Focus Friday: Fortifying TPRM Against Kernel Compromise, Buffer Overflow, and Directory Traversal Vulnerabilities

Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we look at Third-Party Risk Management (TPRM) in the face of emerging cyber threats. This edition covers three vulnerabilities that demand attention from TPRM professionals: a kernel compromise in Juniper Junos OS (CVE-2025-21590), a buffer overflow in the MongoDB C driver (CVE-2025-0755), and a directory traversal vulnerability in SAP NetWeaver AS Java (CVE-2017-12637). Each presents a different exposure and remediation path, and we explain how Black Kite’s FocusTags™ help organizations identify and follow up with the vendors that may be affected.

Filtered view of companies with the Juniper Junos OS - Mar2025 FocusTag™ on the Black Kite platform.

CVE-2025-21590: Juniper Junos OS Kernel Compromise

What is the Juniper Junos OS Kernel Compromise?

CVE-2025-21590 is a medium-severity (CVSS 6.7) improper isolation or compartmentalization vulnerability in the Juniper Junos OS kernel. A local attacker who already holds shell access with high privileges can inject arbitrary code and compromise the integrity of the device; on Juniper MX routers this has been used to plant persistent backdoors. The EPSS score is 5.75%. Juniper published the out-of-cycle security bulletin JSA93446 for this issue in March 2025, Mandiant attributes in-the-wild exploitation to the China-nexus espionage group UNC3886, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on March 13, 2025. Note that this is a post-compromise primitive: the attacker must already have shell access, so hardening management access and credentials matters as much as patching.

View the IoC Table for Juniper Junos OS Vulnerability on our blog.

Why Should TPRM Professionals Care?

Compromised Juniper MX routers, typically deployed in critical infrastructure such as telecom and ISP backbones, pose a significant risk. Because these devices forward and inspect large volumes of traffic, a successful attack can enable exfiltration of sensitive data, manipulation or redirection of network traffic, disruption of essential services, and long-lived backdoors that survive reboots. The reporting that the threat actors replaced legitimate binaries, including TACACS+ components, and bypassed the platform’s Veriexec file-integrity protection shows both the sophistication of the campaign and why a vendor’s own “we patched” statement should be paired with an integrity check of the device.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

To assess the risk posed by CVE-2025-21590, TPRM professionals should ask vendors:

  1. Have you upgraded all instances of Junos OS to a fixed release listed in JSA93446 (21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, or a later release on the same train) to mitigate CVE-2025-21590?
  2. Have you executed the Juniper Malware Removal Tool (JMRT) Quick Scan and Integrity Check after upgrading to detect any signs of compromise related to CVE-2025-21590?
  3. Can you confirm that you have implemented enhanced network monitoring, device lifecycle management, and configuration management programs to detect and prevent potential exploitation of the improper isolation or compartmentalization vulnerability in the Junos OS kernel?
  4. Have you secured all authentication systems, including TACACS+, and enforced multifactor authentication (MFA) for all network device management systems to prevent the unauthorized shell access that exploitation of CVE-2025-21590 requires?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk:

  1. Immediately upgrade all Juniper MX routers to the latest supported Junos OS versions, as specified in the Juniper Security Advisory JSA93446.
  2. Restrict shell access to trusted users only as a temporary mitigation measure.
  3. Implement YARA and Snort/Suricata rules to detect the provided Indicators of Compromise (IOCs).
  4. Execute the Juniper Malware Removal Tool (JMRT) Quick Scan and Integrity Check after upgrading to detect any signs of compromise.
  5. Enforce MFA for all network device management systems and secure authentication systems, including TACACS+.
  6. Implement a centralized Identity and Access Management (IAM) system with robust multi-factor authentication (MFA) and granular role-based access control (RBAC).
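The version question above is harder to verify than it looks, because Junos releases are written as train, release and service release (for example 21.4R3-S10.2 as printed by show version) and only a fixed release on the same train counts. The following is an added example, not Juniper’s or Black Kite’s code: it parses a reported Junos OS version and checks it against the fixed releases from JSA93446 quoted in question 1. The inventory at the bottom is constructed sample data, and the “review” bucket (unrecognised strings, or trains with no fixed release listed, which are typically End-of-Life) is an assumption about how an analyst would want ambiguous vendor answers surfaced rather than silently classified.

```python
"""Check reported Junos OS versions against the fixed releases for CVE-2025-21590.

Added example, not Juniper's or Black Kite's code. The fixed-release list is the one
quoted from JSA93446 above; the device inventory at the bottom is constructed.
"""
import re
from typing import Optional

# Fixed releases listed in JSA93446 for CVE-2025-21590 (as quoted in question 1 above).
FIXED_RELEASES = [
    "21.2R3-S9", "21.4R3-S10", "22.2R3-S6", "22.4R3-S6",
    "23.2R2-S3", "23.4R2-S4", "24.2R1-S2", "24.2R2",
]

# Junos OS release format: <major>.<minor>R<release>[-S<service>][.<build>]
# e.g. "21.4R3-S10.2" as printed by `show version`. X/F/EVO flavours are not handled
# and are deliberately rejected so they end up in the manual-review bucket.
_JUNOS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_junos(version: str) -> tuple[str, tuple[int, int]]:
    """Return (train, (R, S)) for a Junos version string, e.g. ("21.4", (3, 10))."""
    v = version.strip()
    if v.lower().startswith("junos:"):          # accept the `show version` prefix
        v = v.split(":", 1)[1].strip()
    m = _JUNOS_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, rel, svc = m.groups()
    return f"{major}.{minor}", (int(rel), int(svc or 0))


def is_fixed(version: str, fixed: list[str] = FIXED_RELEASES) -> Optional[bool]:
    """True  -> at or above a listed fixed release on the same train.
    False -> below every fixed release listed for that train.
    None  -> no fixed release listed for that train (EoL or newer than the
             advisory); the advisory itself must be consulted."""
    train, rs = parse_junos(version)
    candidates = [parse_junos(f)[1] for f in fixed if parse_junos(f)[0] == train]
    if not candidates:
        return None
    # (R, S) tuples compare lexicographically: 24.2R2 (2, 0) >= 24.2R1-S2 (1, 2).
    return any(rs >= c for c in candidates)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket a {device: reported version} inventory into fixed / vulnerable / review."""
    buckets: dict[str, list[str]] = {"fixed": [], "vulnerable": [], "review": []}
    for device, version in inventory.items():
        try:
            status = is_fixed(version)
        except ValueError:                        # unparseable answer -> human review
            status = None
        key = {True: "fixed", False: "vulnerable", None: "review"}[status]
        buckets[key].append(device)
    return buckets


# Constructed sample inventory, as a vendor might return it (not real data).
SAMPLE_INVENTORY = {
    "mx1": "Junos: 21.4R3-S8.5",   # below 21.4R3-S10 -> vulnerable
    "mx2": "21.4R3-S10.2",         # fixed release plus build number -> fixed
    "mx3": "24.2R1-S1",            # below both 24.2R1-S2 and 24.2R2 -> vulnerable
    "mx4": "24.2R2",               # listed fixed release -> fixed
    "mx5": "22.1R3-S5",            # 22.1 train has no fixed release listed -> review
    "mx6": "23.4R2-S4-EVO",        # Junos OS Evolved string, not parsed here -> review
}

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:11s} {', '.join(devices) or '-'}")
```

Run against a vendor’s exported inventory, anything in the “review” bucket is the list to take back to the vendor: either the string was not a plain Junos OS release, or the device sits on a train for which JSA93446 lists no fix and the remediation is a train upgrade rather than a service release.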

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the “Juniper Junos OS – Mar2025” FocusTag to help organizations identify vendors potentially exposed to CVE-2025-21590. This tag, published in March 2025, allows TPRM professionals to quickly identify vendors using vulnerable Juniper MX routers. Black Kite provides asset information, including IP addresses and subdomains, that may be affected, enabling targeted remediation efforts. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.

Black Kite’s Juniper Junos OS - Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2017-12637: SAP NetWeaver AS Java Directory Traversal

What is the SAP NetWeaver AS Java Directory Traversal Vulnerability?

CVE-2017-12637 is a high-severity (CVSS 7.5) directory traversal vulnerability in the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component of SAP NetWeaver Application Server Java 7.5. A remote attacker can read arbitrary files from the server by placing a “..” (dot dot) sequence in the query string of a request to that component. Exploitation in the wild was observed as early as August 2017. SAP’s original fix was delivered in SAP Security Note 2486657; however, systems that applied only that initial patch may still be reachable through specific URLs, which is why SAP Knowledge Base Article 3476549 describes additional measures. The affected software component is ADSSSAP 7.50 of SAP NetWeaver AS for Java. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on March 19, 2025, and its EPSS score is 80.11%, reflecting how routinely it is probed.

Why Should TPRM Professionals Care?

A directory traversal vulnerability in SAP NetWeaver AS Java can lead to the unauthorized disclosure of sensitive files, potentially exposing critical business data. Given that SAP NetWeaver is widely used in enterprise environments, a successful exploit could result in significant data breaches and compromise sensitive information. The ability of attackers to read arbitrary files on the server poses a substantial risk to data confidentiality. Therefore, TPRM professionals must ensure that vendors using SAP NetWeaver AS Java have implemented the necessary security measures to mitigate this vulnerability.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

To assess the risk posed by CVE-2017-12637, TPRM professionals should ask vendors:

  1. Can you confirm that you have applied the recommendations from SAP Knowledge Base Article 3476549 to address residual exposure to CVE-2017-12637 in your SAP NetWeaver AS Java systems?
  2. Have you implemented strict access controls that limit which files and directories the SAP NetWeaver AS Java process can read, to reduce the impact of the directory traversal vulnerability (CVE-2017-12637)?
  3. Can you confirm the current patch level of the ADSSSAP 7.50 component in your SAP NetWeaver AS for Java installations, and that it includes the fix from SAP Security Note 2486657 and the later corrections referenced by KBA 3476549?
  4. Have you reviewed the web application configuration of your SAP NetWeaver AS Java systems, specifically requests reaching the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component, and do you monitor for traversal attempts against it?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk:

  1. Even if the patch level is higher than the original fix, apply the recommendations from SAP Knowledge Base Article 3476549 to address potential residual vulnerabilities.
  2. Monitor web server logs for requests to the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS path whose query string contains “..” sequences, including URL-encoded variants, and for unexpected file reads following such requests.
  3. Implement strict access controls to limit access to sensitive files and directories on the SAP NetWeaver AS Java server.
  4. Confirm the current patch level of SAP NetWeaver AS Java and ensure all relevant patches, including those beyond the initial fix in SAP Security Note 2486657, are applied.
  5. Thoroughly review the web application configuration to identify and mitigate any potential directory traversal vulnerabilities.
  6. Ensure that SAP NetWeaver AS Java systems are within securely segmented networks.
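Item 2 above is easier to act on with concrete matching logic. The following is an added example, not SAP’s or Black Kite’s code: it scans web server access logs for requests to the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component whose query string contains a “..” traversal sequence, percent-decoding repeatedly so that %2e%2e and double-encoded %252e%252e variants are caught as well. The log lines are constructed in Common Log Format; the file names requested in them are illustrative and are not taken from any real incident.

```python
"""Flag CVE-2017-12637 traversal attempts in HTTP access logs.

Added example, not SAP's or Black Kite's code. The log lines below are constructed
in Common Log Format; the only page-derived specifics are the vulnerable path
component and the '..' traversal in the query string.
"""
import re
from urllib.parse import unquote, urlsplit

# Path component named in the CVE description.
TARGET_PATH = "scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS"

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample lines: one single-encoded and one double-encoded traversal
# attempt, one legitimate request to the same component, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2025:10:01:02 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
203.0.113.7 - - [20/Mar/2025:10:01:03 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 312
198.51.100.5 - - [20/Mar/2025:10:02:11 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?/js/app.js HTTP/1.1" 200 9120
198.51.100.9 - - [20/Mar/2025:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 302 0
"""


def _fully_decode(s: str, max_passes: int = 3) -> str:
    """Percent-decode until stable so %252e%252e -> %2e%2e -> .. is caught."""
    for _ in range(max_passes):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(query: str) -> bool:
    """True if the decoded query string contains a '..' path segment."""
    q = _fully_decode(query).replace("\\", "/")   # treat backslashes as separators
    return any(seg == ".." for seg in q.split("/"))


def flag_traversal_requests(log_text: str) -> list[dict]:
    """One record per request to the UIUtilJavaScriptJS component whose
    query string carries a directory-traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = _CLF_RE.match(line)
        if not m:
            continue                                  # not CLF, skip
        client, ts, method, target, status, size = m.groups()
        parts = urlsplit(target)
        path = _fully_decode(parts.path).lower()
        if not path.endswith(TARGET_PATH.lower()):
            continue                                  # some other endpoint
        if has_traversal(parts.query):
            hits.append({
                "client": client,
                "time": ts,
                "method": method,
                "status": int(status),
                "bytes": int(size) if size.isdigit() else 0,
                "decoded_query": _fully_decode(parts.query),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['status']} {hit['bytes']}B "
              f"{hit['decoded_query']}")
```

Treat a flagged line with status 200 and a non-zero byte count as a probable successful read and confirm from the host which file was served; a 404 or an empty body still records the attempt and the source address, which is worth correlating across the vendor’s other internet-facing SAP systems.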

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the “SAP NetWeaver JAVA – Mar2025” FocusTag to help organizations identify vendors potentially exposed to CVE-2017-12637. This tag, published on March 20, 2025, allows TPRM professionals to quickly identify vendors using vulnerable versions of SAP NetWeaver AS Java 7.5. Black Kite provides asset information, including IP addresses and subdomains, that may be affected. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.

Black Kite’s SAP NetWeaver - Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2025-0755: MongoDB C Driver Buffer Overflow

What is the MongoDB C Driver Buffer Overflow?

CVE-2025-0755 is a high-severity (CVSS 8.4) buffer overflow in the bson_append family of functions of the MongoDB C driver library (libbson). The functions lack adequate overflow protection when an append would produce a BSON document larger than the maximum allowable size (INT32_MAX), and the result is a segmentation fault and crash of the application embedding the library. The EPSS score is 0.01%. The CVE record was published in early 2025; no public proof-of-concept exploit is known, and the CVE has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Affected versions are libbson prior to 1.27.5, MongoDB Server 8.0 prior to 8.0.1, and MongoDB Server 7.0 prior to 7.0.16.

Why Should TPRM Professionals Care?

The impact described for this flaw is a crash, that is, denial of service of whatever process embeds libbson: the MongoDB server itself or any application built on the C driver or on drivers layered over it. Reaching the overflow requires a document being built to approach 2 GiB, so exposure is greatest where an attacker controls the size of data the application appends into a single BSON document. The server’s well-known 16 MB document limit does not help here, because the overflow happens in the client library while the document is being constructed, before anything is sent. Given how widely MongoDB underpins business applications, TPRM professionals should confirm that vendors have moved to the fixed server and driver versions.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

To assess the risk posed by CVE-2025-0755, TPRM professionals should ask vendors:

  1. Can you confirm if you have upgraded the MongoDB Server to versions 8.0.1 or later for the 8.0 line and 7.0.16 or later for the 7.0 line to mitigate the risk of CVE-2025-0755?
  2. Have you updated the libbson driver to version 1.27.5 or later to address the buffer overflow vulnerability in the MongoDB C driver library?
  3. Are you monitoring your application logs for unusual activity, such as application crashes or segmentation faults, which could indicate exploitation of the buffer overflow vulnerability in the MongoDB C driver?
  4. After upgrading the MongoDB Server and libbson driver, did you conduct thorough testing to verify that your applications are functioning normally and are no longer susceptible to the buffer overflow vulnerability?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to mitigate the risk:

  1. Upgrade the libbson driver to version 1.27.5 or later.
  2. Upgrade MongoDB Server 8.0 to version 8.0.1 or later, or MongoDB Server 7.0 to version 7.0.16 or later.
  3. Conduct thorough application testing after the update to ensure proper functionality.
  4. Implement a regular update plan for future MongoDB updates.
  5. Monitor application logs for unusual activity, such as application crashes or segmentation faults.
  6. Regularly scan MongoDB installations for known vulnerabilities.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite released the “MongoDB – Mar2025” FocusTag to assist organizations in identifying vendors potentially exposed to CVE-2025-0755. This tag, published in March 2025, enables TPRM professionals to quickly identify vendors running MongoDB Server builds below the fixed versions. Black Kite provides asset information, including IP addresses and subdomains, that may be affected. By leveraging this FocusTag, organizations can efficiently prioritize vendor outreach and mitigation efforts, reducing the time and resources required for risk assessment. Black Kite’s ability to pinpoint specific vulnerable assets within a vendor’s infrastructure is a key differentiator, providing actionable intelligence for effective TPRM.

Black Kite’s MongoDB - Mar2025 FocusTag™ details critical insights on the event for TPRM professionals.

Streamlining TPRM with Black Kite’s FocusTags™

In the dynamic landscape of cybersecurity, maintaining robust Third-Party Risk Management (TPRM) strategies is paramount. Black Kite’s FocusTags™ serve as an essential tool, offering real-time insights and actionable data to effectively manage emerging threats. This week’s vulnerabilities in Juniper Junos OS, MongoDB, and SAP NetWeaver highlight the necessity of proactive risk assessment and mitigation.

Here’s how Black Kite’s FocusTags™ enhance TPRM:

  • Rapid Vendor Identification: Quickly pinpoint vendors impacted by critical vulnerabilities, enabling immediate response and remediation.
  • Strategic Risk Prioritization: Prioritize risks based on vendor criticality and vulnerability severity, ensuring resources are allocated efficiently.
  • Targeted Vendor Engagement: Facilitate informed discussions with vendors, focusing on their specific security posture and mitigation efforts.
  • Comprehensive Threat Awareness: Provide a holistic view of the threat landscape, empowering organizations to strengthen their overall security posture.

Black Kite’s FocusTags™ transform complex cybersecurity data into actionable intelligence, enabling TPRM professionals to proactively address vulnerabilities and strengthen their defense against evolving cyber threats. By providing specific asset information, including IP addresses and subdomains, Black Kite enables precision in risk mitigation, a critical advantage in today’s threat landscape.


Want to take a closer look at FocusTags™?

Take our platform for a test drive and request a demo today.



About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.
  • MongoDB – Mar2025 : CVE-2025-0755, Heap-based Buffer Overflow Vulnerability in MongoDB’s C driver library (libbson).
  • DrayTek Vigor – Mar2025 : CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340, CVE-2024-51138, CVE-2024-51139; vulnerability classes across these CVEs: code injection and arbitrary code execution, observable discrepancy and plaintext storage of a password (sensitive information disclosure), NULL pointer dereference (denial of service), unrestricted upload of a file with dangerous type, stack-based and other buffer overflows, and cross-site request forgery (CSRF) in DrayTek Vigor routers.
  • VMware ESXi – Mar2025 : CVE-2025-22224, CVE-2025-22225, CVE-2025-22226; Heap Overflow (TOCTOU Race Condition), Arbitrary Write, and Information Disclosure vulnerabilities in VMware ESXi.
  • Apache Tomcat – Mar2025 : CVE-2025-24813, Remote Code Execution Vulnerability, Information Disclosure and Corruption Vulnerability in Apache Tomcat.
  • Axios HTTP Client : CVE-2025-27152, Server-Side Request Forgery (SSRF) and Credential Leakage vulnerability in the Axios HTTP client library.
  • PostgreSQL – Feb2025: CVE-2025-1094, SQLi Vulnerability, Improper Neutralization of Quoting Syntax in PostgreSQL.
  • Zimbra XSS: CVE-2023-34192, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite (ZCS).
  • PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
  • Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
  • Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
  • Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
  • FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21590

https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers

https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-Bulletin-Junos-OS-A-local-attacker-with-shell-access-can-execute-arbitrary-code-CVE-2025-21590?language=en_US

https://www.darkreading.com/cyberattacks-data-breaches/china-hackers-backdoor-carrier-grade-juniper-mx-routers

https://nvd.nist.gov/vuln/detail/CVE-2017-12637

https://github.com/advisories/GHSA-5p56-56jf-wfv2

https://userapps.support.sap.com/sap/support/knowledge/en/3476549

https://nvd.nist.gov/vuln/detail/CVE-2025-0755

https://jira.mongodb.org/browse/SERVER-94461

https://securityonline.info/cve-2025-0755-mongodb-c-driver-vulnerability-could-lead-to-buffer-overflow
