Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we examine three high‑profile vulnerabilities through a Third‑Party Risk Management (TPRM) lens. Today, we’ll dive into the critical remote code execution flaw in Ivanti Connect Secure (CVE‑2025‑22457), the unauthenticated password‑change vulnerability in FortiSwitch (CVE‑2024‑48887), and the signature‑validation bypass in MinIO Server (CVE‑2025‑31489). For each, we’ll outline the technical details, TPRM implications, vendor questions, and remediation best practices—equipping you to engage your third‑party ecosystem with precision and confidence.

Filtered view of companies with Ivanti Connect Secure – Apr2025 FocusTag™ on the Black Kite platform.

CVE-2025-22457 – Ivanti Connect Secure

What is the CVE-2025-22457 vulnerability in Ivanti Connect Secure?

A stack-based buffer overflow in Ivanti Connect Secure versions prior to 22.7R2.6 allows a remote, unauthenticated attacker to execute arbitrary code on the appliance, potentially leading to full system compromise. Rated Critical, it carries a CVSS 3.1 base score of 9.8 and, per Black Kite’s FocusTag, an EPSS probability of 24.07%. First published on April 3, 2025, this flaw was added to CISA’s Known Exploited Vulnerabilities Catalog on April 4, 2025. No PoC exploit code is publicly available at this time. Since mid‑March 2025, the Chinese state‑sponsored group UNC5221 has exploited CVE‑2025‑22457 in the wild, deploying the custom malware families Trailblaze (an in‑memory dropper) and Brushfire (a passive backdoor) while abusing Ivanti’s Integrity Checker Tool to evade detection.

Why should TPRM professionals care about CVE-2025-22457?

Ivanti Connect Secure appliances provide critical VPN access for employees and third parties. A successful exploit can grant attackers persistent, high‑privilege entry to a vendor’s network edge, enabling data exfiltration, lateral movement, and the implantation of backdoors. For organizations relying on vendors’ VPN infrastructure, an unpatched Ivanti appliance represents a direct attack path into sensitive environments, amplifying supply chain risk.

What questions should TPRM professionals ask vendors about this vulnerability?

To gauge exposure and preparedness, consider asking:

  1. Have you updated all instances of Ivanti Connect Secure to version 22.7R2.6, Ivanti Policy Secure to version 22.7R1.4, and Ivanti ZTA Gateways to version 22.8R2.2 to mitigate the risk of CVE-2025-22457?
  2. Can you confirm that you have discontinued the use of Pulse Connect Secure 9.1x, which reached End-of-Support and no longer receives patches, and migrated to a supported platform such as Ivanti Connect Secure?
  3. Are you actively monitoring VPN logs for anomalies, unusual crash behavior, or configuration changes that could indicate exploitation of the CVE-2025-22457 vulnerability?
  4. Are you using Ivanti’s Integrity Checker Tool (ICT) to detect signs of compromise related to the CVE-2025-22457 vulnerability, and if indicators are present, are you performing a factory reset and redeploying the appliance using version 22.7R2.6?

Remediation Recommendations for Vendors subject to this risk

  • Patch immediately: Upgrade Ivanti Connect Secure to 22.7R2.6 (released February 11, 2025) and apply Policy Secure (22.7R1.4, April 21, 2025) and ZTA Gateways (22.8R2.2, April 19, 2025) patches.
  • Discontinue unsupported versions: Migrate off Pulse Connect Secure 9.1x (end‑of‑support December 31, 2024).
  • Use ICT scans: Run Ivanti’s Integrity Checker Tool to hunt for post‑exploitation artifacts; if compromise is confirmed, perform a factory reset and redeploy from a known‑clean image.
  • Harden deployments: Restrict management interfaces to trusted networks, enforce multi‑factor authentication, and segment VPN infrastructure.
  • Monitor logs: Continuously review VPN and system logs for anomalies, crashes, or unauthorized configuration changes.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the CVE‑2025‑22457 FocusTag on April 4, 2025. Customers can automatically identify which vendors use affected Ivanti versions via asset discovery and continuous scanning. By integrating FocusTags™ into TPRM workflows, teams can filter out low‑risk vendors, concentrate outreach on those truly exposed, and retrieve detailed intelligence—such as IP addresses, subdomains, and configuration metadata—for rapid risk assessment. Non‑customers can request a demo to see how FocusTags™ streamline vulnerability‑driven vendor prioritization.

Black Kite’s Ivanti Connect Secure – Apr2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-48887 – Fortinet FortiSwitch

What is the FortiSwitch Unverified Password Change Vulnerability?

This flaw arises from an unverified password change (CWE‑620) in the FortiSwitch GUI’s set_password endpoint. A remote, unauthenticated attacker can send crafted HTTP/HTTPS requests to modify administrative credentials. It carries a CVSS 3.1 base score of 9.8 (Critical) and, per Black Kite’s FocusTag, an EPSS probability of 0.09%. No public PoC exploit exists, and to date no evidence of active exploitation has been observed. As of April 10, 2025, CVE‑2024‑48887 is not listed in CISA’s Known Exploited Vulnerabilities catalog, nor has CISA issued an advisory for it.

Why should TPRM professionals care about this vulnerability?

FortiSwitch appliances enforce network segmentation, VLANs, and policy enforcement at the edge. Unauthorized password changes grant attackers full control over switch configurations—enabling policy bypass, traffic interception, and lateral movement into critical environments. For organizations depending on third‑party network infrastructure, an unpatched FortiSwitch represents a direct supply chain threat that can lead to data exposure, operational disruption, and reputational damage.

What questions should TPRM professionals ask vendors about this vulnerability?

To assess vendor readiness and exposure, consider:

  1. Have you upgraded all instances of FortiSwitch to the recommended versions (7.6.1, 7.4.5, 7.2.9, 7.0.11, 6.4.15) or later to mitigate the risk of CVE-2024-48887?
  2. Have you implemented the recommended workarounds such as disabling HTTP/HTTPS access from administrative interfaces and configuring trusted hosts to limit access to the device’s admin interface using the FortiSwitch CLI?
  3. Can you confirm that you have enhanced your network monitoring to continuously review network traffic and FortiSwitch system logs for any anomalous activity that could indicate attempted exploitation of this vulnerability?
  4. Have you updated your incident response plans to include measures for rapid patch deployment and emergency password reset procedures, should any compromise be detected due to this vulnerability?

Remediation Recommendations for Vendors subject to this risk

Vendors should take the following actions immediately:

  • Apply patches: Upgrade all FortiSwitch devices to the fixed versions:
    • 7.6.x → 7.6.1 or later
    • 7.4.x → 7.4.5 or later
    • 7.2.x → 7.2.9 or later
    • 7.0.x → 7.0.11 or later
    • 6.4.x → 6.4.15 or later.
  • Disable direct admin access: If you cannot patch immediately, remove HTTP/HTTPS from the management interface and restrict admin access to trusted networks, for example by configuring trusted hosts through the FortiSwitch CLI so that only designated management addresses can reach the admin interface.
  • Enhance monitoring: Continuously review logs for authentication failures, unexpected configuration changes, or unusual admin sessions.
  • Update incident response: Incorporate rapid patching, emergency password resets, and configuration integrity checks into your response plans.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the FortiSwitch [Suspected] FocusTag on April 8, 2025. By integrating FocusTags™, TPRM teams can automatically pinpoint vendors running vulnerable FortiSwitch versions, retrieve detailed asset information (IP addresses, subdomains, version metadata), and concentrate outreach on those truly at risk. This focused approach reduces workload, minimizes vendor questionnaire fatigue, and accelerates remediation. Interested organizations can request a demo to see how FocusTags™ streamline vulnerability‑driven vendor prioritization.

Black Kite’s FortiSwitch [Suspected] FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-31489 – MinIO Server

What is the Incomplete Signature Validation Vulnerability in MinIO?

This flaw in MinIO’s Go module permits clients that already hold WRITE permissions to bypass cryptographic signature checks on unsigned‑trailer uploads (CWE‑347) by sending requests with x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER. It carries a High severity rating, with a CVSS 3.x score of 8.7 and an EPSS probability of 0.02%. First disclosed via NVD and the GitHub Advisory Database on April 3, 2025, it was subsequently covered by SecurityOnline on April 7, 2025. No public PoC exploit exists, and to date no active exploitation has been reported. As of April 2025, CVE‑2025‑31489 is not listed in CISA’s Known Exploited Vulnerabilities catalog, nor has CISA issued an advisory for it.

Why should TPRM professionals care about this vulnerability?

MinIO is widely deployed as an S3‑compatible object storage solution by vendors to host and serve critical data. A successful bypass of signature validation allows unauthorized uploads of arbitrary objects—potentially enabling data poisoning, malware distribution, or covert exfiltration channels. Any vendor relying on MinIO for customer-facing or internal storage faces elevated supply chain risk: malicious content could be served to downstream systems or used to conceal illicit activity within trusted buckets.

What questions should TPRM professionals ask vendors about this vulnerability?

To evaluate vendor exposure and controls, consider asking:

  1. Have you updated all instances of MinIO’s Go module to the patched release (RELEASE.2025‑04‑03T14‑56‑28Z) or later to mitigate the risk of CVE‑2025‑31489?
  2. Have you implemented the recommended workaround of rejecting any requests with header x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at your load balancer or API gateway?
  3. Are you actively monitoring for suspicious uploads and unexpected object additions on your MinIO server to detect potential exploitation of the incomplete signature validation vulnerability?
  4. Have you audited and minimized which principals have WRITE access to critical buckets and rotated any access keys that may have been exposed or misused due to the vulnerability?

Remediation Recommendations for Vendors subject to this risk

Vendors should implement the following measures without delay:

  • Upgrade MinIO: Apply the patched release (RELEASE.2025‑04‑03T14‑56‑28Z) or later to fully remediate CVE‑2025‑31489.
  • Block unsigned‑trailer uploads: At your load balancer or API gateway, reject any requests with x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER.
  • Harden WRITE access: Restrict WRITE permissions to only those principals that require it and enforce the principle of least privilege.
  • Enable anomaly logging: Configure MinIO server and your monitoring stack to alert on unexpected object uploads or signature‑validation failures.
  • Rotate credentials: After patching, rotate any access keys that may have been exposed or misused.
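The gateway workaround above, as an added example that is not MinIO’s own code: a small Go middleware that refuses any request carrying the unsigned‑trailer header and passes everything else to the upstream (a stub standing in for MinIO, which is an assumption of this example).

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header value that selects the unsigned-trailer upload mode named in the advisory.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// IsUnsignedTrailerRequest reports whether a request asks for an unsigned-trailer upload.
// Go canonicalises header names and the value is compared case-insensitively too.
func IsUnsignedTrailerRequest(r *http.Request) bool {
	v := strings.TrimSpace(r.Header.Get("X-Amz-Content-Sha256"))
	return strings.EqualFold(v, unsignedTrailer)
}

// RejectUnsignedTrailer wraps any handler (e.g. a reverse proxy in front of MinIO) and
// answers 403 to unsigned-trailer uploads, the interim workaround until the patched
// release is deployed. Ordinary UNSIGNED-PAYLOAD and fully signed uploads pass through.
func RejectUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsUnsignedTrailerRequest(r) {
			// Log what hunters need without copying the Authorization header.
			log.Printf("rejected unsigned-trailer upload: %s %s from %s",
				r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "unsigned trailer uploads are disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor drives the middleware with a constructed request carrying the given
// x-amz-content-sha256 value and returns the status the client would see. The
// upstream is a stub standing in for MinIO (an assumption for the example).
func StatusFor(method, path, sha256Header string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, path, nil)
	if sha256Header != "" {
		req.Header.Set("x-amz-content-sha256", sha256Header)
	}
	rec := httptest.NewRecorder()
	RejectUnsignedTrailer(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	log.Println("unsigned trailer ->", StatusFor("PUT", "/bucket/object", unsignedTrailer))
	log.Println("unsigned payload ->", StatusFor("PUT", "/bucket/object", "UNSIGNED-PAYLOAD"))
}
```

This blocks only the unsigned‑trailer mode the advisory names; upgrading to the patched release remains the actual fix.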

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite’s FocusTags™ offer a fast and simple way to track high‑profile cyber events and pinpoint which vendors are affected. By integrating the MinIO Server FocusTag, TPRM teams can automatically discover vendors running vulnerable MinIO versions, retrieve detailed asset metadata (bucket endpoints, version info), and focus outreach on truly at‑risk third parties—streamlining risk assessments and accelerating remediation. Non‑customers can request a demo to see how FocusTags™ drive efficient vendor risk prioritization.

Black Kite’s MinIO Server FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM With Black Kite FocusTags™

Black Kite FocusTags™ transform complex vulnerability data into targeted TPRM action by:

  • Accelerated Vendor Discovery: Automatically pinpoint which third parties run affected Ivanti, FortiSwitch, or MinIO versions—eliminating guesswork and reducing outreach scope.
  • Risk‑Driven Prioritization: Align vendor criticality and vulnerability severity to focus resources on the highest‑impact exposures first.
  • Tailored Vendor Dialogues: Leverage asset‑level intelligence (IP addresses, subdomains, bucket endpoints) to ask precise questions and validate remediation steps.
  • Holistic Threat Visibility: Combine multiple FocusTags™ in a unified dashboard, giving TPRM teams a consolidated view of emerging risks across VPN appliances, network switches, and object storage platforms.

By integrating FocusTags™ into your TPRM workflows, you’ll streamline assessments, minimize vendor fatigue, and accelerate mitigation. Request a demo today to see how Black Kite’s FocusTags™ can sharpen your third‑party risk program.

Stay Informed With Related Vulnerability Resources

One unpatched vulnerability in a vendor can have a cascading impact. But traditional vulnerability management doesn’t work for external risks. That’s why we’re ushering in a new era of Third-Party Cyber Risk Management (TPCRM) where third-party risk professionals can understand these external risks and effectively work with their vendors to mitigate them.

Both of these resources are available to everyone, not just Black Kite customers, as part of our mission to improve the health and safety of the entire planet’s cyber ecosystem.

Want to take a closer look at FocusTags™?

Take our platform for a test drive and request a demo today.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139, Code Injection / Arbitrary Code Execution Vulnerability, Observable Discrepancy / Sensitive Information Disclosure Vulnerability, Plaintext Storage of a Password / Sensitive Information Disclosure Vulnerability, NULL Pointer Dereference / DoS Vulnerability, Unrestricted Upload of File with Dangerous Type / Arbitrary Code Execution Vulnerability, Stack-based Buffer Overflow Vulnerability, Buffer Overflow Vulnerability, and Cross-Site Request Forgery (CSRF) Vulnerability in DrayTek Vigor Routers.
  • VMware ESXi – Mar2025 : CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, Heap Overflow Vulnerability, TOCTOU Race Condition Vulnerability, Arbitrary Write Vulnerability, Information Disclosure Vulnerability in VMware ESXi.
  • Apache Tomcat – Mar2025 : CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.
  • Axios HTTP Client : CVE-2025-27152, Server-Side Request Forgery (SSRF) Vulnerability, Credential Leakage in Axios HTTP Server.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22457

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

https://cyberscoop.com/china-espionage-group-ivanti-vulnerability-exploits

https://nvd.nist.gov/vuln/detail/CVE-2024-48887

https://fortiguard.fortinet.com/psirt/FG-IR-24-435

https://thehackernews.com/2025/04/fortinet-urges-fortiswitch-upgrades-to.html

https://securityonline.info/minio-urgently-patches-high-severity-incomplete-signature-validation-vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-31489

https://github.com/advisories/GHSA-wg47-6jq2-q2hh