FOCUS FRIDAY: TPRM Insights on Critical Vulnerabilities in SharePoint, ProFTPD, Cacti, and Gogs
Introduction
This week's Focus Friday covers four FocusTags® spanning enterprise collaboration platforms, file transfer infrastructure, network monitoring frameworks, and self-hosted source control systems: a CISA KEV-listed SharePoint deserialization RCE with an emergency July 4 remediation deadline, an ACL bypass vulnerability in ProFTPD affecting ~69,000 exposed deployments with no fixed release yet available, four critical-severity vulnerabilities in the Cacti network monitoring platform including pre-authentication SQL injection and local file inclusion, and a triple critical RCE cluster in Gogs reaching a maximum CVSS 10.0 that any self-registering external user can trigger against the entire hosted repository fleet. The week is defined by extreme urgency: SharePoint's CISA KEV listing arrived July 1 with federal agencies mandated to remediate by July 4, and public PoC code is actively available for both SharePoint and Gogs.
SharePoint - CVE-2026-45659 is this week's highest-priority disclosure for enterprise-facing TPRM programs. Confirmed active exploitation, a CISA KEV listing with a 72-hour remediation deadline for federal agencies, and a public PoC targeting Microsoft.SharePoint.Library's LosFormatter.Deserialize call chain make this vulnerability immediately actionable against every vendor running on-premises SharePoint Server 2016, 2019, or Subscription Edition. The exploitation barrier is meaningfully low: Site Member or Contribute access — a privilege level held by any standard employee with SharePoint access — is sufficient to trigger the deserialization chain and achieve remote code execution. Gogs represents the week's most technically severe cluster: three CVEs reaching CVSS 10.0, 9.9, and 9.0 in a self-hosted Git service where open self-registration is enabled by default, meaning any external actor can create an account and immediately exploit path traversal to RCE, argument injection via pull request rebases, or symlink-based persistent backdoor writes across the entire instance.
For third-party risk management professionals, this week's portfolio highlights the compounding risk of collaboration and developer infrastructure: SharePoint hosts sensitive enterprise data while Gogs and Cacti underpin source control and network monitoring — all three are high-value targets that vendors rarely surface in technology disclosures yet carry substantial data and infrastructure access implications. ProFTPD's ACL bypass with no vendor patch yet available adds an additional urgency dimension: the only current protection is a configuration-level workaround that must be actively deployed across ~68,821 internet-exposed instances. Black Kite's FocusTags® translate all four signals into ecosystem-specific vendor intelligence, enabling TPRM teams to drive targeted remediation engagement against the precise vendor population carrying this week's highest-urgency exposures.

Filtered view of vendors with SharePoint - Jul2026 FocusTag® on the Black Kite platform.
SharePoint - Jul2026 (CVE-2026-45659)
What is this vulnerability?
CVE-2026-45659 (CVSS 8.8, EPSS 2.78%) is a high-severity Remote Code Execution vulnerability affecting Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The flaw is rooted in deserialization of untrusted data (CWE-502) within the Microsoft.SharePoint.Library component: the vulnerable code path uses LosFormatter.Deserialize on attacker-controlled data passed through the Update() method of list items when custom field types with ViewState-like serialization are processed, without proper type filtering or ObjectStateFormatter restrictions in place. Successful exploitation allows network-accessible code execution on the SharePoint server in the context of the application pool's service account.
The vulnerability requires low privileges — specifically Site Member or Contribute rights — and no user interaction. This access threshold is held by any standard SharePoint user with access to a site, making exploitation accessible to any insider, contractor, or external partner with a valid SharePoint account. More critically, valid credentials at this level can be obtained through phishing, credential stuffing, third-party compromise, or stale account reuse — meaning the effective barrier to exploitation is lower than the authentication requirement alone suggests. A working public PoC exploit is available on GitHub (mistbarbarianspot/CVE-2026-45659-SharePoint-RCE), and Microsoft's original assessment of 'Exploitation Less Likely' has been superseded by confirmed active exploitation in the wild. CVE-2026-45659 was added to CISA's Known Exploited Vulnerabilities catalog on July 1, 2026, with a mandated remediation deadline of July 4, 2026 for federal agencies. Affected builds: SharePoint Enterprise Server 2016 prior to 16.0.5552.1002 (patch: KB5002868); SharePoint Server 2019 prior to 16.0.10417.20128 (patch: KB5002870); SharePoint Server Subscription Edition prior to 16.0.19725.20280 (patch: KB5002863).
Why should TPRM professionals care?
SharePoint is one of the most pervasively deployed enterprise collaboration platforms in the world, serving as the central repository for sensitive business documents, internal portals, workflow automation, compliance documentation, HR records, and authentication-integrated enterprise resources across organizations of every size and sector. A compromised SharePoint server in the context of this vulnerability yields more than code execution on a single host: it provides direct access to every document library, list, and integrated workflow on the platform — frequently including contracts, financial records, personnel data, M&A materials, and proprietary business intelligence. The combination of confirmed active exploitation, public PoC availability, a CISA KEV listing with a 72-hour federal remediation deadline, and a low-privilege exploitation threshold makes CVE-2026-45659 one of the most urgently actionable disclosures in recent Focus Friday history. For TPRM professionals, every vendor running on-premises SharePoint Server 2016, 2019, or Subscription Edition should be contacted for immediate patch confirmation — with verification against specific build numbers rather than general 'patched' assertions, as the affected version thresholds are precise and multi-server SharePoint farms require patch validation across all farm components.
What questions should TPRM professionals ask vendors?
- Have the applicable SharePoint security updates been applied immediately — KB5002868 for SharePoint Enterprise Server 2016, KB5002870 for SharePoint Server 2019, or KB5002863 for SharePoint Server Subscription Edition? What specific build number is confirmed installed, verified against the patched thresholds (16.0.5552.1002, 16.0.10417.20128, or 16.0.19725.20280 respectively)?
- In multi-server SharePoint farms, have all web front-end servers, application servers, and related farm components been uniformly updated? What farm-wide patch validation process confirms consistent deployment across all nodes?
- Have SharePoint logs, IIS logs, Windows Event logs, and authentication logs been reviewed retroactively for indicators of exploitation — specifically unexpected REST/CSOM calls to list item update endpoints, unusual process execution following list-item operations, or authentication from unfamiliar source IPs — given confirmed active exploitation prior to patching?
- Given the low-privilege (Site Member/Contribute) exploitation requirement: have SharePoint user permissions been audited for stale accounts, external user access, service accounts with unnecessary rights, and any account sharing? Has MFA been enforced for all SharePoint users, particularly those with externally accessible accounts?
- Is the affected SharePoint deployment internet-accessible, or accessible to external partners or contractors? For any internet-facing SharePoint instance, what access control layers — VPN, identity-aware proxy, conditional access — restrict access while patching is underway?
Remediation recommendations
- Apply the applicable SharePoint security update immediately — KB5002868 (SharePoint Enterprise Server 2016), KB5002870 (SharePoint Server 2019), or KB5002863 (SharePoint Server Subscription Edition) — given confirmed active exploitation and the CISA KEV remediation deadline of July 4, 2026.
- Validate the exact build number post-patching against the patched thresholds: 16.0.5552.1002 (SP 2016), 16.0.10417.20128 (SP 2019), or 16.0.19725.20280 (SP SE). In multi-server farms, confirm all farm nodes are uniformly updated — partial patching leaves the environment exposed.
- Conduct retroactive log review across SharePoint, IIS, and Windows Event logs for suspicious activity prior to patching — particularly unexpected list-item update operations, unusual process executions following CSOM calls, or authentication from unrecognized sources. If exploitation indicators are found, treat as a full incident requiring credentials rotation and forensic investigation.
- Review SharePoint permissions immediately: revoke unnecessary Site Member/Contribute access, disable stale and external accounts, audit service account privileges, and enforce least privilege. Given the low-privilege exploitation threshold, the permission layer is a critical compensating control.
- Restrict direct internet access to SharePoint where operationally feasible; enforce MFA for all SharePoint users; and place internet-facing instances behind conditional access or identity-aware proxy controls that add authentication friction above the SharePoint application layer.
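The build checks above lend themselves to a script. As an added example (not Microsoft's or Black Kite's code), a Python routine that compares each reported farm node's build numerically against the three patched thresholds and marks the farm exposed if any node lags; the node names and the lagging build value are constructed.

```python
"""Build-number verification for CVE-2026-45659 patch confirmation.
Added example, not Microsoft or Black Kite code. Thresholds and KB numbers
are the ones stated in the advisory; node names and builds are constructed."""
from __future__ import annotations

# Minimum patched build and the update that delivers it, per on-premises edition.
PATCHED_BUILDS = {
    "SharePoint Enterprise Server 2016": ("16.0.5552.1002", "KB5002868"),
    "SharePoint Server 2019": ("16.0.10417.20128", "KB5002870"),
    "SharePoint Server Subscription Edition": ("16.0.19725.20280", "KB5002863"),
}


def parse_build(build: str) -> tuple[int, ...]:
    """Split a dotted build into integers so the comparison is numeric.
    Plain string comparison ranks "16.0.10417.x" below "16.0.5552.x"."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed SharePoint build: {build!r}")
    return tuple(int(p) for p in parts)


def node_is_patched(edition: str, build: str) -> bool:
    """True when a node's build meets or exceeds the edition's patched threshold."""
    threshold, _kb = PATCHED_BUILDS[edition]
    return parse_build(build) >= parse_build(threshold)


def assess_farm(edition: str, node_builds: dict[str, str]) -> dict:
    """Evaluate every node a vendor reports. A farm counts as patched only when
    all web front-ends and application servers pass; one lagging node keeps
    the whole environment exposed, which is why a bare 'patched' answer is
    not enough."""
    threshold, kb = PATCHED_BUILDS[edition]
    unpatched = {
        name: build for name, build in node_builds.items()
        if not node_is_patched(edition, build)
    }
    return {
        "edition": edition,
        "required_build": threshold,
        "required_update": kb,
        "farm_patched": not unpatched,
        "unpatched_nodes": unpatched,
    }


if __name__ == "__main__":
    # Constructed vendor response: both WFEs updated, one app server behind.
    reported = {
        "WFE01": "16.0.10417.20128",
        "WFE02": "16.0.10417.20128",
        "APP01": "16.0.10400.20000",  # constructed pre-patch build
    }
    result = assess_farm("SharePoint Server 2019", reported)
    print(f"{result['edition']}: farm patched = {result['farm_patched']}")
    for node, build in result["unpatched_nodes"].items():
        print(f"  {node} at {build}; needs {result['required_update']} "
              f"({result['required_build']} or later)")
```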

Black Kite's SharePoint - Jul2026 FocusTag® details critical insights on the event for TPRM professionals.
ProFTPD (CVE-2026-35025)
What is this vulnerability?
CVE-2026-35025 (CVSS 8.1 / CVSSv4 8.6, EPSS 0.35%) is a high-severity ACL bypass vulnerability in ProFTPD, one of the most widely deployed open-source FTP servers globally, used extensively by hosting providers to deliver file access to customers without granting shell account access. The flaw resides in the RNFR (Rename From) command handler: when an authenticated user prefixes a target path with /proc/self/root, ProFTPD's dir_canonical_path() function fails to properly resolve the symlink components in the path. The resulting unresolved path no longer matches any configured <Directory> ACL block during the dir_check() access control evaluation — which performs a text-only path comparison — causing the server to skip the ACL check entirely. The attacker can then rename files from, and access files in, directories that the ACL configuration was explicitly designed to restrict.
The vulnerability is post-authentication: exploitation requires valid FTP login credentials. However, ProFTPD does not chroot users by default — DefaultRoot must be explicitly configured — and the RNFR/RNTO rename commands are enabled by default. Both conditions increase practical exploitability across unpatched deployments where administrators have not applied explicit chroot or command restrictions. No public PoC exploit is available at time of publication. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Approximately 68,821 ProFTPD instances are detectable on Shodan across 82 distinct vulnerable version strings. Critically, no fixed ProFTPD release is currently available: administrators must apply configuration-level workarounds — specifically enabling DefaultRoot chroot and disabling RNFR/RNTO where not required — until an upstream patch is released. The vulnerability was reported by researcher 'djnn' via a public GitHub issue on June 24, 2026. Affects: ProFTPD 1.3.9b and prior; 1.3.10rc2 and prior release candidates.
Why should TPRM professionals care?
ProFTPD's primary deployment context — shared hosting environments where hosting providers use it to give customers isolated file access — is precisely where this vulnerability carries the highest consequence. In a shared hosting environment where multiple tenants share a single FTP server, an ACL bypass that allows one tenant to traverse into other tenants' restricted directories via the /proc/self/root path trick represents a complete failure of filesystem isolation. An attacker with any valid FTP account on an affected server — which includes any hosting customer, any compromised account, or any attacker who purchases or obtains hosting access — can use RNFR to access files in directories the ACL specifically prohibits, potentially including other tenants' web root files, configuration files, database credentials, and private keys. The absence of a vendor patch compounds the risk: TPRM engagement cannot ask for patch confirmation but must instead verify configuration-level mitigations that hosting operators may not have deployed consistently. With ~68,821 detectable ProFTPD instances and no fixed release, the exposure window is indefinite pending upstream patching.
What questions should TPRM professionals ask vendors?
- Has the DefaultRoot directive been configured in proftpd.conf to chroot FTP user sessions (e.g., DefaultRoot ~)? DefaultRoot changes where /proc/self/root resolves within the chroot environment, closing the CVE-2026-35025 exploitation path. This is the primary recommended workaround in the absence of a fixed release.
- Have RNFR/RNTO rename commands been disabled for FTP user contexts where file renaming is not operationally required? Disabling RNFR removes the command vector through which CVE-2026-35025 is triggered (via <Limit RNFR RNTO> DenyAll </Limit>).
- Have existing <Directory> ACL configurations been audited to confirm restricted directories are properly scoped and not reliant solely on path-matching logic that can be bypassed via unresolved symlink prefixes?
- Is FTP service access restricted to trusted networks or VPN-gated connections? Given that exploitation requires valid FTP credentials, restricting FTP accessibility to trusted source IP ranges reduces the population of accounts that can reach the vulnerable endpoint.
- Is the vendor actively monitoring the ProFTPD upstream GitHub repository and http://proftpd.org security advisories for a patched release? What is the deployment plan to apply the official fix as soon as it becomes available?
Remediation recommendations
- Apply the DefaultRoot workaround immediately in proftpd.conf by adding 'DefaultRoot ~' (or a specific directory path) to chroot each FTP user session. This changes the /proc/self/root resolution context within the chroot and closes the ACL bypass exploitation path without requiring a software upgrade.
- Disable RNFR and RNTO commands where not operationally required by adding '<Limit RNFR RNTO> DenyAll </Limit>' to the proftpd.conf global or per-user/per-directory context. Removing access to the RNFR command eliminates the specific trigger for CVE-2026-35025.
- Audit all <Directory> block ACL configurations to confirm that restricted directories are properly defined and that path-matching logic is not the sole access control mechanism for sensitive directories.
- Restrict FTP service accessibility to trusted internal network ranges or VPN-gated connections, reducing the population of accounts that can authenticate and reach the vulnerable RNFR command handler.
- Monitor the ProFTPD GitHub repository (github.com/proftpd/proftpd) and proftpd.org security advisories for the official patched release; prioritize deployment of the fix immediately upon availability given the absence of a current upstream patch.
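An added example (not ProFTPD project code) that audits a proftpd.conf text for the two workarounds above, an uncommented DefaultRoot and a <Limit RNFR RNTO> block containing DenyAll; both configuration texts are constructed, and the check matches only these explicit directive forms, not ProFTPD's command groups.

```python
"""Audit a proftpd.conf for the two CVE-2026-35025 workarounds named above:
a DefaultRoot chroot and a <Limit RNFR RNTO> DenyAll block. Added example, not
ProFTPD project code. The two configuration texts are constructed; the check
looks for the explicit directive forms the advisory gives, not for ProFTPD's
command groups (DIRS, WRITE, ...), so sites using those must extend it."""
from __future__ import annotations
import re

# Constructed: a typical shared-hosting config that relies on <Directory> ACLs
# alone. DefaultRoot is commented out, so users are not chrooted.
EXPOSED_CONF = """\
ServerName "Shared hosting FTP"
Port 21
# DefaultRoot ~
<Directory /var/www/tenant-a>
  <Limit ALL>
    AllowUser tenant-a
    DenyAll
  </Limit>
</Directory>
"""

# Constructed: the same server with both workarounds applied.
HARDENED_CONF = """\
ServerName "Shared hosting FTP"
Port 21
DefaultRoot ~
<Global>
  <Limit RNFR RNTO>
    DenyAll
  </Limit>
</Global>
<Directory /var/www/tenant-a>
  <Limit ALL>
    AllowUser tenant-a
    DenyAll
  </Limit>
</Directory>
"""

LIMIT_OPEN = re.compile(r"<Limit\s+([^>]+)>", re.I)
LIMIT_CLOSE = re.compile(r"</Limit>", re.I)
DEFAULT_ROOT = re.compile(r"DefaultRoot\s+\S+", re.I)


def active_lines(conf: str):
    """Yield directives with comments and blank lines removed
    (assumes '#' does not occur inside a quoted value)."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def has_default_root(conf: str) -> bool:
    """True when an uncommented DefaultRoot directive is present."""
    return any(DEFAULT_ROOT.match(line) for line in active_lines(conf))


def rename_commands_denied(conf: str) -> bool:
    """True when a <Limit> block naming both RNFR and RNTO contains DenyAll."""
    current: set[str] | None = None
    denied: set[str] = set()
    for line in active_lines(conf):
        m = LIMIT_OPEN.match(line)
        if m:
            current = {cmd.upper() for cmd in m.group(1).split()}
            continue
        if LIMIT_CLOSE.match(line):
            current = None
            continue
        if current is not None and line.upper() == "DENYALL":
            if {"RNFR", "RNTO"} <= current:
                denied |= current
    return {"RNFR", "RNTO"} <= denied


def audit(conf: str) -> dict:
    """Summarise both checks. DefaultRoot is the advisory's primary workaround;
    denying RNFR/RNTO is the additional step where renames are not needed."""
    chroot = has_default_root(conf)
    rename_denied = rename_commands_denied(conf)
    return {
        "default_root_set": chroot,
        "rnfr_rnto_denied": rename_denied,
        "primary_workaround_applied": chroot,
        "both_workarounds_applied": chroot and rename_denied,
    }


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```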

Black Kite's ProFTPD FocusTag® details critical insights on the event for TPRM professionals.
Cacti - Jun2026 (CVE-2026-39893, CVE-2026-39948, CVE-2026-39955, CVE-2026-39938)
What is this vulnerability?
Four critical-severity vulnerabilities — CVE-2026-39893, CVE-2026-39948, CVE-2026-39955, and CVE-2026-39938 — were identified in Cacti, the widely deployed open-source network performance and fault management framework used across IT operations teams for infrastructure monitoring, graphing, and alerting. All four carry CVSS 9.8 scores and EPSS values ranging from 0.32% to 0.46%. Public PoC exploits are available for this vulnerability cluster.
CVE-2026-39893 (CVSS 9.8, EPSS 0.36%) is the primary pre-authentication SQL injection flaw: the rfilter request variable is concatenated directly into a RLIKE SQL clause without sanitization in the graph viewing endpoint. Because this endpoint supports guest access via Cacti's configured guest user, the vulnerability is reachable without authentication on any Cacti installation where guest viewing is enabled — a common default. Successful exploitation allows unauthenticated remote attackers to perform arbitrary database read or write operations. CVE-2026-39948 (CVSS 9.8, EPSS 0.46%) is a further SQL injection flaw in Cacti's data query handling path. CVE-2026-39955 (CVSS 9.8, EPSS 0.32%) combines pre-authentication SQL injection with a regex validation bypass, widening the injection surface beyond the primary rfilter parameter. CVE-2026-39938 (CVSS 9.8, EPSS 0.44%) is an unauthenticated Local File Inclusion vulnerability: an attacker can manipulate a file path parameter to include and execute arbitrary local files from the server filesystem — a path from arbitrary file read to Remote Code Execution when writable directories are accessible. None of the four vulnerabilities are listed in CISA's Known Exploited Vulnerabilities catalog. All four are listed in the EU Vulnerability Database: EUVD-2026-39131, EUVD-2026-39138, EUVD-2026-39137, EUVD-2026-39136. Affects: Cacti 1.2.30 and prior. Fixed in Cacti 1.2.31.
Why should TPRM professionals care?
Cacti is deployed across IT operations environments as the network monitoring and alerting platform — giving it visibility into the complete network topology, device inventory, interface utilization, and infrastructure performance data of the organizations that run it. A pre-authentication SQL injection that allows arbitrary database read access against the Cacti database exposes not only Cacti's own configuration data but, in many deployments, SNMP community strings, device credentials, network device inventory, and monitoring alert configurations that collectively represent a detailed map of the vendor's internal network infrastructure. CVE-2026-39938's Local File Inclusion path compounds this: once an attacker can read arbitrary files from the Cacti host server, the scope extends to SSH private keys, application configuration files, and any credential material stored on the monitoring server's filesystem. The unauthenticated access path via guest viewing is the critical risk multiplier: Cacti instances with guest access enabled — a common default that administrators often leave unchanged — are fully exposed to CVE-2026-39893 and CVE-2026-39955 with zero credential requirement. For TPRM professionals, vendors operating Cacti for infrastructure monitoring should be confirmed as running version 1.2.31 with guest access audited and restricted.
What questions should TPRM professionals ask vendors?
- Has Cacti been upgraded to version 1.2.31 across all deployments? What is the confirmed installed version and upgrade timeline for any instances still running 1.2.30 or earlier?
- Has guest access been disabled in the Cacti configuration as an immediate mitigation for CVE-2026-39893 and CVE-2026-39955? Guest viewing is the unauthenticated access vector for the primary pre-authentication SQL injection flaws — disabling it eliminates the no-credential exploitation path regardless of patch status.
- Is the Cacti monitoring interface restricted to trusted internal networks or VPN-gated access? Has any public internet exposure of the Cacti web interface been eliminated?
- Have Cacti database logs been reviewed for anomalous SQL patterns — specifically unexpected RLIKE clauses, unusual JOIN operations, or queries accessing tables outside normal Cacti operation — that may indicate active exploitation via CVE-2026-39893 or CVE-2026-39948?
- Have file access logs been reviewed for unexpected file inclusion patterns that may indicate CVE-2026-39938 LFI exploitation attempts, particularly any access to sensitive server files such as SSH keys, application configuration files, or /etc/passwd?
Remediation recommendations
- Upgrade all Cacti deployments to version 1.2.31 immediately — this is the only release that fully addresses all four vulnerabilities, including the unsanitized rfilter SQL concatenation, the secondary SQL injection paths, and the local file inclusion flaw.
- Disable guest access in the Cacti configuration immediately as an interim mitigation if upgrading cannot be performed without delay. Guest viewing is the unauthenticated prerequisite for CVE-2026-39893 and CVE-2026-39955 — its removal closes the no-credential exploitation path while patching is arranged.
- Restrict all Cacti web interface access to trusted internal IP ranges or VPN-gated connections; eliminate any direct public internet exposure of the monitoring dashboard.
- Implement database-level query monitoring and alerting for anomalous SQL patterns, specifically targeting queries involving the rfilter parameter or unusual RLIKE/REGEXP clauses, to detect active exploitation attempts.
- Review web server access logs for anomalous file path parameters in GET/POST requests that may indicate CVE-2026-39938 LFI exploitation; correlate with file access logs for unexpected reads of sensitive server-side files.
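An added example (not Cacti project code) of the log review above: a Python scanner over constructed Apache access-log lines that flags rfilter values carrying quotes, comment sequences or RLIKE/REGEXP, and any parameter carrying path traversal. The script names, client addresses and the 'file' parameter are constructed, not taken from Cacti.

```python
"""Access-log triage for the Cacti recommendations above: flag requests whose
rfilter value carries SQL metacharacters or RLIKE/REGEXP keywords, and any
parameter carrying path traversal. Added example, not Cacti project code.
The log lines, client addresses, script names and the LFI parameter name
('file') are constructed; real deployments should widen the parameter list."""
from __future__ import annotations
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines for a host serving Cacti under /cacti/.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/2026:10:01:02 +0000] "GET /cacti/graph_view.php?action=list&rfilter=core-router HTTP/1.1" 200 5120
203.0.113.9 - - [28/Jun/2026:10:02:17 +0000] "GET /cacti/graph_view.php?action=list&rfilter=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9134
203.0.113.9 - - [28/Jun/2026:10:02:41 +0000] "GET /cacti/graph_view.php?action=list&rfilter=x%27%20RLIKE%20%27.%2A HTTP/1.1" 200 8821
198.51.100.7 - - [28/Jun/2026:10:05:03 +0000] "GET /cacti/include.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1211
10.0.0.8 - - [28/Jun/2026:10:06:10 +0000] "POST /cacti/graphs.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Quote/comment characters or SQL keywords inside a value meant to be a name
# filter; RLIKE/REGEXP match the clause CVE-2026-39893 concatenates into.
SQLI_MARKERS = re.compile(r"['\"`;]|--|/\*|\b(?:RLIKE|REGEXP|UNION|SELECT)\b", re.I)
# Directory traversal, absolute system paths or a NUL byte in any parameter.
TRAVERSAL = re.compile(r"\.\.[\\/]|^/(?:etc|proc)/|\x00")


def analyze_request(target: str) -> list[dict]:
    """Return one finding per suspicious parameter in a Cacti request target."""
    findings: list[dict] = []
    url = urlsplit(target)
    if not url.path.startswith("/cacti/"):
        return findings
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value)  # second pass catches double-encoded values
        if name == "rfilter" and SQLI_MARKERS.search(value):
            findings.append({"rule": "rfilter-sqli", "param": name, "value": value})
        if TRAVERSAL.search(value):
            findings.append({"rule": "path-traversal", "param": name, "value": value})
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse each line and attach client IP, timestamp and path to every finding.
    Guest access means these hits need no prior login event to correlate with."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for f in analyze_request(m["target"]):
            f.update(ip=m["ip"], ts=m["ts"], path=urlsplit(m["target"]).path)
            results.append(f)
    return results


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['rule']} {hit['path']} "
              f"{hit['param']}={hit['value']!r}")
```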

Black Kite's Cacti - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.
Gogs - Jun2026 (CVE-2026-52813, CVE-2026-52806, CVE-2026-52811)
What is this vulnerability?
Three critical-severity vulnerabilities — CVE-2026-52813, CVE-2026-52806, and CVE-2026-52811 — were identified in Gogs, a self-hosted Git service with approximately 50,000 GitHub stars and widespread deployment as a lightweight alternative to GitHub and GitLab in enterprise, research, and development environments. The highest CVE carries the maximum possible CVSS 10.0 score. All three vulnerabilities are reachable by self-registered users — and Gogs permits open account self-registration by default — meaning any external visitor can create an account and immediately reach the exploit surface without requiring pre-existing insider or administrative access. Public PoC exploits are available.
CVE-2026-52813 (CVSS 10.0, EPSS 1.11%) is a path traversal to Remote Code Execution vulnerability via organization names. Gogs fails to properly sanitize user-supplied organization names, allowing an attacker to embed directory traversal sequences that break out of intended storage boundaries and write malicious files to the server filesystem. By targeting an editable Git worktree, the attacker can overwrite a Git hook script — such as pre-receive, post-receive, or update hooks. When the hook is subsequently triggered by any Git operation on that repository, the malicious hook executes arbitrary shell commands with the same privileges as the Gogs process user (typically 'git'), yielding full host compromise. CVE-2026-52806 (CVSS 9.9, EPSS 1.03%) is an argument injection via the pull request rebase feature. An attacker can craft a malicious branch name containing specific command-line arguments that are injected directly into the underlying git command invocation when a rebase operation occurs during a merge. This forces arbitrary attacker-controlled OS commands to execute on the server without requiring victim interaction or administrative rights beyond repository access. CVE-2026-52811 (CVSS 9.0, EPSS 0.47%) is a symlink-based arbitrary file write vulnerability via the repository file upload path. Gogs validates only the final path component for symbolic links, allowing an attacker to upload a crafted file structure that references a planted parent symlink, redirecting write operations outside the repository's designated working tree. This enables persistent backdoor installation — unauthorized SSH keys or malicious hook scripts — that survive system restarts. Impacts Linux and macOS deployments. Not listed in CISA KEV. Listed in EUVD: EUVD-2026-39084, EUVD-2026-39073, EUVD-2026-39082. Affects: all Gogs versions prior to 0.14.3. Fixed in Gogs 0.14.3. ~1,938 internet-facing instances on Shodan.
Why should TPRM professionals care?
Gogs executes as a single process user — typically 'git' — that owns and has write access to every hosted repository on the instance. This architectural characteristic means a single successful exploitation of any of the three CVEs yields access to the complete repository fleet: every codebase, every commit history, every branch, and every deployment key or CI/CD integration secret stored in any repository on the server. For vendors who use Gogs to host proprietary source code, internal tooling, infrastructure-as-code, deployment scripts, or API integration configurations, the blast radius of a single exploitation event encompasses the entirety of their software development intellectual property and potentially their production deployment credentials. The open self-registration default compounds this dramatically: unlike vulnerabilities requiring pre-existing insider access, CVE-2026-52813 and CVE-2026-52806 are reachable by any external actor who creates a Gogs account — a trivial step against any publicly accessible Gogs instance. CVE-2026-52811's persistent backdoor capability (SSH key injection, hook persistence through reboots) means that even if an initial exploitation is detected and the vulnerability patched, an undetected prior compromise may maintain persistent access to the host. For TPRM professionals, vendors running publicly accessible Gogs instances represent an immediate priority for upgrade confirmation to version 0.14.3 and forensic IoC review.
What questions should TPRM professionals ask vendors?
- Have all Gogs instances been upgraded to version 0.14.3 — the only release that introduces the sanitization, argument validation, and path verification fixes for all three CVEs? What is the confirmed installed version and upgrade timeline for any pre-0.14.3 deployments?
- Has open account self-registration been disabled as an immediate interim mitigation for pre-0.14.3 instances? Disabling self-registration prevents external actors from creating accounts and reaching CVE-2026-52813 and CVE-2026-52806 without pre-existing credentials.
- Have Git hooks across all hosted repositories been audited for unauthorized scripts, modifications, or unexpected hook files that may indicate prior exploitation via CVE-2026-52813? Specifically, have pre-receive, post-receive, and update hooks been reviewed against known-good baselines?
- Has the server's authorized_keys file been reviewed for unexpected or unrecognized SSH public keys that may have been injected via CVE-2026-52811 to establish persistent unauthorized access? Have any unfamiliar SSH keys been immediately revoked?
- Is the Gogs instance publicly internet-accessible? If so, has access been restricted to trusted IP ranges or VPN-gated connections while the upgrade is being planned? What is the population of users with self-registered accounts on the affected instance?
Remediation recommendations
- Upgrade all Gogs instances to version 0.14.3 immediately — this is the only release that addresses all three vulnerabilities with organization name sanitization, argument validation for branch names during rebase operations, and symlink path verification for file uploads.
- If immediate upgrade is not possible, disable open account self-registration in Gogs configuration settings to prevent external actors from creating accounts and reaching CVE-2026-52813 and CVE-2026-52806. Restrict organization and repository creation to authorized administrative accounts only.
- Conduct an immediate IoC audit: review all Git hook scripts across hosted repositories for unauthorized shell commands or modifications; check the system authorized_keys file for unrecognized SSH public keys; and look for unexpected files outside repository working trees that may indicate CVE-2026-52811 symlink writes.
- Revoke any unauthorized SSH keys discovered during the IoC audit immediately, and rotate deployment keys and CI/CD integration secrets stored in or accessible from the Gogs host as a precautionary measure following any period of pre-0.14.3 exposure with public internet access.
- Restrict the Gogs management interface and Git access to trusted IP ranges; eliminate public internet exposure for any Gogs instance that does not require it operationally.
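An added example (not Gogs project code) of the IoC audit above as a Python sweep: hook scripts compared against a known-good hash baseline, symlinks resolving outside their repository, and authorized_keys blobs outside an approved set. The repository layout, demo files and key blobs are constructed, and the symlink step assumes Linux or macOS.

```python
"""Post-exposure IoC sweep for a Gogs host, following the audit steps above:
hook scripts not matching a known-good baseline, symlinks that resolve outside
their repository, and authorized_keys entries outside an approved set.
Added example, not Gogs project code. The on-disk layout
<repo-root>/<owner>/<name>.git/hooks/ (with hooks/<name>.d/ chains), the
demo files and the key blobs are constructed; run on Linux/macOS."""
from __future__ import annotations
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed known-good wrapper hook and a constructed tampered hook.
GOOD_HOOK = b"#!/bin/sh\nexec /opt/gogs/gogs hook pre-receive\n"
BAD_HOOK = b"#!/bin/sh\necho tampered\n"
BASELINE = {hashlib.sha256(GOOD_HOOK).hexdigest()}

KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w-]+@openssh\.com)\s+(\S+)"
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_hooks(repo_root: Path, baseline: set[str]) -> list[str]:
    """Report hook scripts whose SHA-256 is not in the baseline; a hook that is
    itself a symlink is reported without hashing. Stock *.sample files are inert."""
    findings = []
    for hooks_dir in Path(repo_root).glob("*/*.git/hooks"):
        for hook in list(hooks_dir.iterdir()) + list(hooks_dir.glob("*.d/*")):
            if hook.is_symlink():
                findings.append(f"{hook.relative_to(repo_root)} (symlink)")
            elif hook.is_file() and hook.suffix != ".sample":
                if sha256_file(hook) not in baseline:
                    findings.append(str(hook.relative_to(repo_root)))
    return sorted(findings)


def find_escaping_symlinks(repo_root: Path) -> list[str]:
    """Symlinks anywhere under a repository whose target resolves outside it."""
    findings = []
    for repo in Path(repo_root).glob("*/*.git"):
        repo_real = repo.resolve()
        for dirpath, dirnames, filenames in os.walk(repo, followlinks=False):
            for name in dirnames + filenames:
                p = Path(dirpath) / name
                if not p.is_symlink():
                    continue
                target = Path(os.path.realpath(p))
                if target != repo_real and repo_real not in target.parents:
                    findings.append(f"{p.relative_to(repo_root)} -> {target}")
    return sorted(findings)


def unknown_ssh_keys(authorized_keys: str, known_blobs: set[str]) -> list[str]:
    """Gogs-managed lines start with command="..." options; compare only the
    base64 key blob against the approved set and report everything else."""
    unknown = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m or m.group(2) not in known_blobs:
            unknown.append(line)
    return unknown


def build_demo_root() -> Path:
    """Constructed repository tree: one clean repo, one with a foreign
    post-receive hook and a symlink pointing above the repository root."""
    root = Path(tempfile.mkdtemp(prefix="gogs-ioc-"))
    clean = root / "acme" / "clean.git" / "hooks"
    (clean / "pre-receive.d").mkdir(parents=True)
    (clean / "pre-receive").write_bytes(GOOD_HOOK)
    (clean / "pre-receive.d" / "gogs").write_bytes(GOOD_HOOK)
    bad = root / "acme" / "tampered.git" / "hooks"
    bad.mkdir(parents=True)
    (bad / "pre-receive").write_bytes(GOOD_HOOK)
    (bad / "post-receive").write_bytes(BAD_HOOK)
    (bad.parent / "escape").symlink_to(root.parent)
    return root


if __name__ == "__main__":
    root = build_demo_root()
    print("foreign hooks:", audit_hooks(root, BASELINE))
    print("escaping symlinks:", find_escaping_symlinks(root))
    keys = ('command="/opt/gogs/gogs serv key-1",no-port-forwarding '
            'ssh-ed25519 AAAAKNOWNBLOB1 dev@acme\n'
            'ssh-rsa AAAAUNKNOWNBLOB9 unrecognised\n')  # constructed entries
    print("unknown keys:", unknown_ssh_keys(keys, {"AAAAKNOWNBLOB1"}))
```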

Black Kite's Gogs - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.
How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities
This week's four FocusTags® collectively represent three distinct categories of urgency that TPRM professionals must distinguish and triage simultaneously. SharePoint - CVE-2026-45659 is the active-exploitation emergency: CISA KEV-listed with a 72-hour federal remediation deadline, public PoC, and confirmed in-the-wild exploitation against one of the most sensitive data-hosting platforms in enterprise environments. Gogs and Cacti represent the public-PoC acceleration category: critical-severity vulnerabilities with working exploit code that transitions the threat from theoretical to immediately operational, requiring upgrade confirmation within the shortest possible window. ProFTPD represents the no-patch-available category — arguably the most difficult for TPRM programs to address because the standard remediation question ('have you patched?') has no valid affirmative answer, and engagement must instead verify specific configuration-level workarounds that most standard assessments are not designed to probe.
Black Kite's FocusTags® address all three categories within a unified intelligence layer. For SharePoint, tagging immediately identifies which vendors in the portfolio run on-premises SharePoint Server 2016, 2019, or Subscription Edition and enables build-number-specific remediation verification — not just 'are you patched?' but 'what build number is installed, confirmed against the specific thresholds of 16.0.5552.1002, 16.0.10417.20128, or 16.0.19725.20280?' For ProFTPD, tagging enables the configuration-verification conversation — DefaultRoot chroot status, RNFR/RNTO restriction — that no generic vulnerability assessment tool reaches. For Gogs, tagging surfaces vendors running a developer infrastructure tool that never appears in standard technology inventories yet hosts their complete source code and production deployment credentials. The operational result is TPRM engagement that matches the actual threat: differentiated, technically precise, and deployed at the speed that confirmed active exploitation demands.
Strengthening TPRM Outcomes with Black Kite's FocusTags®
Black Kite's FocusTag® technology provides TPRM teams with the intelligence infrastructure needed to keep pace with an accelerating threat landscape. By automatically correlating newly disclosed vulnerabilities with the technology profiles of vendors in your ecosystem, Black Kite transforms reactive patch tracking into proactive vendor risk management.
• Instant Vendor Exposure Mapping: FocusTags® automatically identify which vendors in your portfolio are running affected products, eliminating the manual effort of mapping CVEs to vendor technology inventories across large, complex third-party ecosystems.
• Precision-Targeted Remediation Requests: Each FocusTag® includes specific, technically grounded vendor questions — moving beyond generic patch status inquiries to version-specific, control-specific questions that surface genuine remediation versus compliance theater.
• Continuous Risk Score Integration: FocusTag® exposure feeds directly into Black Kite's vendor risk scores, ensuring that critical vulnerability exposure is immediately reflected in your third-party risk ratings without waiting for the next scheduled assessment cycle.
• Operational Efficiency at Scale: By consolidating multi-product vulnerability intelligence into a single prioritized view, FocusTags® enable TPRM teams to manage concurrent threat events across diverse technology categories without scaling headcount — ensuring risk teams operate at the speed of the threat landscape.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags® in the Last 30 Days:
- SharePoint - CVE-2026-45659: CVE-2026-45659, High-Severity Deserialization of Untrusted Data Vulnerability in Microsoft SharePoint List Item Update Workflow Allowing Low-Privilege Network Remote Code Execution.
- ProFTPD: CVE-2026-35025, High-Severity ACL Bypass Vulnerability in ProFTPD via /proc/self/root RNFR Path Prefix Allowing Authenticated Access to Restricted Directories.
- Cacti - Jun2026: CVE-2026-39893, CVE-2026-39948, CVE-2026-39955, CVE-2026-39938, Critical Pre-Authentication SQL Injection, Regex Validation Bypass, and Unauthenticated Local File Inclusion Vulnerabilities in Cacti.
- Gogs - Jun2026: CVE-2026-52813, CVE-2026-52806, CVE-2026-52811, Critical Path Traversal, Git Hook Overwrite, Rebase Argument Injection, Arbitrary OS Command Execution, and Symlink File Write Vulnerabilities in Gogs Leading to Remote Code Execution and Persistent Backdoors.
- Squidbleed: CVE-2026-47729, CVE-2026-50012, Critical Heap Over-Read Vulnerability in Squid Proxy FTP Directory-Listing Parser Leading to Cleartext HTTP Request and Token Disclosure.
- UniFi OS Devices: CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000, CVE-2026-34911, Critical Improper Access Control, Path Traversal, Command Injection, and Information Disclosure Vulnerabilities in UniFi OS Devices.
- pgAdmin - Jun2026: CVE-2026-12046, CVE-2026-12045, CVE-2026-12048, Critical Unauthenticated Remote Code Execution, AI Assistant Transaction Bypass, OS Command Execution, and Stored XSS Vulnerabilities in pgAdmin 4.
- FreeBSD - Jun2026: CVE-2026-45257, High-Severity Local Privilege Escalation Vulnerability in FreeBSD KTLS sendfile(2) Handling Allowing Page Cache Modification and Root Compromise.
- TinyProxy - Jun2026: CVE-2026-54388, CVE-2026-54387, CVE-2026-55202, Critical HTTP Request Smuggling, CL/TE Desynchronization, Request Injection, Cache Poisoning, Access Control Bypass, and StatHost Bypass Vulnerabilities in TinyProxy.
- NGINX Rift Chain: CVE-2026-42945, CVE-2026-46376, Critical Heap-Based Buffer Overflow and Remote Code Execution Vulnerability in NGINX ngx_http_rewrite_module.
- FortiBleed Breach: Active exploitation of Fortinet vulnerabilities has led to confirmed breach activity, enabling attackers to compromise exposed Fortinet environments and creating significant third-party risk for affected organizations.
- Langflow - Jun2026 (Latest): CVE-2026-5027, High-Severity Path Traversal and Unauthenticated Remote Code Execution Vulnerability in Langflow.
- Jenkins - Jun2026: CVE-2026-53435, CVE-2026-53441, High-Severity Deserialization Type Bypass, User Impersonation, Arbitrary File Read, Script Console Remote Code Execution, and Stored XSS Vulnerabilities in Jenkins.
- MongoDB - Jun2026: CVE-2026-11933, CVE-2026-9740, CVE-2026-9750, CVE-2026-9743, High-Severity Use-After-Free Memory Disclosure, Unauthenticated Denial of Service, Metadata Corruption, and Null Pointer Dereference Vulnerabilities in MongoDB.
- LiteSpeed cPanel Plugin: CVE-2026-54420, High-Severity Privilege Escalation to Root Vulnerability in LiteSpeed cPanel Plugin.
- SimpleHelp - Jun2026: CVE-2026-48558, Critical OIDC Authentication Bypass and Administrative Account Takeover Vulnerability in SimpleHelp.
- Automatic Tank Gauge (ATG) Systems: Critical Internet-Exposed Automatic Tank Gauge Systems Enabling Unauthenticated Remote Command Execution.
- LiteLLM: CVE-2026-42271, High-Severity Authenticated Command Execution Vulnerability in LiteLLM AI Proxy Server.
- Ivanti EPMM - Jun2026: CVE-2026-6973, CVE-2026-10727, High-Severity Remote Code Execution and OS Command Injection Vulnerabilities in Ivanti Endpoint Manager Mobile.
- Exchange Server - Jun2026: CVE-2026-45504, CVE-2026-45503, CVE-2026-47631, CVE-2026-45583, CVE-2026-45501, CVE-2026-45500, CVE-2026-45502, High-Severity Privilege Escalation, SSRF, Spoofing, Remote Code Execution, and Information Disclosure Vulnerabilities in Microsoft Exchange Server.
- SharePoint - Jun2026: CVE-2026-45484, CVE-2026-47298, CVE-2026-47634, CVE-2026-45481, CVE-2026-45454, High-Severity Privilege Escalation, Remote Code Execution, Spoofing, and Path Traversal Vulnerabilities in Microsoft SharePoint.
- MariaDB - Jun2026: CVE-2026-49261, CVE-2026-48165, CVE-2026-48163, Critical and High-Severity Remote Code Execution, Authentication Bypass, and Server-Side Vulnerabilities in MariaDB Community Server.
See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag® at https://blackkite.com/cve-database.
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
https://nvd.nist.gov/vuln/detail/CVE-2026-45659
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45659
https://github.com/mistbarbarianspot/CVE-2026-45659-SharePoint-RCE
https://securityonline.info/proftpd-acl-bypass/
https://github.com/proftpd/proftpd/issues/2170
https://securityonline.info/cacti-vulnerabilities-1-2-31/
https://nvd.nist.gov/vuln/detail/CVE-2026-39893
https://nvd.nist.gov/vuln/detail/CVE-2026-39948
https://nvd.nist.gov/vuln/detail/CVE-2026-39955
https://nvd.nist.gov/vuln/detail/CVE-2026-39938
https://github.com/Cacti/cacti/security/advisories/GHSA-69gg-mjfm-jjpc
https://github.com/Cacti/cacti/pull/7039
https://www.cve.org/CVERecord?id=CVE-2026-52813
https://www.cve.org/CVERecord?id=CVE-2026-52806
https://www.cve.org/CVERecord?id=CVE-2026-52811
https://securityonline.info/gogs-rce-vulnerability/
https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5