
FOCUS FRIDAY: TPRM Insights on React2Shell Urgent Exploitation Update and Critical Risks in ScreenConnect, CentreStack & Triofox, Jenkins, FreePBX, and Gogs

Published: Dec 19, 2025

Updated: Dec 19, 2025

Authors: Ferdi Gül

Contributors: Hakan Karabacak

Breaking Update (React2Shell Actively Weaponized in Large-Scale Attacks)

The critical vulnerability known as React2Shell (CVE-2025-55182, CVSS 10.0) is being actively exploited and leveraged in large-scale attack campaigns.

Multiple threat actors are abusing this vulnerability to deploy backdoors on Linux servers, including KSwapDoor and ZnDoor, along with various RATs and backdoor malware families.

Attacks typically begin with remote command execution, followed by:

  • Interactive shell access, file operations, and lateral movement
  • SOCKS5 proxy setup, port forwarding, and reverse shell deployment
  • Cloud and AI credential harvesting, including AWS, Azure, GCP, OpenAI API keys, and Kubernetes service accounts
  • Persistence and defense evasion techniques, such as Cloudflare Tunnel abuse and impersonation of legitimate services

Google has confirmed that at least five China-linked threat groups have weaponized this vulnerability.

Microsoft reported observing post-exploitation activity, including the use of Cobalt Strike, remote management tools, and SSH authorization modifications.

According to Beelzebub’s analysis, the attack campaign known as Operation PCPcat has impacted more than 59,000 servers to date.

Shadowserver is tracking over 111,000 vulnerable IP addresses, while GreyNoise identified 547 active attacker IPs within the last 24 hours (Dec 16, 2025).

In summary, React2Shell is a critical vulnerability used in large-scale, automated, and high-impact attacks, requiring immediate patching and mitigation efforts.

Latest React2Shell Exploitation Intelligence:

Threat Actors: China-nexus groups, North Korea–linked actors, UNC5174, etc.

Malware Families: MINOCAT, HISONIC, COMPOOD, XMRig miners, Jackpot, Lamia, Evilginx, SNOWLIGHT, RondoDox, EtherRAT, etc.

In a confirmed real-world incident observed on December 5, a threat actor exploited the React2Shell vulnerability to gain initial access and deploy the Weaxor ransomware strain in less than one minute.

Introduction

This week’s Focus Friday examines a cluster of high-impact vulnerabilities affecting widely used infrastructure and development platforms, including remote support tools, CI/CD systems, file-sharing services, telephony platforms, and self-hosted Git services. Several of these issues involve active exploitation, authentication bypasses, or remote code execution paths that can materially impact vendor operations and downstream customers. From a Third-Party Risk Management (TPRM) perspective, these incidents highlight the importance of quickly distinguishing which vendors are truly exposed, understanding how exploitation could affect business operations, and prioritizing remediation efforts accordingly. In this edition, we explore how Black Kite’s FocusTags™ help TPRM teams cut through noise and focus on the vendors that matter most.

Filtered view of companies with ScreenConnect - Dec2025 FocusTag™ on the Black Kite platform.

CVE-2025-14265 (ScreenConnect Server Vulnerability)

What Is the ScreenConnect Vulnerability (CVE-2025-14265)?

CVE-2025-14265 is a critical security vulnerability affecting the server component of ConnectWise ScreenConnect, a widely used remote support and remote access solution. The issue arises from insufficient server-side validation and missing integrity checks during extension handling. As a result, an attacker with authorized or administrative-level access can expose sensitive configuration data or install untrusted extensions on the affected server.

This vulnerability combines exposure of sensitive information with download of code without integrity verification, creating conditions for persistent compromise and further abuse of the environment. The vulnerability carries a CVSS score of 9.1 (Critical) and an EPSS score of 0.05%, indicating high potential impact despite currently low observed exploitation probability.

The vulnerability was published in mid-December 2025. At the time of publication, there were no publicly reported exploitation campaigns or proof-of-concept exploits, and it has not been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. No CISA advisory has been issued related to this vulnerability.

Although exploitation requires prior authenticated access, the severity remains high due to the privileged position of ScreenConnect servers within enterprise and service provider environments.

Why Should TPRM Professionals Care About CVE-2025-14265?

ScreenConnect is commonly used by vendors and service providers to deliver remote administration, technical support, and managed services. These systems often operate with elevated privileges and direct access to internal networks, customer systems, and sensitive operational data.

From a third-party risk management perspective, a compromised ScreenConnect server can become a control point for attackers, enabling:

  • Persistent access through malicious extensions
  • Exposure of sensitive configuration details
  • Abuse of trusted remote support channels
  • Lateral movement into downstream customer environments

Even though the vulnerability requires authorized access, weak access controls, credential reuse, or prior compromise within a vendor environment could significantly increase risk. For organizations relying on third parties that operate their own on-premise ScreenConnect servers, this vulnerability introduces supply chain and operational integrity concerns that warrant focused assessment.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To assess exposure and risk related to CVE-2025-14265, TPRM professionals should consider asking vendors the following targeted questions:

  1. Can you confirm if you have upgraded all instances of ConnectWise ScreenConnect server components to version 25.8 or later to mitigate the risk of CVE-2025-14265?
  2. Have you implemented robust monitoring for any unusual activity, especially concerning configuration file access, unauthorized extension installations, or unexpected changes to the ScreenConnect server, as recommended in the advisory?
  3. Have you reviewed and hardened access controls, enforcing strong access controls and the principle of least privilege for all ScreenConnect users and administrators, as suggested in the advisory?
  4. Can you confirm if you have updated all guest clients to the same version (25.8) as the server upgrade to ensure compatibility and security?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using ScreenConnect should take the following remediation actions to reduce exposure:

  • Upgrade On-Premise Servers Immediately: All self-hosted ScreenConnect server components should be upgraded to version 25.8 or newer, which addresses the integrity and validation issues.
  • Ensure Guest Client Compatibility: Guest clients should be updated alongside the server to ensure secure and consistent operation.
  • Strengthen Access Controls: Limit administrative access to ScreenConnect using role-based access controls, strong authentication mechanisms, and least-privilege principles.
  • Monitor Server Activity: Actively monitor for suspicious configuration access, unauthorized extension installations, and anomalous administrative behavior.
  • Audit Existing Extensions: Review all installed extensions to confirm they are trusted, approved, and aligned with operational requirements.

Black Kite’s ScreenConnect - Dec2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-14611 (CentreStack & Triofox Vulnerability)

What Is the CentreStack & Triofox Vulnerability (CVE-2025-14611)?

CVE-2025-14611 is a critical vulnerability affecting Gladinet CentreStack and Triofox deployments prior to version 16.12.10420.56791. The issue combines use of hard-coded cryptographic keys with arbitrary local file inclusion, ultimately enabling remote code execution (RCE) through a chained exploitation process.

The root cause lies in the AES encryption implementation used by the filesvr.dn HTTP handler. The application relies on static, hard-coded cryptographic keys and initialization vectors generated by the GenerateSecKey function within a core library. Because these values are identical across all vulnerable installations, an unauthenticated attacker can reverse-engineer the keys and forge malicious access tickets.

Exploitation is performed as a two-stage attack chain. First, forged access tickets are used to bypass authorization and read arbitrary files from the server, most notably the application’s configuration file containing ASP.NET machine keys. Second, the stolen machine keys are leveraged to construct a malicious ViewState payload, leading to deserialization-based remote code execution with the privileges of the IIS Application Pool Identity, with potential escalation to full system-level access.

This vulnerability has a CVSS score of 9.8 (Critical) and a notably high EPSS score of 12.27%, reflecting both severe impact and elevated likelihood of exploitation. It was publicly disclosed in mid-December 2025 and has been actively exploited in the wild, with confirmed observations of attackers abusing persistent, non-expiring download URLs and chaining the issue with additional weaknesses for data exfiltration.

CISA added CVE-2025-14611 to the Known Exploited Vulnerabilities (KEV) Catalog on December 15, 2025. No standalone CISA advisory has been issued beyond the KEV listing.

Why Should TPRM Professionals Care About CVE-2025-14611?

CentreStack and Triofox are commonly used to provide secure file sharing, remote access, and enterprise file synchronization, often acting as gateways to sensitive internal documents and authentication material. From a TPRM perspective, this vulnerability represents a high-impact supply chain risk.

Active exploitation combined with unauthenticated access means that a vulnerable third-party deployment can be compromised without user interaction. Successful exploitation enables attackers to:

  • Exfiltrate sensitive files and cryptographic secrets
  • Establish persistent access using non-expiring malicious URLs
  • Execute arbitrary code on servers that may be integrated with broader enterprise environments

For organizations that rely on vendors using CentreStack or Triofox for file services, this creates exposure to data confidentiality breaches, integrity loss, and potential lateral movement into connected systems. The confirmed presence of real-world exploitation significantly elevates urgency for vendor verification and remediation tracking.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To assess vendor risk related to CVE-2025-14611, TPRM professionals should consider asking:

  1. Have you updated all instances of Gladinet CentreStack and Triofox to version 16.12.10420.56791 or later to mitigate the risk of CVE-2025-14611?
  2. Has the machineKey in the web[.]config file been rotated after the update to invalidate any potentially malicious ViewState payloads?
  3. Have you implemented measures to block the reported threat actor IP address '147.124.216[.]205' at the network perimeter (firewall/WAF) to prevent further exploitation attempts?
  4. Have you reviewed your IIS logs and application event logs for signs of compromise, specifically searching for the encrypted string 'vghpI7EToZUDIZDdprSubL3mTZ2' in GET requests to '/storage/filesvr.dn'?

Remediation Recommendations for Vendors Subject to This Risk

Vendors operating CentreStack or Triofox should take the following actions without delay:

  • Apply Patches Immediately: Upgrade all affected deployments to version 16.12.10420.56791 or newer, which addresses the cryptographic weaknesses and authorization bypass.
  • Rotate Machine Keys: Change the ASP.NET machineKey in the application configuration to invalidate any malicious ViewState payloads generated prior to remediation.
  • Hunt for Compromise Indicators: Review IIS and application logs for suspicious access patterns, particularly requests attempting to retrieve sensitive configuration files.
  • Inspect for Persistence: Examine servers for unauthorized files, scheduled tasks, altered web application components, or other indicators of post-exploitation activity.
  • Enforce Least Privilege: Review and restrict the IIS Application Pool Identity permissions to minimize the impact of any future exploitation attempts.
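The log-hunting step above can be automated. The script below is an added example (not Black Kite's or Gladinet's code) that parses IIS W3C extended logs using their own `#Fields:` header and flags the two indicators this post names: GET requests to `/storage/filesvr.dn` whose query string contains the encrypted ticket marker `vghpI7EToZUDIZDdprSubL3mTZ2`, and any request from the reported attacker IP 147.124.216[.]205. The log entries are constructed samples, and the query parameter name `ticket` is a placeholder rather than the product's real parameter.

```python
"""Hunt IIS W3C logs for the CVE-2025-14611 indicators named in this post.

Added example, not Black Kite's or Gladinet's code. Flags GET requests to
/storage/filesvr.dn carrying the encrypted ticket marker in the query string,
and any request from the reported attacker IP. Sample log lines are constructed;
the 'ticket' parameter name is a placeholder, not the product's real parameter.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

TICKET_MARKER = "vghpI7EToZUDIZDdprSubL3mTZ2"   # indicator string from the post
HANDLER_PATH = "/storage/filesvr.dn"            # vulnerable handler path from the post
ATTACKER_IPS = {"147.124.216.205"}              # reported attacker IP from the post (refanged)

# Constructed IIS W3C extended log using the default field set.
SAMPLE_LOG_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-12-14 03:12:05 10.0.0.5 GET /portal/loginpage.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 120",
    "2025-12-14 03:12:09 10.0.0.5 GET /storage/filesvr.dn ticket=vghpI7EToZUDIZDdprSubL3mTZ2AAAA 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 45",
    "2025-12-14 03:13:44 10.0.0.5 POST /portal/default.aspx - 443 - 147.124.216.205 Mozilla/5.0 - 302 0 0 88",
    "2025-12-14 03:15:00 10.0.0.5 GET /storage/filesvr.dn ticket=legitimateticket 443 alice 10.0.0.22 Mozilla/5.0 - 200 0 0 30",
]


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field dict), taking column names from the #Fields header."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {n}: log data before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry: skip it rather than abort the whole hunt
        yield n, dict(zip(fields, values))


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per matching indicator; a single line may produce two."""
    hits: List[Hit] = []
    for n, rec in parse_w3c(lines):
        ip = rec.get("c-ip", "-")
        if ip in ATTACKER_IPS:
            hits.append(Hit(n, ip, "request from reported attacker IP"))
        if (rec.get("cs-method") == "GET"
                and rec.get("cs-uri-stem", "").lower() == HANDLER_PATH
                and TICKET_MARKER in rec.get("cs-uri-query", "")):
            hits.append(Hit(n, ip, "forged-ticket marker in GET to filesvr.dn"))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG_LINES):
        print(f"line {hit.line_no}: {hit.client_ip} - {hit.reason}")
```

`hunt()` accepts any iterable of strings, so a real log can be passed as an open file handle; because it maps columns from the `#Fields:` header instead of fixed offsets, it still works when a server logs a non-default field set.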

Black Kite’s CentreStack & Triofox - Dec2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-67635, CVE-2025-67637, CVE-2025-67636 (Jenkins Core Vulnerabilities)

What Are the Jenkins Vulnerabilities Addressed in This FocusTag?

The Jenkins – Dec2025 FocusTag covers three distinct vulnerabilities affecting Jenkins Core, each impacting availability or confidentiality in different ways.

CVE-2025-67635 is a high-severity Denial of Service (DoS) vulnerability in the HTTP-based Jenkins Command Line Interface (CLI). Due to improper handling of corrupted connection streams, unauthenticated attackers can open malformed HTTP CLI connections that are never properly closed. This causes request-handling threads to remain blocked indefinitely, eventually exhausting server resources and rendering the Jenkins instance unavailable. This vulnerability has a CVSS score of 7.5 and an EPSS score of 0.07%.

CVE-2025-67637 is a medium-severity information disclosure vulnerability involving build authorization tokens. Prior to the fix, these tokens were stored in plaintext within Jenkins configuration files, allowing users with read access to observe sensitive credentials. The vulnerability has a CVSS score of 4.3 and an EPSS score of 0.01%.

CVE-2025-67636 is a medium-severity missing authorization vulnerability related to password redaction. Users with basic “View/Read” permissions were able to see encrypted password values that should have been hidden. The fix enforces stricter permission checks, limiting access to users with appropriate “Configure” rights. This vulnerability has a CVSS score of 4.3 and an EPSS score of 0.03%.

All three vulnerabilities were publicly disclosed on December 10–11, 2025, making them recent at the time of publication. There are no known cases of exploitation in the wild, no publicly available proof-of-concept exploits, and none of the CVEs are listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. CISA has not issued a dedicated advisory for these issues.

Why Should TPRM Professionals Care About These Jenkins Vulnerabilities?

Jenkins is a critical component in many vendors’ software development and CI/CD pipelines, often handling source code, build artifacts, secrets, and deployment credentials. From a TPRM perspective, weaknesses in Jenkins directly affect software supply chain integrity and service reliability.

The unauthenticated DoS vulnerability (CVE-2025-67635) introduces availability risk, where attackers can disrupt build pipelines and automated deployments, potentially delaying releases or interrupting operational workflows. For service providers and software vendors, this can translate into missed SLAs and downstream customer impact.

The information disclosure and authorization issues (CVE-2025-67637 and CVE-2025-67636) introduce confidentiality risks, where sensitive tokens or encrypted credentials could be exposed to internal users beyond their intended privilege level. In multi-tenant or shared Jenkins environments, this raises concerns around credential reuse, lateral movement, and unauthorized access to production systems.

For organizations relying on third-party vendors that manage their own Jenkins infrastructure, these vulnerabilities highlight the importance of assessing secure configuration practices, access controls, and patch management discipline within the vendor’s development environment.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To better understand vendor exposure and control maturity, TPRM professionals may ask:

  1. Have you upgraded all instances of Jenkins Core to version 2.541 or LTS 2.528.3 to mitigate the risk of CVE-2025-67635, CVE-2025-67637, and CVE-2025-67636?
  2. Can you confirm if you have implemented the recommended action of encrypting existing build tokens after updating Jenkins Core to prevent information disclosure as highlighted in CVE-2025-67637?
  3. Have you reviewed and enforced the principle of least privilege, especially for "View/Configure" permissions, to minimize the impact of vulnerabilities like CVE-2025-67636?
  4. Can you confirm if you have taken measures to properly close HTTP-based CLI connections when the connection stream becomes corrupted to prevent a potential DoS attack as described in CVE-2025-67635?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using Jenkins should implement the following remediation steps:

  • Upgrade Jenkins Core Immediately: Update all Jenkins instances to Core version 2.541 or LTS 2.528.3 to remediate the DoS, information disclosure, and authorization flaws.
  • Review CLI Exposure: Evaluate whether the HTTP-based CLI is required and restrict access at the network or application level if it remains enabled.
  • Encrypt Legacy Build Tokens: After upgrading, use the Jenkins “Manage Old Data” functionality to encrypt any previously stored plaintext build authorization tokens.
  • Tighten Permission Models: Enforce least-privilege access by reviewing user roles and ensuring sensitive configuration fields are only visible to appropriately authorized users.
  • Monitor for Resource Exhaustion: Implement monitoring and alerting for abnormal thread usage or connection patterns that could indicate attempted DoS activity.

Black Kite’s Jenkins - Dec2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-66039, CVE-2025-61675, CVE-2025-61678 (FreePBX Vulnerabilities)

What Are the FreePBX Vulnerabilities Covered in This FocusTag?

The FreePBX – Dec2025 FocusTag addresses three high-impact vulnerabilities that can be chained to achieve remote code execution (RCE) on affected FreePBX systems.

CVE-2025-66039 is a critical authentication bypass vulnerability affecting FreePBX instances configured with the legacy webserver authentication type. By supplying a crafted Authorization HTTP header containing a valid username and any invalid password, the application incorrectly treats the request as authenticated. This flaw enables unauthenticated attackers to access protected administrative endpoints. The vulnerability has a CVSS score of 9.3 and an EPSS score of 0.09%.

CVE-2025-61675 is a high-severity SQL injection vulnerability in the FreePBX Endpoint Management module. Multiple input parameters across several endpoints are vulnerable, allowing attackers to read from and write to the backend database. Because FreePBX stores configuration and scheduled task data in the database, successful exploitation can lead directly to arbitrary command execution. This vulnerability carries a CVSS score of 8.6 and an EPSS score of 0.06%.

CVE-2025-61678 is a high-severity arbitrary file upload vulnerability combined with path traversal and authentication bypass. An attacker with a valid session or leveraging the CVE-2025-66039 bypass can upload files to arbitrary locations on the file system. Since file contents are not validated, this allows the upload and execution of a webshell, resulting in remote code execution under the webserver user context. This vulnerability has a CVSS score of 8.6 and an EPSS score of 0.16%.

All three vulnerabilities were publicly disclosed in mid-December 2025, making them recent at the time of publication. Public proof-of-concept exploits are available, but there is no confirmed evidence of widespread exploitation in the wild at this time. None of these CVEs have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and no CISA advisory has been published for these issues.
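The authentication bypass described for CVE-2025-66039 (a valid username plus any password accepted from the Authorization header) is a general bug class, and the example below is added to illustrate it; it is not FreePBX code. `vulnerable_authenticate` reproduces the described logic pattern against a constructed user table, and `hardened_authenticate` shows the check a practitioner expects: verify the supplied password against a salted PBKDF2 hash with a constant-time comparison, and fail closed on a missing or malformed header. The user record and password are constructed sample data.

```python
"""HTTP Basic-auth handling: the bug class behind CVE-2025-66039 beside its fix.

Added example, not FreePBX code. The post describes the flaw as: a valid
username with any invalid password is treated as authenticated. The vulnerable
function reproduces that pattern on a constructed user table; the hardened one
verifies the password (salted PBKDF2, constant-time compare) and fails closed.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user table: username -> (salt, pbkdf2 hash). Not real credentials.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a 'Basic <base64>' header, or None if malformed."""
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def vulnerable_authenticate(header: Optional[str]) -> bool:
    """Bug pattern from the post: the username is looked up, the password is never checked."""
    creds = parse_basic_auth(header)
    return creds is not None and creds[0] in USERS


def hardened_authenticate(header: Optional[str]) -> bool:
    """Accept only when the password verifies against the stored hash for that user."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    username, password = creds
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take similar time.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def basic_header(username: str, password: str) -> str:
    """Build an Authorization header value for testing."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    bad = basic_header("admin", "wrong-password")
    print("vulnerable accepts wrong password:", vulnerable_authenticate(bad))
    print("hardened accepts wrong password:  ", hardened_authenticate(bad))
```

The hardened path makes the verdict depend on the password verification result alone and treats every parse failure as a rejection, which is the property a vendor's switch from the legacy `webserver` type back to `usermanager` is meant to restore.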

Why Should TPRM Professionals Care About These FreePBX Vulnerabilities?

FreePBX is widely deployed as a telephony and unified communications platform, often handling voice traffic, call routing, voicemail, call recordings, and administrative credentials. From a TPRM perspective, vulnerabilities in FreePBX introduce both operational disruption risk and confidentiality risk.

Successful exploitation can allow attackers to:

  • Gain full administrative access to PBX systems
  • Execute arbitrary commands on underlying servers
  • Manipulate call routing or intercept voice communications
  • Access stored voicemails and call metadata
  • Establish persistent footholds within vendor infrastructure

For organizations relying on vendors that operate their own FreePBX instances, these vulnerabilities raise concerns around service availability, data privacy, and abuse of trusted communications channels. Because the attack chain can begin with an unauthenticated bypass when insecure authentication settings are enabled, configuration hygiene becomes a key factor in vendor risk exposure.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To evaluate vendor exposure and response readiness, TPRM professionals may ask:

  1. Can you confirm if you have updated all instances of FreePBX to versions 16.0.92 and 17.0.23 or higher to mitigate the risk of CVE-2025-66039, CVE-2025-61675, and CVE-2025-61678?
  2. Have you discontinued the use of the 'webserver' authentication type and reverted to the default 'usermanager' type to prevent the unauthenticated exploitation chains associated with CVE-2025-66039 and CVE-2025-61678?
  3. Have you audited the `ampusers` table for any unauthorized user accounts that may have been created by an attacker using the SQL injection vulnerability (CVE-2025-61675), and removed any suspicious entries?
  4. Have you implemented strict firewall rules to limit access to the FreePBX Administration interface (`/admin/`) from the public internet and allow access only from trusted internal networks or specific administrative VPNs?

Remediation Recommendations for Vendors Subject to This Risk

Vendors operating FreePBX should take the following actions to mitigate risk:

  • Disable Legacy Authentication: Immediately switch from the webserver authentication type to the default and more secure usermanager authentication method.
  • Apply Patch Updates Immediately: Upgrade FreePBX to version 16.0.92 or later and 17.0.23 or later, which address all three vulnerabilities.
  • Restrict Administrative Access: Limit access to the FreePBX administrative interface to trusted networks or VPNs and remove public internet exposure where possible.
  • Audit for Indicators of Compromise: Review databases for unauthorized users or scheduled tasks and scan web directories for unexpected or malicious files.
  • Review User Accounts and Permissions: Validate that no unauthorized administrative accounts were created as a result of SQL injection abuse.

Black Kite’s FreePBX - Dec2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-8110 (Gogs Path Traversal Vulnerability)

What Is the Gogs Vulnerability (CVE-2025-8110)?

CVE-2025-8110 is a high-severity path traversal vulnerability in Gogs, a self-hosted Git service, that can be exploited to achieve remote code execution (RCE). The flaw is a symlink bypass of a previously addressed path traversal issue, allowing attackers to write files outside the intended Git repository directory.

This vulnerability affects authenticated users who have permission to create repositories—a capability that is commonly enabled by default in many Gogs deployments. By abusing symbolic links during repository operations, an attacker can overwrite arbitrary files on the host system. This can ultimately be leveraged to execute malicious code on the server.

CVE-2025-8110 has a CVSS score of 8.7 (High) and an EPSS score of 0.09%. The issue was publicly disclosed in early December 2025, making it a recent vulnerability at the time of publication. Importantly, it is being treated as a zero-day, as no official patch is available as of mid-December 2025.

Active exploitation has been confirmed in the wild. Security researchers observed malware infections across customer environments and identified hundreds of compromised public-facing Gogs instances. Exploitation activity was ongoing as of December 1, 2025. Although proof-of-concept exploits are publicly available, the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and no CISA advisory has been issued.
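The "symlink bypass of a previously addressed path traversal issue" is worth seeing concretely. The example below is added here and is not Gogs code: it builds a throwaway repository directory containing a symbolic link that points outside it, then compares a lexical containment check (which collapses `..` but never follows links) with one that resolves symlinks on both sides before comparing. The directory names and the `link` symlink are constructed for the demonstration.

```python
"""Symlink-aware containment check for writes under a repository root.

Added example, not Gogs' code. The post describes CVE-2025-8110 as a symlink
bypass of an earlier path-traversal fix, so the point shown is the gap between
a lexical check (normalising '..' only) and one that resolves symbolic links
before comparing. The layout is constructed in a temporary directory; 'link'
is a symlink pointing outside the repository.
"""
import os
import tempfile
from typing import Dict, Tuple


def naive_is_inside(root: str, relative: str) -> bool:
    """Lexical check: collapses '..' but never follows symlinks (insufficient)."""
    root_abs = os.path.abspath(root)
    target_abs = os.path.normpath(os.path.join(root_abs, relative))
    return os.path.commonpath([root_abs, target_abs]) == root_abs


def safe_is_inside(root: str, relative: str) -> bool:
    """Resolve symlinks in both root and target, then compare the real paths.

    os.path.realpath resolves every existing component, so a path that passes
    through a symlink to another directory ends up at that directory's real
    location and fails the containment test. Components that do not exist yet
    (a file about to be created) are kept as given.
    """
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(os.path.join(root_real, relative))
    return os.path.commonpath([root_real, target_real]) == root_real


def build_fixture() -> str:
    """Create repos/project.git with a symlink 'link' escaping to a sibling directory."""
    base = tempfile.mkdtemp(prefix="repo-containment-demo-")
    repo = os.path.join(base, "repos", "project.git")
    outside = os.path.join(base, "outside")
    os.makedirs(repo)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "link"))  # constructed escape route
    return repo


# Relative paths a write operation might be asked to touch.
CANDIDATES = ("refs/heads/main", "../../escape.txt", "link/anything.txt")


def check_all(repo: str) -> Dict[str, Tuple[bool, bool]]:
    """Map each candidate path to (naive verdict, symlink-aware verdict)."""
    return {rel: (naive_is_inside(repo, rel), safe_is_inside(repo, rel)) for rel in CANDIDATES}


if __name__ == "__main__":
    for rel, (naive, safe) in check_all(build_fixture()).items():
        print(f"{rel:20} naive={naive!s:5} safe={safe}")
```

The lexical check passes `link/anything.txt` because the string stays under the root, while the resolved check rejects it. A check like this is still racy if the link is created between the check and the write, so a real implementation should also open with `O_NOFOLLOW` or refuse to create symlinks inside the managed tree at all.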

Why Should TPRM Professionals Care About CVE-2025-8110?

Gogs is frequently used by vendors to host source code repositories and internal development workflows, often containing proprietary code, credentials, and deployment logic. From a third-party risk management perspective, this vulnerability represents a direct software supply chain risk.

Successful exploitation allows attackers to:

  • Modify files outside of repository boundaries
  • Execute arbitrary code on development infrastructure
  • Implant malware or backdoors into build environments
  • Potentially poison source code or CI/CD pipelines

Because exploitation only requires a valid user account with repository creation permissions, environments with open registration or weak access controls are especially exposed. For organizations relying on vendors that self-host Gogs, compromise of a development platform can lead to downstream integrity risks, including the distribution of tainted software or unauthorized access to internal systems.

The lack of an available patch and confirmed real-world exploitation significantly increase the urgency for vendor visibility and compensating controls.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To assess vendor exposure and response posture, TPRM professionals should consider asking:

  1. Given the active exploitation of CVE-2025-8110 in Gogs, can you confirm if you have implemented network segmentation and access control to isolate Gogs instances and limit external exposure?
  2. Are you continuously monitoring Gogs official channels and security advisories for the release of a patch addressing CVE-2025-8110, and do you have a plan in place to apply the patch immediately upon availability?
  3. Have you conducted thorough scans of your Gogs deployments for any signs of compromise or malicious activity, considering that over 700 public-facing instances have been compromised?
  4. Have you disabled the "Open Registration" feature in your Gogs instance to reduce the attack surface and prevent arbitrary users from easily gaining the necessary permissions to exploit the vulnerability?

Remediation Recommendations for Vendors Subject to This Risk

Until an official fix is released, vendors using Gogs should take the following actions:

  • Restrict Repository Creation: Limit repository creation permissions to a minimal set of trusted users to reduce the likelihood of abuse.
  • Disable Open Registration: Turn off open user registration to prevent untrusted users from easily gaining authenticated access.
  • Monitor for File System Abuse: Review system and application logs for unexpected file writes, symbolic link abuse, or anomalous process execution.
  • Isolate Gogs Infrastructure: Apply network segmentation and strict access controls to limit lateral movement in the event of compromise.
  • Prepare for Rapid Patching: Monitor official Gogs channels closely and apply a security patch immediately once it becomes available.

Black Kite’s Gogs - Dec2025 FocusTag™ details critical insights on the event for TPRM professionals.

How TPRM Professionals Can Leverage Black Kite FocusTags™ for These Vulnerabilities

Black Kite published multiple Dec2025 FocusTags with High to Very High confidence levels to help organizations rapidly identify vendors exposed to critical and actively exploited vulnerabilities across ScreenConnect, CentreStack & Triofox, Jenkins, FreePBX, and Gogs. These FocusTags enable TPRM teams to move beyond broad assumptions and apply evidence-based risk validation across diverse technology stacks, including remote access tools, CI/CD platforms, file-sharing services, communications infrastructure, and self-hosted development environments.

By leveraging these FocusTags, TPRM professionals can:

  • Identify vendors operating vulnerable technologies across different platforms, including ScreenConnect servers, CentreStack and Triofox deployments, Jenkins Core instances, FreePBX infrastructure, and Gogs repositories
  • Validate real-world exposure using asset-level intelligence, such as IP addresses, service indicators, and externally observable infrastructure tied to the affected products
  • Prioritize vendor outreach based on confirmed exploitation risk, particularly for vulnerabilities under active exploitation or associated with public proof-of-concept activity
  • Reduce vendor fatigue and unnecessary questionnaires by focusing engagement only on vendors with verified or likely exposure
  • Track remediation and mitigation progress over time, including patch adoption, configuration changes, and compensating controls for vulnerabilities with delayed or unavailable fixes

Strengthening Third-Party Risk Management with Black Kite’s FocusTags™

As high-severity vulnerabilities and zero-day threats continue to surface across diverse technologies, TPRM teams face growing pressure to respond quickly without overwhelming vendors or internal resources. Black Kite’s FocusTags™ are designed to address this challenge by translating complex vulnerability intelligence into precise, actionable insight.

Rather than treating every high-profile vulnerability as universally applicable, FocusTags™ enable organizations to determine which vendors are actually affected, based on observed technologies and exposed assets. This is particularly valuable for incidents involving platforms like remote administration tools, CI/CD systems, communication infrastructure, and self-hosted development services, where exposure varies significantly depending on configuration and deployment model.

With FocusTags™, TPRM professionals can:

  • Rapidly identify exposed vendors by correlating vulnerabilities with real-world asset data, including IP addresses and internet-facing services.
  • Prioritize outreach and remediation efforts by focusing on vendors where exploitation could disrupt operations, expose sensitive data, or introduce supply chain risk.
  • Drive focused vendor conversations grounded in evidence, enabling more effective validation of patching, configuration changes, and compensating controls.
  • Maintain situational awareness across evolving threats, including zero-days and actively exploited vulnerabilities, without resorting to broad, repetitive questionnaires.

By providing asset-level visibility and continuously updated intelligence, Black Kite’s FocusTags™ help organizations operationalize third-party risk management with greater precision and confidence—allowing teams to respond faster, reduce vendor fatigue, and make defensible risk decisions in an increasingly complex threat landscape.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • ScreenConnect – Dec2025 : CVE-2025-14265, Exposure of Sensitive Information and Download of Code Without Integrity Check Vulnerability in ConnectWise ScreenConnect.
  • CentreStack & Triofox – Dec2025 : CVE-2025-14611, Insecure Cryptography and Arbitrary File Read Vulnerability Leading to Remote Code Execution in Gladinet CentreStack and Triofox.
  • Jenkins – Dec2025 : CVE-2025-67635, CVE-2025-67637, CVE-2025-67636, Denial of Service, Information Disclosure, and Missing Authorization Vulnerabilities in Jenkins Core.
  • FreePBX – Dec2025 : CVE-2025-66039, CVE-2025-61675, CVE-2025-61678, Authentication Bypass, SQL Injection, and Arbitrary File Upload Vulnerabilities Leading to Remote Code Execution in FreePBX.
  • Gogs – Dec2025 : CVE-2025-8110, Path Traversal Vulnerability via Symlink Bypass Leading to Remote Code Execution in Gogs.
  • Fortinet [Suspected] – Dec2025 : CVE-2025-59718, CVE-2025-59719, Administrative Authentication Bypass via SAML Forgery in Fortinet FortiCloud SSO.
  • Exchange Server – Dec2025 : CVE-2025-64666, CVE-2025-64667, Elevation of Privilege and Email Spoofing Vulnerabilities in Microsoft Exchange Server.
  • Cacti – Dec2025 : CVE-2025-66399, Remote Code Execution Vulnerability via SNMP Community String Injection in Cacti.
  • React Server Components (RSC) [Suspected] : CVE-2025-55182, Remote Code Execution Vulnerability in React Server Components.
  • Mixpanel Clients : Assessing the Potential Impact of Client Data Exposure in Mixpanel.
  • SonicWall SSL VPN – Nov2025 : CVE-2025-40601, Pre-Authentication Stack-Based Buffer Overflow Vulnerability in SonicWall SonicOS SSLVPN Service Leading to Denial of Service.
  • Grafana Enterprise – Nov2025 : CVE-2025-41115, Incorrect Privilege Assignment Vulnerability Allowing Privilege Escalation and User Impersonation via SCIM Provisioning in Grafana Enterprise.
  • Apache SkyWalking : CVE-2025-54057, Stored Cross-Site Scripting (XSS) Vulnerability Allowing Persistent Script Injection in Apache SkyWalking Monitoring Dashboards.
  • Gainsight Client – Nov2025 : Integration-Token Abuse Incident, Unauthorized Access and Potential Data Exfiltration Through Compromised OAuth Tokens in Gainsight–Salesforce Connected Applications.
  • FortiWeb [Suspected] : CVE-2025-64446, CVE-2025-58034, Authentication Bypass Vulnerability, Path Traversal Vulnerability, OS Command Injection Vulnerability in Fortinet FortiWeb Web Application Firewall.
  • SolarWinds Serv-U – Nov2025 : CVE-2025-40547, CVE-2025-40548, CVE-2025-40549, Logic Error Vulnerability, Improper Authorization Vulnerability, Path Traversal Vulnerability, Remote Code Execution Vulnerabilities in SolarWinds Serv-U.
  • OAuth2 Proxy : CVE-2025-64484, Improper Neutralization Of HTTP Headers For Scripting Syntax Vulnerability, Header Smuggling Vulnerability, Potential Privilege Escalation Vulnerability in OAuth2 Proxy.
  • pgAdmin – Nov2025 : CVE-2025-12762, CVE-2025-12763, CVE-2025-12764, CVE-2025-12765, Remote Code Execution Vulnerability, Command Injection Vulnerability, LDAP Injection Vulnerability, TLS Certificate Verification Bypass Vulnerability in pgAdmin.
  • W3 Total Cache – Nov2025 : CVE-2025-9501, Command Injection Vulnerability, Remote Code Execution Vulnerability in W3 Total Cache WordPress Plugin.
  • Microsoft SharePoint – Nov2025 : CVE-2025-62204, Deserialization of Untrusted Data Vulnerability, Remote Code Execution Vulnerability in Microsoft Office SharePoint.
  • MSSQL – Nov2025 : CVE-2025-59499, Improper Neutralization of Special Elements in SQL Commands, SQL Injection Vulnerability, Privilege Escalation Vulnerability in Microsoft SQL Server.
  • Elastic Kibana – Nov2025 : CVE-2025-37734, CVE-2025-59840, Server-Side Request Forgery (SSRF) Vulnerability, DOM-based Cross-site Scripting (XSS) Vulnerability, Improper Input Validation Vulnerability in Elastic Kibana.
  • Django – Nov2025 : CVE-2025-59681, CVE-2025-59682, SQL Injection Vulnerability, Directory Traversal Vulnerability, Improper Input Sanitization Vulnerability in Django Web Framework.
  • Open WebUI – Nov2025 : CVE-2025-64495, Stored DOM XSS Vulnerability, Account Takeover Vulnerability, Remote Code Execution Vulnerability in Open WebUI.

See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have a FocusTag applied at https://blackkite.com/cve-database/.

References

https://thehackernews.com/2025/12/react2shell-vulnerability-actively.html

https://securityonline.info/critical-screenconnect-flaw-cvss-9-1-risks-config-exposure-untrusted-extension-installation/

https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch

https://nvd.nist.gov/vuln/detail/CVE-2025-14265

https://www.cve.org/CVERecord?id=CVE-2025-14265

https://securityonline.info/high-severity-jenkins-flaws-risk-unauthenticated-dos-via-http-cli-and-xss-via-coverage-reports/

https://www.cve.org/CVERecord?id=CVE-2025-67635

https://www.cve.org/CVERecord?id=CVE-2025-67637

https://www.cve.org/CVERecord?id=CVE-2025-67636

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630

https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability

https://www.cve.org/CVERecord?id=CVE-2025-14611

https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/

https://www.cve.org/CVERecord?id=CVE-2025-61675

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-292p-rj6h-54cp

https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

https://securityonline.info/gogs-zero-day-cve-2025-8110-risks-rce-for-700-servers-via-symlink-path-traversal-bypass/

https://nvd.nist.gov/vuln/detail/CVE-2025-8110