for trusted trading partners' IP addresses?

REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK

Vendors running affected versions should:

Apply the latest updates immediately: Upgrade to 2025.0.3, 2024.1.7, or 2023.1.16.
Configure IP allowlists for trusted trading partners within AS2 Remote Access Rules.
Remove unused AS2 endpoints (AS2Rec2.ashx and AS2Receiver.aspx) if AS2 functionality is not required.
Audit network exposure: Confirm AS2 modules are not externally reachable unless necessary.
Monitor resource utilization and alert on sudden spikes in CPU, memory, or I/O that could indicate DoS activity.
Upgrade legacy branches (e.g., 2023.0 or 2024.0) to a supported release stream to ensure continued security coverage.

HOW TPRM PROFESSIONALS CAN LEVERAGE BLACK KITE FOR THIS VULNERABILITY

Black Kite published the Focus Tag MOVEit – Oct 2025 with high confidence and an expiration date of January 31 2026. The tag identifies organizations potentially exposed to CVE-2025-10932.

Black Kite enables TPRM teams to:

Pinpoint vendors running MOVEit Transfer instances with vulnerable AS2 modules.
Identify assets (IP addresses or subdomains) associated with affected systems.
Prioritize vendor outreach to only those with verified exposure.
Track patch status across the supply chain using continuous monitoring.
Integrate vulnerability intelligence into their TPRM dashboards for automated follow-up.

Black Kite’s MOVEit - Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-62507 (REDIS)

WHAT IS THE REDIS STACK BUFFER OVERFLOW IN THE XACKDEL COMMAND?

The vulnerability in Redis identified as CVE-2025-62507 is a stack-based buffer overflow occurring in the XACKDEL command used for stream acknowledgement and deletion. The flaw stems from improper handling of a large number of stream IDs: when the list exceeds a predefined STREAMID_STATIC_VECTOR_LEN, the code fails to correctly reallocate memory, allowing an attacker with authenticated access to overflow the stack and potentially execute arbitrary code within the Redis process.

Type: Stack-based Buffer Overflow → Remote Code Execution
Severity: High, CVSS 7.7
EPSS Score: 0.02%
Discovery/Publication Date: November 5 2025 (as stated in the tag text)
Exploitation Status: No public proof-of-concept exploit has been made available and no known in-the-wild campaign is publicly documented.
KEV Catalog Status: This vulnerability is not listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, as per available records.
Vendor Advisory / Patch Info: Redis has released patches in version 8.2.3 to remediate the issue (affecting versions 8.2.0/1/2). The Focus Tag text indicates that versions “8.2 and later” are vulnerable and fixed in 8.2.3.

WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THIS VULNERABILITY?

From a third-party risk management (TPRM) lens, this vulnerability holds particular importance for several reasons:

Redis is widely used as an in-memory data store, cache, message broker or streaming engine in both internal and vendor-supplied infrastructure. A compromise of Redis could lead to remote code execution inside a vendor’s environment—giving an attacker a foothold that could impact confidentiality, integrity and availability of third-party services.
Since the flaw requires authenticated access to Redis, it highlights the need for vendors to properly segment, secure and monitor their Redis deployments. If a vendor exposes Redis externally (or via partner access), the exposure increases.
For TPRM professionals engaging vendors: many may assume Redis is purely internal or low-risk; however this vulnerability elevates it into a critical supply-chain concern. A vendor using an unpatched Redis version exposes the enterprise not only to data integrity issues but also to upstream code execution threats.
The absence of public exploitation, and lack of KEV listing, means this issue may not be prioritized in many vendors’ standard patch cycles — so TPRM professionals should proactively include this risk in their vendor questionnaire and asset-scoping.

WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS VULNERABILITY?

To assess vendor exposure, consider asking:

Can you confirm if you have upgraded all instances of Redis to version 8.2.3 or later to mitigate the risk of CVE-2025-62507?
Have you implemented Access Control Lists (ACLs) to prevent users from executing the XACKDEL command as a temporary mitigation measure for CVE-2025-62507?
Are you continuously monitoring Redis logs for any unusual activity, especially commands involving XACKDEL with a large number of IDs, which could indicate attempted exploitation of CVE-2025-62507?
Can you confirm if you have taken any additional measures beyond upgrading to version 8.2.3 and implementing ACLs to mitigate the risk of CVE-2025-62507?

REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK

To mitigate the risk posed by CVE-2025-62507, vendors should undertake the following actions:

Immediately upgrade all vulnerable Redis instances to version 8.2.3 (or later) into which the fix has been introduced.
If upgrading promptly is not feasible, restrict access to the XACKDEL command via ACLs—deny or restrict use of that command for users who do not require it.
Ensure Redis instances are not publicly exposed or accessible across untrusted networks; ideally bind to internal-only interfaces and enforce strong authentication.
Monitor Redis logs and metrics for unusual behaviour: large batch XACKDEL operations, unexpected stream operations, memory/stack anomalies, process crashes.
For legacy or branch versions, assess whether Redis is still supported by your vendor or whether you need to migrate to a supported release stream to ensure timely security updates.

HOW TPRM PROFESSIONALS CAN LEVERAGE BLACK KITE FOR THIS VULNERABILITY

Black Kite published the Focus Tag “Redis – Nov 2025” with a confidence level of VERY HIGH, targeting potential exposure to CVE-2025-62507. Using Black Kite, TPRM professionals can:

Identify which third-party vendors have publicly accessible Redis instances, including subdomains or IP addresses potentially running vulnerable versions.
Narrow vendor outreach to only those with detected Redis asset-exposure rather than blanket questionnaires across all vendors.
Integrate the Focus Tag into vendor-risk workflows: filter vendor lists by the tag, track patch-status, and monitor for remediation progress over time.
Feed the information into your vendor-risk dashboards and risk-scoring models—vendors flagged by this Focus Tag warrant elevated review and prioritised remediation confirmation.

Black Kite’s Redis - Nov2025 FocusTagTM details critical insights on the event for TPRM professionals.

Black Kite’s Redis - Nov2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-48703 (CONTROL WEB PANEL)

WHAT IS THE CONTROL WEB PANEL REMOTE CODE EXECUTION VULNERABILITY?

CVE-2025-48703 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Control Web Panel (CWP), also known as CentOS Web Panel. The flaw arises from improper handling of the t_total parameter in the file manager’s changePerm request. An attacker who knows a valid non-root username can inject shell commands through this parameter, allowing arbitrary command execution on the underlying server.

Type: Command Injection leading to Remote Code Execution
Severity: Critical (CVSS 9.0)
EPSS Score: 22.39%
Discovery/Publication: Discovered and reported in May 2025; patched on June 18, 2025, in version 0.9.8.1205.
Exploitation Status: Public proof-of-concept (PoC) exploit available; confirmed active exploitation in the wild.
CISA KEV Catalog: Added on November 4, 2025.
Technical details:
- The vulnerability lies in how the server constructs and executes system commands for changing file permissions.
- The parameter t_total, intended to define file permissions, is directly concatenated into a shell command without sanitization.
- Attackers can send crafted HTTP POST requests containing malicious shell code in t_total.
- Exploitation enables attackers to gain shell access and execute arbitrary commands remotely.
Affected Versions: All versions prior to 0.9.8.1205.

WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THIS VULNERABILITY?

Control Web Panel is a widely deployed web hosting control platform used by vendors to manage servers, databases, email, and web services. It is often internet-facing, which increases the attack surface dramatically.

From a TPRM standpoint:

Supply chain exposure: Vendors using CWP manage client-facing services and websites. Exploitation could compromise hosted environments, deface web portals, or exfiltrate sensitive data.
Privilege escalation risk: Once an attacker executes code on a CWP server, they can pivot to access databases or internal management tools.
Business continuity impact: Given the number of public-facing instances (over 200,000 found on Shodan in May 2025), downtime or compromise could disrupt essential hosted services.
Vendor hygiene indicator: Vendors failing to patch CWP in time may demonstrate broader deficiencies in patch management or monitoring processes.

This vulnerability’s confirmed exploitation and presence in the KEV list make it a top-priority concern for any organization with hosting or service vendors relying on CWP.

WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS VULNERABILITY?

To evaluate third-party risk exposure, TPRM professionals should ask:

Have you updated all instances of Control Web Panel (CWP) to version 0.9.8.1205 or later to mitigate the risk of CVE-2025-48703?
Have you implemented robust logging and monitoring for unusual activities, specifically failed login attempts, unexpected command executions, or unusual network connections originating from CWP servers, as recommended in the advisory?
Have you restricted network access to CWP administration interfaces (commonly on ports 2087, 2031, 2083) by placing them behind VPNs or firewalls, and allowing access only from trusted IP ranges?
Have you reviewed and rotated usernames regularly, enforced strong password policies, and considered implementing multi-factor authentication if available for CWP interfaces, given that exploitation requires a valid username?

REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK

Vendors running affected versions of CWP should immediately:

Apply official patches: Upgrade to version 0.9.8.1205 or newer.
Harden access control: Restrict admin and user interface access to specific IPs or internal networks only.
Audit user accounts: Enforce strict password policies and remove default or unused accounts since exploitation requires knowledge of a valid username.
Monitor for anomalies: Continuously review CWP logs for unusual commands or activity, especially involving changePerm or shell command executions.
Network segmentation: Isolate CWP servers from critical internal systems to limit lateral movement if compromise occurs.
Threat hunting: Check for indicators of compromise such as unexpected reverse shell connections or modified .bashrc and PHP files.

HOW TPRM PROFESSIONALS CAN LEVERAGE BLACK KITE FOR THIS VULNERABILITY

Black Kite released the Control Web Panel (CWP) Focus Tag on November 4, 2025, with high confidence, marking the vulnerability as actively exploited and critical in nature.

Through Black Kite’s Focus Tag intelligence, TPRM professionals can:

Identify vendors using CWP instances exposed to the internet or known vulnerable versions.
Access asset-level data such as IP addresses or subdomains running affected installations.
Prioritize outreach and remediation tracking for vendors at confirmed risk.
Operationalize the Focus Tag by integrating it into vendor monitoring workflows, enabling automated alerts and updated exposure assessments.

Because CVE-2025-48703 is under active exploitation and has a high EPSS score, leveraging Black Kite allows organizations to narrow remediation efforts to vendors truly exposed, reducing the time and resources spent on unnecessary risk assessments.

Black Kite’s Control Web Panel (CWP) FocusTagTM details critical insights on the event for TPRM professionals

Black Kite’s Control Web Panel (CWP) FocusTag™ details critical insights on the event for TPRM professionals

CVE-2025-64095 (DNN PLATFORM)

WHAT IS THE DNN PLATFORM UNRESTRICTED FILE UPLOAD VULNERABILITY?

CVE-2025-64095 is a critical improper access control and unrestricted file upload vulnerability affecting Dnn.Platform (formerly DotNetNuke). The flaw allows unauthenticated attackers to upload files without validation through the default HTML editor provider, enabling overwriting of existing files on the web server. This can lead to website defacement, arbitrary file write, remote code execution, and cross-site scripting (XSS) injection when chained with other flaws.

Type: Improper Access Control, Arbitrary File Upload, RCE, and XSS
Severity: Critical (CVSS 10.0)
EPSS Score: 12.47%
Discovery/Publication Date: Publicly disclosed on October 28, 2025.
Exploitation Status: No public PoC or active campaigns reported as of early November 2025.
KEV Catalog: Not listed in CISA’s Known Exploited Vulnerabilities Catalog.
Affected Versions: All Dnn.Platform releases prior to 10.1.1.
Patched Version: Dnn.Platform 10.1.1 and later.
Technical Detail:
The vulnerability originates from insecure handling of file upload permissions. The HTML editor’s upload feature lacks file-type validation and directory restrictions, allowing overwriting of existing web content or uploading of malicious files. Attackers can leverage this flaw to inject executable scripts or XSS payloads and compromise the confidentiality, integrity, and availability of the entire platform.

WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THIS VULNERABILITY?

DNN Platform is commonly used by vendors for building and maintaining public-facing websites and portals in corporate, government, and educational environments. From a TPRM standpoint:

Widespread exposure: Many vendors use DNN for customer portals or marketing sites, making exploitation paths publicly accessible.
Reputation and data integrity risk: Website defacement can damage corporate credibility, while malicious uploads could distribute harmful scripts or malware to visitors.
Supply chain propagation: If a third-party vendor’s compromised DNN site is embedded within or integrated into enterprise systems, the impact may cascade across multiple partners.
Regulatory implications: Since the vulnerability can lead to unauthorized modification of web content and potential leakage of personal data, it poses compliance risks under GDPR and other data protection laws.

Organizations relying on vendors that host public portals, intranets, or partner logins through DNN should ensure those systems have been patched or secured against this flaw.

WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS VULNERABILITY?

Can you confirm if you have upgraded all instances of Dnn Platform to version 10.1.1 or later to mitigate the risk of CVE-2025-64095?
Have you implemented a Web Application Firewall (WAF) to detect and block suspicious file upload attempts, especially those involving executable or script files, or attempts to overwrite existing critical web assets in Dnn.Platform?
Have you reviewed and restricted file upload configurations in your HTML editor provider within Dnn.Platform to prevent the upload of dangerous file types?
Are you actively monitoring web server logs and file system integrity for any unauthorized file uploads or modifications in Dnn.Platform directories to detect defacement or XSS payload injection attempts?

REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK

To mitigate the risk of exploitation:

Upgrade immediately: Patch all DNN instances to version 10.1.1 or later.
Restrict file uploads: Enforce server-side validation, restrict upload directories, and limit allowed file types to safe formats such as .jpg, .png, and .pdf.
Deploy WAF protections: Configure WAFs to detect file uploads containing script tags or executable file types.
Monitor for file tampering: Implement file integrity monitoring (FIM) tools and review upload logs for anomalies.
Harden permissions: Disable anonymous uploads entirely and apply strict access controls on upload paths.
Conduct security assessments: Perform regular penetration tests focused on file upload and web content modification vectors.

HOW TPRM PROFESSIONALS CAN LEVERAGE BLACK KITE FOR THIS VULNERABILITY

Black Kite released the DNN Software – Oct 2025 Focus Tag on October 31, 2025, with high confidence. This tag enables TPRM teams to:

Identify vendors running outdated DNN instances susceptible to CVE-2025-64095.
View asset-level intelligence, including domains or subdomains hosting vulnerable DNN web applications.
Prioritize vendor outreach based on verified exposure rather than broad questionnaires.
Track patch adoption and remediation progress across the supply chain.
Integrate Focus Tag alerts into risk dashboards for real-time visibility into vendors exposed to critical CMS vulnerabilities.

Black Kite’s DNN Software - Oct2025 FocusTagTM details critical insights on the event for TPRM professionals

Black Kite’s DNN Software - Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-24893 (XWIKI PLATFORM)

WHAT IS THE XWIKI PLATFORM REMOTE CODE EXECUTION VULNERABILITY?

CVE-2025-24893 is a critical remote code execution (RCE) vulnerability in XWiki, affecting multiple versions of the platform. It originates from a template injection flaw in the SolrSearch functionality, which allows unauthenticated attackers to execute arbitrary code through crafted requests. The vulnerability can be exploited remotely without authentication or user interaction, making it particularly dangerous.

Type: Remote Template Injection → Remote Code Execution
Severity: Critical (CVSS 9.8)
EPSS Score: 94.20%
Discovery/Publication Date: Initially disclosed in February 2025 and observed in active exploitation by late October 2025.
Exploitation Status: Confirmed active exploitation in the wild, delivering coinminers via a two-stage chain.
KEV Catalog: Added to CISA’s Known Exploited Vulnerabilities list on October 30, 2025.
Affected Versions:
- From 5.3-milestone-2 to before 15.10.11
- From 16.0.0-rc-1 to before 16.4.1
Patched Versions: Fixed in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.

Technical analysis shows that an attacker can send a malicious request to the SolrSearch endpoint. By injecting Groovy code through the search text parameter, the system executes arbitrary commands under the XWiki process. Active attacks identified by VulnCheck and CrowdSec show adversaries staging a downloader before executing coinminer binaries (e.g., tcrond, x521, x522, x640) after approximately 20 minutes.

WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THIS VULNERABILITY?

XWiki is an open-source enterprise wiki system widely used by vendors, partners, and internal teams to host documentation, collaboration portals, and knowledge management systems. From a third-party risk management perspective:

Widespread exposure: Many vendors operate XWiki servers accessible over the internet, often containing sensitive documentation and internal data.
Active exploitation: The vulnerability is confirmed to be exploited in the wild to install coinminers. Attackers with RCE capability could pivot to deploy other malware, establish persistence, or exfiltrate data.
Supply chain risk: A compromised vendor XWiki instance could lead to unauthorized access to shared documentation, credentials, or integration tokens used across business environments.
Operational impact: Exploited servers experience high CPU utilization and performance degradation due to mining payloads, potentially interrupting vendor workflows.

This vulnerability’s combination of ease of exploitation, active attack campaigns, and broad deployment makes it a high-priority concern for all organizations managing vendor ecosystems that rely on XWiki-based documentation portals.

WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS VULNERABILITY?

Can you confirm if all instances of XWiki in your environment have been updated to versions 15.10.11, 16.4.1, or 16.5.0RC1 to mitigate the risk of CVE-2025-24893?
Have you implemented network monitoring for exploitation indicators, specifically for connections to the attacker infrastructure identified in the exploitation chain (e.g., 193.32.208.24:8080) and for file downloads (e.g., x640, x521, x522, tcrond) or execution attempts in /tmp/11909 or /var/tmp/ on XWiki servers?
Have you scanned your network traffic and endpoint file systems for the known indicators related to the exploitation chain of CVE-2025-24893, such as the observed IP addresses and file hashes mentioned in the description?
Have you ensured that your Endpoint Detection and Response (EDR) solutions are configured to detect and prevent unauthorized execution of downloaded scripts or coinminer activity, particularly in temporary directories, as part of your response to the CVE-2025-24893 vulnerability?

REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK

Vendors using XWiki should immediately:

Apply patches: Upgrade to 15.10.11, 16.4.1, or 16.5.0RC1 without delay.
Scan for compromise indicators: Check for coinminer artifacts (tcrond, x521, x522, x640) in /tmp and /var/tmpdirectories and investigate suspicious outbound connections.
Strengthen monitoring: Implement EDR or IDS tools to detect exploitation attempts, focusing on Groovy template injection and abnormal script execution.
Restrict access: Limit public exposure of XWiki instances through network segmentation and access controls.
Enhance patch cadence: Integrate automated alerts from the XWiki advisory feed and vulnerability databases to ensure timely updates.
Perform forensic review: If exploitation is suspected, isolate affected servers and conduct post-incident analysis before redeployment.

HOW TPRM PROFESSIONALS CAN LEVERAGE BLACK KITE FOR THIS VULNERABILITY

Black Kite released the XWiki Platform Focus Tag on October 31, 2025, with very high confidence due to observed exploitation and confirmation in the KEV catalog.

Using this Focus Tag, TPRM professionals can:

Identify vendors operating exposed or outdated XWiki installations through IP and subdomain intelligence.
Determine which vendors are most at risk from active exploitation campaigns.
Integrate Focus Tag alerts into their monitoring workflows to track remediation progress and ongoing exposure.
Prioritize vendor outreach, focusing on those hosting documentation or collaboration systems with public interfaces.

Black Kite’s XWiki Platform FocusTagTM details critical insights on the event for TPRM professionals.

Black Kite’s XWiki Platform FocusTag™ details critical insights on the event for TPRM professionals.

ENHANCING THIRD-PARTY RISK MANAGEMENT WITH BLACK KITE’S FOCUSTAGS™

As cyber threats grow increasingly dynamic, the ability to connect real-world vulnerability intelligence to vendor exposure becomes essential. Black Kite’s Focus Tags™ are designed precisely for this purpose — bridging the gap between vulnerability data and actionable TPRM insights.

They enable organizations to:

Real-Time Vendor Identification: Detect vendors directly exposed to high-impact vulnerabilities like MOVEit, Redis, CWP, DNN, and XWiki, accelerating containment efforts.
Risk-Based Prioritization: Focus resources on the vendors and vulnerabilities that matter most by aligning CVSS, EPSS, and exposure intelligence.
Targeted Vendor Engagement: Equip TPRM professionals with tailored, vulnerability-specific questions to engage vendors efficiently and effectively.
Continuous Risk Monitoring: Maintain visibility into remediation progress through dynamic asset and subdomain tracking, ensuring risk reduction is sustained over time.

Black Kite’s Focus Tags™ transform reactive risk management into a proactive, data-driven strategy. By connecting vendor exposure data to real-time exploit intelligence, they empower organizations to act swiftly — mitigating threats before they escalate into supply chain incidents.

ABOUT FOCUS FRIDAY

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FOCUSTAGS™ IN THE LAST 30 DAYS:

MOVEit - Oct2025 : CVE-2025-10932, Uncontrolled Resource Consumption Vulnerability, Denial of Service Vulnerability in Progress MOVEit Transfer.
Redis - Nov2025 : CVE-2025-62507, Improper Input Validation Vulnerability, Stack-based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability in Redis.
Control Web Panel (CWP) : CVE-2025-48703, Remote Code Execution Vulnerability, OS Command Injection Vulnerability in CentOS Control Web Panel.
DNN Software - Oct2025 : CVE-2025-64095, Improper Access Control Vulnerability, Unrestricted Upload of File Vulnerability, Arbitrary File Write Vulnerability, Remote Code Execution Vulnerability, Cross-site Scripting Vulnerability in DNN Software.
XWiki Platform : CVE-2025-24893, Remote Code Execution Vulnerability in XWiki Platform.
MikroTik RouterOS & SwOS : CVE-2025-61481, Arbitrary Code Execution Vulnerability, Man-in-the-Middle (MITM) Attack Vulnerability in MikroTik RouterOS & SwOS.
Apache Tomcat - Oct2025 : CVE-2025-55752, CVE-2025-55754, CVE-2025-61795, Remote Code Execution, Authorization Bypass, Path Traversal, File Upload, Improper Neutralization of Escape, Meta, or Control Sequences, Improper Resource Shutdown or Release, Improper Input Validation, Authentication Bypass, Denial of Service Vulnerabilities in Apache Tomcat.
Vault - Oct2025 : CVE-2025-12044, CVE-2025-11621, Denial of Service, Allocation of Resources Without Limits or Throttling, Authentication Bypass, Improper Authentication Vulnerabilities in Vault.
LiteSpeed - Oct2025 : CVE-2025-12450, Cross-site Scripting (XSS) Vulnerability in LiteSpeed.
Samba Server : CVE-2025-10230, Remote Code Execution Vulnerability in Samba servers.
Atlassian Jira - Oct2025 : CVE-2025-22167, CVE-2025-58057, CVE-2025-58056, CVE-2025-7962, CVE-2025-48989, Path Traversal, Arbitrary File Write, Remote Code Execution (RCE), Denial of Service (DoS), Request Smuggling, SMTP Injection, Improper Resource Shutdown or Release (MadeYouReset DDoS) vulnerabilities in Atlassian Jira Software and Jira Service Management.
TP-Link Omada Gateways : CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851, OS Command Injection vulnerabilities and Unauthorized Root Access via Debug Functionality in TP-Link Omada Gateways.
MinIO - Oct2025 : CVE-2025-62506, Privilege Escalation Vulnerability in MinIO servers.
Squid Proxy - Oct2025 : CVE-2025-62168, Information Disclosure Vulnerability in Squid Proxy.
Sauter EY-modulo : CVE-2025-41723, CVE-2025-41724, CVE-2025-41722, CVE-2025-41721, CVE-2025-41720, CVE-2025-41719, Improper Validation of Syntactic Correctness of Input Vulnerability, Denial of Service Vulnerability, Use of Hard-coded Credentials Vulnerability, Reliance on File Name or Extension of Externally-Supplied File Vulnerability, Command Injection Vulnerability in Sauter EY-modulo.
F5 BIG-IP APT Risk : CVE-2025-53868, CVE-2025-60016, CVE-2025-48008, CVE-2025-59781, CVE-2025-61951, CVE-2025-46706, CVE-2025-53856, CVE-2025-61974, CVE-2025-58071, CVE-2025-61990, CVE-2025-58096, CVE-2025-59481, CVE-2025-61958, CVE-2025-59269, CVE-2025-58153, CVE-2025-59483, CVE-2025-59268, CVE-2025-54755, CVE-2025-58424, Command Injection, Denial of Service (DoS), Out-of-bounds Read/Write, Use-After-Free, Resource Exhaustion, Memory Leak, Privilege Escalation, Authentication Bypass, Arbitrary File Write / File Upload, Cross-Site Scripting (XSS), Information Disclosure, Path Traversal, Exposure of Sensitive Information vulnerabilities in F5 BIG-IP (TMM, iControl REST, tmsh, Configuration Utility, IPsec, SSL/TLS profiles, DNS cache, iRules, ePVA, etc.), BIG-IP Next (SPK, CNF, Kubernetes).
Exchange Server - Oct2025: CVE-2025-59248, CVE-2025-59249, CVE-2025-53782, Spoofing Vulnerability, Elevation of Privilege Vulnerability, and Arbitrary Code Execution Vulnerability in Microsoft Exchange Server.
Microsoft SharePoint - Oct2025: CVE-2025-59228, CVE-2025-59237, Remote Code Execution vulnerabilities in Microsoft SharePoint.
Gladinet CentreStack & TrioFox [Suspected]: CVE-2025-11371, Storage of File With Sensitive Data Under FTP Root, Files or Directories Accessible to External Parties in Gladinet CentreStack and Triofox.
Flowise: CVE-2025-61913, Path Traversal Vulnerability, Arbitrary File Write Vulnerability, Remote Code Execution Vulnerability in Flowise.
Oracle EBS: CVE-2025-61882, Remote Code Execution Vulnerability, Missing Authentication for Critical Function Vulnerability in Oracle E-Business Suite.
Jenkins - Oct2025: CVE-2017-1000353, Remote Code Execution Vulnerability in Jenkins.
Redis - Oct2025: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, Remote Code Execution Vulnerability in Redis.
DrayTek Vigor - Oct2025: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
Zimbra - Oct2025: CVE-2025-27915, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite.
Elastic - Oct2025: CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728, Cross-Site Scripting (XSS) Vulnerability, Unrestricted File Upload Vulnerability, Information Disclosure Vulnerability, Insufficiently Protected Credentials Vulnerability in Elastic & Kibana.
Django - Oct2025: CVE-2025-59681, CVE-2025-59682, SQL Injection Vulnerability, Directory Traversal Vulnerability in Django.
Grafana - Oct2025: CVE-2021-43798, Directory Traversal Vulnerability in Grafana.
SillyTavern: CVE-2025-59159, DNS Rebinding Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability, Exposure of Sensitive Information Vulnerability in SillyTavern.
WP Yoast SEO - Oct2025: CVE-2025-11241, Cross-Site Scripting (XSS) Vulnerability in WP Yoast SEO.