Focus Friday: TPRM Strategies for Iran-Linked Surveillance Threats, Critical Open-Source Flaws, and Enterprise Data Leaks

Published: Mar 13, 2026

Authors: Ferdi Gül

Contributors: Hakan Karabacak

Introduction

Welcome to another edition of Focus Friday. This week has proven to be an exceptionally intense period for cybersecurity and Third-Party Risk Management (TPRM) professionals. We are currently observing a significant escalation in geopolitical cyber warfare, specifically driven by Iran-linked threat actors. These state-sponsored groups and their hacktivist counterparts are actively weaponizing critical vulnerabilities in edge devices and enterprise management infrastructure to conduct espionage, data exfiltration, and physical battle damage assessments.

Because of this heightened regional conflict, we are prioritizing intelligence on IoT surveillance exploitation, including a new FocusTag® for Hikvision IP Cameras and the reactivation of our Dahua IP Camera tag. Furthermore, threat actors are continuously probing for weaknesses in older patches, prompting us to reactivate our SolarWinds Web Help Desk tag due to a critical patch bypass. Alongside these targeted campaigns, this week also brought a massive wave of high-priority disclosures—spanning Microsoft Patch Tuesday (MSSQL and SharePoint), open-source framework flaws (Cloudflare Pingora, Gogs, Apache ZooKeeper), and enterprise system vulnerabilities (SAP NetWeaver, Vaultwarden). In this blog, we will break down each of these high-profile incidents and provide the technical questions and remediation steps you need to secure your vendor ecosystem.

Black Kite's Hikvision IP Cameras FocusTag® details critical insights on the event for TPRM professionals.

By utilizing Black Kite’s FocusTags®, organizations can move beyond manual, broad-spectrum vendor surveys and instead apply a data-driven approach to identify and mitigate these specific risks within their vendor ecosystem.

Also on Our Radar: The ShinyHunters Salesforce Campaign

While patching vulnerabilities is a primary focus this week, we must also highlight a massive data theft and extortion campaign currently making headlines. The cybercrime group ShinyHunters is actively exploiting misconfigured Salesforce Experience Cloud portals at scale. This is not a zero-day exploit, but rather an automated attack on overly permissive "guest user" profiles, allowing attackers to extract sensitive CRM data (contacts, leads, internal business info) without authentication. With the group threatening to leak data from hundreds of organizations starting March 14, 2026, TPRM teams must urgently assess their vendors' cloud configurations.

For a deep dive into how this attack works, the tactics of the "Scattered-Lapsus$-Hunters" supergroup, and how Black Kite is actively identifying at-risk organizations using our Salesforce Client FocusTag™, read our full analysis here: ShinyHunters and the Salesforce Experience Cloud Campaign: How Misconfigured Portals Create Supply Chain Risk.

Iran’s Cyber Playbook: Regional Escalation and Weaponized Edge Vulnerabilities

What is the Current Iranian-Linked Cyber Activity?

Since late February 2026, a significant surge in activity from Iranian state-directed actors—such as MuddyWater (MOIS), CyberAv3ngers (IRGC), and Void Manticore (Handala)—has redefined the threat landscape. This campaign uniquely blends legitimate data exfiltration with psychological operations and, most critically, situational awareness for kinetic strikes.

The current environment is characterized by the active weaponization of high-priority vulnerabilities across edge devices and enterprise management infrastructure:

  • CVE-2026-1281 (Ivanti EPMM): A zero-day used by MuddyWater for unauthenticated root-level RCE in mobile management environments.
  • CVE-2024-4577 (PHP CGI on Windows): Exploited by Void Manticore via "Best-Fit" encoding to bypass escape mechanisms.
  • CVE-2025-32433 (Erlang-based SSH): Allows root command execution via crafted packets, bypassing SSH authentication entirely.
  • CVE-2025-52691 (SmarterMail): A path traversal flaw used to drop webshells or malicious cron jobs.
  • CVE-2025-9316 (N-able N-Central): An unauthenticated session bypass often chained with XXE attacks.
  • CVE-2026-21514 (Microsoft Word): A security bypass in OLE mitigations, currently prioritized for patching due to active exploitation.

The Strategic Role of IoT: Hikvision and Dahua FocusTags®

A central pillar of the Iranian doctrine is the compromise of surveillance infrastructure for Battle Damage Assessment (BDA). By gaining "eyes on the ground," threat actors facilitate real-time targeting corrections for missile operations.

Dahua IP Camera (Reactivated FocusTag®)

We first addressed Dahua IP Camera risks in our 2024 Focus Friday post. However, we have reactivated this tag due to critical new intelligence. CVE-2021-33044 and CVE-2021-33045 are being leveraged to bypass logins using forged "NetKeyboard" and "Loopback" client types. A chilling example of this interplay was seen in the early 2026 escalations, where Iranian actors reportedly compromised cameras at critical infrastructure sites—including the Weizmann Institute of Science—just moments before strikes to verify impact.

CVE-2021-36260 & CVE-2017-7921: Hikvision IP Cameras

What is the Critical Vulnerability in Hikvision IP Cameras?

The Hikvision IP camera ecosystem is currently facing intense scrutiny due to two critical vulnerabilities: CVE-2021-36260 and CVE-2017-7921.

  • CVE-2021-36260: A command injection vulnerability in the web server component. With a CVSS score of 9.8 (Critical) and an exceptionally high EPSS score of 94.44, it allows unauthenticated root-level RCE. It was added to CISA’s KEV Catalog on January 10, 2022.
  • CVE-2017-7921: A logic error in request parsing that leads to administrative access without credentials (CVSS: 10.0, EPSS: 94.27). This legacy vulnerability saw a massive spike in mid-January 2026 and was added to CISA’s KEV on March 5, 2026.

Why should TPRM Professionals care about Hikvision vulnerabilities?

TPRM professionals must prioritize these because IP cameras are often the "forgotten" endpoints. In the current geopolitical climate, a compromised camera provides:

  • Pivot Points: Attackers use the camera as a "jump box" into the vendor's production network.
  • Data Exfiltration: Access to user databases and sensitive configuration files.
  • Physical Surveillance: Live visual access to a vendor's facilities, exposing proprietary processes.
  • Persistence: Hidden root accounts that remain invisible to standard device logs.

What questions should TPRM professionals ask vendors about these threats?

  1. Have you updated the firmware of your Hikvision products to version V5.5.800 build 210628 or later to mitigate the risk of the command injection flaw (CVE-2021-36260)?
  2. Have you applied the latest firmware patches provided by Hikvision to resolve the parsing logic flaws associated with CVE-2017-7921?
  3. Can you confirm if you have disabled unused services such as ONVIF or SSH on your Hikvision devices to limit potential exploitation of CVE-2021-36260 and CVE-2017-7921?
  4. Have you implemented strict VLAN tagging and network segmentation to isolate surveillance traffic from the main corporate or production network, limiting the potential impact of a compromise due to CVE-2021-36260 and CVE-2017-7921?

Remediation Recommendations for Vendors Subject to this Risk

  • Immediate Firmware Upgrades: Update Hikvision (V5.5.800+) and Dahua devices immediately.
  • Remove Public Exposure: Transition all IoT/surveillance devices behind a firewall or VPN. Public-facing port 37777 should be closed immediately.
  • VLAN Segmentation: Place surveillance traffic on a dedicated, isolated VLAN with strict ACLs to prevent lateral movement.
  • OLE Mitigation: Apply Microsoft's February 2026 patches to secure Word features against CVE-2026-21514.
  • Audit for Compromise: Check the /etc/passwd file and system accounts for unauthorized entries, especially those created during the high-activity windows of early 2026.

Black Kite's Hikvision IP Cameras FocusTag® details critical insights on the event for TPRM professionals.

The Return of SolarWinds Web Help Desk: A Persistent Patch Bypass (CVE-2025-26399)

We previously addressed the risks surrounding SolarWinds Web Help Desk (WHD) in our September 2025 Focus Friday post. However, the situation has escalated as CVE-2025-26399—a critical unauthenticated deserialization vulnerability (CVSS: 9.8)—was officially added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on March 9, 2026. This vulnerability is particularly dangerous because it serves as a direct patch bypass for previous RCE flaws (CVE-2024-28988 and CVE-2024-28986). The fact that these persistent flaws continue to resurface and are now listed in the KEV catalog is a strong signal for TPRM professionals; it suggests that threat actors are actively finding ways around initial fixes. Vendors must apply the 12.8.7 HF1 hotfix immediately, as relying on older patches is no longer a viable defense against this recurring RCE threat.

MSSQL - Mar2026 (CVE-2026-21262, CVE-2026-26115 & CVE-2026-26116)

What are the Elevation of Privilege Vulnerabilities in Microsoft SQL Server?

Microsoft SQL Server is currently impacted by three high-severity elevation of privilege (EoP) vulnerabilities: CVE-2026-21262, CVE-2026-26115, and CVE-2026-26116. Released during the March 2026 Patch Tuesday, these vulnerabilities primarily involve improper access control and input validation flaws within the SQL Server engine.

All three vulnerabilities carry a CVSS score of 8.8 (High). According to the Black Kite FocusTag®, the EPSS scores are 0.08% for CVE-2026-21262, 0.09% for CVE-2026-26115, and 0.07% for CVE-2026-26116. While these vulnerabilities are not currently listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog and have no confirmed active exploitation in the wild, CVE-2026-21262 was publicly disclosed as a zero-day prior to the patch release. This public disclosure significantly increases the likelihood of weaponization by threat actors seeking to escalate their footprint within compromised environments.

Why should TPRM Professionals care about the MSSQL March 2026 vulnerabilities?

SQL Server is the repository for an organization's most sensitive assets, including financial records, personally identifiable information (PII), and intellectual property. For TPRM professionals, these vulnerabilities represent a critical "second-stage" risk. While an attacker needs initial authenticated access to exploit them, a successful exploit grants sysadmin privileges.

If a vendor's SQL Server is compromised via these flaws, the impact is catastrophic:

  • Total Data Control: An attacker with sysadmin rights can bypass all database-level security to read, modify, or delete any record.
  • Infrastructure Ransomware: Threat actors often use database administrative access to encrypt backups or the database itself, leading to significant operational downtime for the vendor.
  • Lateral Movement: sysadmin accounts can often be leveraged to execute commands on the underlying host operating system (via features like xp_cmdshell), allowing the attacker to move from the database into the vendor's wider corporate network.

What questions should TPRM professionals ask vendors about these MSSQL vulnerabilities?

TPRM teams should verify that vendors are managing their database security with the necessary urgency.

  1. Have you applied the March 2026 security updates provided by Microsoft for the specific versions of SQL Server you are running to mitigate the risk of CVE-2026-21262, CVE-2026-26115, and CVE-2026-26116?
  2. Can you confirm if you have discontinued the use of the affected SQL Server versions to mitigate the risk of these CVEs?
     • SQL Server 2025: 17.0.4006.2 - 17.0.4015.4 (CU2), 17.0.1000.7 - 17.0.1050.2 (RTM)
     • SQL Server 2022: 16.0.4003.1 - 16.0.4236.2 (CU23), 16.0.1000.6 - 16.0.1165.1 (RTM)
     • SQL Server 2019: 15.0.4003.23 - 15.0.4455.2 (CU32), 15.0.2000.5 - 15.0.2155.2 (RTM)
     • SQL Server 2017: 14.0.3006.16 - 14.0.3515.1 (CU31), 14.0.1000.169 - 14.0.2095.1 (RTM)
     • SQL Server 2016: 13.0.7000.253 - 13.0.7070.1 (Azure Connect Feature Pack), 13.0.6300.2 - 13.0.6475.1 (SP3)
  3. Have you implemented measures to ensure that only authorized personnel have explicit login access to the SQL Server instances, as these EoP vulnerabilities require authenticated access?
  4. Have you taken steps to prevent SQL Injection attacks, specifically in relation to CVE-2026-26116, by implementing measures such as parameterized queries or prepared statements?

Remediation Recommendations for Vendors subject to this risk

Vendors should prioritize the following technical steps to secure their SQL Server environments:

  • Immediate Update Deployment: Install the March 2026 security updates provided by Microsoft. Ensure you select the correct update path (GDR vs. CU) based on your current build.
  • Precise Version Identification: Use the build numbers provided in the advisory (e.g., 17.0.4020.2 for SQL Server 2025) to verify successful patching.
  • Restrict Network Access: Ensure SQL Server instances are not directly accessible from the internet and are restricted to specific, authorized internal segments.
  • Audit Permissions: Review all accounts with login permissions to the SQL Server and remove any unnecessary explicit permissions that could be leveraged for elevation.
  • Lifecycle Management: Decommission or upgrade any SQL Server instances that have reached End of Life (EOL), as they remain permanently vulnerable to these and future flaws.

Black Kite's MSSQL - Mar2026 FocusTag® details critical insights on the event for TPRM professionals.

SharePoint - Mar2026 (CVE-2026-26105, CVE-2026-26114, CVE-2026-26106)

What are the RCE and Spoofing Vulnerabilities in Microsoft SharePoint Server?

Microsoft SharePoint Server is currently affected by three high-severity security flaws: CVE-2026-26105, CVE-2026-26114, and CVE-2026-26106. Disclosed during the March 2026 Patch Tuesday, these vulnerabilities range from spoofing via Cross-Site Scripting (XSS) to full Remote Code Execution (RCE).

CVE-2026-26105 is a spoofing vulnerability with a CVSS score of 8.1 (High) and an EPSS score of 0.05%. It occurs when the server fails to properly neutralize input during web page generation, allowing an unauthenticated attacker to execute scripts in a victim's browser context.

The RCE vulnerabilities, CVE-2026-26114 and CVE-2026-26106, both carry a CVSS score of 8.8 (High). According to the Black Kite FocusTag®, their EPSS scores are 0.50% and 0.09%, respectively. CVE-2026-26114 involves the insecure deserialization of untrusted data, while CVE-2026-26106 stems from improper input validation. While these vulnerabilities are not currently listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog and have no public Proof-of-Concept (PoC) as of March 12, 2026, their network-based attack vector makes them attractive targets for internal lateral movement.

Why should TPRM Professionals care about the SharePoint March 2026 vulnerabilities?

SharePoint often serves as the central nervous system for corporate collaboration, housing sensitive documents, project plans, and internal communications. For TPRM professionals, these vulnerabilities pose a multi-layered risk to the vendor ecosystem.

If a vendor's SharePoint server is compromised, the consequences include:

  • Credential Harvesting: The spoofing vulnerability (CVE-2026-26105) can be used to steal session tokens or trick employees into providing their corporate credentials.
  • Internal Data Theft: Attackers with "Site Member" permissions—often granted to a wide range of employees and contractors—can trigger the RCE flaws to gain full control of the server, exposing proprietary data and client information.
  • Malware Distribution: A compromised SharePoint server can be used to host and distribute malicious files that appear to be legitimate internal documents, potentially infecting the vendor's entire workforce and spreading to your organization through shared files.

What questions should TPRM professionals ask vendors about these SharePoint vulnerabilities?

TPRM teams should seek specific confirmation regarding the patching and access controls of these collaboration environments.

  1. Have you updated all instances of Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and SharePoint Enterprise Server 2016 to the versions that are not affected by CVE-2026-26105, CVE-2026-26114, and CVE-2026-26106?
  2. Can you confirm that you have installed the recommended Microsoft Knowledge Base (KB) updates (5002843, 5002845, 5002850) across all SharePoint environments to remediate the RCE and XSS flaws?
  3. Have you audited SharePoint Site Member permissions to ensure that only necessary personnel have access to create or modify content, as a mitigation measure against the RCE vulnerabilities CVE-2026-26114 and CVE-2026-26106 that can be triggered by low-privileged authenticated users?
  4. Have you implemented measures to educate users on phishing, specifically in relation to the spoofing vulnerability CVE-2026-26105, which requires user interaction such as clicking a malicious link?

Remediation Recommendations for Vendors subject to this risk

Vendors must take immediate action to secure their SharePoint infrastructure against these authenticated and unauthenticated threats:

  • Deploy Official Patches: Immediately install the relevant KB updates from Microsoft's March 2026 release. This is the only definitive fix for the deserialization and input validation flaws.
  • Verify Installation Success: Check the central administration build version to ensure the patch was successfully applied and that the server is no longer vulnerable to the identified CVEs.
  • Apply Principle of Least Privilege: Strictly limit which users have the ability to upload or modify content in SharePoint, as these roles are the primary prerequisites for exploiting the RCE vulnerabilities.
  • User Awareness Training: Conduct targeted phishing simulations and training to help employees recognize suspicious links that could trigger the spoofing vulnerability.

Black Kite's SharePoint - Mar2026 FocusTag® details critical insights on the event for TPRM professionals.

Cloudflare Pingora (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836)

What are the Request Smuggling and Cache Poisoning Vulnerabilities in Cloudflare Pingora?

Cloudflare has recently addressed three critical vulnerabilities in its open-source Rust framework, Pingora: CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836. Disclosed in early March 2026, these flaws impact standalone deployments of the Pingora proxy, particularly those exposed directly to external traffic.

CVE-2026-2833 is a critical HTTP Request Smuggling vulnerability (CVSS: 9.1, EPSS: 0.06%) caused by "Premature Upgrade Forwarding." Pingora would switch to passthrough mode upon receiving an Upgrade header before the backend confirmed the switch with a 101 Switching Protocols response. This allows attackers to tunnel malicious requests directly to the backend.

CVE-2026-2835 is a high-severity Request Smuggling flaw (CVSS: 9.1, EPSS: 0.06%) stemming from non-compliant parsing of HTTP/1.0 request bodies and multiple Transfer-Encoding values. This inconsistency allows for connection desynchronization, enabling hidden requests to bypass security layers.

CVE-2026-2836 is a critical Cache Poisoning and Cross-Origin Data Leak vulnerability (CVSS: 9.1, EPSS: 0.06%). The default cache key implementation relied solely on the URI path, ignoring the Host header. In multi-tenant environments, this leads to significant data leakage where one user receives a cached response intended for another host.

These vulnerabilities were published on March 4, 2026, and as of March 12, 2026, they are not yet listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog. While there is no current evidence of exploitation in the wild, the public availability of technical details and their critical nature make them high-priority targets.

Why should TPRM Professionals care about the Cloudflare Pingora vulnerabilities?

Pingora is increasingly adopted by vendors to build high-performance, custom proxies and CDNs. For TPRM professionals, these vulnerabilities are significant because they target the "ingress" point—the very gatekeepers meant to protect a vendor’s infrastructure.

If a vendor utilizes a vulnerable standalone Pingora deployment, the risks include:

  • WAF and ACL Bypass: Request smuggling allows attackers to slip malicious payloads past Web Application Firewalls and access-control lists, reaching internal backend services that were never meant to be public-facing.
  • Session Hijacking: By desynchronizing the connection framing, an attacker can capture or inject into subsequent user sessions, potentially compromising the accounts of the vendor’s employees or even their clients.
  • Massive Data Leakage: The cache poisoning flaw can lead to "Cross-Tenant" leaks. If your vendor hosts multiple clients on the same infrastructure, your sensitive data could be served to another client simply because they requested a similar URL path.

What questions should TPRM professionals ask vendors about these Pingora vulnerabilities?

TPRM teams must verify if their vendors are using this specific open-source framework in a standalone capacity.

  1. Have you updated all instances of Pingora to version 0.8.0 or later to mitigate the risk of CVE-2026-2835, CVE-2026-2833, and CVE-2026-2836?
  2. Have you implemented strict request filtering to reject any non-HTTP/1.1 requests, requests with invalid Content-Length, or any Upgrade headers to prevent HTTP Request Smuggling and Premature Upgrade Forwarding?
  3. Have you manually configured cache keys to include the Host/Authority, the TLS scheme, and the HTTP method to prevent cross-tenant data leakage as recommended in the advisory?
  4. Can you confirm that your backend servers are configured to reject ambiguous HTTP requests (e.g., those with multiple Transfer-Encoding headers) to prevent "desync" even if the proxy is compromised?

Remediation Recommendations for Vendors subject to this risk

Vendors identified as using vulnerable versions of Pingora should take the following technical steps:

  • Immediate Framework Upgrade: Update to Pingora v0.8.0. This version removes the insecure default cache key and enforces strict RFC 9112 compliance for message parsing.
  • Manual Cache Key Configuration: If upgrading is delayed, manually reconfigure cache keys to include the Host/Authority and TLS scheme to ensure cross-origin isolation.
  • Traffic Filtering: Configure request filters to return an error on any request containing an Upgrade header or invalid Content-Length/Transfer-Encoding headers.
  • Backend Hardening: Ensure backend servers are configured to strictly validate HTTP framing and reject any desynchronized requests passed from the proxy layer.
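As an added example (not Pingora's own code, and using no Pingora API), the following std-only Rust models the two remediation points above: a proxy-side filter that rejects the ambiguous framing behind CVE-2026-2833 and CVE-2026-2835 instead of resolving it, and the replacement of the path-only cache key behind CVE-2026-2836 with one that includes method, scheme and authority. The Request type, the Reject reasons and the tenant hosts tenant-a.example and tenant-b.example are constructed here for illustration.

```rust
// Added example, not Pingora's own code: std-only Rust modelling the framing checks and
// the cache-key fix from the advisory. Request, Reject and the tenant hosts are constructed.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub enum Reject {
    UpgradeNotAllowed,
    MultipleTransferEncoding,
    TransferEncodingOnHttp10,
    ContentLengthWithTransferEncoding,
    InvalidContentLength,
    ChunkedNotFinalCoding,
}

/// Minimal request head. Repeated headers stay as separate entries so duplicates are visible.
#[derive(Debug, Clone)]
pub struct Request {
    pub method: String,
    pub scheme: String,
    pub host: String,
    pub path: String,
    pub version: String,
    pub headers: Vec<(String, String)>,
}

impl Request {
    pub fn new(method: &str, scheme: &str, host: &str, path: &str, version: &str,
               headers: &[(&str, &str)]) -> Request {
        let headers = headers.iter().map(|(n, v)| (n.to_string(), v.to_string())).collect();
        Request { method: method.into(), scheme: scheme.into(), host: host.into(),
                  path: path.into(), version: version.into(), headers }
    }

    fn header_values(&self, name: &str) -> Vec<&str> {
        self.headers.iter().filter(|(n, _)| n.eq_ignore_ascii_case(name)).map(|(_, v)| v.trim()).collect()
    }
}

/// Proxy-side filter from the advisory: no Upgrade, exactly one unambiguous body length,
/// never chunked on HTTP/1.0 (RFC 9112 section 6). Ambiguity is rejected, not resolved.
pub fn validate_framing(req: &Request) -> Result<(), Reject> {
    if !req.header_values("upgrade").is_empty() {
        // CVE-2026-2833: the proxy must not enter passthrough on the client's say-so.
        return Err(Reject::UpgradeNotAllowed);
    }
    let te = req.header_values("transfer-encoding");
    let cl = req.header_values("content-length");
    if te.len() > 1 {
        return Err(Reject::MultipleTransferEncoding);
    }
    if let Some(te_value) = te.first() {
        if req.version == "HTTP/1.0" {
            return Err(Reject::TransferEncodingOnHttp10);
        }
        if !cl.is_empty() {
            // Content-Length alongside Transfer-Encoding is the classic desync signal.
            return Err(Reject::ContentLengthWithTransferEncoding);
        }
        let codings: Vec<String> = te_value.split(',').map(|c| c.trim().to_ascii_lowercase()).collect();
        let chunked = codings.iter().filter(|c| c.as_str() == "chunked").count();
        if chunked != 1 || codings.last().map(String::as_str) != Some("chunked") {
            return Err(Reject::ChunkedNotFinalCoding);
        }
    }
    if cl.len() > 1 || cl.iter().any(|v| v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit())) {
        return Err(Reject::InvalidContentLength);
    }
    Ok(())
}

/// The pre-0.8.0 default behind CVE-2026-2836: the cache key is the URI path alone.
pub fn weak_cache_key(req: &Request) -> String {
    req.path.clone()
}

/// Hardened key per the advisory: method, scheme and authority are part of the key.
pub fn hardened_cache_key(req: &Request) -> String {
    format!("{} {}://{}{}", req.method, req.scheme, req.host.to_ascii_lowercase(), req.path)
}

/// One cache shared by several tenants; returns the body each request was served.
/// The origin is simulated and answers with a body naming the host it belongs to.
pub fn serve_through_cache(key_fn: fn(&Request) -> String, reqs: &[Request]) -> Vec<String> {
    let mut cache: BTreeMap<String, String> = BTreeMap::new();
    reqs.iter().map(|r| {
        cache.entry(key_fn(r)).or_insert_with(|| format!("private data of {}{}", r.host, r.path)).clone()
    }).collect()
}

fn main() {
    let a = Request::new("GET", "https", "tenant-a.example", "/account", "HTTP/1.1", &[]);
    let b = Request::new("GET", "https", "tenant-b.example", "/account", "HTTP/1.1", &[]);
    println!("path-only key: {:?}", serve_through_cache(weak_cache_key, &[a.clone(), b.clone()]));
    println!("hardened key:  {:?}", serve_through_cache(hardened_cache_key, &[a, b]));
    let cl_te = Request::new("POST", "https", "tenant-a.example", "/api", "HTTP/1.1",
                             &[("Content-Length", "4"), ("Transfer-Encoding", "chunked")]);
    println!("CL+TE request: {:?}", validate_framing(&cl_te));
}
```

With the path-only key the second tenant's request for /account is served the first tenant's cached body; with the hardened key each tenant receives its own.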

Black Kite's Cloudflare Pingora FocusTag® details critical insights on the event for TPRM professionals.

Gogs - Mar2026 (CVE-2025-64111, CVE-2025-64175, CVE-2026-24135)

What are the Critical Vulnerabilities in Gogs?

Gogs, a widely used self-hosted Git service, is currently affected by three severe security flaws: CVE-2025-64111, CVE-2025-64175, and CVE-2026-24135. These vulnerabilities were officially disclosed in early February 2026.

The most dangerous of the group, CVE-2025-64111, is a Critical Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8 and an EPSS score of 0.16%. It stems from an insufficient patch for a previous flaw, allowing unauthenticated attackers to tamper with a repository’s .git/config file via the API’s UpdateRepoFile function, ultimately leading to full system compromise.

CVE-2025-64175 is a High-severity 2FA bypass (CVSS: 8.8, EPSS: 0.02%) that allows an attacker with a victim's credentials to use any unused recovery code to take over the account. CVE-2026-24135 is a High-severity Path Traversal flaw (CVSS: 8.1, EPSS: 0.06%) found in the wiki update feature, allowing authenticated users to delete arbitrary files on the host server.

While these specific CVEs were published recently, a related Gogs zero-day (CVE-2025-8110) was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on January 12, 2026, following automated attack campaigns involving over 700 compromised instances. The current vulnerabilities in the March 2026 tag are assessed as high-priority targets due to this history of active, automated exploitation.

Why should TPRM Professionals care about the Gogs March 2026 vulnerabilities?

Gogs is often the core repository for a vendor's source code, proprietary algorithms, and CI/CD pipelines. For TPRM professionals, a compromise in a vendor’s Git service is a direct threat to the software supply chain.

If a vendor's Gogs instance is breached:

  • Source Code Theft: Attackers can exfiltrate private repositories containing intellectual property or hardcoded secrets (API keys, credentials).
  • Supply Chain Poisoning: By exploiting RCE (CVE-2025-64111), an attacker can inject malicious code directly into the vendor’s production branches, which then flows to your organization as an "official" update.
  • Denial of Service: The path traversal flaw (CVE-2026-24135) allows for the deletion of critical configuration or documentation files, potentially causing prolonged operational downtime for the vendor.
  • Account Takeover: The 2FA bypass renders multi-factor authentication ineffective, making it easier for attackers to gain the "authenticated" status required for further internal exploitation.

What questions should TPRM professionals ask vendors about these Gogs vulnerabilities?

TPRM teams should verify that vendors are securing their development environments with the same rigor as production systems.

  1. Have you updated all instances of Gogs to version 0.14.2 or later to mitigate the risk of CVE-2026-25921?
  2. Have you audited the LFS storage directory for any signs of tampering, particularly for repeated LFS upload attempts targeting existing OIDs or unusual LFS object creation from low-privileged accounts?
  3. Can you confirm if you have implemented server-side verification of uploaded LFS file content against the claimed SHA-256 hash as recommended in the immediate software upgrade?
  4. Have you implemented object-level security by temporarily disabling LFS support in the Gogs configuration to block tampered uploads if an immediate update was not feasible?

Remediation Recommendations for Vendors subject to this risk

Vendors must act quickly to secure their development infrastructure:

  • Upgrade Immediately: The primary fix is to move to Gogs 0.13.4 or newer. This addresses the insufficient path validation and the 2FA scoping logic.
  • Disable Open Registration: To minimize the attack surface, disable the default open-registration setting to prevent attackers from gaining the authenticated state needed for certain exploits.
  • Review .git Configuration: Regularly audit repositories for unauthorized changes to sensitive files within the .git directory.
  • Network Hardening: Do not expose Git services directly to the internet. Implement a VPN and require strong, unique credentials for all developer accounts.

Black Kite's Gogs - Mar2026 FocusTag® details critical insights on the event for TPRM professionals.

SAP NetWeaver for ABAP (CVE-2026-24316, CVE-2026-24309, CVE-2026-27688, CVE-2026-27684)

What are the Vulnerabilities in SAP NetWeaver Application Server for ABAP?

SAP NetWeaver Application Server for ABAP is currently impacted by multiple security vulnerabilities, including Server-Side Request Forgery (SSRF), Missing Authorization Checks, and SQL Injection. These flaws were disclosed as part of SAP’s March 2026 Security Patch Day.

Three of the vulnerabilities (CVE-2026-24316, CVE-2026-24309, and CVE-2026-27688) are characterized by their location within ABAP Reports originally designed for testing purposes. These reports allow an attacker to send HTTP requests to arbitrary internal or external endpoints.

  • CVE-2026-24316 has a CVSS score of 6.4 (Medium) and an EPSS score of 0.03%.
  • CVE-2026-24309 carries a CVSS score of 6.4 (Medium) and an EPSS score of 0.04%.
  • CVE-2026-27688 has a CVSS score of 5.0 (Medium) and an EPSS score of 0.03%.

Additionally, CVE-2026-27684 is a SQL Injection vulnerability in the SAP NetWeaver Feedback Notification component (CVSS: 6.4, EPSS: 0.03%), which allows authenticated attackers to execute malicious SQL statements. As of March 12, 2026, none of these vulnerabilities are listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog, and there are no reports of public Proof-of-Concept (PoC) exploits or active attack campaigns in the wild.

Why should TPRM Professionals care about the SAP NetWeaver March 2026 vulnerabilities?

SAP NetWeaver is the foundational platform for a vendor's most critical business applications, including ERP, Finance, and HR systems. For TPRM professionals, these "Medium" severity vulnerabilities represent significant internal risks that can be leveraged to bypass traditional security perimeters.

When assessing vendor risk, consider the following impacts of these vulnerabilities:

  • Internal Reconnaissance: SSRF vulnerabilities (CVE-2026-24316, CVE-2026-24309, CVE-2026-27688) allow an attacker to use the SAP server as a proxy to scan the vendor's internal network, interacting with sensitive internal services that are not internet-facing.
  • Unauthorized Data Access: Missing authorization checks mean that even low-privileged users can access system information or reports they should not be able to see, leading to internal data leakage.
  • Database Compromise: The SQL Injection vulnerability (CVE-2026-27684) could allow an authenticated attacker to read or modify business-critical data within the SAP database, potentially disrupting the vendor's financial or operational integrity.

What questions should TPRM professionals ask vendors about these SAP NetWeaver vulnerabilities?

TPRM teams should ask targeted questions to ensure vendors are securing their SAP environments effectively.

  1. Have you updated all instances of SAP NetWeaver Application Server for ABAP to the latest SAP_BASIS versions that are not affected by CVE-2026-24316, CVE-2026-24309, CVE-2026-27688, and CVE-2026-27684?
  2. Have you implemented the recommended actions such as reviewing and restricting ABAP Report usage, applying official security updates, monitoring for suspicious activity, and implementing network segmentation and filtering to mitigate the risk of these vulnerabilities?
  3. Can you confirm if you have applied the security patches mentioned in SAP security note 3689080 to address the vulnerabilities in SAP NetWeaver Application Server for ABAP?
  4. Are you actively monitoring network traffic and application logs for unusual HTTP requests targeting internal or unexpected external endpoints as a measure to detect potential exploitation of these SSRF vulnerabilities?

Remediation Recommendations for Vendors subject to this risk

Vendors should take the following technical actions to secure their SAP landscapes:

  • Apply SAP Security Notes: Immediately implement the corrections provided in SAP Security Note 3689080. This is the primary remediation for the SQL Injection and SSRF flaws discovered by researchers.
  • Clean Up Testing Artifacts: Deactivate or remove ABAP Reports intended for testing from production environments. If they must remain, ensure they are protected by strict authorization objects.
  • Strengthen Authorization Checks: Review the SAP system to ensure missing authorization checks (specifically for CVE-2026-24309 and CVE-2026-27688) are resolved by enforcing proper role-based access control (RBAC).
  • Egress Filtering: Configure firewalls to restrict the SAP Application Server's ability to initiate outbound HTTP/HTTPS requests, limiting the "reach" of an SSRF exploit.
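
The egress-filtering advice above can be checked against real traffic. The following Python is an added example (not SAP's or Black Kite's code): it evaluates constructed firewall flow records from an SAP application server against a default-deny egress allowlist and lists the internal destinations an SSRF through that server would otherwise have been able to reach. The allowlist entries, server addresses and flow lines are all assumptions made up for the example.

```python
"""Added example, not SAP's or Black Kite's code: apply a default-deny egress
policy to outbound connections from an SAP application server and measure
how much internal "reach" an SSRF through it would have had."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed: destinations the SAP server legitimately needs to reach.
EGRESS_ALLOWLIST = {
    ("10.20.30.40", 443),    # internal integration gateway (constructed)
    ("198.51.100.10", 443),  # external SaaS endpoint (constructed)
}

# Ranges that an SSRF is typically used to pivot into: RFC 1918, loopback,
# and link-local (which includes cloud instance metadata services).
SENSITIVE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

@dataclass
class Verdict:
    src: str
    dst: str
    port: int
    action: str   # "allow" or "block"
    reason: str

def evaluate_egress(src: str, dst: str, port: int, sap_servers: Set[str]) -> Verdict:
    """Default-deny for SAP servers: only allowlisted (dst, port) pairs pass."""
    if src not in sap_servers:
        return Verdict(src, dst, port, "allow", "not an SAP application server")
    if (dst, port) in EGRESS_ALLOWLIST:
        return Verdict(src, dst, port, "allow", "on egress allowlist")
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in SENSITIVE_RANGES):
        return Verdict(src, dst, port, "block", "internal destination not on allowlist")
    return Verdict(src, dst, port, "block", "external destination not on allowlist")

def review_flow_log(lines: Iterable[str], sap_servers: Set[str]) -> List[Verdict]:
    """Each line is a constructed 'timestamp src dst port' flow record."""
    verdicts = []
    for line in lines:
        _ts, src, dst, port = line.split()
        verdicts.append(evaluate_egress(src, dst, int(port), sap_servers))
    return verdicts

def internal_reach(verdicts: List[Verdict]) -> List[str]:
    """Distinct internal hosts an SAP server contacted that the policy blocks:
    a burst of these from one server is the reconnaissance pattern to alert on."""
    return sorted({v.dst for v in verdicts
                   if v.action == "block" and v.reason.startswith("internal")})

# Constructed sample: 10.1.1.5 is the ABAP application server, 10.1.1.99 is not.
SAP_SERVERS = {"10.1.1.5"}
SAMPLE_FLOWS = """\
2026-03-10T09:00:01Z 10.1.1.5 10.20.30.40 443
2026-03-10T09:00:02Z 10.1.1.5 198.51.100.10 443
2026-03-10T09:00:05Z 10.1.1.5 10.1.2.10 80
2026-03-10T09:00:05Z 10.1.1.5 10.1.2.11 80
2026-03-10T09:00:06Z 10.1.1.5 10.1.2.12 8080
2026-03-10T09:00:07Z 10.1.1.5 169.254.169.254 80
2026-03-10T09:00:09Z 10.1.1.5 203.0.113.9 443
2026-03-10T09:00:10Z 10.1.1.99 10.1.2.10 80
""".splitlines()

if __name__ == "__main__":
    results = review_flow_log(SAMPLE_FLOWS, SAP_SERVERS)
    for v in results:
        print(f"{v.action:5} {v.src} -> {v.dst}:{v.port}  ({v.reason})")
    print("internal hosts reached outside policy:", internal_reach(results))
```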

Black Kite's SAP NetWeaver for ABAP FocusTag® details critical insights on the event for TPRM professionals.

Vaultwarden (CVE-2026-27803, CVE-2026-27802, CVE-2026-27898)

What are the High-Severity Flaws in Vaultwarden?

Vaultwarden, an unofficial Bitwarden-compatible server preferred by many organizations for self-hosting sensitive secrets, is currently impacted by three significant vulnerabilities: CVE-2026-27803, CVE-2026-27802, and CVE-2026-27898. These flaws were publicly disclosed on March 4, 2026, following their discovery by security researchers.

CVE-2026-27803 is an improper authorization vulnerability (CVSS: 8.3, EPSS: 0.05%) where a user with "Manager" status can perform administrative tasks on a collection even if their management rights are explicitly disabled (manage=false). CVE-2026-27802 is a similar privilege escalation flaw (CVSS: 8.3, EPSS: 0.05%) that allows a Manager to use a bulk-access API to grant themselves permissions over collections they were never assigned to. Lastly, CVE-2026-27898 is a medium-severity Insecure Direct Object Reference (IDOR) flaw (CVSS: 5.4, EPSS: 0.03%) in the REST API. It allows any authenticated user to download encrypted data from another user’s vault entries by sending a "Partial Update" request to a specific endpoint.

As of March 12, 2026, these specific CVEs are not listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. While there are currently no reports of these being exploited in widespread attack campaigns, the public release of technical details and the sensitive nature of the software make these vulnerabilities immediate targets for internal exploitation or compromised account abuse.

Why should TPRM Professionals care about the Vaultwarden vulnerabilities?

Password managers are the "crown jewels" of a vendor's security infrastructure. For TPRM professionals, these vulnerabilities represent a catastrophic risk to the confidentiality of all shared secrets and credentials.

If a vendor's Vaultwarden instance is compromised:

  • Exposure of Client Credentials: Any authenticated user could potentially download encrypted secrets belonging to your organization if they are stored in the vendor’s vault.
  • Internal Privilege Escalation: An employee with limited "Manager" rights could promote themselves to gain full control over all organizational collections, potentially accessing root passwords, API keys, and certificates.
  • Secret Theft and Ransom: Once an attacker gains access to the vault, they can exfiltrate the entire database of encrypted secrets. Even if they cannot immediately decrypt them, they can use this access as leverage for extortion or persistent access.

What questions should TPRM professionals ask vendors about these Vaultwarden vulnerabilities?

TPRM teams should verify that vendors are maintaining strict control over their credential management platforms.

  1. Can you confirm if you have updated all instances of Vaultwarden to version 1.35.4 or later to mitigate the risk of CVE-2026-27803, CVE-2026-27802, and CVE-2026-27898?
  2. Have you audited the access levels of users with 'Manager' roles to ensure they haven't made unauthorized changes or granted themselves permissions to restricted collections, as suggested in the advisory for CVE-2026-27802 and CVE-2026-27803?
  3. Have you implemented monitoring measures to detect unusual activity related to the bulk-access API or unauthorized administrative actions by non-owner accounts, as recommended in the advisory for CVE-2026-27802 and CVE-2026-27803?
  4. In light of CVE-2026-27898, have you checked for any unauthorized access to sensitive cipherDetails and tokenized URLs for unauthorized attachment downloads via the 'Partial Update' endpoint (PUT /api/ciphers/{id}/partial)?

Remediation Recommendations for Vendors subject to this risk

Vendors must prioritize the integrity of their secret stores by taking these steps:

  • Immediate Version Upgrade: Update the Vaultwarden server to v1.35.4 immediately. This release includes the necessary authorization logic to prevent IDOR and privilege escalation attacks.
  • Audit Organizational Permissions: Conduct a deep dive into collection permissions. Look for any collections that have newly added managers or modified permission flags that do not align with established security policies.
  • Proactive Secret Rotation: If log analysis suggests that unauthorized "Partial Update" or "Bulk Access" requests were made, consider all secrets within those collections compromised and rotate them immediately.
  • Log Retention and Monitoring: Ensure that API audit logging is enabled and retained. Specifically monitor for unauthorized administrative actions by accounts that should have restricted access.
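
The log review called for in the last two points can be automated. The Python below is an added example, not Vaultwarden's or Black Kite's code: it reads constructed JSON access records, flags every "Partial Update" request (PUT /api/ciphers/{id}/partial) made by someone other than the cipher's owner, and lists the ciphers whose secrets should be rotated. It assumes the reverse proxy records the authenticated user id in a "user" field and that each cipher has a single owner; shared organization ciphers would need collection membership folded into the ownership check.

```python
"""Added example, not Vaultwarden's or Black Kite's code: detect cross-user
Partial Update requests and derive the list of ciphers to rotate."""
import json
import re
from typing import Dict, Iterable, List, Set

# Endpoint named in the advisory text above; cipher ids are UUIDs.
PARTIAL_UPDATE = re.compile(r"^/api/ciphers/(?P<cipher_id>[0-9a-f-]{36})/partial$")

# Constructed access records (assumption: the proxy logs one JSON object per
# request and includes the authenticated user id as "user").
SAMPLE_ACCESS_LOG = [
    '{"ts":"2026-03-05T08:01:10Z","user":"u-alice","method":"PUT",'
    '"path":"/api/ciphers/5b1f0c3e-7c0a-4e7c-9d2a-0f1e2d3c4b5a/partial","status":200}',
    '{"ts":"2026-03-05T08:02:44Z","user":"u-bob","method":"PUT",'
    '"path":"/api/ciphers/5b1f0c3e-7c0a-4e7c-9d2a-0f1e2d3c4b5a/partial","status":200}',
    '{"ts":"2026-03-05T08:03:02Z","user":"u-bob","method":"GET",'
    '"path":"/api/sync","status":200}',
    '{"ts":"2026-03-06T09:15:30Z","user":"u-bob","method":"PUT",'
    '"path":"/api/ciphers/9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b/partial","status":403}',
]

# Constructed ownership map, as it could be exported from the server database.
CIPHER_OWNER: Dict[str, str] = {
    "5b1f0c3e-7c0a-4e7c-9d2a-0f1e2d3c4b5a": "u-alice",
    "9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b": "u-carol",
}

def find_cross_user_partial_updates(log_lines: Iterable[str],
                                    cipher_owner: Dict[str, str]) -> List[dict]:
    """One finding per Partial Update whose requester is not the cipher's owner.
    2xx responses are marked succeeded (data was returned); a 4xx after the
    v1.35.4 upgrade still shows that somebody tried and is worth reviewing."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        m = PARTIAL_UPDATE.match(ev["path"])
        if ev["method"] != "PUT" or not m:
            continue
        cipher_id = m.group("cipher_id")
        owner = cipher_owner.get(cipher_id)
        if owner == ev["user"]:
            continue  # the owner editing their own entry is normal use
        findings.append({
            "ts": ev["ts"],
            "requester": ev["user"],
            "cipher_id": cipher_id,
            "owner": owner or "<unknown cipher id>",
            "succeeded": 200 <= int(ev["status"]) < 300,
        })
    return findings

def ciphers_to_rotate(findings: List[dict]) -> Set[str]:
    """Ciphers whose encrypted data was handed to a non-owner: rotate those secrets."""
    return {f["cipher_id"] for f in findings if f["succeeded"]}

if __name__ == "__main__":
    found = find_cross_user_partial_updates(SAMPLE_ACCESS_LOG, CIPHER_OWNER)
    for f in found:
        print(f)
    print("rotate:", sorted(ciphers_to_rotate(found)))
```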

Black Kite's Vaultwarden FocusTag® details critical insights on the event for TPRM professionals.

Apache ZooKeeper (CVE-2026-24281, CVE-2026-24308)

What are the Authentication Bypass and Secret Leakage Vulnerabilities in Apache ZooKeeper?

Apache ZooKeeper, a critical service for coordinating distributed applications, is currently affected by two high-severity vulnerabilities: CVE-2026-24281 and CVE-2026-24308. These flaws were disclosed in early March 2026 and impact the core security handshake and logging mechanisms of the framework.

CVE-2026-24281 involves an improper authentication vulnerability in the ZKTrustManager component (CVSS: 7.4, EPSS: 0.02%). The flaw exists in how the system validates X.509 certificates; if the primary IP Subject Alternative Name (SAN) check fails, the system erroneously falls back to using Reverse-DNS (PTR) records. This allows an attacker who can manipulate DNS records to spoof a trusted host's identity.
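To make the weakness concrete, here is an added Python illustration of the two verification modes; it is not ZooKeeper's code (the real trust manager is Java) and the certificate SANs, addresses and PTR answers are constructed for the example. It shows that the fallback delegates the binding between a connecting address and a certificate identity to a DNS record the certificate holder does not control.

```python
"""Added illustration, not ZooKeeper's own code: SAN-only peer verification
compared with a reverse-DNS (PTR) fallback of the kind described for
CVE-2026-24281."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

@dataclass
class PeerCert:
    """Subject Alternative Names taken from the peer's X.509 certificate."""
    ip_sans: Set[str] = field(default_factory=set)
    dns_sans: Set[str] = field(default_factory=set)

def verify_san_only(cert: PeerCert, peer_ip: str) -> bool:
    """Strict mode: the address the peer connects from must be an IP SAN."""
    return str(ipaddress.ip_address(peer_ip)) in cert.ip_sans

def verify_with_ptr_fallback(cert: PeerCert, peer_ip: str,
                             reverse_dns: Callable[[str], Optional[str]]) -> bool:
    """Weak mode: if the IP SAN check fails, accept the peer when the name
    returned by a reverse-DNS lookup of its address matches a DNS SAN. Whoever
    controls the PTR record for peer_ip now decides whether the check passes."""
    if verify_san_only(cert, peer_ip):
        return True
    ptr_name = reverse_dns(peer_ip)
    return ptr_name is not None and ptr_name.rstrip(".").lower() in cert.dns_sans

# Constructed sample data: one quorum member's certificate and two PTR zones.
TRUSTED_CERT = PeerCert(ip_sans={"10.0.0.5"}, dns_sans={"zk1.internal"})

def honest_reverse_dns(ip: str) -> Optional[str]:
    """PTR zone as the vendor operates it."""
    return {"10.0.0.5": "zk1.internal."}.get(ip)

def tampered_reverse_dns(ip: str) -> Optional[str]:
    """PTR zone after the record for 203.0.113.7 has been altered to claim
    the trusted name (the DNS manipulation the advisory text describes)."""
    return {"10.0.0.5": "zk1.internal.", "203.0.113.7": "zk1.internal."}.get(ip)

def compare_modes(cert: PeerCert, peer_ip: str,
                  resolver: Callable[[str], Optional[str]]) -> Dict[str, bool]:
    """Outcome of both modes for one connection attempt."""
    return {
        "san_only": verify_san_only(cert, peer_ip),
        "ptr_fallback": verify_with_ptr_fallback(cert, peer_ip, resolver),
    }

if __name__ == "__main__":
    print("legitimate peer  :", compare_modes(TRUSTED_CERT, "10.0.0.5", honest_reverse_dns))
    print("unknown peer     :", compare_modes(TRUSTED_CERT, "203.0.113.7", honest_reverse_dns))
    print("tampered PTR zone:", compare_modes(TRUSTED_CERT, "203.0.113.7", tampered_reverse_dns))
```

Only the weak mode flips to "accepted" when the PTR zone is tampered with, which is why the remediation below asks vendors to disable the reverse-DNS lookup and rely on SANs alone.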

CVE-2026-24308 is a sensitive information disclosure flaw (CVSS: 7.5, EPSS: 0.2%) within the ZKConfig class. The application inadvertently writes private keys and plain-text credentials into log files at the default INFO level.

As of March 12, 2026, these vulnerabilities are not listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog. There are no confirmed reports of exploitation in the wild, but the nature of the data leak makes the information highly valuable for attackers once they gain initial access to a vendor's logging environment.

Why should TPRM Professionals care about the Apache ZooKeeper vulnerabilities?

ZooKeeper acts as the "source of truth" for configuration and synchronization in large-scale distributed systems. For TPRM professionals, these vulnerabilities represent a threat to the stability and confidentiality of a vendor's entire cloud or data center infrastructure.

If a vendor's ZooKeeper ensemble is compromised:

  • Orchestration Hijacking: By spoofing a trusted node via CVE-2026-24281, an attacker could inject malicious configurations into the cluster, potentially redirecting traffic or altering how the vendor's application behaves.
  • Widespread Credential Exposure: Since secrets are logged at the INFO level, they are likely indexed in centralized logging platforms like Splunk or ELK. Any breach of the vendor's log management system could grant an attacker the "keys to the kingdom," including private keys for internal service communication.
  • Data Integrity Risk: ZooKeeper often manages metadata for databases and file systems. A compromised coordination service could lead to data corruption or unauthorized access to the underlying data stores that house your organization's information.

What questions should TPRM professionals ask vendors about these ZooKeeper vulnerabilities?

TPRM teams should verify that vendors are securing the backbone of their distributed services.

  1. Have you updated all instances of Apache ZooKeeper to version 3.9.5 or 3.8.6 to mitigate the risk of CVE-2026-24281 and CVE-2026-24308?
  2. Have you enforced SAN-only validation and disabled reverse-DNS lookups in your TLS settings to prevent DNS-based host spoofing as recommended in the advisory for CVE-2026-24281?
  3. Can you confirm if you have sanitized and rotated any sensitive keys or passwords present in ZooKeeper client configurations due to the potential plain-text credential leakage in system logs as per CVE-2026-24308?
  4. Have you audited your log repositories to check for plain-text credentials and ensured that access to these logs is restricted to authorized personnel only, as a response to the data exposure issue within the ZKConfig class (CVE-2026-24308)?

Remediation Recommendations for Vendors subject to this risk

Vendors should implement the following technical safeguards immediately:

  • Execute Software Upgrades: Update to ZooKeeper 3.8.6 or 3.9.5. These releases specifically fix the certificate validation logic and suppress the logging of sensitive configuration fields.
  • Configure DNS Mitigations: In the patched versions, explicitly disable reverse DNS lookups for hostname verification to close the spoofing attack vector.
  • Enforce Strict TLS Validation: Reconfigure ZooKeeper to rely exclusively on Subject Alternative Names (SAN) for identity verification, ignoring mutable DNS records.
  • Log Sanitization: Secure all logging infrastructure and audit historical entries for private keys or tokens. Implement automated masking for future log ingestion to prevent similar leaks.
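
The audit-and-mask step in the last point, as an added Python example (not ZooKeeper's or Black Kite's code): it scans a log excerpt for credential-bearing configuration values and PEM private key blocks, reports what it found so the affected keys can be rotated, and emits a masked copy for ingestion. The log lines are constructed in a log4j-style layout; the property names are ZooKeeper's TLS keystore settings, but which fields the flaw actually writes is not stated above, so the excerpt is an assumption.

```python
"""Added example, not ZooKeeper's or Black Kite's code: audit a log for leaked
secrets and produce a masked copy for a central logging platform."""
import re
from typing import List, Tuple

# Property names that carry secrets: anything containing password/passwd/
# secret/token in any case, e.g. zookeeper.ssl.keyStore.password.
SENSITIVE_KV = re.compile(
    r"(?P<key>[\w.]*(?:password|passwd|secret|token)[\w.]*)\s*[=:]\s*(?P<value>[^\s,;]+)",
    re.IGNORECASE,
)
# A private key block, which may span several log lines.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)

def sanitize_log(text: str) -> Tuple[str, List[str]]:
    """Return (masked text, findings). Findings name what was present so the
    audit can drive rotation; the masked text keeps everything else intact."""
    findings: List[str] = []
    if PEM_PRIVATE_KEY.search(text):
        findings.append("PEM private key block")
        text = PEM_PRIVATE_KEY.sub("-----PRIVATE KEY REDACTED-----", text)
    masked_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def redact(m: re.Match, lineno: int = lineno) -> str:
            findings.append(f"line {lineno}: {m.group('key')}")
            return f"{m.group('key')}=<redacted>"
        masked_lines.append(SENSITIVE_KV.sub(redact, line))
    return "\n".join(masked_lines), findings

# Constructed excerpt: values are invented and the key body is a truncated
# placeholder, not real key material.
SAMPLE_LOG = """\
2026-03-05 10:12:01,334 [main] INFO  ZKConfig - zookeeper.ssl.keyStore.location=/etc/zk/keystore.jks
2026-03-05 10:12:01,335 [main] INFO  ZKConfig - zookeeper.ssl.keyStore.password=hunter2
2026-03-05 10:12:01,336 [main] INFO  ZKConfig - zookeeper.ssl.trustStore.password=trustme
2026-03-05 10:12:01,340 [main] INFO  ZKConfig - pem=-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC...PLACEHOLDER...
-----END PRIVATE KEY-----
2026-03-05 10:12:02,001 [main] INFO  QuorumPeerMain - Starting quorum peer
"""

if __name__ == "__main__":
    masked, findings = sanitize_log(SAMPLE_LOG)
    print(masked)
    for f in findings:
        print("found:", f)
```

Run it against retained logs before they are re-indexed; every "found" line is a credential or key that should be treated as exposed and rotated.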

Black Kite's Apache ZooKeeper FocusTag® details critical insights on the event for TPRM professionals.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite provides an automated and highly efficient way to manage the risks discussed in this blog. Rather than manually tracking over a dozen CVEs across thousands of vendors, TPRM professionals can utilize Black Kite's FocusTags® to gain immediate visibility.

Strategic Operationalization

When a high-profile incident occurs—such as the Iranian-linked attacks or the March 2026 Patch Tuesday—Black Kite publishes specific FocusTags® (e.g., Hikvision IP Cameras, Gogs - Mar2026, MSSQL - Mar2026) with a "Very High" confidence level.

TPRM teams can operationalize these tags by:

  • Instant Identification: Filtering their entire vendor ecosystem to find only those organizations with exposed assets associated with these vulnerabilities.
  • Precision Remediation: Accessing specific asset information, including IP addresses and subdomains, that pose the risk. This allows TPRM professionals to provide vendors with actionable data rather than generic warnings.
  • Overcoming Questionnaire Fatigue: By knowing exactly which vendors are at risk, you can skip the broad "Are you affected?" emails and move directly to requesting proof of patching from the relevant parties.

Continuous Monitoring

For "Reactivated" tags like Dahua IP Camera or SolarWinds Web Help Desk, Black Kite ensures that even older, resurfacing threats are not overlooked. The platform continuously monitors for the re-emergence of these flaws, keeping your supply chain security posture current as threat actor playbooks evolve.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

The sheer volume and complexity of this week’s disclosures—ranging from nation-state exploitation of IP cameras to deeply embedded open-source proxy flaws—demonstrate that legacy, questionnaire-based TPRM is no longer sufficient. Relying on annual assessments leaves organizations blind to rapidly escalating geopolitical threats and sudden zero-day disclosures. Black Kite’s FocusTags® provide a modern, intelligence-driven approach to managing these dynamic risks.

By leveraging FocusTags® for threats like the Iran-linked IoT campaigns or the recurring SolarWinds vulnerabilities, TPRM teams gain several distinct advantages:

  • Pinpoint Asset Visibility: Instead of asking hundreds of vendors if they use a vulnerable product, FocusTags® instantly reveal the specific IP addresses and subdomains exposing tools like Hikvision, Dahua, or vulnerable Pingora proxies within your supply chain.
  • Combatting Patch Fatigue: With "reactivated" tags (such as SolarWinds WHD), Black Kite continuously monitors for patch bypasses. This ensures that vendors who applied an initial fix are held accountable for applying the latest, definitive hotfixes.
  • Context-Driven Vendor Engagement: FocusTags® eliminate generic security inquiries. They arm TPRM teams with the exact CVE details, severity scores, and affected assets needed to demand rapid, evidence-based remediation from high-risk vendors.
  • Strategic Resource Allocation: By filtering your ecosystem to show only the vendors actively exposing critical vulnerabilities (like the MSSQL or SharePoint RCEs), your security analysts can focus their time on securing the most critical supply chain nodes first.

In an environment where threat actors seamlessly blend physical espionage with digital exploitation, Black Kite’s FocusTags® transform overwhelming threat data into precise, actionable intelligence, ensuring your vendor ecosystem remains resilient.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

  • Hikvision IP Cameras : CVE-2021-36260, CVE-2017-7921, Critical Remote Code Execution (RCE) and Authentication Bypass Vulnerabilities in Hikvision Systems.
  • MSSQL - Mar2026 : CVE-2026-21262, CVE-2026-26115, CVE-2026-26116, Multiple Elevation of Privilege Vulnerabilities in Microsoft SQL Server.
  • SharePoint - Mar2026 : CVE-2026-26105, CVE-2026-26114, CVE-2026-26106, Remote Code Execution (RCE) and Spoofing Vulnerabilities in Microsoft SharePoint Server.
  • Cloudflare Pingora : CVE-2026-2835, CVE-2026-2833, CVE-2026-2836, Critical Request Smuggling and Cache Flaws in Cloudflare Pingora.
  • Gogs - Mar2026 : CVE-2025-64111, CVE-2025-64175, CVE-2026-24135, Critical Remote Code Execution, 2FA Bypass, and Path Traversal Vulnerabilities in Gogs.
  • SAP NetWeaver for ABAP [Suspected] : CVE-2026-24316, CVE-2026-24309, CVE-2026-27688, CVE-2026-27684, Server-Side Request Forgery (SSRF), Missing Authorization Checks, and SQL Injection Vulnerabilities in SAP NetWeaver.
  • Vaultwarden : CVE-2026-27803, CVE-2026-27802, CVE-2026-27898, High-Severity Privilege Escalation, Improper Authorization, and Broken Access Control Vulnerabilities in Vaultwarden.
  • Apache ZooKeeper : CVE-2026-24281, CVE-2026-24308, Authentication Bypass and Sensitive Information Disclosure Vulnerabilities in Apache ZooKeeper.
  • Mail2Shell : CVE-2026-28289, Critical Unauthenticated Remote Code Execution and Time-of-Check to Time-of-Use (TOCTOU) Vulnerabilities in FreeScout.
  • pac4j : CVE-2026-29000, Critical Authentication Bypass and JWT Token Forging Vulnerability in pac4j-jwt.
  • MongoDB - Mar2026 : CVE-2026-25611, High-Severity Denial of Service (DoS) Vulnerability in MongoDB.
  • Django - Mar2026 : CVE-2026-25673, CVE-2026-25674, High-Severity Denial of Service (DoS) and Race Condition Vulnerabilities in Django Web Framework.
  • Langflow : CVE-2026-27966, Critical Remote Code Execution (RCE) Vulnerability in Langflow AI Data Workflows.
  • RustFS : CVE-2026-27822, Medium-Severity Cross-Site Scripting (XSS) Vulnerability in RustFS S3 Storage Management Console.
  • Apache Superset - Mar2026 : CVE-2026-23984, CVE-2026-23982, CVE-2026-23980, High-Severity Data Access Control Bypass and SQL Injection Vulnerabilities in Apache Superset.
  • SolarWinds Serv-U - Feb2026 : CVE-2025-40541, CVE-2025-40540, CVE-2025-40539, CVE-2025-40538, Critical Remote Code Execution (RCE) flaws that could allow unauthenticated attackers to gain root-level access.
  • Jenkins - Feb2026 : CVE-2026-27099, CVE-2026-27100, High-severity stored XSS in node descriptions and information disclosure via Run Parameters.
  • Cisco Catalyst SD-WAN : CVE-2026-20127, CVE-2022-20775, Critical 10.0 CVSS authentication bypass exploited in the wild, chained with privilege escalation for full root access.
  • n8n - Feb2026 (Latest) : CVE-2026-27497, CVE-2026-27577, CVE-2026-27495, Triple critical RCE vulnerabilities in sandbox and node execution allowing host server takeover.
  • BeyondTrust RA & PRA : CVE-2026-1731, Remote Code Execution (RCE) vulnerability in BeyondTrust RA & PRA.
  • Zimbra - Feb2026 : CVE-2020-7796, Critical Server-Side Request Forgery (SSRF) vulnerability in the Zimbra’s WebEx Zimlet.
  • PostgreSQL - Feb2026 : CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, Arbitrary Code Execution and Buffer Overflows Vulnerabilities in PostgreSQL.
  • Exchange Server - Feb2026 : CVE-2026-21527, Spoofing vulnerability in Microsoft Exchange Server involving UI misrepresentation.
  • SAP NetWeaver - Feb2026 : CVE-2026-0509, Critical Missing Authorization vulnerability in SAP NetWeaver AS ABAP allowing unauthorized RFC execution.

See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag® at https://blackkite.com/cve-database/.

References

https://blackkite.com/blog/focus-friday-managing-third-party-risks-from-dahua-ip-camera-sonicwall-firewall-and-wpml-filecatalyst-workflow-vulnerabilities-with-black-kites-focustags

https://blackkite.com/blog/focus-friday-tprm-insights-into-critical-vulnerabilities-in-microsoft-windows-solarwinds-whd-zimbra-and-exchange-server

https://blackkite.com/blog/shinyhunters-and-the-salesforce-experience-cloud-campaign-how-misconfigured-portals-create-supply-chain-risk

https://www.rapid7.com/blog/post/tr-detection-coverage-iran-linked-cyber-activity/

https://github.com/rapid7/metasploit-framework/pull/20932

https://github.com/rapid7/metasploit-framework/pull/19247

https://www.rapid7.com/db/modules/exploit/linux/ssh/ssh_erlangotp_rce/

https://github.com/rapid7/metasploit-framework/pull/20866

https://github.com/rapid7/metasploit-framework/pull/20713

https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html

https://www.cve.org/CVERecord?id=CVE-2021-36260

https://www.cve.org/CVERecord?id=CVE-2017-7921

https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/

https://medium.com/@k3yb0ard/when-you-pay-to-sell-your-own-privacy-a-technical-deep-dive-into-cve-2017-7921-hikvision-auth-576b581f4afe

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/

https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/

https://nvd.nist.gov/vuln/detail/CVE-2021-33044#range-12398810

https://nvd.nist.gov/vuln/detail/cve-2021-33045

https://github.com/mcw0/PoC/blob/master/Dahua%20authentication%20bypass.txt

https://seclists.org/fulldisclosure/2021/Oct/13

https://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399

https://thehackernews.com/2025/09/solarwinds-releases-hotfix-for-critical.html

https://github.com/rxerium/CVE-2025-26399

https://nvd.nist.gov/vuln/detail/CVE-2025-26399

https://securityonline.info/cve-2025-26399-cvss-9-8-solarwinds-web-help-desk-hit-by-critical-rce-vulnerability/

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21262

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-26115

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-26116

https://nvd.nist.gov/vuln/detail/CVE-2026-21262

https://nvd.nist.gov/vuln/detail/CVE-2026-26115

https://nvd.nist.gov/vuln/detail/CVE-2026-26116

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26105

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26114

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26106

https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Microsoft-Patch-Tuesday-March-2026.html

https://www.cve.org/CVERecord?id=CVE-2026-26105

https://www.cve.org/CVERecord?id=CVE-2026-26114

https://www.cve.org/CVERecord?id=CVE-2026-26106

https://securityonline.info/critical-request-smuggling-cache-flaws-discovered-in-cloudflares-pingora/

https://www.cve.org/CVERecord?id=CVE-2026-2835

https://www.cve.org/CVERecord?id=CVE-2026-2836

https://www.cve.org/CVERecord?id=CVE-2026-2833

https://github.com/cloudflare/pingora/security/advisories/GHSA-f93w-pcj3-rggc

https://github.com/cloudflare/pingora/security/advisories/GHSA-hj7x-879w-vrp7

https://github.com/cloudflare/pingora/security/advisories/GHSA-xq2h-p299-vjwv

https://securityonline.info/triple-threat-critical-gogs-flaws-cvss-9-3-allow-rce-2fa-bypass/

https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2

https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj

https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp

https://nvd.nist.gov/vuln/detail/CVE-2026-24135

https://nvd.nist.gov/vuln/detail/CVE-2025-64175

https://nvd.nist.gov/vuln/detail/CVE-2025-64111

https://nvd.nist.gov/vuln/detail/CVE-2026-24316

https://nvd.nist.gov/vuln/detail/CVE-2026-24309

https://nvd.nist.gov/vuln/detail/CVE-2026-27688

https://nvd.nist.gov/vuln/detail/CVE-2026-27684

https://me.sap.com/notes/3689080

https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27

https://securityonline.info/vault-unlocked-high-severity-flaws-in-vaultwarden-expose-encrypted-secrets-and-allow-privilege-escalation/

https://nvd.nist.gov/vuln/detail/CVE-2026-27803

https://nvd.nist.gov/vuln/detail/CVE-2026-27802

https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2

https://securityonline.info/critical-bypasses-and-secret-leaks-patched-in-apache-zookeeper/

https://www.cve.org/CVERecord?id=CVE-2026-24281

https://www.cve.org/CVERecord?id=CVE-2026-24308