FOCUS FRIDAY: TPRM PERSPECTIVES ON MSSQL, REDIS, AND ZIMBRA VULNERABILITIES WITH BLACK KITE’S FOCUSTAGS™

This week’s Focus Friday examines a trio of high-profile vulnerabilities that pose a significant threat across the software supply chain. From Microsoft SQL Server—one of the most widely deployed database systems in enterprise environments—to Redis, a cornerstone of real-time data processing, and Zimbra Collaboration Suite, a popular email platform, each vulnerability offers a unique set of risks for TPRM professionals to consider.

In particular, we address three Microsoft SQL Server vulnerabilities disclosed in July 2025, including an RCE with potential for host-level compromise. We also explore how recently discovered flaws in Redis affect memory handling and availability. Finally, we turn our attention to a critical and actively exploited SSRF vulnerability in Zimbra that leads to full system compromise—tracked under CVE-2019-9621 and associated with APT exploitation.

Black Kite’s FocusTags™ help organizations quickly identify vendors exposed to these vulnerabilities, offering clarity and speed when every hour matters. Read on to explore the technical details, targeted questions to ask vendors, remediation guidance, and how you can operationalize Black Kite’s risk intelligence to protect your digital supply chain.

Filtered view of companies with MSSQL – Jul2025 FocusTag™ on the Black Kite platform.

MICROSOFT SQL SERVER CRITICAL VULNERABILITIES

What is Microsoft SQL Server Vulnerability?

The July 2025 Patch Tuesday addressed three high-severity vulnerabilities in Microsoft SQL Server: CVE-2025-49719, CVE-2025-49718, and CVE-2025-49717.

CVE-2025-49719 is an information disclosure vulnerability caused by improper input validation in SQL Server. An unauthenticated attacker can send specially crafted network requests to extract uninitialized memory content from the system. This vulnerability carries a CVSS score of 7.5 and an EPSS score of 0.23%.

CVE-2025-49718 is another information disclosure vulnerability that allows attackers to read heap memory from a privileged process over the network. It has a CVSS score of 7.5 and a slightly higher EPSS score of 0.30%, and is rated by Microsoft as “More Likely” to be exploited.

CVE-2025-49717 is a remote code execution vulnerability triggered by a heap-based buffer overflow. An attacker with low privileges can exploit this issue to escape the SQL Server context and execute arbitrary code on the host operating system. It is rated with a CVSS score of 8.5 and an EPSS score of 0.06%.All three vulnerabilities have no known public proof-of-concept exploits, are not publicly disclosed, and are not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog as of this writing. They are tracked in the European Union’s Vulnerability Database as EUVD-2025-20625, EUVD-2025-20550, and EUVD-2025-20626, respectively.

Table of affected Microsoft SQL Server versions for CVE-2025-49719, CVE-2025-49718, and CVE-2025-49717. Systems running builds earlier than the ones listed are vulnerable unless patched via the specified KB updates.

Why Should TPRM Professionals Be Concerned About These Microsoft SQL Server Vulnerabilities?

Microsoft SQL Server is a core component in many enterprise environments, often responsible for handling highly sensitive data such as customer records, financial transactions, and internal business logic. The vulnerabilities addressed in CVE-2025-49719, CVE-2025-49718, and CVE-2025-49717 represent a range of risks—from information disclosure to remote code execution—that can severely compromise the confidentiality, integrity, and availability of critical systems.

For TPRM professionals, these vulnerabilities are particularly concerning because:

• Information disclosure flaws (49719 and 49718) may expose memory-resident secrets such as credentials, encryption keys, or application logic, potentially cascading into broader compromise.
• The remote code execution flaw (49717) could allow attackers to gain control of the SQL Server host, execute arbitrary system-level commands, and move laterally within the environment.
• SQL Server is frequently used by third-party service providers, including those delivering SaaS platforms, analytics, and managed services—meaning your vendor’s exposure could become your exposure.

Assessing whether third-party vendors are running vulnerable versions and whether patches or compensating controls have been applied is essential for mitigating downstream risk tied to these flaws.

What Questions Should TPRM Professionals Ask Vendors Regarding Multiple Vulnerabilities?

1. Have you updated all instances of Microsoft SQL Server 2022, 2019, 2017, and 2016 to the builds specified in the advisory to mitigate the risk of CVE-2025-49719, CVE-2025-49718, and CVE-2025-49717?
2. Have you updated your application to use Microsoft OLE DB Driver 18 or 19, and are these drivers updated to the versions that provide protection against these vulnerabilities?
3. Can you confirm if you have implemented a robust patch management process to ensure timely application of all future security updates for SQL Server and related components, as recommended in the advisory?
4. Have you consulted with your third-party application vendors that connect to SQL Server to confirm compatibility with Microsoft OLE DB Driver 18 or 19, and have you followed their recommendations for driver updates?

Remediation Recommendations for Vendors Subject to This Risk

To address the risks associated with CVE-2025-49719, CVE-2025-49718, and CVE-2025-49717 in Microsoft SQL Server, vendors should take the following technical actions:

• Apply Security Updates Immediately: Upgrade Microsoft SQL Server to one of the patched versions released in July 2025. Ensure your deployment is running:
• • SQL Server 2022: CU19+GDR (Build 16.0.4200.1) or RTM+GDR (Build 16.0.1140.6)
  • SQL Server 2019: CU32+GDR (Build 15.0.4435.7) or RTM+GDR (Build 15.0.2135.5)
  • SQL Server 2017: CU31+GDR (Build 14.0.3495.9) or RTM+GDR (Build 14.0.2075.8)
  • SQL Server 2016: SP3 Azure Connect (Build 13.0.7055.9) or SP3 RTM+GDR (Build 13.0.6460.7)
  • For unsupported versions, upgrade to a supported build before applying the patch.
• Update Microsoft OLE DB Drivers: If your applications depend on SQL Server connectivity, upgrade to Microsoft OLE DB Driver 18 or 19, ensuring that the versions include fixes related to these vulnerabilities.
• Restrict Access to SQL Server Interfaces: Where possible, limit remote access to SQL Server services through firewall rules, segmentation, and strong authentication.
• Review Memory Handling in Custom Extensions: If custom stored procedures or CLR extensions are in use, ensure that no unsafe memory operations are implemented which could compound heap-based risks (particularly relevant to CVE-2025-49717).
• Monitor for Unusual Memory Access Patterns: Use database monitoring tools or Extended Events to detect anomalous behavior such as repeated heap inspection or abnormal execution paths that could indicate exploitation attempts.
• Implement Strong Patch Management: Establish a formal patch management process for database servers and related drivers to ensure timely updates moving forward.
• Audit Third-Party Dependencies: If any third-party applications interact with SQL Server, consult with the vendor to verify compatibility with the updated SQL Server and OLE DB drivers.

How Can TPRM Professionals Leverage Black Kite for Vulnerabilities?

Black Kite published the “MSSQL – Jul2025” FocusTag on July 8, 2025, providing insights into CVE-2025-49719, CVE-2025-49718, and CVE-2025-49717. This tag enables TPRM professionals to identify vendors potentially exposed to this vulnerability by analyzing asset information such as IP addresses and subdomains. By focusing on vendors with confirmed exposure, organizations can streamline their risk assessment processes and prioritize remediation efforts effectively.

For non-customers, Black Kite offers a demo to showcase how FocusTags can enhance your third-party risk management strategies

Black Kite’s MSSQL – Jul2025 FocusTagTM details critical insights on the event for TPRM professionals.

CVE-2025-32023 & CVE-2025-48367: REDIS VULNERABILITIES

What Are CVE-2025-32023 and CVE-2025-48367 in Redis?

CVE-2025-32023 is a buffer overflow vulnerability in Redis, affecting versions from 2.8 up to but not including 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An authenticated user can exploit this flaw by sending specially crafted strings during HyperLogLog operations, leading to stack or heap out-of-bounds writes and potentially resulting in remote code execution. This vulnerability has a CVSS score of 7.0 and an EPSS score of 0.03%. A public proof-of-concept (PoC) exploit is available, increasing the risk of exploitation.

CVE-2025-48367 is a denial-of-service (DoS) vulnerability in Redis, where an unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and service disruption. This issue affects the same versions as CVE-2025-32023 and has a CVSS score of 7.5 with an EPSS score of 0.02%. There is no known public PoC exploit for this vulnerability.

As of now, neither vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why Should TPRM Professionals Be Concerned About These Redis Vulnerabilities?

Redis is widely used as an in-memory data store for caching, real-time analytics, and message brokering. Exploitation of CVE-2025-32023 could allow attackers to execute arbitrary code on affected systems, potentially compromising sensitive data and system integrity. CVE-2025-48367 could be exploited to cause service disruptions, affecting application availability and performance. For organizations relying on third-party vendors that utilize Redis, these vulnerabilities pose significant risks to data confidentiality, integrity, and availability.

What Questions Should TPRM Professionals Ask Vendors Regarding These Redis Vulnerabilities?

1. Have you updated all instances of Redis to versions 8.0.3, 7.4.5, 7.2.10, or 6.2.19 to mitigate the risk of CVE-2025-32023 and CVE-2025-48367?
2. Have you implemented Redis Access Control Lists (ACLs) to prevent unprivileged users from executing Hyperloglog operations (e.g., PFADD, PFCOUNT, PFMERGE) as a temporary mitigation for CVE-2025-32023?
3. Have you enabled comprehensive logging for Redis to track access attempts and command executions, and integrated these logs with your centralized monitoring and SIEM systems to detect suspicious activity?
4. For CVE-2025-48367, have you ensured that Redis is configured with a strong password using the ‘requirepass’ directive in ‘redis.conf’ to prevent unauthenticated connections from causing repeated IP protocol errors?

Remediation Recommendations for Vendors

• Upgrade Redis: Update to Redis versions 8.0.3, 7.4.5, 7.2.10, or 6.2.19 to patch both vulnerabilities.
• Restrict HyperLogLog Commands: Use Redis Access Control Lists (ACLs) to disable PFADD, PFCOUNT, and PFMERGE commands for unprivileged users to mitigate CVE-2025-32023.
• Implement Network Segmentation: Limit network access to Redis instances by binding them to internal IP addresses and using firewalls to prevent unauthorized access.
• Enable Strong Authentication: Set a strong password using the requirepass setting in the redis.conf file to protect against unauthorized access.
• Monitor and Log: Enable detailed logging in Redis and integrate logs with centralized monitoring or SIEM tools to detect suspicious behavior.

How Can TPRM Professionals Leverage Black Kite for These Redis Vulnerabilities?

Black Kite published the “Redis – Jul2025” FocusTag^TM on July 9, 2025, providing insights into CVE-2025-32023 and CVE-2025-48367. This tag enables TPRM professionals to identify vendors potentially exposed to these vulnerabilities by analyzing asset information such as IP addresses and subdomains. By focusing on vendors with confirmed exposure, organizations can streamline their risk assessment processes and prioritize remediation efforts effectively.

For non-customers, Black Kite offers a demo to showcase how FocusTags can enhance your third-party risk management strategies.

Black Kite’s Redis – Jul2025 FocusTagTM details critical insights on the event for TPRM professionals.

CVE-2019-9621: ZIMBRA COLLABORATION SUITE SSRF VULNERABILITY

What is the Zimbra ProxyServlet SSRF Vulnerability?

CVE-2019-9621 is a Server-Side Request Forgery (SSRF) vulnerability in the ProxyServlet component of Zimbra Collaboration Suite, impacting versions prior to 8.6 patch 13, 8.7.11 patch 10, and 8.8.10 patch 7 / 8.8.11 patch 3. This vulnerability enables a multi-step exploitation chain that begins with an XML External Entity (XXE) injection to exfiltrate configuration files containing admin credentials. Using those credentials, attackers authenticate to Zimbra’s SOAP service and escalate to administrator privileges through an SSRF request targeting the internal admin interface on port 7071. With the acquired admin token, a web shell can be uploaded via the /clientUploader/upload endpoint, leading to full remote code execution.This vulnerability has a CVSS score of 7.5 and a very high EPSS score of 91.8%, highlighting both its severity and likelihood of exploitation. It has been actively exploited in the wild, most notably by the China-linked APT group Earth Lusca, and was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on July 7, 2025. A detailed public proof-of-concept (PoC) is available and widely used in exploitation scripts.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Zimbra Collaboration Suite is commonly used as an enterprise-grade email and communication platform. From a TPRM standpoint, vendors operating vulnerable versions of Zimbra may expose sensitive communications, allow unauthorized access to admin functions, or serve as an entry point for broader system compromise. The exploitation chain for CVE-2019-9621 leads to remote code execution with administrative privileges, which attackers can use to install persistent backdoors (e.g., web shells) or pivot further inside the vendor’s infrastructure. Moreover, compromised Zimbra servers can be leveraged to send spoofed emails, phish downstream clients, or exfiltrate confidential communication data.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To evaluate vendor risk accurately, consider asking:

• Are you using any version of Zimbra Collaboration Suite listed as vulnerable under CVE-2019-9621?
• Have you implemented firewall rules to restrict access to the internal Zimbra admin interface on port 7071?
• Are XML parsers in your Zimbra deployment configured to disable DTD processing to mitigate XXE vectors?
• How do you audit and restrict file uploads to paths such as /downloads/ and monitor for unusual uploads or web shell artifacts?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using affected Zimbra installations should:

• Upgrade Zimbra to patched versions: 8.6 patch 13+, 8.7.11 patch 10+, 8.8.10 patch 7+ or 8.8.11 patch 3+.
• Restrict access to the admin interface (port 7071) to internal IPs via firewalls or ACLs.
• Disable DTD parsing in XML libraries to mitigate XXE-based credential disclosure.
• Protect SOAP endpoints (/service/soap, /Autodiscover/Autodiscover.xml) through authentication, IP filtering, and rate limiting.
• Deploy a WAF with SSRF and XXE detection signatures, particularly for XML-based requests and file uploads.
• Harden upload paths such as /downloads/ by disabling unnecessary endpoints like clientUploader, and enforcing strict MIME-type validation.
• Enable detailed logging and forward logs to a SIEM to detect SSRF chaining, suspicious token usage, and unauthorized web shell execution attempts.
• Train administrators to recognize indicators of compromise including forged admin tokens, suspicious internal proxy requests, and SOAP abuse.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the Zimbra – Jul2025 FocusTag^TM on July 8, 2025, in response to increasing exploitation activity and CISA KEV inclusion. Through this tag, TPRM professionals can identify vendors running vulnerable Zimbra versions by correlating public IP addresses and subdomain data. This enables targeted outreach only to those at risk—saving time while increasing focus on actual exposure.

Black Kite’s platform not only detects software presence, but also pinpoints the external attack surface elements hosting that software, such as specific webmail interfaces or SOAP endpoints. This precision helps security and risk teams bypass the inefficiencies of blanket questionnaires and engage directly with the vendors who matter most in the context of CVE-2019-9621.

Black Kite’s Zimbra – Jul2025 FocusTagTM details critical insights on the event for TPRM professionals.

ENHANCING TPRM WITH BLACK KITE’S FOCUSTAGS™

As threats evolve across critical systems like Microsoft SQL Server, Redis, and Zimbra, the ability to filter, focus, and act on relevant risks becomes essential. Black Kite’s FocusTags™ deliver that clarity—turning complex threat intelligence into practical risk mitigation across your vendor ecosystem.

Here’s how they elevate Third-Party Risk Management (TPRM):

• Immediate Risk Visibility: Reveal which vendors in your ecosystem are exposed to actively exploited or newly disclosed vulnerabilities—without waiting for self-disclosure.
• Priority-Based Action: Focus on vendors whose exposure intersects with business-critical systems, such as mail infrastructure or data platforms, for effective triage.
• Technical-Driven Communication: Empower risk teams to ask precise, informed questions, not generic ones—enabling faster, more accurate responses from vendors.
• Actionable Exposure Context: Go beyond CVE identifiers with Black Kite’s attribution of vulnerable subdomains, IPs, and exposed assets in the wild.

Whether dealing with memory disclosure in SQL Server, exploitable command injection in Redis, or SSRF-to-RCE chains in Zimbra, FocusTags™ help security and risk professionals act with confidence—turning days of vendor vetting into minutes of focused response.