FOCUS FRIDAY: TPRM INSIGHTS ON ORACLE EBS, JENKINS, REDIS, DRAYTEK VIGOR, ZIMBRA, ELASTIC, DJANGO, GRAFANA, SILLYTAVERN, AND WP YOAST SEO
This week’s post covers more FocusTags than any Focus Friday since the very first one. It’s been an intense week for the Black Kite Research Team, packed with extensive FocusTag analysis.
INTRODUCTION
In this week’s Focus Friday, we examine a comprehensive range of newly identified vulnerabilities affecting both enterprise-grade systems and widely used open-source tools. From Oracle E-Business Suite, Jenkins, and Redis to DrayTek Vigor routers, Zimbra Collaboration Suite, Elastic Kibana, Django, Grafana, and WordPress Yoast SEO, each incident underscores how weaknesses across infrastructure, web frameworks, and plugins can create cascading third-party risks.
This week’s analysis also includes the SillyTavern DNS Rebinding vulnerability, a critical issue that highlights the growing attack surface within locally hosted and AI-integrated applications. Leveraging Black Kite’s FocusTags™, organizations can rapidly identify which vendors are exposed to these vulnerabilities—turning technical threat data into actionable intelligence for Third-Party Risk Management (TPRM) teams.
Together, these FocusTags reveal how even well-established enterprise software and open-source utilities can evolve into significant risk vectors if unpatched, emphasizing the necessity for continuous monitoring and proactive vendor engagement within every modern TPRM strategy.

Filtered view of companies with Oracle EBS FocusTag™ on the Black Kite platform.
CVE-2025-61882 — ORACLE E-BUSINESS SUITE
WHAT IS CVE-2025-61882 (ORACLE EBS)?
CVE-2025-61882 is a critical, pre-authentication remote code execution (RCE) in Oracle E-Business Suite (Oracle EBS) that allows an unauthenticated attacker with network (HTTP) access to execute arbitrary code against the Oracle Concurrent Processing / BI Publisher integration components. The flaw affects Oracle EBS versions 12.2.3 through 12.2.14.
Severity / scores
- CVSS: 9.8 (Critical)
- EPSS: 56.82%
When published / first disclosed
- Oracle released a Security Alert and fixes in early October 2025.
Exploitation in the wild
- The vulnerability is being actively exploited in the wild and has been associated with the threat actors LAPSUS, as well as the malware families ‘Clop’ and ‘HUNTERS’.
Public PoC / detection artifacts
- Public exploit code and community detection content are available. Oracle also published IOCs (observed IPs, command traces, file hashes) to help detection and containment.
CISA / KEV status
- CISA has listed this CVE in its Known Exploited Vulnerabilities (KEV) catalog as of October 6, 2025.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT CVE-2025-61882?
Oracle EBS is an enterprise application that stores and processes highly sensitive business data (financials, payroll, HR, procurement). A pre-auth RCE in EBS can lead to full system takeover, data exfiltration, and service disruption — exactly the goals seen in the observed extortion/data theft campaign. For third-party risk teams, a compromise at a vendor running internet-facing or poorly segmented EBS instances can mean leaked PII, financial records, or intellectual property that directly impacts your organization through shared services, integrations, or outsourced functions.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS ISSUE?
Open the vendor conversation by stating the concern, then ask targeted questions:
- Which Oracle EBS versions (exact patch levels) are you running in production and exposed externally (list by full version, e.g., 12.2.10)?
- Have you applied Oracle’s Security Alert updates addressing CVE-2025-61882 and the October 2023 CPU prerequisite? Provide dates and KB/reference IDs for the patching evidence.
- Did you observe any of Oracle’s published IOCs (IP addresses, command strings, hashes) in your logs? If so, provide scope and containment steps taken.
- What compensating controls (WAF rules, network segmentation, access controls, monitoring) were in place before patching, and what detection/hunt playbooks have you executed since the advisory? Provide telemetry evidence (log ranges, IDS alerts, or detection signatures).
REMEDIATION RECOMMENDATIONS FOR VENDORS
Prioritize confirmed vulnerable instances first, then expand to near-misses and dependent environments.
- Confirm version and exposure. Verify whether any EBS instances are running versions 12.2.3–12.2.14 and whether they are reachable from untrusted networks.
- Apply Oracle’s Security Alert immediately. Install the vendor-supplied patches for CVE-2025-61882 — note the October 2023 CPU prerequisite must be in place before applying the security alert updates. If a vendor instance is out of support, schedule an upgrade or isolate the system until remediation.
- Hunt and contain using IOCs. Use the IPs, file hashes and observed command patterns Oracle listed to hunt across logs and endpoints. If evidence of compromise exists, isolate affected systems, collect forensic artifacts, and follow an incident response playbook that preserves evidence.
- Tighten external exposure. Block or restrict HTTP access to EBS components from the public internet (VPN/zero-trust access, IP allowlists) and apply WAF rules to catch exploitable request patterns.
- Enhance detection. Deploy signatures based on the published PoC artifacts and community detections, and add searches for suspicious reverse-shell payload patterns in logs.
- Validate backups & credentials rotation. Ensure recent, immutable backups exist and rotate credentials/keys that may have been exposed. Treat systems as potentially compromised until a full forensic review clears them.
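The "hunt and contain using IOCs" step above is easiest to make repeatable with a small script. The block below is an added example, not code from Oracle or Black Kite: it extracts IP addresses and SHA-256 hashes from log lines, looks them up in an indicator set, and searches for reverse-shell command fragments. Every indicator value and log line here is a constructed placeholder; replace the IOCS dictionary with the indicators from Oracle's alert before running it over real logs.

```python
import re
from collections import defaultdict

# Placeholder indicator set constructed for this example. Substitute the IOCs
# Oracle published for CVE-2025-61882 (and your own intel) before real use;
# none of the values below are real indicators.
IOCS = {
    "ip": {"203.0.113.10", "198.51.100.77"},       # RFC 5737 documentation ranges
    "sha256": {"deadbeef" * 8},                     # obviously artificial hash
    "command": ("bash -i", "/dev/tcp/"),            # generic reverse-shell fragments
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def hunt(lines, iocs=IOCS):
    """Return {line_number: [(ioc_type, value), ...]} for every line that
    contains at least one indicator. IP and hash candidates are extracted
    with regexes and looked up in the sets; command fragments are searched
    case-insensitively as substrings."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for ip in sorted(set(IP_RE.findall(line))):
            if ip in iocs["ip"]:
                hits[n].append(("ip", ip))
        for digest in sorted(set(SHA256_RE.findall(line))):
            if digest.lower() in iocs["sha256"]:
                hits[n].append(("sha256", digest.lower()))
        lowered = line.lower()
        for fragment in iocs["command"]:
            if fragment.lower() in lowered:
                hits[n].append(("command", fragment))
    return dict(hits)


def summarize(hits):
    """Count matches per indicator type, e.g. {'ip': 2, 'command': 2, 'sha256': 1}."""
    counts = defaultdict(int)
    for matches in hits.values():
        for ioc_type, _ in matches:
            counts[ioc_type] += 1
    return dict(counts)


# Constructed log excerpt mixing web-tier access lines and host audit lines.
SAMPLE_LOG = [
    '198.51.100.5 - - [06/Oct/2025:02:13:55 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 8841',
    '203.0.113.10 - - [06/Oct/2025:02:14:09 +0000] "POST /OA_HTML/example-endpoint HTTP/1.1" 200 512',
    "Oct  6 02:14:11 ebsapp01 auditd: execve bash -i ; stdout redirected to /dev/tcp/203.0.113.10/4444",
    "Oct  6 02:16:40 ebsapp01 av: quarantined /tmp/payload.bin sha256=" + "deadbeef" * 8,
    "Oct  6 02:20:02 ebsapp01 av: scanned /u01/app/patch.zip sha256=" + "00" * 32 + " clean",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for number, matches in sorted(found.items()):
        print(number, matches)
    print(summarize(found))
```

A hit on an IP alone is weak evidence (shared infrastructure, scanners); a command fragment or a hash hit on the same host is what should trigger isolation and forensic collection.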

Black Kite’s Oracle EBS FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2017-1000353 — JENKINS
WHAT IS CVE-2017-1000353 (JENKINS RCE VULNERABILITY)?
CVE-2017-1000353 is a critical unauthenticated remote code execution flaw in Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier. It arises from Jenkins CLI’s improper deserialization of Java SignedObject instances. Attackers can exploit this to execute arbitrary code on vulnerable Jenkins controllers without authentication.
- Severity: Critical
- CVSS: 9.8
- EPSS: 94.51%
- Discovery/Publication: April 26, 2017
- Exploitation: Actively exploited, with public PoCs and inclusion in CISA’s KEV Catalog on October 2, 2025.
The vulnerability bypasses the CLI’s blacklist-based protections by using a new ObjectInputStream. Jenkins later deprecated this remoting-based CLI protocol and introduced a safer HTTP-based CLI.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT CVE-2017-1000353?
Jenkins is widely used in software development pipelines for continuous integration and deployment. A remote code execution flaw in such an environment gives attackers control over build servers, pipelines, and potentially downstream artifacts. This can lead to source code tampering, malware injection, and compromise of credentials stored in Jenkins. For TPRM teams, vendors leveraging Jenkins in their DevOps chain represent a direct software supply chain risk, potentially impacting the integrity of the delivered code.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS ISSUE?
- Which Jenkins versions are currently deployed in your CI/CD environment, and are any below 2.46.2 LTS or 2.57?
- Have you disabled the remoting-based CLI and transitioned to the HTTP or SSH-based CLI as recommended?
- Have you reviewed Jenkins logs for suspicious serialized object traffic or exploitation attempts related to this CVE?
- What measures are in place to secure your Jenkins servers (e.g., network isolation, restricted agent connectivity, or API token rotation)?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Upgrade immediately to Jenkins 2.57 (main line) or 2.46.2 LTS.
- Disable remoting-based CLI if still enabled and enforce HTTP or SSH-based CLI usage.
- Harden Jenkins servers by limiting exposure to internal networks, applying strict authentication, and removing unused plugins.
- Monitor for compromise indicators, including unexpected processes or unauthorized configuration changes.
- Rotate credentials and tokens stored in Jenkins if compromise is suspected.
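The question about "suspicious serialized object traffic" can be answered mechanically on captured HTTP traffic to the CLI endpoint. The block below is an added example, not Jenkins project code: it flags requests to /cli whose body carries the Java serialization stream header (0xACED0005) or the Side header used by the legacy remoting-over-HTTP CLI. The CLI path pattern and the Side header are assumptions about the legacy protocol to confirm against your own deployment, and the captured requests are constructed. Once the remoting CLI is disabled, any such hit deserves investigation, because the replacement CLI protocols do not rely on Java serialization.

```python
import re
from typing import Dict, List, NamedTuple

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # stream header of Java object serialization

# Jenkins CLI endpoint, optionally under a context path such as /jenkins.
# Assumption for this example: adjust to your deployment.
CLI_PATH = re.compile(r"^/(?:[^/]+/)?cli(?:[/?]|$)")


class CapturedRequest(NamedTuple):
    src_ip: str
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes


def classify(req: CapturedRequest) -> List[str]:
    """Return the indicators found in one request to the CLI endpoint
    (empty list if none, or if the request is not for the CLI at all)."""
    if not CLI_PATH.match(req.path):
        return []
    findings = []
    if JAVA_SERIAL_MAGIC in req.body:
        findings.append("java-serialized-object-in-body")
    headers = {k.lower(): v for k, v in req.headers.items()}
    # The legacy remoting-over-HTTP CLI pairs a download and an upload stream
    # identified by a "Side" header (assumption based on the remoting
    # protocol; treat it as a hint, not proof).
    if "side" in headers:
        findings.append(f"remoting-side-header:{headers['side'].lower()}")
    return findings


def scan(requests):
    """Summarise every request that carries at least one indicator."""
    report = []
    for req in requests:
        found = classify(req)
        if found:
            report.append({"src_ip": req.src_ip, "path": req.path, "indicators": found})
    return report


# Constructed traffic sample: a legacy-CLI style upload carrying a serialized
# object, its paired download stream, a plain POST to /cli, and an API call.
SAMPLE_REQUESTS = [
    CapturedRequest("203.0.113.50", "POST", "/cli",
                    {"Side": "upload", "Content-Type": "application/octet-stream"},
                    b"\x00\x00\x00\x10" + JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"),
    CapturedRequest("203.0.113.50", "POST", "/cli", {"Side": "download"}, b""),
    CapturedRequest("198.51.100.9", "POST", "/jenkins/cli", {"Content-Type": "text/plain"}, b"who-am-i"),
    CapturedRequest("198.51.100.9", "GET", "/api/json", {"Accept": "application/json"}, b""),
]

if __name__ == "__main__":
    for entry in scan(SAMPLE_REQUESTS):
        print(entry)
```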

Black Kite’s Jenkins – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 — REDIS
WHAT ARE THE REDIS REMOTE CODE EXECUTION VULNERABILITIES?
Four vulnerabilities have been identified in Redis, primarily affecting instances with Lua scripting enabled.
- CVE-2025-49844 (CVSS: 9.9, EPSS: 0.10%) is a critical use-after-free flaw in Redis’s embedded Lua interpreter. Authenticated users can craft malicious Lua scripts that manipulate the garbage collector, resulting in remote code execution (RCE).
- CVE-2025-46817 (CVSS: 9.8, EPSS: 0.03%) involves an integer overflow in Lua arithmetic operations, also exploitable via crafted Lua scripts.
- CVE-2025-46818 (CVSS: 6.0, EPSS: 0.01%) allows privilege escalation, enabling one authenticated user to execute Lua functions under another user’s context.
- CVE-2025-46819 (CVSS: 6.3, EPSS: 0.01%) causes out-of-bounds reads in the Lua engine, enabling potential data leakage or denial of service.
These flaws were disclosed publicly by Redis on October 3, 2025, and affect Redis versions prior to 8.2.2, 8.0.4, 7.4.6, 7.2.11, and 6.2.20. Redis has no evidence of active exploitation, and no public proof-of-concept (PoC) exists. None of these CVEs are listed in CISA’s KEV Catalog as of October 2025.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THESE REDIS VULNERABILITIES?
Redis is a critical component in enterprise caching, messaging, and session storage systems. Compromise through these vulnerabilities—especially in multi-tenant or internet-exposed Redis servers—could allow data theft, system compromise, or lateral movement across interconnected environments.
For TPRM teams, these vulnerabilities represent a shared infrastructure risk, as Redis often underpins SaaS platforms and APIs. If a vendor’s Redis instance is misconfigured or unpatched, it could expose sensitive customer data, tokens, and authentication sessions, directly impacting downstream services.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THESE ISSUES?
- Which Redis versions are currently in production, and do any precede 8.2.2, 8.0.4, 7.4.6, 7.2.11, or 6.2.20?
- Is Lua scripting enabled in your Redis instances, and if so, what access controls or restrictions (ACLs) are enforced on EVAL, EVALSHA, and FUNCTION commands?
- Have you reviewed Redis logs for anomalous Lua activity or attempted exploitation (e.g., unauthorized Lua script execution or server crashes related to Lua)?
- What network segmentation or authentication controls (protected mode, TLS, firewall restrictions) are applied to Redis servers to prevent unauthorized access?
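The ACL question above can be checked directly against `ACL LIST` output rather than taken on trust. The block below is an added example, not Redis code: a small evaluator that applies ACL rules left to right, as Redis does, for EVAL, EVALSHA and FUNCTION and reports which users can reach scripting. It models only the @all and @scripting categories (the membership list is an assumption to confirm with `ACL CAT scripting` on your version); a rule that uses any other category is reported for manual review instead of being guessed at. The sample `ACL LIST` output and the password hash are constructed.

```python
# Commands in Redis's @scripting ACL category (assumption for this example:
# taken from the category as documented for Redis 7.x; verify with
# `ACL CAT scripting` on your own version).
CATEGORIES = {
    "scripting": {"eval", "evalsha", "eval_ro", "evalsha_ro",
                  "fcall", "fcall_ro", "function", "script"},
}
# The three entry points the Redis mitigation guidance names.
SCRIPT_ENTRYPOINTS = ("eval", "evalsha", "function")


def command_allowed(acl_entry, command):
    """Evaluate one `ACL LIST` entry (or acl-file line) for `command`.
    Rules apply left to right, as Redis does. Returns True / False, or None
    when a category this example does not model appears in the rule."""
    command = command.lower()
    tokens = acl_entry.split()
    if tokens[:1] == ["user"]:
        tokens = tokens[2:]          # drop "user <name>"
    allowed = False                  # a fresh user starts with no commands
    for tok in tokens:
        if tok == "off":
            return False             # disabled users cannot run anything
        if tok in ("allcommands", "+@all"):
            allowed = True
        elif tok in ("nocommands", "-@all"):
            allowed = False
        elif tok[:2] in ("+@", "-@"):
            members = CATEGORIES.get(tok[2:].lower())
            if members is None:
                return None          # unmodelled category: cannot decide here
            if command in members:
                allowed = tok[0] == "+"
        elif tok[:1] in ("+", "-"):
            name, _, sub = tok[1:].lower().partition("|")
            if name != command:
                continue
            if not sub:
                allowed = tok[0] == "+"
            elif tok[0] == "+":
                allowed = True       # a subcommand grant still exposes the command
    return allowed


def users_with_script_access(acl_list_output):
    """Map user -> verdict for users that can (or might) reach scripting.
    Users with no access are omitted."""
    findings = {}
    for line in acl_list_output.splitlines():
        line = line.strip()
        if not line.startswith("user "):
            continue
        name = line.split()[1]
        verdicts = [command_allowed(line, c) for c in SCRIPT_ENTRYPOINTS]
        if any(v is None for v in verdicts):
            findings[name] = "review: unmodelled category in rule"
        elif any(verdicts):
            findings[name] = "scripting allowed"
    return findings


PLACEHOLDER_HASH = "#" + "0" * 64   # stands in for a real SHA-256 password hash

# Constructed `ACL LIST` output: a weak default user, a scoped app user,
# a user deliberately given scripting, a legacy rule that re-grants EVALSHA,
# a disabled user, and one using a category this example does not model.
SAMPLE_ACL_LIST = f"""
user default on nopass ~* &* +@all
user app on {PLACEHOLDER_HASH} ~app:* &* -@all +get +set +del +expire
user scripts on {PLACEHOLDER_HASH} ~* &* -@all +@scripting
user legacy on nopass ~* &* allcommands -@scripting +evalsha
user retired off ~* &* +@all
user report on {PLACEHOLDER_HASH} ~* &* -@all +@read
""".strip()

# Hardened counterpart of the default user: keep everything except scripting.
HARDENED_DEFAULT = "user default on >placeholder-password ~* &* +@all -@scripting"

if __name__ == "__main__":
    for user, verdict in users_with_script_access(SAMPLE_ACL_LIST).items():
        print(f"{user}: {verdict}")
```

The `legacy` user shows why the evaluator has to be sequential: `-@scripting` after `allcommands` looks like a fix, but the trailing `+evalsha` re-opens the door.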
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Upgrade immediately to fixed Redis versions — 8.2.2, 8.0.4, 7.4.6, 7.2.11, or 6.2.20 — which resolve these vulnerabilities.
- Restrict Lua command execution using Redis ACLs. Limit EVAL, EVALSHA, and FUNCTION command access to trusted administrators only.
- Disable Lua scripting entirely if it is not business-critical to eliminate this attack surface.
- Enforce protected mode and restrict network access to Redis instances. Only allow trusted internal systems to connect, preferably over TLS.
- Monitor for exploitation indicators, such as unauthorized Lua script creation, anomalous traffic patterns, or Redis crashes involving Lua garbage collection.
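Because each Redis line has its own fixed release, a vendor's answer has to be compared against the fix for its own branch, not against the newest version overall. The following helper is an added example, not from Redis or Black Kite: it parses dotted versions (with pre-release tags and trailing words such as "LTS"), treats major.minor as the branch, and returns None rather than guessing when a reported version's branch has no fix in the list. It works the same way for the Elastic, Django and Grafana fix lists elsewhere in this post; the questionnaire answers are constructed.

```python
import re

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?$")

# Fixed releases as listed in the Redis advisory above.
REDIS_FIXED = ["8.2.2", "8.0.4", "7.4.6", "7.2.11", "6.2.20"]


def parse_version(text):
    """'8.2.2' -> ((8, 2, 2), None); '8.0.0-beta1' -> ((8, 0, 0), 'beta1').
    A trailing word such as 'LTS' is ignored."""
    token = text.strip().split()[0]
    m = VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    pre = m.group(2).lower() if m.group(2) else None
    return numbers, pre


def _sort_key(parsed):
    numbers, pre = parsed
    padded = numbers + (0,) * (4 - len(numbers))          # 8.2 sorts as 8.2.0.0
    return padded, (1 if pre is None else 0), (pre or "")  # pre-release < final


def patched_status(reported, fixed_versions, branch_depth=2):
    """True  -> reported version is at or above its branch's fixed release
    False -> reported version is on a fixed branch but below the fix
    None  -> the list has no fix for that branch (end-of-life line or a
             release outside the affected range): needs a human decision."""
    rep = parse_version(reported)
    for fixed in fixed_versions:
        fx = parse_version(fixed)
        if rep[0][:branch_depth] == fx[0][:branch_depth]:
            return _sort_key(rep) >= _sort_key(fx)
    return None


def triage(vendor_answers, fixed_versions):
    """Turn questionnaire answers {vendor: version} into a follow-up list."""
    labels = {True: "patched", False: "VULNERABLE - follow up",
              None: "unlisted branch - review"}
    return {vendor: labels[patched_status(ver, fixed_versions)]
            for vendor, ver in vendor_answers.items()}


# Constructed questionnaire responses for the Redis advisory.
SAMPLE_ANSWERS = {"vendor-a": "7.4.5", "vendor-b": "8.2.2",
                  "vendor-c": "5.0.14", "vendor-d": "8.0"}

if __name__ == "__main__":
    for vendor, verdict in triage(SAMPLE_ANSWERS, REDIS_FIXED).items():
        print(f"{vendor}: {verdict}")
```

For products that fix a single main line plus a separate LTS line (Jenkins in this post), branch_depth=1 compares against the first matching entry, so list the LTS fix first or run the two lines separately.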

Black Kite’s Redis – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-10547 — DRAYTEK VIGOR ROUTERS
WHAT IS THE DRAYTEK VIGOR REMOTE CODE EXECUTION VULNERABILITY?
CVE-2025-10547 is a high-severity remote code execution (RCE) vulnerability affecting the DrayOS firmware in multiple DrayTek Vigor router models.
The flaw, rated CVSS 8.8 with an EPSS of 0.02%, arises from an uninitialized variable in the router’s Web User Interface (WebUI). By sending specially crafted HTTP or HTTPS requests, an unauthenticated attacker can trigger an arbitrary memory free() operation, leading to memory corruption. Under specific conditions, this can allow arbitrary code execution within the device’s firmware.
The vulnerability affects a broad set of Vigor models used in small and medium-sized business networks. It was disclosed on October 7, 2025, and while no exploitation has been observed in the wild, the risk increases significantly for routers exposing their management interfaces over the internet. The vulnerability is not listed in CISA’s KEV Catalog and has no public proof-of-concept at this time.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT CVE-2025-10547?
Routers are critical entry points for business networks, and compromise at this layer can lead to network infiltration, data interception, or lateral movement across connected systems.
Vendors using DrayTek Vigor routers—especially in branch offices, retail stores, or remote access environments—could unknowingly expose internal systems to external attackers. From a TPRM standpoint, an exploited router at a third-party vendor can allow adversaries to bypass traditional firewalls, pivot into sensitive environments, and launch supply chain intrusions.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS ISSUE?
- Which DrayTek Vigor router models and firmware versions are currently deployed within your infrastructure?
- Have you applied the firmware updates addressing CVE-2025-10547 or implemented temporary mitigations?
- Is the WebUI management interface accessible from the internet? If so, what access restrictions or VPN-based controls are enforced?
- How are network monitoring and alerting configured to detect potential exploitation attempts targeting router interfaces?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Apply official firmware updates released by DrayTek for all affected models. Patching removes the uninitialized variable flaw that enables arbitrary free and potential RCE.
- Restrict WebUI access — disable WAN-side management or limit it to secure VPN channels and internal IP ranges.
- Segment critical systems from router management networks to reduce lateral movement potential in case of compromise.
- Monitor logs and network traffic for signs of exploitation, such as unexpected WebUI requests or system instability.
- Review device hardening policies, ensuring default credentials are changed, remote management ports are closed, and SNMP exposure is limited.

Black Kite’s DrayTek Vigor – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-27915 — ZIMBRA COLLABORATION
WHAT IS THE ZIMBRA XSS VULNERABILITY?
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client of Zimbra Collaboration Suite (ZCS). It allows attackers to execute arbitrary JavaScript through malicious ICS calendar files due to inadequate sanitization of embedded HTML content. The flaw, rated CVSS 5.4 (Medium) with an EPSS of 30.23%, was actively exploited as a zero-day in early 2025.
When a user opens a malicious ICS email, JavaScript executes via an ontoggle event inside a <details> tag. Attackers used this to steal data and set malicious email forwarding rules, redirecting sensitive communications to external servers.
The exploit campaign, first reported by StrikeReady Labs in September 2025, targeted the Brazilian military through emails spoofing the Libyan Navy’s Office of Protocol. The operation deployed a JavaScript-based data stealer that exfiltrated credentials, contacts, and shared folders to the ffrk[.]net domain and created persistent filters (e.g., “Correo”) to forward emails to [email protected].
The attack was attributed to a sophisticated threat actor, potentially state-sponsored, with overlaps to UNC1151 (Ghostwriter) and APT28 based on similar tactics observed in prior campaigns.
The vulnerability was patched on January 27, 2025, and added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on October 7, 2025.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT CVE-2025-27915?
Zimbra is widely used for enterprise and government email communication. Exploitation of this stored XSS flaw can enable attackers to intercept, exfiltrate, or manipulate sensitive messages without user awareness.
From a TPRM perspective, vendors or third parties operating vulnerable Zimbra instances pose a significant email supply chain risk. Attackers could exploit this weakness to impersonate trusted partners, deliver malicious payloads, or silently siphon confidential data from compromised mail servers.
In this case, targeted attacks against government entities show how Zimbra compromises can cascade through inter-organizational communications, amplifying third-party exposure.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS ISSUE?
- Are any Zimbra Collaboration instances (especially Classic Web Client) still running versions prior to 9.0.0 Patch 44, 10.0.13, or 10.1.5?
- Have you applied the January 2025 security patches and verified that updated HTML sanitization mechanisms are active?
- Have you reviewed email filter rules for suspicious entries (e.g., “Correo” or forwarding to external domains like proton.me)?
- What monitoring mechanisms are in place to detect unusual outbound traffic, especially to domains such as ffrk[.]net or similar attacker infrastructure?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Patch immediately to Zimbra Collaboration 9.0.0 Patch 44, 10.0.13, or 10.1.5 (or newer). These updates address the XSS flaw and harden HTML sanitization in ICS files.
- Block and monitor attacker infrastructure, including known command-and-control URLs and IPs (ffrk[.]net, 193.29.58[.]37).
- Scan for malicious attachments using the provided hash (ea752b1651ad16bc6bf058c34d6ae795d0b4068c2f48fdd7858f3d4f7c516f37) and quarantine any matches.
- Audit and remove malicious filter rules, particularly those forwarding to external domains such as [email protected].
- Enhance email gateway policies to detect and block malicious ICS attachments with embedded scripts.
- Educate end-users about opening calendar invites from unfamiliar sources and spotting spoofed senders.

Black Kite’s Zimbra – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728 — ELASTIC STACK (KIBANA & ELASTICSEARCH)
WHAT ARE THE ELASTIC STACK VULNERABILITIES?
Elastic has patched multiple vulnerabilities in Kibana and Elasticsearch, several of which are classified as high severity:
- CVE-2025-25009 (CVSS 8.7, EPSS 0.03%) — a stored Cross-Site Scripting (XSS) flaw in Kibana’s case file upload feature. Attackers with upload privileges can inject JavaScript into stored pages, enabling session hijacking or privilege escalation within Kibana dashboards.
- CVE-2025-25017 (CVSS 8.2) — an input sanitization flaw in Kibana’s Vega visualization engine, enabling XSS through malicious Vega configurations.
- CVE-2025-25018 (CVSS 8.7) — another stored XSS vulnerability in Kibana’s Fleet and Integrations interface, allowing injected scripts to execute in administrative sessions.
- CVE-2025-37727 (CVSS 5.3) — an information disclosure issue in Elasticsearch’s audit logging. Under specific conditions, sensitive request bodies are logged, exposing confidential data.
- CVE-2025-37728 (CVSS 5.4) — a credentials leakage vulnerability in the Kibana CrowdStrike connector, where users in one space can access cached credentials from another.
Elastic disclosed these vulnerabilities on October 6, 2025, and released security updates in versions 8.18.8, 8.19.5, 9.0.8, and 9.1.5. No active exploitation or public PoCs have been reported, and none are listed in CISA’s KEV catalog as of October 2025.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THESE ELASTIC VULNERABILITIES?
Elastic Stack components—Kibana for visualization and Elasticsearch for indexing—are widely used across enterprise analytics environments.
Exploitation of these flaws could allow threat actors to:
- Steal user sessions, tokens, or credentials.
- Inject persistent JavaScript within dashboards accessed by multiple administrators.
- Leak sensitive customer or system data via logs.
Vendors using Elastic in externally exposed environments (e.g., customer dashboards or analytics portals) pose heightened risk to their partners. For TPRM teams, these issues represent a potential data confidentiality and integrity risk, especially when connected to production or monitoring environments accessible from the internet.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THESE ISSUES?
- What versions of Kibana and Elasticsearch are currently deployed, and have you upgraded to 8.18.8, 8.19.5, 9.0.8, or 9.1.5 (or later)?
- Have you disabled Vega visualizations or verified input sanitization settings where Vega is enabled?
- Are audit logs configured to redact or exclude sensitive request bodies to prevent data leakage?
- Have you reviewed Kibana role-based access and disabled unused connectors, such as the CrowdStrike connector, to prevent credential exposure?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Upgrade immediately to patched versions:
  - Kibana: 8.18.8, 8.19.5, 9.0.8, 9.1.5
  - Elasticsearch: 8.18.8, 8.19.5, 9.0.8, 9.1.5
  These releases remediate all known vulnerabilities, including the CrowdStrike connector credential issue.
- Apply mitigations for older Kibana instances:
  - For versions 7.12–8.19.0, enable discover:searchFieldsFromSource: true to mitigate stored XSS via case uploads.
  - Disable Vega visualization (vis_type_vega.enabled: false) if not essential.
- Restrict user privileges — limit file upload and management permissions only to trusted administrators.
- Monitor Elasticsearch audit logs for exposure of request bodies or unusual access to reindex API events.
- Implement network segmentation for Elastic clusters and enforce authentication via TLS.

Black Kite’s Elastic – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-59681 and CVE-2025-59682 — DJANGO WEB FRAMEWORK
WHAT ARE THE DJANGO VULNERABILITIES?
Two vulnerabilities were disclosed and patched in Django on October 1, 2025, affecting versions 4.2, 5.1, and 5.2, as well as the main and 6.0 (alpha) branches.
- CVE-2025-59681 (CVSS 7.1, EPSS 0.01%) — a high-severity SQL injection vulnerability in QuerySet.annotate(), alias(), aggregate(), and extra() methods used with MySQL and MariaDB. Exploiting crafted kwargs could allow attackers to manipulate queries or extract unauthorized data.
- CVE-2025-59682 (CVSS 3.1, EPSS 0.08%) — a low-severity directory traversal flaw in django.utils.archive.extract(), used by startapp and startproject commands. Malicious archives could trigger partial traversal into unintended directories.
Both issues were responsibly disclosed and patched in Django 5.2.7, 5.1.13, and 4.2.25. No exploitation in the wild has been observed, and neither is included in CISA’s KEV catalog.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT THESE DJANGO VULNERABILITIES?
Django is widely adopted across SaaS, fintech, and government web applications.
An SQL injection flaw in Django’s ORM layer could enable data exposure or manipulation in backend databases, particularly in multi-tenant environments using MySQL or MariaDB.
From a TPRM perspective, unpatched systems may allow attackers to exfiltrate sensitive client data, modify transaction records, or compromise data integrity.
The directory traversal issue, while lower in impact, could be abused in development or CI/CD pipelines, introducing unauthorized files or templates during project generation — potentially planting malicious code into production environments.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THESE VULNERABILITIES?
- Which Django versions are currently deployed in production and development environments?
- Have you upgraded to Django 5.2.7, 5.1.13, or 4.2.25 (or newer) to address CVE-2025-59681 and CVE-2025-59682?
- Are any applications using MySQL or MariaDB with unvalidated QuerySet methods that could be exploited for SQL injection?
- Are template archives sourced only from trusted internal repositories, and are external archives validated before use?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Upgrade Django immediately to the patched versions (5.2.7, 5.1.13, or 4.2.25).
- Review ORM usage — audit all uses of annotate(), alias(), aggregate(), and extra() for untrusted dictionary inputs, especially in MySQL/MariaDB contexts.
- Restrict template archive sources — use only trusted archives when running startapp or startproject commands.
- Implement database query sanitization and input validation within custom managers or model methods.
- Enable database-level logging to detect suspicious query behavior or unexpected modifications.

Black Kite’s Django – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2021-43798 — GRAFANA
WHAT IS THE GRAFANA PATH TRAVERSAL VULNERABILITY?
CVE-2021-43798 is a high-severity directory traversal vulnerability (CVSS 7.5, EPSS 94.37%) in Grafana versions 8.0.0-beta1 to 8.3.0. It allows unauthenticated attackers to read arbitrary files on the server by manipulating plugin resource URLs.
Exploitation involves crafted paths such as:
/public/plugins/<plugin_id>/../../../../../../../../etc/passwd
The issue was disclosed on December 7, 2021, and exploited in the wild within hours of release, as several public PoCs and scanning campaigns appeared on GitHub and exploit databases.
Grafana patched the flaw in 8.3.1, 8.2.7, 8.1.8, and 8.0.7, and confirmed Grafana Cloud was unaffected.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT CVE-2021-43798?
Grafana is widely used in infrastructure monitoring and observability systems.
This vulnerability could allow adversaries to read sensitive files such as configuration credentials, API tokens, and private keys stored on affected servers.
In third-party environments, this exposure may lead to data breaches or lateral movement into production networks where vendors host telemetry dashboards, risking supply chain compromise.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS ISSUE?
- Are you running any Grafana instances between 8.0.0-beta1 and 8.3.0?
- Have you updated all deployments to 8.3.1, 8.2.7, 8.1.8, or 8.0.7?
- Are your Grafana dashboards accessible from the internet, or restricted to internal networks/VPNs?
- Have you reviewed access logs for directory traversal patterns such as ../ requests targeting /public/plugins/ paths?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Upgrade immediately to patched Grafana versions.
- Restrict Grafana exposure — protect management interfaces using firewalls or reverse proxies.
- Audit access logs for suspicious plugin path requests.
- Rotate credentials and API keys stored on affected servers.
- Harden configuration files by enforcing least privilege and disabling unused plugins.
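Auditing access logs for plugin path traversal is harder than grepping for ../ because the sequence is often percent-encoded, sometimes twice. The block below is an added example, not Grafana code: it decodes each request path until it stops changing before checking for a .. segment under /public/plugins/, and tallies attempts per source IP. The log lines are constructed in the combined access-log format a reverse proxy in front of Grafana would write (an assumption; Grafana's own server log is logfmt and would need a different line parser).

```python
import re
from collections import Counter
from urllib.parse import unquote

PLUGIN_RESOURCE = re.compile(r"^/public/plugins/[^/]+/")
# Apache/nginx "combined" access-log shape (assumption: written by a reverse
# proxy in front of Grafana; Grafana's own log uses logfmt).
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw):
    """Percent-decode until stable (bounded, so double encoding is unwrapped
    but a pathological input cannot loop) and unify backslashes."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path):
    """True when a plugin-resource path contains a '..' segment after decoding."""
    norm = normalize_path(path.split("?", 1)[0])
    if not PLUGIN_RESOURCE.match(norm):
        return False
    return ".." in norm.split("/")


def find_traversal_attempts(lines):
    """Return (ip, raw_path, status) for each access-log line that matches."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


def attempts_by_source(hits):
    """Count attempts per client IP. A 200 status on a flagged line means the
    file was actually served, so that host should be treated as exposed."""
    return dict(Counter(ip for ip, _, _ in hits))


# Constructed access-log excerpt: plain, single- and double-encoded traversal
# attempts from one client, then two legitimate requests from another.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [07/Dec/2021:10:12:01 +0000] "GET /public/plugins/demo-panel/../../../../../../../../etc/passwd HTTP/1.1" 200 1893 "-" "curl/7.68.0"',
    '203.0.113.7 - - [07/Dec/2021:10:12:02 +0000] "GET /public/plugins/demo-panel/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 2210 "-" "curl/7.68.0"',
    '203.0.113.7 - - [07/Dec/2021:10:12:03 +0000] "GET /public/plugins/demo-panel/%252e%252e/%252e%252e/nonexistent HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.22 - - [07/Dec/2021:10:13:40 +0000] "GET /public/plugins/demo-panel/module.js HTTP/1.1" 200 51012 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [07/Dec/2021:10:13:41 +0000] "GET /api/dashboards/home HTTP/1.1" 200 843 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_ACCESS_LOG)
    for hit in found:
        print(hit)
    print(attempts_by_source(found))
```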

Black Kite’s Grafana – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-59159 — SILLYTAVERN
SillyTavern is a locally hosted web-based interface designed to connect users with AI models such as OpenAI, KoboldAI, or local LLMs for interactive conversations and roleplay-style chat experiences. It serves as a customizable front-end client that runs on a user’s machine, managing AI sessions, extensions, and API connections.
WHAT IS THE SILLYTAVERN DNS REBINDING VULNERABILITY?
CVE-2025-59159 (CVSS 9.6, EPSS 0.02%) is a critical DNS rebinding vulnerability affecting SillyTavern versions ≤1.13.3.
The flaw allows attackers to bypass CORS restrictions and remotely control local SillyTavern instances by tricking browsers into resolving malicious domains to 127.0.0.1.
Exploitation can lead to remote code execution, data theft, or HTML injection for phishing.
Disclosed on October 5, 2025, the issue has an available public PoC. It is not listed in CISA’s KEV catalog.
Version 1.13.4 introduces a hostWhitelist.enabled configuration to mitigate this risk.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT CVE-2025-59159?
SillyTavern interacts with AI services and can store sensitive chat histories, credentials, and tokens.
Exploitation of this flaw could expose proprietary or confidential business data if vendors use local AI assistants or APIs in production.
From a TPRM standpoint, it poses supply chain exposure if compromised systems connect to enterprise environments or external AI APIs containing regulated information.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK ABOUT THIS ISSUE?
- Are you running SillyTavern version 1.13.3 or earlier?
- Have you upgraded to v1.13.4 or later and enabled hostWhitelist.enabled in config.yaml?
- Do you restrict access to SillyTavern instances from external or untrusted networks?
- Have you reviewed browser logs or network traffic for signs of DNS rebinding attempts?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Upgrade immediately to v1.13.4 or newer.
- Enable host validation via SILLYTAVERN_HOSTWHITELIST_ENABLED=true.
- Isolate local AI instances from general network access.
- Educate users on phishing and DNS rebinding tactics.
- Implement SSL and reverse proxy restrictions for locally hosted web interfaces.
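DNS rebinding works because the browser, once the attacker's domain starts resolving to 127.0.0.1, still sends that domain in the Host header; checking the Host header against an allowlist of the names the service is actually reached by is the defence a host whitelist setting provides. The block below is an added example of that check in generic Python, not SillyTavern's own code: it parses the Host header, including bracketed IPv6 literals, normalises IP literals, and rejects anything not on the allowlist. The allowlist and the sample headers are constructed.

```python
import ipaddress

# Names a locally hosted service should accept in the Host header. Constructed
# default for this example; a real deployment lists exactly the names its own
# users type into the browser.
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def parse_host_header(value):
    """Return (host, port) from a Host header, or None if it is malformed.
    Handles bracketed IPv6 literals such as [::1]:8000."""
    value = (value or "").strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] if rest else ""
    else:
        host, _, port = value.partition(":")
    if not host or (port and not port.isdigit()):
        return None
    return host, (int(port) if port else None)


def canonical_host(host):
    """Normalise IP literals (0:0:0:0:0:0:0:1 -> ::1) and strip trailing dots."""
    host = host.rstrip(".")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


def host_allowed(host_header, allowed=DEFAULT_ALLOWED_HOSTS):
    parsed = parse_host_header(host_header)
    if parsed is None:
        return False
    return canonical_host(parsed[0]) in allowed


def handle_request(headers, allowed=DEFAULT_ALLOWED_HOSTS):
    """Minimal request gate returning an HTTP status code. In a DNS rebinding
    attack the browser still sends the attacker's hostname in Host, even
    though that name now resolves to 127.0.0.1, so the gate rejects it."""
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    return 200 if host_allowed(host, allowed) else 403


if __name__ == "__main__":
    # Constructed sample headers: a legitimate local request and a rebound one.
    for sample in ({"Host": "localhost:8000"}, {"Host": "rebind.example:8000"}, {}):
        print(sample, "->", handle_request(sample))
```

The port is deliberately ignored by the allowlist comparison: rebinding changes which name resolves to the loopback address, not which port the service listens on, so matching on the name is what matters.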

Black Kite’s SillyTavern FocusTag™ details critical insights on the event for TPRM professionals.
CVE-2025-11241 — YOAST SEO PREMIUM
WHAT IS THE YOAST SEO PREMIUM XSS VULNERABILITY?
CVE-2025-11241 is a stored cross-site scripting (XSS) vulnerability in the Yoast SEO Premium plugin for WordPress with a CVSS score of 6.4 and an EPSS of 0.03%.
Disclosed on October 3, 2025, this flaw affects versions 25.7, 25.8, and 25.9 and arises from a flawed regular expression used for attribute sanitization.
Attackers with Contributor-level privileges or higher can exploit this issue to inject malicious JavaScript within post content, which executes when viewed by administrators or visitors.
This enables actions such as cookie theft, privilege escalation, or the injection of persistent phishing payloads.
Public Proof-of-Concept exploits have been published, though the vulnerability has not been added to CISA’s KEV catalog or linked to active exploitation.
WHY SHOULD TPRM PROFESSIONALS CARE ABOUT CVE-2025-11241?
Yoast SEO is one of the most widely deployed WordPress plugins used for optimizing site visibility and metadata.
An unpatched vulnerability in this plugin could lead to compromise of websites managed by vendors, allowing attackers to manipulate search data, inject malicious code, or harvest sensitive user sessions.
For TPRM professionals, this is a concern because third-party vendors often use WordPress-based portals for client communications, support, or documentation hosting — making them attractive targets for supply chain attacks that propagate through legitimate-looking pages.
WHAT QUESTIONS SHOULD TPRM PROFESSIONALS ASK VENDORS ABOUT THIS ISSUE?
- Are you running Yoast SEO Premium version 25.9 or earlier, and if so, when do you plan to update to version 26.0 or later?
- Is the AI feature in Yoast SEO currently enabled, and how are user roles restricted to prevent untrusted Contributors from posting content?
- Have you implemented Content Security Policy (CSP) headers to mitigate potential script injection attempts?
- Do you conduct regular plugin vulnerability scans on your WordPress deployments to identify outdated or exposed components?
REMEDIATION RECOMMENDATIONS FOR VENDORS SUBJECT TO THIS RISK
- Update immediately to Yoast SEO Premium version 26.0 or later, which patches the vulnerable sanitization mechanism.
- Restrict user roles to enforce the principle of least privilege — limit Contributor-level access where not necessary.
- Implement a CSP to restrict script execution from untrusted sources.
- Continuously monitor for unauthorized content or script insertions in WordPress posts and pages.
- Audit plugin dependencies regularly to ensure all WordPress components are kept current with the latest security releases.
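The monitoring step above can be automated. The following is an added example, not Yoast's or WordPress's own code: it walks stored post HTML with a real parser rather than a regular expression (the kind of attribute-sanitizing regex that failed here), and reports script-capable markup only in posts by authors below Editor level. The row shape (id, author_role, content) and the sample posts are constructed for the example.

```python
from html.parser import HTMLParser

# Constructs that have no business in a Contributor-authored post body.
RISKY_TAGS = {"script", "iframe", "object", "embed", "svg", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
RISKY_SCHEMES = ("javascript:", "data:", "vbscript:")

class ScriptFinder(HTMLParser):
    """Parser-based walk: tag/attribute case and spacing are normalised for us."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in RISKY_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):  # inline event handler attribute
                self.findings.append(f"handler:{name}")
            elif name in URL_ATTRS and value.startswith(RISKY_SCHEMES):
                self.findings.append(f"uri:{name}")

def scan_post(html):
    """Return every risky construct found in one post body, in document order."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def audit_posts(posts, trusted_roles=("administrator", "editor")):
    """Report (post id, findings) for posts written by lower-privileged authors."""
    report = []
    for post in posts:
        if post["author_role"] in trusted_roles:
            continue
        hits = scan_post(post["content"])
        if hits:
            report.append((post["id"], hits))
    return report

# Constructed sample rows shaped like wp_posts joined to the author's role.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "contributor",
     "content": '<p>Hello</p><img src="x" onerror="alert(1)">'},
    {"id": 102, "author_role": "contributor",
     "content": '<a href=" JavaScript:void(0)">click</a>'},
    {"id": 103, "author_role": "editor", "content": "<script>ok()</script>"},
    {"id": 104, "author_role": "contributor", "content": "<p>Plain <b>text</b></p>"},
]
```

Running `audit_posts(SAMPLE_POSTS)` flags posts 101 and 102 only; the editor-authored post is skipped by role, and the plain post produces no findings.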

Black Kite’s WP Yoast SEO – Oct2025 FocusTag™ details critical insights on the event for TPRM professionals.
HOW TPRM PROFESSIONALS CAN LEVERAGE BLACK KITE FOR THESE VULNERABILITIES
Black Kite’s FocusTags™ empower Third-Party Risk Management (TPRM) teams to identify vendors exposed to specific vulnerabilities across a wide range of technologies—from enterprise software to open-source tools and web plugins. Each tag provides correlated asset intelligence, affected version data, and actionable insights to prioritize remediation and strengthen vendor oversight. Below is how TPRM professionals can utilize Black Kite for each vulnerability addressed this week:
- Oracle EBS — The Oracle EBS FocusTag helps identify vendors using outdated or unpatched ERP and middleware systems. Through correlated IP and subdomain data, Black Kite enables TPRM teams to confirm which partners still run vulnerable Oracle components and whether they’ve applied Oracle’s quarterly critical patch updates.
- Jenkins – Oct2025 — This tag identifies vendors operating exposed Jenkins CI/CD servers vulnerable to deserialization flaws. Black Kite links these systems to known internet-facing endpoints, allowing TPRM professionals to evaluate supply chain exposure within software development environments and verify vendor patch adoption.
- Redis – Oct2025 — With Redis, Black Kite detects vendors running misconfigured or outdated database instances exposed to privilege escalation or authentication bypass risks. The FocusTag supports prioritizing outreach to confirm if vendors have secured their Redis environments, especially where sensitive caching or session data is stored.
- DrayTek Vigor – Oct2025 — The DrayTek Vigor tag highlights vendors relying on network infrastructure affected by known remote code execution vulnerabilities. Black Kite provides details on firmware versions and device exposure, allowing TPRM teams to assess network segmentation practices and replacement strategies among third-party vendors.
- Zimbra – Oct2025 — For Zimbra’s exploited stored XSS zero-day, the FocusTag identifies vendors with exposed Zimbra Collaboration environments. By mapping subdomains and mail server configurations, Black Kite helps TPRM professionals validate whether vendors have implemented the latest patches and mitigations.
- Elastic – Oct2025 — The Elastic tag correlates exposed Kibana and Elasticsearch instances with specific CVE identifiers. It helps risk teams recognize which vendors’ analytics or monitoring systems may be compromised, enabling faster prioritization of follow-up and verification of patch timelines.
- Django – Oct2025 — The Django tag connects vulnerable framework versions to vendors’ web applications and backend technologies. TPRM professionals can leverage this data to confirm whether affected versions have been updated and assess risks of SQL injection or directory traversal within vendor-managed web systems.
- Grafana – Oct2025 — Grafana’s FocusTag provides visibility into vulnerable dashboard environments impacted by directory traversal flaws. Black Kite maps affected assets, helping organizations determine if their vendors’ monitoring interfaces remain unpatched and exposed to exploitation attempts.
- SillyTavern — For SillyTavern, Black Kite identifies vendors using AI-integrated or locally hosted interfaces vulnerable to DNS rebinding attacks. The tag enables early detection of vendors potentially exposing local development environments, supporting proactive risk discussions around AI and web security.
- WP Yoast SEO – Oct2025 — The Yoast SEO tag tracks vendors operating WordPress sites using affected plugin versions. By linking plugin fingerprinting and domain data, Black Kite helps TPRM professionals confirm whether vendors have upgraded to secure versions and assess exposure in marketing or content management ecosystems.
ENHANCING TPRM PROGRAMS WITH BLACK KITE’S FOCUSTAGS™
In today’s fast-moving vulnerability landscape, Black Kite’s FocusTags™ are indispensable tools for TPRM professionals tasked with monitoring thousands of vendors and their technology stacks. By contextualizing recent vulnerabilities—like those impacting Oracle E-Business Suite, Jenkins, Redis, DrayTek Vigor, Zimbra Collaboration Suite, Elastic Kibana, Django, Grafana, SillyTavern, and WordPress Yoast SEO—these tags deliver targeted, data-driven insights that help organizations act quickly and decisively.
Key benefits of leveraging FocusTags™ include:
- Immediate Vendor Identification: FocusTags™ instantly reveal which vendors are potentially exposed to specific vulnerabilities, eliminating guesswork and streamlining incident response.
- Strategic Risk Prioritization: By combining vulnerability severity, exploit probability, and vendor criticality, FocusTags™ enable organizations to allocate remediation efforts where they matter most.
- Focused Vendor Communication: Instead of sending broad questionnaires to all third parties, TPRM teams can engage vendors directly about confirmed or suspected exposures tied to known assets.
- Comprehensive Threat Correlation: Beyond individual vulnerabilities, FocusTags™ aggregate indicators across systems, providing a unified risk picture that spans software dependencies, exposed IPs, and related subdomains.
Ultimately, Black Kite’s FocusTags™ transform raw vulnerability data into actionable third-party intelligence, empowering security and risk teams to operate efficiently, reduce assessment fatigue, and maintain proactive visibility across their entire vendor ecosystem.
ABOUT FOCUS FRIDAY
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FOCUSTAGS™ IN THE LAST 30 DAYS
- Oracle EBS: CVE-2025-61882, Remote Code Execution Vulnerability, Missing Authentication for Critical Function Vulnerability in Oracle E-Business Suite.
- Jenkins – Oct2025: CVE-2017-1000353, Remote Code Execution Vulnerability in Jenkins.
- Redis – Oct2025: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, Remote Code Execution Vulnerability in Redis.
- DrayTek Vigor – Oct2025: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
- Zimbra – Oct2025: CVE-2025-27915, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite.
- Elastic – Oct2025: CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728, Cross-Site Scripting (XSS) Vulnerability, Unrestricted File Upload Vulnerability, Information Disclosure Vulnerability, Insufficiently Protected Credentials Vulnerability in Elastic & Kibana.
- Django – Oct2025: CVE-2025-59681, CVE-2025-59682, SQL Injection Vulnerability, Directory Traversal Vulnerability in Django.
- Grafana – Oct2025: CVE-2021-43798, Directory Traversal Vulnerability in Grafana.
- SillyTavern: CVE-2025-59159, DNS Rebinding Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability, Exposure of Sensitive Information Vulnerability in SillyTavern.
- WP Yoast SEO – Oct2025: CVE-2025-11241, Cross-Site Scripting (XSS) Vulnerability in WP Yoast SEO.
- Cisco ASA – Sep2025: CVE-2025-20333, CVE-2025-20362, Buffer Overflow Vulnerability, Missing Authorization in Cisco ASA and Cisco FTD.
- Cisco ASA & FTD & IOS – Sep2025: Buffer Overflow Vulnerability, Remote Code Execution Vulnerability in Cisco ASA, Cisco IOS, and Cisco FTD.
- VMware vCenter – Sep2025: CVE-2025-41250, SMTP Header Injection Vulnerability, Username Enumeration Vulnerability, Weak Password Recovery Mechanism Vulnerability in VMware vCenter.
- WD My Cloud: CVE-2025-30247, Command Injection Vulnerability in multiple Western Digital My Cloud network-attached storage (NAS) devices.
- Formbricks: CVE-2025-59934, Remote Code Execution Vulnerability in Formbricks.
- GoAnywhere – Sep2025: CVE-2025-10035, Deserialization Remote Code Execution Vulnerability in Fortra GoAnywhere MFT.
- SolarWinds Web Help Desk – Sep2025: CVE-2025-26399, Remote Code Execution Vulnerability in SolarWinds Web Help Desk.
- Cisco SNMP – Sep2025: CVE-2025-20352, Stack Overflow Vulnerability leading to DoS and Remote Code Execution in Cisco IOS and IOS XE Software.
- DNN Software: CVE-2025-59545, Stored Cross-Site Scripting (XSS) Vulnerability in DNN Prompt Module.
- Jetty – MadeYouReset: CVE-2025-5115, MadeYouReset DoS Vulnerability in Eclipse’s Jetty.
- Jenkins – Sep2025: CVE-2025-59474, CVE-2025-59475, CVE-2025-59476, Information Disclosure Vulnerability, Log Message Injection Vulnerability in Jenkins.
- CUPS – Sep2025: CVE-2025-58364, CVE-2025-58060, Deserialization Vulnerability, Denial of Service Vulnerability, Authentication Bypass Vulnerability in CUPS.
- SharePoint – Sep2025: CVE-2025-54897, CVE-2025-53760, Deserialization Vulnerability, Code Execution Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability in Microsoft SharePoint.
- MSSQL – Sep2025: CVE-2025-47997, CVE-2025-55227, Race Condition Vulnerability, Command Injection Vulnerability in Microsoft SQL Server.
- SAP NetWeaver – Sep2025: CVE-2025-42944, CVE-2025-42922, CVE-2025-42958, Insecure Deserialization Vulnerability, Insecure File Operations Vulnerability, Missing Authentication Check Vulnerability in SAP NetWeaver.
- Django: CVE-2025-57833, SQL Injection Vulnerability in Django.
- FreePBX: CVE-2025-57819, Remote Code Execution Vulnerability in Sangoma’s FreePBX.
See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag™ at https://blackkite.com/cve-database/.
REFERENCES
https://nvd.nist.gov/vuln/detail/CVE-2025-61882
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
https://github.com/rxerium/CVE-2025-61882/blob/main/CVE-2025-61882.yaml
https://nvd.nist.gov/vuln/detail/CVE-2017-1000353
https://www.jenkins.io/security/advisory/2017-04-26
https://github.com/vulhub/CVE-2017-1000353
https://www.exploit-db.com/exploits/41965
https://nvd.nist.gov/vuln/detail/CVE-2025-49844
https://nvd.nist.gov/vuln/detail/CVE-2025-46817
https://nvd.nist.gov/vuln/detail/CVE-2025-46818
https://nvd.nist.gov/vuln/detail/CVE-2025-46819
https://github.com/redis/redis/releases/tag/8.2.2
https://redis.io/blog/security-advisory-cve-2025-49844/
https://nvd.nist.gov/vuln/detail/CVE-2025-10547
https://www.draytek.co.uk/support/security-advisories/kb-advisory-cve-2025-10547
https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities
https://nvd.nist.gov/vuln/detail/CVE-2025-27915
https://thehackernews.com/2025/10/zimbra-zero-day-exploited-to-target.html
https://www.cve.org/CVERecord?id=CVE-2025-27915
https://nvd.nist.gov/vuln/detail/CVE-2025-25009
https://nvd.nist.gov/vuln/detail/CVE-2025-25017
https://nvd.nist.gov/vuln/detail/CVE-2025-25018
https://nvd.nist.gov/vuln/detail/CVE-2025-37727
https://nvd.nist.gov/vuln/detail/CVE-2025-37728
https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-20/382449
https://discuss.elastic.co/t/kibana-8-18-8-8-19-4-9-0-7-9-1-4-security-update-esa-2025-16/382450
https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-17/382451
https://nvd.nist.gov/vuln/detail/CVE-2025-59681
https://nvd.nist.gov/vuln/detail/CVE-2025-59682
https://www.djangoproject.com/weblog/2025/oct/01/security-releases
https://nvd.nist.gov/vuln/detail/CVE-2021-43798
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal
https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce
https://nvd.nist.gov/vuln/detail/CVE-2025-59159
https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-7cxj-w27x-x78q
https://nvd.nist.gov/vuln/detail/CVE-2025-11241
https://developer.yoast.com/changelog/yoast-seo-premium/26.0/