Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we take a closer look at several high-impact cybersecurity vulnerabilities through the lens of Third-Party Risk Management (TPRM). This edition highlights three sets of flaws that demand immediate attention from organizations dependent on common infrastructure and analytics platforms.

We begin with a critical denial-of-service vulnerability in SonicWall’s SSL VPN that could knock perimeter defenses offline without user interaction. Next, we examine multiple vulnerabilities in Sophos Firewall, including a pre-auth command injection issue that could allow attackers to execute code without credentials. Finally, we turn to Salesforce Tableau Server, where several flaws—ranging from SSRF to path traversal and authorization bypass—raise concerns about unauthorized access to sensitive systems and data.

Each of these vulnerabilities reflects a growing challenge in vendor risk management: knowing which third parties are affected, how they are exposed, and what needs to be done about it. Black Kite’s Focus Tags make it possible to cut through the noise and zero in on real exposure—so TPRM professionals can take swift, targeted action.

Filtered view of companies with SonicWall SSL VPN – Jul2025 FocusTag™ on the Black Kite platform.

CVE-2025-40600: SonicWall Gen7 Devices Exposed to Remote DoS via SSL VPN

What is the vulnerability found in SonicWall SSL VPN?

CVE-2025-40600 is a Use of Externally-Controlled Format String vulnerability that affects the SSL VPN component of SonicWall’s Gen7 firewall devices running SonicOS. It allows a remote unauthenticated attacker to trigger a denial of service (DoS) attack by injecting malicious format strings through the SSL VPN interface, causing the service to crash.

The vulnerability has a CVSS v3 score of 9.8 and an EPSS score of 0.06%. It was publicly disclosed on July 29, 2025, with SonicWall’s advisory released on July 30, 2025. There is currently no public proof-of-concept (PoC) exploit available. The vulnerability is not known to be exploited in the wild, and it has not been added to CISA’s KEV catalog. No advisory has been issued by CISA.

Only Gen7 hardware and virtual devices are affected, including various TZ, NSa, NSsp, and NSv series firewalls running SonicOS 7.2.0-7015 and older. Devices with the SSL VPN service disabled are not vulnerable. While the exploitation complexity is considered high, the lack of authentication and remote execution capability make it a serious threat.

Why should TPRM professionals care about this vulnerability?

SonicWall firewall devices are often the first line of defense in an organization’s network perimeter. A denial of service on such a device can disrupt remote access and firewall services, directly impacting business operations. If a vendor’s network depends on vulnerable SonicWall firewalls, they may become unreachable during critical support windows or suffer availability issues during key operations. This disruption poses a third-party risk to customers relying on those vendors for continuous service availability.

What questions should TPRM professionals ask vendors?

The following questions will help assess vendor exposure to CVE-2025-40600:

  1. Have you upgraded all affected SonicWall Gen7 firewall devices, both hardware and virtual, to SonicOS 7.3.0-7012 or higher to mitigate the risk of CVE-2025-40600?
  2. If you were unable to immediately upgrade, did you disable the SSL-VPN interface on affected firewalls to mitigate the risk of a denial of service attack caused by CVE-2025-40600?
  3. Have you verified whether any Gen7 SonicWall firewall devices in your network, including TZ series, NSa series, and NSsp series hardware firewalls, and NSv virtual firewalls running on ESX, KVM, HYPER-V, AWS, and Azure, are still running SonicOS 7.2.0-7015 or older?
  4. Have you implemented any network monitoring solutions to detect unusual network traffic or behavior originating from or targeting your SonicWall firewalls, specifically related to potential exploitation of the Use of Externally-Controlled Format String vulnerability (CVE-2025-40600)?

Remediation recommendations for affected vendors

Vendors affected by CVE-2025-40600 should take the following actions to mitigate the threat and maintain operational resilience:

  • Review network architecture: Evaluate the role of SonicWall firewalls in your perimeter design. Ensure that service disruptions to these devices do not result in broader network outages.
  • Monitor for unusual activity: While this is a denial-of-service vulnerability, continuous monitoring for abnormal traffic to or from your SonicWall devices can help detect potential exploitation or reconnaissance.
  • Upgrade to fixed SonicOS versions immediately: Patch all affected Gen7 SonicWall firewalls—both hardware and virtual—to SonicOS 7.3.0-7012 or newer, which resolves this vulnerability.
  • Implement the workaround if patching is delayed: If an upgrade cannot be performed immediately, disable the SSL-VPN interface. This action removes the vulnerable component from exposure and should only be reversed after patching.
  • Identify and inventory affected devices: Catalog all Gen7 devices in your environment—including TZ, NSa, NSsp series hardware, and NSv virtual appliances deployed on ESX, KVM, HYPER-V, AWS, and Azure—and verify whether they are running SonicOS 7.2.0-7015 or earlier.

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite released the SonicWall SSL VPN – Jul2025 Focus Tag on July 31, 2025, with a high confidence level. The Focus Tag helps customers identify which vendors are truly exposed by confirming the use of Gen7 SonicWall devices running vulnerable firmware. In addition to identifying affected vendors, Black Kite provides IP address and subdomain intelligence associated with the exposed SSL VPN services, giving TPRM teams precise visibility. This is the initial version of the tag, not an update to a previous release.

Black Kite’s SonicWall SSL VPN – Jul2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-7382, CVE-2024-13974, and CVE-2024-13973: Sophos Firewall

What vulnerabilities affect Sophos Firewall?

Sophos Firewall has been impacted by three separate vulnerabilities, each with different attack surfaces and conditions:

  • CVE-2025-7382 is a command injection vulnerability in the WebAdmin interface. It allows an attacker located on the same network segment to execute arbitrary code on High Availability (HA) auxiliary firewall devices. To exploit this vulnerability, the attacker does not need authentication, but the target must have OTP authentication enabled for the administrator account. The issue has a CVSS score of 8.8 and an EPSS score of 0.28%. No public exploit code is currently available, and the vulnerability is not included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
  • CVE-2024-13974 is a business logic flaw in the Up2Date component. If an attacker can control DNS resolution for the firewall—such as through a Man-in-the-Middle (MITM) or DNS spoofing position—they can execute code remotely. This vulnerability has a CVSS score of 8.1 and an EPSS score of 0.14%. It was responsibly disclosed by the UK’s National Cyber Security Centre. There is no public proof of concept, and it has not been added to CISA’s KEV list.
  • CVE-2024-13973 is a post-authentication SQL injection vulnerability in the WebAdmin interface. An attacker must be an authenticated administrator to exploit it. If used, it could enable privilege escalation or further compromise of the firewall system. This issue carries a CVSS score of 6.8 and an EPSS score of 0.01%. Like the others, it is not actively exploited in the wild and is not in CISA’s KEV catalog.

All three vulnerabilities were disclosed in July 2025. They affect Sophos Firewall versions prior to v21.5 GA for CVE-2025-7382 and versions prior to v21.0 GA for the other two.

Why should TPRM professionals care?

Sophos Firewall appliances are often used at the perimeter of enterprise networks, including in high availability and multi-site configurations. Vulnerabilities affecting the WebAdmin interface or update mechanisms pose a direct risk to system integrity, service availability, and potentially the confidentiality of traffic routed through those firewalls.

For TPRM professionals, these vulnerabilities introduce the potential for third-party vendors to unknowingly operate critical security infrastructure that can be hijacked. In the case of CVE-2025-7382, pre-auth code execution on HA auxiliary devices could allow an attacker to gain a foothold in a vendor’s internal network without valid credentials. The business logic flaw in CVE-2024-13974 further expands the attack surface by relying on DNS control, which may be feasible in complex enterprise environments. Finally, while CVE-2024-13973 requires authentication, the ability to escalate privileges or tamper with firewall behavior remains a concern if an insider threat or credential compromise occurs.

From a risk management perspective, these vulnerabilities reflect multiple vectors by which a vendor’s network could become compromised or unreliable, leading to potential downtime, lateral movement, or data exposure that impacts their customers.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess third-party exposure, consider the following questions:

  1. Have you updated all instances of Sophos Firewall to versions later than v21.5 GA (21.5.0) and v21.0 GA (21.0.0) to mitigate the risk of CVE-2025-7382, CVE-2024-13974, and CVE-2024-13973?
  2. Can you confirm if you have audited the use of OTP authentication on HA auxiliary units to assess your historical risk related to CVE-2025-7382?
  3. Have you reviewed your WebAdmin logs for any suspicious post-authentication activity that could relate to CVE-2024-13973 and firewall DNS and Up2Date component logs for anomalous behavior that could indicate attempts to exploit the business logic flaw in CVE-2024-13974?
  4. Can you confirm if the ‘Allow automatic installation of hotfixes’ feature is enabled on all your Sophos Firewall devices and that the relevant hotfixes have been installed as per Sophos’s instructions?

Remediation recommendations for vendors subject to this risk

Vendors using Sophos Firewall devices should apply the following steps to reduce risk:

  • Upgrade immediately to supported versions. Devices running versions prior to v21.5 GA for CVE-2025-7382, or v21.0 GA for CVE-2024-13974 and CVE-2024-13973, should be patched. The relevant fixes are included in v21.0 MR2 and newer.
  • Enable and verify automatic hotfixes. Ensure that the option to automatically apply hotfixes is active on all Sophos Firewall devices. This feature is enabled by default, but administrators should check update history to confirm installation.
  • Audit configuration settings and historical exposure. Review whether OTP authentication was ever active on HA auxiliary firewalls. Also assess how DNS resolution for Up2Date was handled in your environment.
  • Log and alert reviews. Inspect WebAdmin logs for any signs of unusual behavior that may relate to post-auth SQL injection or admin manipulation. Check DNS and Up2Date logs for unexpected outbound queries or errors that could suggest tampering.

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite released the Sophos Firewall Focus Tag on July 28, 2025, with a high confidence rating. This tag highlights vendors whose attack surface includes Sophos Firewall appliances impacted by the vulnerabilities listed above.

Through asset-level intelligence, Black Kite identifies vendors operating affected versions of Sophos Firewall and pinpoints exposed IP addresses and subdomains where the vulnerable services are active. This allows TPRM professionals to focus assessments and outreach only on vendors who are verifiably at risk—saving time, reducing vendor fatigue, and improving response time during coordinated remediation efforts.

This is the first release of the Sophos Firewall Focus Tag, and it currently reflects the vulnerabilities known as of the July 2025 disclosure. Black Kite will continue to update this tag if further exploit activity or configuration-based risk factors are identified.

Black Kite’s Sophos Firewall FocusTag™ details critical insights on the event for TPRM professionals.

Salesforce Tableau Server Exposed to RCE, SSRF, and SQL Injection Risks

What are the vulnerabilities affecting Tableau Server?

Salesforce Tableau Server is impacted by a set of eight vulnerabilities, most of which are high severity and affect critical components of the platform.

CVE-2025-52446, CVE-2025-52447, and CVE-2025-52448 are authorization bypass vulnerabilities. These reside in the tabdoc API modules, particularly in the set-initial-sql and validate-initial-sql features. If exploited, an attacker can send arbitrary SQL queries to production database clusters, potentially leading to unauthorized data access, modification, or privilege escalation. Their CVSS scores range from 8.0 to 8.1, with EPSS scores between 0.02% and 0.03%.

CVE-2025-52449 is an unrestricted file upload vulnerability. This flaw affects the Extensible Protocol Service and allows attackers to upload disguised executable files. If successful, the server can be forced to execute these payloads, leading to remote code execution. The CVSS score for this vulnerability is 8.5, and its EPSS is 0.02%.

CVE-2025-52452 is a path traversal vulnerability. It exists in the duplicate-data-source module within the tabdoc API. Attackers can exploit this to access arbitrary files on the host system, such as configuration files or stored credentials. This vulnerability also holds a CVSS score of 8.5 and an EPSS of 0.05%.

CVE-2025-52453, CVE-2025-52454, and CVE-2025-52455 are server-side request forgery (SSRF) vulnerabilities. These affect the Flow Data Source, Amazon S3 Connector, and EPS Server modules. Exploiting these SSRF issues may allow attackers to make unauthorized requests to internal or external services, potentially bypassing network segmentation or firewall rules. CVSS scores for these vulnerabilities range from 5.3 to 8.2, with EPSS scores between 0.03% and 0.04%.

All vulnerabilities were disclosed in late July 2025. None are known to be actively exploited in the wild, and as of now, none have been included in CISA’s Known Exploited Vulnerabilities catalog.

The affected versions include all Tableau Server builds prior to 2025.1.3, 2024.2.12, and 2023.3.19, depending on deployment.

Why should TPRM professionals care about these vulnerabilities?

Tableau Server is widely used in organizations for business intelligence and data visualization. These vulnerabilities affect critical aspects of the server such as authentication controls, API behavior, file handling, and network communication.

From a third-party risk perspective, if a vendor operates vulnerable Tableau Server instances, there is a serious possibility of unauthorized access to production data, exposure of sensitive files, or compromise through remote code execution. SSRF vulnerabilities expand the threat surface by allowing attackers to reach internal systems and services that should not be exposed. These issues can lead to operational disruptions or data breaches that affect customers relying on the vendor’s services.

Because Tableau often integrates directly with enterprise data infrastructure, any compromise could also affect connected systems beyond the vendor environment.

What questions should TPRM professionals ask vendors?

To assess vendor exposure to these vulnerabilities, consider the following questions:

  1. Have you updated all instances of Tableau Server to versions 2025.1.3, 2024.2.12, or 2023.3.19 or later to mitigate the risk of the identified vulnerabilities including CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454, and CVE-2025-52455?
  2. Can you confirm if you have implemented measures to monitor and detect any unusual file uploads, unexpected database queries, or attempts to access restricted directories, specifically in relation to the vulnerabilities CVE-2025-52449 (file upload vulnerability) and CVE-2025-52452 (path traversal vulnerability)?
  3. Have you ensured that the Amazon S3 connector and Tableau Prep Conductor are enabled on your Tableau Server to prevent the exploitation of SSRF vulnerabilities CVE-2025-52453 and CVE-2025-52454?
  4. Can you confirm if you have updated the Trino driver to the latest version to mitigate potential risks associated with data access vulnerabilities, specifically in relation to the authorization bypass vulnerabilities CVE-2025-52446, CVE-2025-52447, and CVE-2025-52448?

Remediation recommendations for vendors subject to this risk

Vendors using affected versions of Tableau Server should take the following actions immediately:

  • Update Tableau Server to a supported version. Ensure that all instances are upgraded to 2025.1.3 or newer, 2024.2.12 or newer, or 2023.3.19 or newer, depending on the current deployment branch.
  • Audit API configuration to determine if vulnerable features such as set-initial-sql or validate-initial-sql were previously exposed or misused.
  • Review system and network logs for any signs of exploitation attempts. Focus on SQL activity, unauthorized uploads, and internal request traffic associated with SSRF.
  • Disable unused components or services such as EPS Server or Amazon S3 Connector if not required, especially until patches are confirmed applied.
  • Update data connectors, including the Trino driver, to their latest versions to ensure compatibility and eliminate related security issues.
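Turning the three remediation checklists in this post (SonicWall, Sophos and Tableau) into a repeatable version check is the step most easily got wrong, because each product has a different boundary: a single SonicOS build plus an SSL VPN on/off condition, two different GA releases depending on the CVE for Sophos, and a fixed Tableau build that depends on the release branch. The Python below is an added example written for this page, not Black Kite's or any vendor's code. The `Asset` and `Finding` records, the `triage` function and the sample inventory are assumptions constructed here; the version boundaries are the ones the post states (for Sophos, the per-CVE boundaries given under "What vulnerabilities affect Sophos Firewall?"). Anything the post does not cover (a non-7.x SonicOS build, a SonicOS build between the two stated boundaries, a Tableau branch not named in the advisory) is routed to manual review rather than guessed.

```python
"""Vendor asset triage against the affected-version boundaries quoted in this post.

Constructed example for this page, not Black Kite's or any vendor's code.
The version boundaries are the ones stated above; the inventory records,
the field names and the `triage` function itself are assumptions made here.
"""
import re
from typing import NamedTuple


class Asset(NamedTuple):
    vendor: str
    product: str                  # "sonicos" | "sophos" | "tableau"
    version: str                  # as reported by the vendor, e.g. "7.2.0-7015"
    ssl_vpn_enabled: bool = True  # only meaningful for SonicOS


class Finding(NamedTuple):
    vendor: str
    status: str   # "exposed" | "mitigated" | "patched" | "review"
    cves: tuple   # CVEs that still apply to this asset


def parse_version(text: str, width: int = 3) -> tuple:
    """Every digit run becomes one integer, zero-padded to `width` places:
    '7.3.0-7012' -> (7, 3, 0, 7012), 'v21.0 GA' -> (21, 0, 0), 'v21.0 MR2' -> (21, 0, 2)."""
    parts = [int(n) for n in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (width - len(parts)))


# SonicWall Gen7 / CVE-2025-40600: 7.2.0-7015 and older affected, 7.3.0-7012 fixed.
SONICOS_LAST_AFFECTED = parse_version("7.2.0-7015", width=4)
SONICOS_FIXED = parse_version("7.3.0-7012", width=4)

# Sophos Firewall: each CVE is fixed at a different GA release.
SOPHOS_FIXED = {
    "CVE-2025-7382": parse_version("v21.5 GA"),
    "CVE-2024-13974": parse_version("v21.0 GA"),
    "CVE-2024-13973": parse_version("v21.0 GA"),
}

# Tableau Server: the fixed build depends on the release branch (first two components).
TABLEAU_FIXED = {
    (2025, 1): parse_version("2025.1.3"),
    (2024, 2): parse_version("2024.2.12"),
    (2023, 3): parse_version("2023.3.19"),
}
TABLEAU_CVES = ("CVE-2025-52446", "CVE-2025-52447", "CVE-2025-52448", "CVE-2025-52449",
                "CVE-2025-52452", "CVE-2025-52453", "CVE-2025-52454", "CVE-2025-52455")


def triage(asset: Asset) -> Finding:
    """Map one reported asset to a remediation status using the post's boundaries."""
    if asset.product == "sonicos":
        v = parse_version(asset.version, width=4)
        if v[0] != 7:  # the CVE concerns Gen7 (SonicOS 7.x); anything else is reviewed by hand
            return Finding(asset.vendor, "review", ())
        if v >= SONICOS_FIXED:
            return Finding(asset.vendor, "patched", ())
        if v <= SONICOS_LAST_AFFECTED:
            # SSL VPN disabled is the published workaround: still tracked, but not exposed.
            status = "exposed" if asset.ssl_vpn_enabled else "mitigated"
            return Finding(asset.vendor, status, ("CVE-2025-40600",))
        return Finding(asset.vendor, "review", ())  # between the two boundaries; not covered by the text
    if asset.product == "sophos":
        v = parse_version(asset.version)
        open_cves = tuple(cve for cve, fixed in SOPHOS_FIXED.items() if v < fixed)
        return Finding(asset.vendor, "exposed" if open_cves else "patched", open_cves)
    if asset.product == "tableau":
        v = parse_version(asset.version)
        fixed = TABLEAU_FIXED.get(v[:2])
        if fixed is None:  # branch not named in the advisory: do not guess, escalate
            return Finding(asset.vendor, "review", TABLEAU_CVES)
        if v < fixed:
            return Finding(asset.vendor, "exposed", TABLEAU_CVES)
        return Finding(asset.vendor, "patched", ())
    raise ValueError(f"unknown product {asset.product!r}")


# Constructed sample inventory (hypothetical vendors, not real observations).
INVENTORY = [
    Asset("vendor-a", "sonicos", "7.2.0-7015"),
    Asset("vendor-b", "sonicos", "7.1.2-7019", ssl_vpn_enabled=False),
    Asset("vendor-c", "sonicos", "7.3.0-7012"),
    Asset("vendor-d", "sophos", "v21.0 MR1"),
    Asset("vendor-e", "sophos", "v20.0 GA"),
    Asset("vendor-f", "tableau", "2024.2.11"),
    Asset("vendor-g", "tableau", "2022.3.7"),
]


def triage_inventory(inventory=INVENTORY) -> list:
    """Triage every asset in the inventory; returns one Finding per asset, in order."""
    return [triage(a) for a in inventory]


if __name__ == "__main__":
    for f in triage_inventory():
        print(f"{f.vendor:<10} {f.status:<10} {', '.join(f.cves) or '-'}")
```

The `vendor-d` record is the case worth noticing: a Sophos build at v21.0 MR1 is already past the v21.0 GA boundary for CVE-2024-13974 and CVE-2024-13973 but still short of v21.5 GA, so only CVE-2025-7382 remains open for it. A single "is it patched" flag would hide that, which is why the finding carries the list of CVEs that still apply.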

How can TPRM professionals leverage Black Kite for this vulnerability?

Black Kite released the Salesforce Tableau Focus Tag on July 29, 2025, with a high confidence rating. This tag allows security and risk teams to identify vendors who are running vulnerable versions of Tableau Server or are exposing impacted modules to external access.

What sets Black Kite apart is its ability to surface not just vendor names but also asset-specific intelligence, including IP addresses and subdomains where Tableau Server is hosted. This enables TPRM professionals to narrow their scope to only those vendors who present actual risk due to observed exposure, reducing unnecessary assessments and accelerating targeted response.

This is the first issuance of the Tableau Focus Tag and includes all eight known vulnerabilities. If further attack activity emerges or exploitation methods are published, the tag will be updated accordingly.

Black Kite’s Salesforce Tableau FocusTag™ details critical insights on the event for TPRM professionals.

ENABLING SMARTER TPRM WITH BLACK KITE’S FOCUS TAGS™

When critical vulnerabilities appear in products like SonicWall SSL VPN, Sophos Firewall, or Tableau Server, they introduce not only technical risk but also third-party risk. Many organizations rely on these technologies through their vendors, and determining exposure quickly is essential.

Black Kite’s Focus Tags provide clarity during these high-pressure situations. Rather than casting a wide net, they allow teams to immediately identify which vendors are affected, down to the exposed asset or subdomain. This transforms incident response from a general inquiry to a focused, informed conversation.

Each tag includes technical context, product version details, and confirmation of live exposure. With that insight, risk teams can avoid sending unnecessary questionnaires to unaffected vendors and instead concentrate their efforts where it matters most.

By delivering precise, vendor-specific intelligence, Focus Tags help organizations respond to incidents faster, reduce vendor fatigue, and strengthen overall resilience across the supply chain.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • SonicWall SSL VPN – Jul2025 : CVE-2025-40600, Denial of Service Vulnerability in SonicWall SSL VPN.
  • Sophos Firewall : CVE-2025-7382, CVE-2024-13973, and CVE-2024-13974, OS Command Injection Vulnerability, SQL Injection Vulnerability, Remote Code Execution Vulnerability in Sophos Firewall.
  • Salesforce Tableau : CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454, and CVE-2025-52455, Authorization Bypass Vulnerability, Unrestricted File Upload Vulnerability, Path Traversal Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability in Salesforce Tableau.
  • SharePoint ToolShell : CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, Code Injection Vulnerability, Improper Authentication Vulnerability, Remote Code Execution Vulnerability, Path Traversal Vulnerability in Microsoft SharePoint.
  • Grafana – Jul2025 : CVE-2025-6023, CVE-2025-6197, Cross-site Scripting (XSS) Vulnerability and Open Redirect Vulnerability in Grafana.
  • MSSQL – Jul2025 : CVE-2025-49719, CVE-2025-49718, CVE-2025-49717, Information Disclosure Vulnerability, Remote Code Execution Vulnerability in Microsoft SQL Server.
  • Redis – Jul2025 : CVE-2025-32023, CVE-2025-48367, Buffer Overflow Vulnerability, Denial of Service Vulnerability in Redis.
  • Zimbra – Jul2025 : CVE-2019-9621, Server-Side Request Forgery (SSRF) Vulnerability in Zimbra.
  • Citrix Bleed 2 : CVE-2025-6543, CVE-2025-5777, CVE-2025-5349, Buffer Overflow Vulnerability, Out-of-Bounds Memory Read Vulnerability, RCE Vulnerability, and Improper Access Control Vulnerability in NetScaler ADC and NetScaler Gateway.
  • Wing FTP Server : CVE-2025-47812, Remote Code Execution Vulnerability in Wing FTP Server.
  • MongoDB – Jun2025 : CVE-2025-6709, CVE-2025-6710, DoS Vulnerabilities in MongoDB.
  • Mattermost : CVE-2025-4981, Arbitrary File Write Vulnerability in Mattermost.
  • Grafana – Jun2025 : CVE-2025-4123, Cross-Site Scripting (XSS) Vulnerability, Open Redirect Vulnerability, SSRF Vulnerability in Grafana.
  • Cisco ClamAV : CVE-2025-20260, CVE-2025-20234, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Read Vulnerability in Cisco ClamAV.
  • Elastic Kibana : CVE-2024-43706, Improper Authorization Vulnerability in Elastic Kibana.

See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag™ at https://blackkite.com/cve-database/

References

https://nvd.nist.gov/vuln/detail/CVE-2025-40600

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0013

https://securityonline.info/sonicwall-alert-critical-ssl-vpn-flaw-cve-2025-40600-allows-remote-dos-attack-on-firewalls

https://nvd.nist.gov/vuln/detail/CVE-2024-13974

https://nvd.nist.gov/vuln/detail/CVE-2025-7382

https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

https://nvd.nist.gov/vuln/detail/CVE-2024-13973

https://thehackernews.com/2025/07/sophos-and-sonicwall-patch-critical-rce.html

https://nvd.nist.gov/vuln/detail/CVE-2025-52453

https://nvd.nist.gov/vuln/detail/CVE-2025-52449

https://nvd.nist.gov/vuln/detail/CVE-2025-52447

https://nvd.nist.gov/vuln/detail/CVE-2025-52446

https://nvd.nist.gov/vuln/detail/CVE-2025-52452

https://nvd.nist.gov/vuln/detail/CVE-2025-52455

https://help.salesforce.com/s/articleView?id=005105043&type=1

https://nvd.nist.gov/vuln/detail/CVE-2025-52454

https://nvd.nist.gov/vuln/detail/CVE-2025-52448

https://securityonline.info/rce-ssrf-data-exposure-salesforce-patches-8-serious-flaws-in-tableau-server