
Focus Friday: TPRM Insights on Sitecore, MSSQL, SharePoint, Cisco UCM, SAP NetWeaver, Apache Solr, and Appsmith

Published: Jan 23, 2026

Updated: Jan 23, 2026

Authors: Ferdi Gül

Contributors: Hakan Karabacak


Introduction

This week’s Focus Friday examines a diverse array of high-impact vulnerabilities affecting the essential components of the modern vendor ecosystem: content management, database administration, enterprise collaboration, and unified communications. With the emergence of an actively exploited zero-day in Cisco UCM and a critical configuration flaw in Sitecore, Third-Party Risk Management (TPRM) professionals must address an environment where unauthenticated remote access is a primary threat. This edition provides a deep dive into these incidents, alongside significant security updates for MSSQL - Jan2026, SharePoint - Jan2026, SAP NetWeaver - Jan2026, Apache Solr, and Appsmith.

By analyzing these vulnerabilities through a technical and risk-focused lens, we aim to help organizations move beyond manual data collection. From the potential for NTLM hash disclosure in Apache Solr to the risk of account takeover in Appsmith, these disclosures highlight why maintaining visibility into a vendor's technical stack is vital. This blog provides the actionable intelligence needed to prioritize remediation and engage in meaningful security dialogues with the third parties that power your business operations.

Filtered view of companies with Sitecore FocusTag® on the Black Kite platform.


Sitecore RCE (CVE-2025-53690)

What is the Sitecore Machine Key RCE?

CVE-2025-53690 is a critical code injection vulnerability affecting Sitecore products, specifically stemming from insecure ASP.NET machine key configurations. This flaw is rated as Critical with a CVSS score of 9.0 and a high EPSS score of 16.82%, indicating a strong probability of continued exploitation. The vulnerability arises when instances use publicly exposed or default machine keys—often found in legacy Sitecore deployment guides—allowing attackers to perform ViewState deserialization. This enables unauthenticated remote code execution (RCE) via endpoints like /sitecore/blocked.aspx.

While technical details emerged earlier, the vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on September 4, 2025. Mandiant has confirmed active exploitation in the wild by threat actors who use the flaw to gain initial access, deploy the WEEPSTEEL reconnaissance tool, and establish persistence via local administrator accounts. Adversaries have also been observed using EARTHWORM for SOCKS tunneling and DWAGENT for remote access, facilitating covert lateral movement and credential dumping from registry hives.

Why should TPRM Professionals care about Sitecore CVE-2025-53690?

Sitecore serves as a central Digital Experience Platform (DXP) and Content Management System (CMS) for many organizations, often sitting at the intersection of public-facing marketing assets and sensitive internal customer data. Because this vulnerability grants unauthenticated RCE, a compromised Sitecore instance effectively becomes a beachhead for attackers to enter a vendor's internal network.

From a third-party risk perspective, the danger extends beyond data theft. Threat actors have demonstrated an ability to use compromised Sitecore servers for "hands-on-keyboard" activity, including Active Directory reconnaissance using tools like SHARPHOUND. If a vendor is running an unpatched or misconfigured Sitecore environment, an attacker could move laterally from the web server to deeper infrastructure, potentially impacting the integrity of the services the vendor provides to your organization or leading to a wider supply chain compromise.

What questions should TPRM professionals ask vendors about CVE-2025-53690?

To verify that a vendor has effectively mitigated this specific configuration risk, TPRM teams should move beyond generic security questions and request evidence of the following:

  1. Have you updated all instances of Sitecore XP 9.0 or earlier and Active Directory 1.4 or earlier to versions that are not affected by the critical remote code execution vulnerability (CVE-2025-53690)?
  2. Have you implemented a regular key rotation policy and encrypted all machine keys in all `web[.]config` files for affected Sitecore installations to mitigate the risk of CVE-2025-53690?
  3. Have you conducted a thorough examination of your Sitecore environments for any signs of suspicious or anomalous behavior, especially looking for indicators of compromise mentioned by Mandiant (e.g., WEEPSTEEL, EARTHWORM, DWAGENT, unusual administrator accounts like `asp$` or `sawadmin`, credential dumping activity)?
  4. Have you ensured that current Sitecore deployments do not rely on older, potentially insecure deployment guides that may advise the use of publicly exposed or weak ASP.NET machine key configurations, which could lead to a ViewState deserialization attack as seen in CVE-2025-53690?

Remediation Recommendations for Vendors subject to this risk

Vendors identified as running vulnerable Sitecore configurations should prioritize the following technical steps to neutralize the threat:

  • Rotate and Encrypt Machine Keys: Immediately generate new, unique machine keys for all web[.]config files. This is the only way to prevent attackers who already possess legacy keys from successfully performing ViewState deserialization.
  • Secure web[.]config Access: Ensure that these sensitive configuration files are not publicly accessible and that only authorized application administrators can read them.
  • Hunt for Indicators of Compromise (IoC): Conduct an environment-wide sweep for tools associated with this exploit, specifically looking for WEEPSTEEL (Information.dll), EARTHWORM, and unauthorized SHARPHOUND executions.
  • Establish Key Rotation Policies: Implement a recurring schedule for rotating static keys to limit the long-term utility of any credentials or keys that might be inadvertently exposed.
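The first, second and fourth bullets above (rotate, encrypt, and keep rotating machine keys) as an added Python example, not Sitecore's, Microsoft's or Black Kite's code: it audits a web.config for weak algorithms, short keys and keys that recur across more than one deployment, and writes fresh CSPRNG keys in place. The sample web.config is constructed and the helper names are this example's own.

```python
"""Audit and rotate ASP.NET <machineKey> settings in Sitecore web.config files."""
import re
import secrets
import xml.etree.ElementTree as ET

# Key sizes a hardened machineKey should carry (raw bytes, stored as hex).
VALIDATION_KEY_BYTES = 64   # HMACSHA256 validation key
DECRYPTION_KEY_BYTES = 32   # AES-256 decryption key
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
MACHINE_KEY_RE = re.compile(r"<machineKey\b[^>]*/>")


def generate_machine_key():
    """Fresh, unique keys from the OS CSPRNG, never copied from a deployment guide."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def audit_machine_key(config_xml, seen_keys=None):
    """Return findings for one web.config.

    Pass the same seen_keys set across several configs: a key that recurs
    between deployments is a copied or guide-derived key, which is the
    condition CVE-2025-53690 exploitation relies on.
    """
    findings = []
    root = ET.fromstring(config_xml)
    node = next((sw.find("machineKey") for sw in root.iter("system.web")), None)
    if node is None:
        return ["no explicit <machineKey>: keys auto-generate per machine"]
    if node.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append("weak validation algorithm: " + node.get("validation"))
    if node.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append("weak decryption algorithm: " + node.get("decryption"))
    for name, want in (("validationKey", VALIDATION_KEY_BYTES),
                       ("decryptionKey", DECRYPTION_KEY_BYTES)):
        key = node.get(name, "")
        if key.startswith("AutoGenerate"):
            continue
        if not HEX_RE.fullmatch(key) or len(key) < want * 2:
            findings.append(f"{name} shorter than {want} bytes or not hex")
        if seen_keys is not None:
            if key.lower() in seen_keys:
                findings.append(f"{name} is shared with another deployment")
            seen_keys.add(key.lower())
    return findings


def rotate_machine_key(config_xml, new_key=None):
    """Replace (or add) the <machineKey> element and return the new config text."""
    new_key = new_key or generate_machine_key()
    attrs = " ".join(f'{k}="{v}"' for k, v in new_key.items())
    element = f"<machineKey {attrs} />"
    if MACHINE_KEY_RE.search(config_xml):
        return MACHINE_KEY_RE.sub(lambda _m: element, config_xml, count=1)
    # No element yet: insert one as the first child of <system.web>.
    return config_xml.replace("<system.web>", "<system.web>\n    " + element, 1)


# Constructed sample: a static, too-short key of the kind copied from an old guide.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    shared = set()
    print(audit_machine_key(SAMPLE_WEB_CONFIG, shared))
    print(audit_machine_key(SAMPLE_WEB_CONFIG, shared))   # second copy flags shared keys
    print(audit_machine_key(rotate_machine_key(SAMPLE_WEB_CONFIG)))   # []
```

Once the new element is written, encrypting the section with `aspnet_regiis.exe -pe "system.web/machineKey" -app "/<site>"` keeps the keys out of plain text, which covers the encryption step above.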

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Sitecore FocusTag® on January 21, 2026, providing immediate visibility into which vendors remain exposed to this critical misconfiguration. By operationalizing this tag, TPRM professionals can bypass the need for broad, manual surveys and focus their outreach only on those third parties where Sitecore instances are detected with a high probability of exposure.

The primary differentiator for Black Kite users is the provision of specific asset-level intelligence, including the IP addresses and subdomains where the vulnerable Sitecore footprint was identified. This allows risk managers to provide vendors with actionable data, enabling faster validation of the risk and more precise remediation tracking. As exploitation patterns evolve, Black Kite continues to update these tags to ensure that TPRM teams are working with the most current threat intelligence.

Black Kite's Sitecore FocusTag® details critical insights on the event for TPRM professionals.


MSSQL - Jan2026 (CVE-2026-20803)

What is the Microsoft SQL Server Elevation of Privilege Vulnerability?

CVE-2026-20803 is a high-severity elevation of privilege vulnerability in Microsoft SQL Server, specifically classified as a Missing Authentication for Critical Function. This flaw carries a CVSS score of 7.2 and an EPSS score of 0.09%. The vulnerability was published on January 14, 2026, as part of Microsoft's regular security update cycle. It stems from the server’s failure to perform proper authentication checks on certain critical functions, which could allow a high-privileged attacker to gain unauthorized debugging and system memory dumping rights over a network.

As of late January 2026, there are no confirmed reports of this vulnerability being exploited in the wild, and no public proof-of-concept (PoC) exploits have been released. Consequently, the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Microsoft has provided comprehensive advisories and patches for all supported versions of SQL Server to mitigate this risk.

Why should TPRM Professionals care about CVE-2026-20803?

Microsoft SQL Server is the foundational data layer for many vendors, housing everything from proprietary business logic to sensitive customer records. While this vulnerability requires an attacker to already possess high privileges, its impact is significant because it grants "debugging" capabilities. In a production environment, debugging rights allow an actor to dump system memory, which may contain clear-text credentials, session tokens, or unencrypted data that is otherwise protected by database permissions.

From a TPRM perspective, this vulnerability represents a potential escalation point for an insider threat or a compromised administrative account. If a vendor fails to patch their SQL environment, a relatively limited compromise of an admin user could quickly evolve into a full-scale data breach. Furthermore, many organizations rely on third-party vendors to manage their databases; ensuring these managed service providers have applied the January 2026 updates is critical for maintaining the confidentiality of outsourced data.

What questions should TPRM professionals ask vendors about CVE-2026-20803?

TPRM professionals should engage vendors with targeted questions to confirm their SQL Server security posture following the January 2026 disclosures:

  1. Can you confirm if you have updated all instances of Microsoft SQL Server to the patched versions (17.0.1050.2 for SQL Server 2025 and 16.0.4230.2 or 16.0.1165.1 for SQL Server 2022) to mitigate the risk of CVE-2026-20803?
  2. Have you identified your current update path (GDR or CU) and applied the corresponding update package (CU22+GDR or RTM+GDR) to address the Elevation of Privilege vulnerability in Microsoft SQL Server?
  3. Can you confirm if you have discontinued the use of unsupported SQL Server versions and upgraded to a supported Service Pack or SQL Server product to apply this and future security updates?
  4. Have you reviewed and restricted user privileges on all SQL Server instances to ensure that only authorized administrative personnel have the level of access required to reach critical functions, as a measure to mitigate the risk of CVE-2026-20803?

Remediation Recommendations for Vendors subject to this risk

Vendors should take the following technical steps to ensure their database environments are secure against elevation of privilege attempts:

  • Apply Security Updates Immediately: Install the official Microsoft patches for the relevant build. For SQL Server 2025, ensure you are on version 17.0.1050.2 or later. For SQL Server 2022, move to 16.0.4230.2 (CU path) or 16.0.1165.1 (GDR path).
  • Verify Build Numbers: Use Microsoft Knowledge Base Article 321185 to verify that the running build matches the patched version numbers.
  • Enforce Principle of Least Privilege: Strictly limit the number of users with high-level administrative or debugging permissions. Even with patches applied, reducing the attack surface is a core security best practice.
  • Decommission Legacy Systems: Immediately plan upgrades for any SQL Server versions that are no longer receiving security updates, as they remain permanently vulnerable to this and future flaws.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the MSSQL - Jan2026 FocusTag® on January 14, 2026, shortly after the vulnerability was disclosed by Microsoft. This tag allows TPRM professionals to immediately identify which vendors in their ecosystem are running Microsoft SQL Server versions that appear to be unpatched or fall within the vulnerable build ranges.

A primary differentiator of the Black Kite platform is the ability to provide specific asset information, such as the IP addresses or subdomains associated with the detected SQL Server instances. This level of granularity empowers TPRM teams to move away from broad outreach and instead provide vendors with evidence-based findings. By operationalizing this tag, organizations can track remediation progress across their entire supply chain, ensuring that critical data repositories are secured against this elevation of privilege risk.

Black Kite's MSSQL - Jan2026 FocusTag® details critical insights on the event for TPRM professionals.


SharePoint - Jan2026 (CVE-2026-20963, CVE-2026-20947, CVE-2026-20951, CVE-2026-20958, CVE-2026-20959)

What are the SharePoint Server Jan 2026 Vulnerabilities?

The SharePoint Jan 2026 FocusTag® encompasses a suite of vulnerabilities discovered in Microsoft Office SharePoint, ranging from medium-severity spoofing to high-severity remote code execution (RCE). These were published on January 13, 2026, as part of Microsoft's Patch Tuesday cycle.

The collection includes:

  • CVE-2026-20963 [HIGH]: A Deserialization of Untrusted Data vulnerability enabling RCE (CVSS: 8.8, EPSS: 0.62%).
  • CVE-2026-20947 [HIGH]: A SQL Injection flaw allowing authenticated attackers with low privileges to execute arbitrary code (CVSS: 8.8, EPSS: 0.09%).
  • CVE-2026-20951 [HIGH]: An Improper Input Validation issue leading to RCE (CVSS: 7.8, EPSS: 0.11%).
  • CVE-2026-20958 [MEDIUM]: A Server-Side Request Forgery (SSRF) vulnerability facilitating information disclosure (CVSS: 5.4, EPSS: 0.05%).
  • CVE-2026-20959 [MEDIUM]: A Cross-Site Scripting (XSS) vulnerability allowing spoofing via crafted requests (CVSS: 5.4, EPSS: 0.04%).

While public proof-of-concept (PoC) exploits have been reported, as of late January 2026 these vulnerabilities have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Microsoft released official security advisories and patches simultaneously with the disclosure to address these improper input neutralization and data handling flaws.

Why should TPRM Professionals care about these SharePoint vulnerabilities?

SharePoint is often the central nervous system for a vendor's internal collaboration, document management, and intranet services. Because it frequently stores sensitive intellectual property, contract details, and employee data, any vulnerability that allows for code execution or database injection represents a significant risk to the confidentiality and integrity of third-party environments.

From a TPRM perspective, the risk is tiered. The RCE and SQL injection vulnerabilities (CVE-2026-20963, CVE-2026-20947) are particularly dangerous because they allow an authenticated user—even one with low privileges—to potentially take full control of the server or access the underlying database. This could lead to the unauthorized extraction of client data or the installation of persistent backdoors. Meanwhile, the XSS and spoofing flaws allow attackers to trick vendor employees into performing actions they didn't intend, which is a common precursor to sophisticated phishing or business email compromise (BEC) attacks. If your vendor uses SharePoint to share files with your organization, a compromised instance could be used to distribute malware directly to your employees.

What questions should TPRM professionals ask vendors about the SharePoint January 2026 vulnerabilities?

To evaluate a vendor's exposure and response, consider these specific questions:

  1. Have you applied the official security updates provided by Microsoft for all affected SharePoint Server instances to address the improper input neutralization and data handling issues behind CVE-2026-20959, CVE-2026-20958, CVE-2026-20951, CVE-2026-20963, and CVE-2026-20947?
  2. Can you confirm if you have updated all instances of Microsoft SharePoint Server Subscription Edition to build 16.0.19127.20442 or later to mitigate the risk of these vulnerabilities?
  3. Have you conducted a comprehensive audit to identify all Microsoft SharePoint Server deployments within your environment and verified the version and update status of each instance to ensure all vulnerable systems are patched?
  4. Have you configured your Web Application Firewalls (WAFs) with rules designed to detect and block common XSS attack patterns to provide an additional layer of defense against these web-based vulnerabilities?

Remediation Recommendations for Vendors subject to this risk

Vendors should take immediate action to secure their SharePoint environments following these guidelines:

  • Deploy Official Patches: Priority should be given to applying the January 13, 2026, security updates (such as KB5002825 for Server 2019 and KB5002828 for Server 2016).
  • Verify Build Numbers: For SharePoint Server Subscription Edition, ensure the system is at build 16.0.19127.20442 or higher.
  • Harden Input Validation: Review custom SharePoint web parts or integrations for improper input neutralization to prevent future XSS and SQL injection risks.
  • Enable WAF Protections: Implement or update WAF rules to detect and block common payloads for SSRF, XSS, and SQLi specifically tailored for SharePoint endpoints.
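The "Verify Build Numbers" step in this list and in the MSSQL - Jan2026 list above, as an added Python example (not Microsoft's or Black Kite's code). The fixed builds are the ones quoted in this post; the inventory is constructed, and the rule that SQL Server 2022 builds numbered 16.0.4xxx sit on the CU path while 16.0.1xxx sit on the RTM+GDR path is an assumption about Microsoft's numbering. The point it makes is that a plain version comparison mislabels a patched GDR build (16.0.1165.1) as vulnerable because it is numerically below the CU build (16.0.4230.2).

```python
"""Classify reported SQL Server and SharePoint SE builds against the January 2026 fixed builds."""


def parse_build(text):
    """'16.0.4230.2' -> (16, 0, 4230, 2); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


# Fixed builds quoted in this post for CVE-2026-20803, by major version and update path.
SQL_FIXED = {
    17: {"GDR": "17.0.1050.2"},                        # SQL Server 2025 (one build quoted)
    16: {"CU": "16.0.4230.2", "GDR": "16.0.1165.1"},   # SQL Server 2022
}
# Assumption about Microsoft's numbering: third component >= 4000 means the CU
# path (16.0.4xxx), below it the RTM+GDR path (16.0.1xxx).
CU_BRANCH_THRESHOLD = 4000
SHAREPOINT_SE_FIXED = "16.0.19127.20442"   # Subscription Edition build quoted in this post


def sql_update_path(build):
    return "CU" if build[2] >= CU_BRANCH_THRESHOLD else "GDR"


def check_sql_server(version):
    """Classify a SELECT SERVERPROPERTY('ProductVersion') value for CVE-2026-20803."""
    build = parse_build(version)
    fixed_by_path = SQL_FIXED.get(build[0])
    if fixed_by_path is None:
        return {"status": "unknown-major", "path": None, "fixed": None}
    path = sql_update_path(build)
    fixed = fixed_by_path.get(path)
    if fixed is None:   # the post quotes no build for this branch, so do not guess
        return {"status": "unknown-branch", "path": path, "fixed": None}
    status = "patched" if build >= parse_build(fixed) else "vulnerable"
    return {"status": status, "path": path, "fixed": fixed}


def check_sharepoint_se(version):
    """Classify a SharePoint Server Subscription Edition build."""
    build = parse_build(version)
    status = "patched" if build >= parse_build(SHAREPOINT_SE_FIXED) else "vulnerable"
    return {"status": status, "path": None, "fixed": SHAREPOINT_SE_FIXED}


# Constructed vendor inventory: (host, product, build reported in the questionnaire).
CONSTRUCTED_INVENTORY = [
    ("db01", "mssql", "16.0.4200.1"),   # 2022 CU path, below the fixed CU build
    ("db02", "mssql", "16.0.1165.1"),   # 2022 GDR path, exactly the fixed GDR build
    ("db03", "mssql", "17.0.1050.2"),   # 2025 fixed build
    ("db04", "mssql", "15.0.4430.1"),   # SQL Server 2019: no build quoted in the post
    ("sp01", "sharepoint-se", "16.0.19127.20442"),
    ("sp02", "sharepoint-se", "16.0.18526.20000"),
]


def triage(inventory):
    """Map each host to its classification; 'vulnerable' hosts are the outreach targets."""
    checks = {"mssql": check_sql_server, "sharepoint-se": check_sharepoint_se}
    return {host: checks[product](version) for host, product, version in inventory}


def vulnerable_hosts(inventory):
    return sorted(h for h, r in triage(inventory).items() if r["status"] == "vulnerable")


if __name__ == "__main__":
    for host, result in triage(CONSTRUCTED_INVENTORY).items():
        print(host, result)
```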

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the SharePoint - Jan 2026 FocusTag® on January 22, 2026, providing early visibility into vendor exposure across the supply chain. This tag allows TPRM teams to move away from manual "check-the-box" outreach and instead focus on vendors where SharePoint instances are actively detected.

By providing the specific IP addresses and subdomains of vulnerable SharePoint assets, Black Kite empowers TPRM professionals to have evidence-based conversations with their vendors. This technical detail is a significant differentiator, as it allows vendors to quickly identify and patch the specific server at risk rather than spending time on internal discovery. Organizations can use these insights to operationalize their risk response by prioritizing vendors with high-severity RCE exposure (CVE-2026-20963) over those with lower-severity spoofing risks.

Black Kite's SharePoint - Jan2026 FocusTag® details critical insights on the event for TPRM professionals.


Cisco UCM (CVE-2026-20045)

What is the Cisco UCM Zero-Day RCE Vulnerability?

CVE-2026-20045 is a critical zero-day vulnerability found in the web-based management interface of several Cisco Unified Communications products. This defect is a code injection flaw caused by improper validation of user-supplied input in HTTP requests. It carries a Critical severity level with a CVSS score of 9.8 and an EPSS score of 1.76%. First published on January 21, 2026, the vulnerability was immediately identified as being subject to active exploitation in the wild.

Attackers can exploit this weakness by sending a sequence of crafted HTTP requests without any prior authentication. Successful exploitation allows a threat actor to execute arbitrary commands on the underlying operating system. Initially, an attacker gains user-level access, but they can quickly elevate their privileges to root, leading to a complete compromise of the affected device. Due to the high risk and confirmed exploitation, CISA added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog on January 21, 2026, the same day the official advisory was released.

Why should TPRM Professionals care about the Cisco UCM vulnerability?

Cisco Unified Communications Manager (UCM) and its associated services like Unity Connection and Webex Calling are central to a vendor's communication infrastructure. These systems handle telephony, voicemail, messaging, and conferencing, often bridging internal corporate networks with the public internet. Because these products manage sensitive internal voice and data traffic, a compromise provides an attacker with a powerful foothold for corporate espionage or large-scale data exfiltration.

From a third-party risk perspective, this vulnerability is particularly alarming because it enables unauthenticated remote code execution. If a vendor's communication gateway is breached, an attacker can listen to private calls, access voicemail archives, or use the compromised server as a pivot point to reach deeper into the vendor's internal environment. Furthermore, the ability to escalate to root privileges means that an adversary could potentially disable security monitoring on the host, making the intrusion difficult to detect. For organizations relying on these vendors for critical services, such a breach could result in service downtime or the exposure of sensitive business discussions.

What questions should TPRM professionals ask vendors about CVE-2026-20045?

TPRM teams should reach out to vendors suspected of running vulnerable Cisco communication infrastructure with the following targeted questions:

  1. Have you upgraded all instances of Cisco Unified CM, CM SME, CM IM&P, Unity Connection, and Webex Calling Dedicated Instance to the specified fixed releases or applied the provided patch files to mitigate the risk of CVE-2026-20045?
  2. Can you confirm if you have discontinued the use of Cisco Unified CM, CM SME, CM IM&P, Unity Connection, and Webex Calling Dedicated Instance versions prior to 14SU5 or 15SU4 to mitigate the risk of CVE-2026-20045?
  3. Have you applied the specific patch files `ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512`, `ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512`, `ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512`, `ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512` to the respective versions of Cisco Unified CM, CM SME, CM IM&P, Unity Connection, and Webex Calling Dedicated Instance to mitigate the risk of CVE-2026-20045?
  4. Have you implemented any additional security measures to prevent improper validation of user-supplied input in HTTP requests, which is the method of exploitation for CVE-2026-20045?

Remediation Recommendations for Vendors subject to this risk

Vendors must take immediate action as there are no available workarounds to mitigate this zero-day. The following steps are recommended:

  • Apply Security Patches Immediately: Upgrade to the fixed software versions (such as 14SU5) or apply the version-specific patches (ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 for Release 14) provided in the Cisco advisory.
  • Inventory Communications Infrastructure: Perform a complete audit of all telephony and messaging assets to ensure that even "hidden" or secondary instances of Unity Connection or IM & Presence Service are accounted for.
  • Migrate Legacy Systems: Organizations still utilizing Release 12.5 must migrate to a newer, fixed release branch, as Cisco has not provided a direct patch for this version.
  • Restrict Management Access: While not a substitute for patching, ensure that web-based management interfaces are not exposed to the public internet and are restricted to trusted administrative networks only.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Cisco UCM FocusTag® on January 22, 2026, providing rapid response visibility for TPRM professionals just one day after the official disclosure and KEV inclusion. This tag allows risk managers to instantly identify which vendors in their portfolio are utilizing vulnerable Cisco communication products, even when those systems are buried deep within complex network architectures.

A major advantage for Black Kite users is the inclusion of specific asset-level intelligence, such as IP addresses and subdomains where the suspected vulnerable Cisco management interfaces are located. This allows TPRM teams to provide concrete evidence to their vendors, accelerating the remediation process. Instead of asking every vendor a broad set of questions, professionals can use the FocusTag® to prioritize high-risk vendors and track their patching status in real-time as the threat environment continues to shift.

Black Kite's Cisco UCM FocusTag® details critical insights on the event for TPRM professionals.


SAP NetWeaver - Jan2026 (CVE-2026-0507)

What is the SAP NetWeaver OS Command Injection Vulnerability?

CVE-2026-0507 is a high-severity OS command injection vulnerability found in the SAP Application Server for ABAP and the SAP NetWeaver RFCSDK. Classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), this flaw carries a CVSS score of 8.4 and an EPSS score of 0.76%. It was first disclosed by SAP during their January 2026 Security Patch Day on January 13, 2026. The vulnerability allows an authorized administrative attacker with access to an adjacent network to upload specially crafted content. If the application processes this malicious payload, it enables the execution of unauthorized operating system commands.

As of late January 2026, there are no confirmed reports of this vulnerability being exploited in the wild, nor have any public proof-of-concept (PoC) exploits been released. Consequently, it has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog at this time. CISA typically includes vulnerabilities in the KEV list only when active exploitation is confirmed. However, given the critical nature of SAP systems in corporate environments, organizations are encouraged to prioritize the relevant security notes.

Why should TPRM Professionals care about this SAP NetWeaver vulnerability?

SAP NetWeaver serves as the foundational integration platform for a vast majority of SAP's enterprise applications, including S/4HANA and ERP Central Component. These systems are the digital backbone for global supply chains, financial operations, and human resources data. A vulnerability that allows for OS command injection on these servers is inherently dangerous because it grants an attacker the ability to bypass application-level security and interact directly with the underlying server operating system.

From a third-party risk management perspective, a compromise of a vendor's SAP environment could lead to the total loss of confidentiality, integrity, and availability of business-critical data. While the "Adjacent Network" attack vector and "High" privilege requirement may seem to limit the risk, these are easily bypassed in modern cloud environments or through lateral movement after an initial breach of a different system. If a vendor handles your sensitive financial or proprietary data via SAP, an unpatched instance could allow an attacker to exfiltrate database records, modify financial transactions, or disrupt essential services.

What questions should TPRM professionals ask vendors about the SAP NetWeaver January 2026 vulnerability?

To gauge a vendor's exposure and their speed of response to these critical patches, TPRM professionals should consider the following questions:

  1. Have you updated all instances of SAP Application Server for ABAP and SAP NetWeaver RFCSDK to the versions that are not affected by the OS Command Injection vulnerability (CVE-2026-0507)?
  2. Can you confirm if you have implemented the network segmentation measures recommended by SAP to isolate the application servers within secure network zones, limiting access from untrusted adjacent networks?
  3. Have you applied the security notes and patches provided by SAP for the specific versions of the Application Server and RFCSDK you are running to mitigate the risk of CVE-2026-0507?
  4. Have you implemented strict validation and scanning for any content uploaded to the SAP Application Server to detect and block potentially malicious payloads that could exploit the OS Command Injection vulnerability (CVE-2026-0507)?

Remediation Recommendations for Vendors subject to this risk

Vendors utilizing affected SAP products should follow these technical remediation steps provided in the official advisories:

  • Apply Security Updates: Immediately install the patches associated with SAP Security Note 3675151. Ensure that kernel updates are applied across all affected versions, including 7.53, 7.54, 7.77, 7.89, 7.93, and 9.16.
  • Restrict Administrative Accounts: Review and limit the number of users with administrative privileges on SAP systems. Implement multi-factor authentication (MFA) and strict access logging for these high-value accounts.
  • Enforce Network Segmentation: Place SAP servers in dedicated, firewalled VLANs that are not directly accessible from the general corporate network or the internet.
  • Implement Input Validation: Deploy robust scanning for all file uploads and content processed by the SAP RFCSDK to detect command injection patterns before they reach the execution phase.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the SAP NetWeaver - Jan2026 FocusTag® on January 22, 2026, providing rapid visibility into vendor exposure just over a week after the official SAP Patch Day. This allows TPRM teams to move beyond manual surveys and instantly identify which third parties are operating potentially vulnerable SAP infrastructure.

The platform provides a significant advantage by surfacing specific asset information, such as IP addresses and subdomains, that host the affected SAP services. This level of technical detail allows risk managers to engage in much more effective conversations with vendors. Instead of a general inquiry, you can point to the exact asset at risk, facilitating faster validation and targeted remediation tracking.

Black Kite's SAP NetWeaver - Jan2026 FocusTag® details critical insights on the event for TPRM professionals.


Apache Solr (CVE-2026-22444, CVE-2026-22022)

What are the Apache Solr Authorization Bypass and Data Exposure Vulnerabilities?

The Apache Solr FocusTag® identifies two distinct high-severity security flaws, CVE-2026-22444 and CVE-2026-22022, which target the search engine’s core management and authorization frameworks. Both were officially disclosed on January 20, 2026, coinciding with the release of Apache Solr version 9.10.1.

  • CVE-2026-22444 (CVSS 7.1, EPSS 0.05%): This is an improper input validation flaw in the "create core" API. In standalone deployments, the API fails to adequately check file-system paths against the allowPaths security setting. An attacker can trick the system into reading or creating cores from unauthorized directories. On Windows systems, this vulnerability is particularly severe as it can trigger UNC path access, leading to the theft of NTLM user hashes.
  • CVE-2026-22022 (CVSS 8.2, EPSS 0.04%): This is an authorization bypass vulnerability affecting the RuleBasedAuthorizationPlugin. Due to insufficiently strict input validation, an unauthenticated attacker can bypass specific predefined permission rules (like config-read or security-read) if the configuration is missing a "catch-all" rule.

As of late January 2026, there are no reports of these vulnerabilities being exploited in the wild, and no public proof-of-concept (PoC) exploits have been confirmed. Consequently, neither vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog.

Why should TPRM Professionals care about Apache Solr vulnerabilities?

Apache Solr is a foundational component for high-performance search and analytics, frequently embedded in e-commerce platforms, document management systems, and internal data portals. Because Solr instances are often used to index sensitive corporate data or customer-facing catalogs, an authorization bypass directly threatens the confidentiality of the entire data store.

From a TPRM perspective, the risk profile depends heavily on the vendor's deployment configuration. A vendor running Solr in standalone mode with weak authorization controls could leak NTLM hashes or internal configuration details, both prized by attackers for lateral movement. The authorization bypass (CVE-2026-22022) also gives a threat actor "admin-lite" visibility into security settings and schemas, potentially exposing hidden data fields or system metadata that should be strictly protected. If your vendor uses Solr to power the search functionality of a portal you access, a compromise could result in unauthorized data harvesting, or in credential relay or offline cracking of captured NTLM hashes.

What questions should TPRM professionals ask vendors about these Apache Solr vulnerabilities?

To verify a vendor’s mitigation status, risk teams should ask the following targeted questions:

  1. Have you updated all instances of Apache Solr to version 9.10.1 or later to mitigate the risk of CVE-2026-22444 and CVE-2026-22022?
  2. Have you configured the "all" pre-defined permission in the RuleBasedAuthorizationPlugin to prevent unauthorized bypass of specific rules as recommended for CVE-2026-22022?
  3. Have you reviewed and restricted file system access by correctly configuring Solr's `allowPaths` security setting to block sensitive file-system paths, especially on Windows deployments that may allow UNC paths?
  4. For CVE-2026-22444, have you implemented strict authorization for the "create core" API by enabling the RuleBasedAuthorizationPlugin and configuring a strict permission list to prevent untrusted users from creating new Solr cores?

Remediation Recommendations for Vendors subject to this risk.

Vendors should implement the following technical fixes recommended by the Apache Software Foundation:

  • Immediate Upgrade: Move to Apache Solr 9.10.1 or higher. This is the only way to fully resolve both improper input validation issues across the core APIs.
  • Harden Authorization Plugin: If an immediate patch is impossible, ensure the RuleBasedAuthorizationPlugin is enabled and that all permission lists include the all rule associated with an administrative role.
  • Restrict "create core" Exposure: Disable or strictly limit network access to the "create core" API endpoints, ensuring they are only reachable from trusted administrative subnets.
  • Audit allowPaths Settings: Review the solr.xml configuration to ensure allowPaths correctly encapsulates only necessary directories, especially in environments where the filesystem might contain sensitive legacy configsets.
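As an added example (not Apache Solr's code and not part of the original post), the Python below models the two configuration checks the remediation list asks for: whether a security.json binds the catch-all "all" permission to an administrative role and lists it last, and whether a requested core directory falls inside allowPaths, with UNC paths rejected on Windows. The two embedded security.json documents are constructed; path_allowed reproduces the documented semantics of allowPaths (comma-separated list, "*" meaning unrestricted) as an illustration, not Solr's own implementation.

```python
"""Configuration checks for the two Solr hardening points above.

Added example, not Apache Solr code: it models the documented semantics of
security.json's RuleBasedAuthorizationPlugin permission list and of the
solr.allowPaths setting so a team can audit a dump of both before and after
the 9.10.1 upgrade. Both security.json documents below are constructed.
"""
import json
import ntpath
import posixpath

# Constructed: named predefined rules only, no catch-all. Requests that match
# no listed rule fall through, and per CVE-2026-22022 named rules can be
# side-stepped when "all" is absent.
WEAK_SECURITY_JSON = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": False,
        "credentials": {"solr": "<sha256-hash> <salt>"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "security-edit", "role": "admin"},
            {"name": "config-edit", "role": "admin"},
            {"name": "core-admin-edit", "role": "admin"},
        ],
        "user-role": {"solr": "admin"},
    },
})

# Constructed: same deployment with the recommended catch-all appended last
# (rules are evaluated in order and the first matching rule wins).
HARDENED_SECURITY_JSON = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": True,
        "credentials": {"solr": "<sha256-hash> <salt>"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "security-edit", "role": "admin"},
            {"name": "config-edit", "role": "admin"},
            {"name": "core-admin-edit", "role": "admin"},
            {"name": "all", "role": "admin"},
        ],
        "user-role": {"solr": "admin"},
    },
})


def audit_authorization(security_json: str) -> list[str]:
    """Return findings for a security.json document; an empty list means none."""
    cfg = json.loads(security_json)
    authz = cfg.get("authorization", {})
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        return ["RuleBasedAuthorizationPlugin not enabled: every API, create core included, is open"]
    findings = []
    perms = authz.get("permissions", [])
    all_rules = [p for p in perms if p.get("name") == "all"]
    if not all_rules:
        findings.append("no catch-all 'all' permission: named rules can be bypassed (CVE-2026-22022)")
    for rule in all_rules:
        if rule.get("role") is None:  # role null means every user, anonymous included
            findings.append("'all' permission has role null: it grants everyone, not an admin role")
    if all_rules and perms[-1].get("name") != "all":
        findings.append("'all' is not the last rule: the first match wins, so later rules are shadowed")
    if cfg.get("authentication", {}).get("blockUnknown") is False:
        findings.append("authentication.blockUnknown is false: anonymous requests reach authorization")
    return findings


def path_allowed(requested: str, allow_paths: str, windows: bool = False) -> bool:
    """Model the allowPaths containment check for a core directory.

    allow_paths is the comma-separated solr.allowPaths value; '*' allows any
    path. Paths are normalised first so '..' traversal cannot escape a base,
    and on Windows any UNC path is refused outright (an outbound SMB
    authentication is exactly the NTLM hash leak CVE-2026-22444 enables).
    """
    mod = ntpath if windows else posixpath
    allowed = [a.strip() for a in allow_paths.split(",") if a.strip()]
    if "*" in allowed:
        return True
    norm = mod.normpath(requested)
    if windows and ntpath.splitdrive(norm)[0].startswith("\\\\"):
        return False
    if not mod.isabs(norm):
        return False
    for base in (mod.normpath(a) for a in allowed):
        norm_c, base_c = (norm.lower(), base.lower()) if windows else (norm, base)
        if norm_c == base_c or norm_c.startswith(base_c.rstrip(mod.sep) + mod.sep):
            return True
    return False
```

Running audit_authorization over a vendor-supplied security.json, and path_allowed over the core paths an application actually requests, gives a concrete yes/no to questions 2 through 4 above rather than a questionnaire answer.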

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Apache Solr FocusTag® on January 21, 2026, providing rapid visibility just one day after the initial disclosure. This allows TPRM professionals to immediately pinpoint which vendors in their ecosystem are operating Solr instances within the vulnerable version range (5.3 through 9.10.0).

A key differentiator for Black Kite users is the inclusion of specific asset-level intelligence, such as IP addresses and subdomains where these search engines are detected. This enables TPRM teams to move beyond broad surveys and instead provide vendors with verifiable evidence of exposure. By operationalizing this tag, organizations can track the remediation of these data-exposure risks across their supply chain, ensuring that vendors prioritize the security of their search and indexing infrastructure.

Black Kite's Apache Solr FocusTag® details critical insights on the event for TPRM professionals.

Appsmith (CVE-2026-22794, CVE-2026-24042)

What are the Appsmith Account Takeover and Authorization Bypass Vulnerabilities?

Appsmith is currently affected by two high-impact vulnerabilities, one rated High and one Critical.

  • CVE-2026-22794 (CVSS 8.8, EPSS 0.03%): An account takeover vulnerability stemming from a failure to validate the Origin HTTP header during password resets, so that a reset link, and the token inside it, can be generated for an attacker-controlled host.
  • CVE-2026-24042 (CVSS 9.4, EPSS 0.14%): A "viewMode confusion" error that allows unauthenticated users to execute unpublished backend queries by manipulating a POST request to /api/v1/actions/execute.

Both flaws were disclosed in January 2026. While there are emerging reports of exploitation in the wild as of January 23, they have not yet been added to the CISA KEV Catalog.

Why should TPRM Professionals care about these Appsmith vulnerabilities?

Appsmith wires sensitive databases and API secrets into internal dashboards, so an account takeover or authorization bypass here is a high-privilege gateway to the vendor's backend. An unauthenticated actor could modify development data or exfiltrate API keys through the application layer, with no need to defeat network-layer defenses first.

What questions should TPRM professionals ask vendors about the Appsmith vulnerabilities?

  1. Can you confirm that you have upgraded all instances of Appsmith to version 1.93 or later for CVE-2026-22794, and to version 1.95 or later for CVE-2026-24042?
  2. Have you implemented measures to validate the `Origin` HTTP header during password reset and email verification request processing to prevent sensitive token leakage?
  3. Are you actively monitoring Appsmith user accounts for any unusual or unauthorized activity, especially after a password reset, which could indicate a successful account takeover attempt?
  4. Have you educated your users about the dangers of phishing, even within seemingly legitimate emails, and encouraged vigilance against suspicious links to prevent potential exploitation of this vulnerability?

Remediation Recommendations for Vendors subject to this risk.

  • Upgrade Immediately: Move to version 1.95 or later, which covers both issues (1.93 closed the account takeover; 1.95 enforces the boundary between published and unpublished actions).
  • Review Public Application Access: Disable public sharing for applications that do not strictly require unauthenticated access.
  • Harden Header Validation: Implement WAF rules to validate Origin and Host headers on sensitive endpoints.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite updated the Appsmith FocusTag® on January 23, 2026, immediately following the disclosure of the critical CVSS 9.4 authorization bypass. This allows TPRM professionals to instantly identify vendors operating unpatched, self-hosted Appsmith instances (versions prior to v1.95) that are susceptible to both account takeover and unauthenticated backend execution.

A major differentiator for Black Kite users is the inclusion of specific asset-level intelligence, providing the IP addresses and subdomains of exposed administrative panels. This enables teams to bypass generic, time-consuming questionnaires and instead provide vendors with verifiable technical proof of their exposure. By operationalizing this tag, risk managers can prioritize remediation for vendors using Appsmith for critical data orchestration, ensuring these high-privilege administrative gateways are secured based on real-time, actionable data.

Black Kite's Appsmith FocusTag® details critical insights on the event for TPRM professionals.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

In an environment where critical vulnerabilities are disclosed across diverse technologies like Cisco UCM telephony, SAP NetWeaver ERP systems, and Apache Solr search engines simultaneously, traditional risk assessment methods often fall short. Black Kite’s FocusTags® provide a streamlined, intelligence-driven approach to managing these complexities. By converting massive volumes of threat data into vendor-specific insights, FocusTags® allow organizations to:

  • Identify True Exposure Instantly: Rapidly pinpoint which vendors are actually running vulnerable versions of Sitecore, SharePoint, or MSSQL, moving from broad assumptions to verified technical footprints.
  • Prioritize Based on Exploitability: Focus limited remediation resources on the most dangerous threats, such as the actively exploited Cisco zero-day, while keeping a clear view of secondary risks like Apache Solr data exposure.
  • Precision-Led Vendor Outreach: Use asset-level intelligence, including specific IP addresses and subdomains, for evidence-based discussions with third parties, accelerating the validation of remediation claims.
  • Mitigate Supply Chain Lateral Movement: Understand the risk of pivot attacks by identifying vulnerabilities that grant operating-system-level access or allow credential hijacking, such as those in SAP NetWeaver and Appsmith.

Black Kite’s FocusTags® empower TPRM professionals to act with speed and technical accuracy, ensuring that third-party risk management remains proactive and effective even as the digital threat landscape continues to shift.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

  • Sitecore : CVE-2025-53690, Code Injection Vulnerability stemming from ASP.NET Machine Key Misconfiguration, Leading to ViewState Deserialization and Actively Exploited Remote Code Execution in Sitecore Products.
  • MSSQL - Jan2026 : CVE-2026-20803, Elevation of Privilege and Missing Authentication for Critical Function Vulnerability Leading to Unauthorized Debugging and System Memory Dumping in Microsoft SQL Server.
  • SharePoint - Jan2026 : CVE-2026-20959, CVE-2026-20958, CVE-2026-20951, CVE-2026-20963, CVE-2026-20947, Multiple Vulnerabilities including Deserialization of Untrusted Data, SQL Injection, and SSRF Leading to Remote Code Execution and Spoofing in Microsoft Office SharePoint.
  • Cisco UCM : CVE-2026-20045, Improper Input Validation and Remote Code Execution Vulnerability Leading to Unauthenticated Root Access and Active Exploitation in Cisco Unified Communications Products and Webex Calling.
  • SAP NetWeaver - Jan2026 : CVE-2026-0507, OS Command Injection and Remote Code Execution Vulnerability Leading to Full System Compromise in SAP Application Server for ABAP and SAP NetWeaver RFCSDK.
  • Apache Solr : CVE-2026-22444, CVE-2026-22022, Multiple Vulnerabilities including Authorization Bypass and Improper Input Validation Leading to Sensitive Data Exposure and NTLM Hash Disclosure in Apache Solr.
  • Appsmith : CVE-2026-22794 & CVE-2026-24042, Account Takeover and Critical Authorization Bypass (viewMode Confusion) Vulnerabilities Leading to Full Account Compromise in Appsmith.
  • Ni8mare : CVE-2026-21858, Improper Input Validation, Arbitrary File Read, Authentication Bypass, and Unauthenticated Remote Code Execution Vulnerabilities Leading to Full Administrative Takeover in n8n Workflow Automation Platform.
  • n8n – Jan2026 : CVE-2026-21877, Authenticated Arbitrary File Write Vulnerability Leading to Remote Code Execution and Total Compromise of n8n Instances.
  • D-Link DSL Routers : CVE-2026-0625, Unauthenticated Command Injection Vulnerability Leading to Actively Exploited Remote Code Execution in End-of-Life D-Link DSL Routers.
  • aiohttp : CVE-2025-69228, CVE-2025-69227, CVE-2025-69229, CVE-2025-69230, CVE-2025-69224, CVE-2025-69225, CVE-2025-69226, Multiple Denial of Service, Request Smuggling, Information Disclosure, and Path Traversal Vulnerabilities Affecting aiohttp Asynchronous HTTP Framework.
  • SmarterMail : CVE-2025-52691, Unauthenticated Arbitrary File Upload Vulnerability Leading to Remote Code Execution and Complete Email Server Compromise in SmarterMail.
  • Coolify : CVE-2025-64419, CVE-2025-64424, CVE-2025-64420, Multiple Command Injection and Credential Exposure Vulnerabilities Allowing Root-Level Code Execution and Persistent Access in the Coolify Platform.
  • SonicWall SMA1000 : CVE-2025-40602, CVE-2025-23006, Privilege Escalation and Pre-authentication Deserialization of Untrusted Data Vulnerabilities Leading to Unauthenticated Remote Code Execution in SonicWall SMA1000.
  • FortiGate SSL-VPN – Dec2025 : CVE-2020-12812, Improper Authentication Vulnerability Allowing Two-Factor Authentication (2FA) Bypass via Case-Sensitivity Mismatch in LDAP-Backed FortiGate SSL-VPN Deployments.
  • n8n : CVE-2025-68613, Arbitrary Code Execution via Improper Isolation of User-Supplied Expressions in n8n Workflow Automation Platform.
  • Exim Mail – Dec2025 : CVE-2025-26794, CVE-2025-67896, SQL Injection and Heap Buffer Overflow Vulnerabilities Leading to Memory Corruption and Potential Remote Code Execution in Exim Mail Transfer Agent.
  • Zimbra – Dec2025 : CVE-2025-68645, CVE-2025-67809, Local File Inclusion and Hardcoded Credentials Vulnerabilities Leading to Sensitive Data Exposure and Unauthorized Access in Zimbra Collaboration Suite.
  • MongoDB – Dec2025 : CVE-2025-14847, Out-of-bounds Read and Information Disclosure Vulnerability via zlib Compression Handling in MongoDB Server.
  • M-Files Server : CVE-2025-13008, CVE-2025-14267, Session Token Disclosure and Improper Removal of Sensitive Information Vulnerabilities Leading to Identity Impersonation and Information Disclosure in M-Files Server.

See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag® at https://blackkite.com/cve-database/.

References

https://securityonline.info/cve-2025-53690-mandiant-and-sitecore-warn-of-active-exploitation-in-asp-net-machine-key-configurations/

https://securityonline.info/zero-day-threat-uat-8837-targets-north-american-infrastructure/

https://nvd.nist.gov/vuln/detail/CVE-2025-53690

https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability

https://github.com/projectdiscovery/nuclei-templates/issues/13111

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865

https://nvd.nist.gov/vuln/detail/CVE-2026-20803

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20803

https://nvd.nist.gov/vuln/detail/CVE-2026-20959

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20959

https://nvd.nist.gov/vuln/detail/CVE-2026-20958

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20958

https://nvd.nist.gov/vuln/detail/CVE-2026-20951

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20951

https://nvd.nist.gov/vuln/detail/CVE-2026-20963

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963

https://nvd.nist.gov/vuln/detail/CVE-2026-20947

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20947

https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html

https://securityonline.info/under-attack-critical-cisco-rce-cve-2026-20045-exploited-in-the-wild/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

https://nvd.nist.gov/vuln/detail/CVE-2026-20045

https://me.sap.com/notes/3675151

https://url.sap/sapsecuritypatchday

https://nvd.nist.gov/vuln/detail/CVE-2026-0507

https://securityonline.info/search-engine-exposed-apache-solr-flaws-leak-data-bypass-auth/

https://www.openwall.com/lists/oss-security/2026/01/20/4

https://www.openwall.com/lists/oss-security/2026/01/20/5

https://nvd.nist.gov/vuln/detail/CVE-2026-22022

https://nvd.nist.gov/vuln/detail/CVE-2026-22444

https://securityonline.info/critical-appsmith-flaw-cve-2026-22794-allows-account-takeover/

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv

https://nvd.nist.gov/vuln/detail/cve-2026-22794