SecureIT logo
Main post image

SecureIT - Top Vulnerabilities - November 2025



Hot Topic

In November 2025 Cloudflare experienced a major outage that disrupted a large portion of the internet. A change in an internal system assigned incorrect permissions to a database, which caused a configuration file used by Cloudflare’s bot management to grow far beyond its expected size. Once this oversized file propagated across the network, routing software could no longer parse it, leading to widespread 5xx errors and several hours of service disruption.

The takeaway mirrors what we saw with October’s outages. Core infrastructure that organizations rely on can fail without warning. Operations halt, customers lose access, and teams burn time and budget on emergency response. Redundant DNS, multiple service providers for critical workloads, and tested failover paths reduce the business impact when events like this occur.

Every organization should identify where it relies on a single point of failure and strengthen its continuity plans. Clear procedures and validated failover options protect revenue and reputation when internet infrastructure breaks.

Microsoft Windows Server Update Services (WSUS)

CVE-2025-59287

What happened

Attackers can send a crafted update message to a WSUS server and run their own code with system level rights [remote code execution via unsafe deserialization]. In live intrusions they have used this access to deploy malware such as ShadowPad from the update server itself.

Impact

Control of WSUS lets an attacker turn enterprise patching into a malware delivery system. Malicious updates pushed from a trusted server can compromise every Windows endpoint that syncs to it, leading to ransomware, data theft, or silent backdoors across the fleet. Recovery can mean rebuilding WSUS, reissuing update signing certificates, and revalidating endpoint integrity at scale.

Who is at risk

Any organization that uses WSUS for central patching is exposed, especially where WSUS is reachable from untrusted network segments or the internet. Environments with upstream and downstream WSUS hierarchies risk cascading compromise from a single infected server.

What to do

Apply the current emergency updates for all supported Windows Server versions that run WSUS, then reboot. Where WSUS may have been exposed or attacked, review logs, update approvals, and group policies, and look for new scheduled tasks, services, or scripts before returning it to normal duty. If patching must wait, restrict network access to WSUS, block WSUS ports from untrusted segments, and prepare to move clients to a known good update source.

Sources:

  1. Microsoft documentation for cumulative updates referencing CVE-2025-59287
  2. BleepingComputer coverage of the WSUS remote code execution flaw and PoC exploit

Microsoft Windows Kernel

CVE-2025-62215

What happened

This bug lets an attacker who already has a basic account on a Windows system jump to full system level control [local privilege escalation]. It comes from a timing bug in the Windows kernel that corrupts memory when two operations compete for the same resource [race condition].

Impact

Once attackers hold system level rights they can disable security tools, clear logs, dump credentials, and deploy ransomware or remote access tools. Servers that host domain controllers, file shares, or critical applications become launch pads for lateral movement and data theft. Because the bug is used after initial access, it blends into normal system activity until the final payload is visible.

Who is at risk

Any supported Windows 10, Windows 11, or Windows Server system that has not yet received the November 2025 security updates is exposed. Systems where many users log in, such as shared servers, jump hosts, and admin workstations, are especially attractive targets.

What to do

Confirm the November 2025 security rollup that fixes CVE-2025-62215 is deployed on all servers and workstations, with special focus on domain controllers and admin laptops. Monitor for unusual use of built in tools such as PowerShell, task scheduler, and WMI on systems that were unpatched during the exploitation window. Reduce local admin rights and remove stale accounts so attackers have fewer starting points to trigger this bug.

Sources:

  1. Microsoft Security Update Guide entry for CVE-2025-62215
  2. Cyber Security News summary of the actively exploited Windows kernel vulnerability

Fortinet FortiWeb Web Application Firewall.

CVE-2025-58034, CVE-2025-64446

What happened

One flaw lets attackers abuse path handling to reach internal admin functions on FortiWeb without any login [path traversal with authentication bypass]. The other lets them run commands on the appliance operating system through crafted web or command line input [OS command injection]. Chained together, unauthenticated attackers can gain admin control of the device and then execute system commands on the underlying host [remote code execution].

Impact

Once FortiWeb is under attacker control, every protected application can be observed and manipulated. Attackers can redirect traffic, steal authentication cookies, weaken security rules, or drop a hidden control page for long term access [web shell]. A compromised FortiWeb instance also becomes a bridge into internal networks that trust its position at the edge.

Who is at risk

Organizations that expose FortiWeb interfaces to the internet or allow management from less trusted networks are at highest risk. CISA and multiple security vendors report broad scanning and active exploitation across thousands of FortiWeb devices worldwide.

What to do

Upgrade all FortiWeb appliances to current fixed releases that address both CVE-2025-58034 and CVE-2025-64446, and disable HTTP and HTTPS management from the internet. Before trusting any previously exposed device, review configuration and logs for unknown admin accounts, strange API calls, or command execution events, and rebuild the appliance if there is any doubt. Place management behind a dedicated admin network or VPN and monitor for new administrator accounts or rule changes outside normal change control.

Sources:

  1. Fortinet PSIRT advisory series for FortiWeb vulnerabilities including CVE-2025-58034 and CVE-2025-64446
  2. BleepingComputer and CSO reporting on FortiWeb zero day exploitation / https://www.csoonline.com/article/4091939/fortinets-silent-patch-sparks-alarm-as-a-critical-fortiweb-flaw-is-exploited-in-the-wild.html

Google Chrome browser

CVE-2025-13223

What happened

A memory flaw in Chrome’s V8 JavaScript engine lets a malicious web page corrupt browser memory and run attacker code in the browser process [remote code execution through type confusion]. Google confirms that exploits for CVE-2025-13223 are already in use and that this is the seventh Chrome zero day this year.

Impact

A user only has to visit a malicious or compromised site for the exploit to fire. Attackers can then steal session cookies, capture data entered into web applications, or use the browser foothold to drop additional malware on the endpoint. Browsers used for banking, administration portals, or corporate SaaS become direct paths into key business systems.

Who is at risk

Any desktop platform running Chrome versions before 142.0.7444.175 or equivalent builds in Chromium based browsers is exposed. Systems with auto update disabled, portable browser installs, or unmanaged user devices will lag behind in receiving the fix.

What to do

Push the latest Chrome release across Windows, macOS, and Linux fleets and confirm that managed browsers report a version at or above 142.0.7444.175. Ensure users close and reopen their browsers after updating so the patched code is running, and enforce this on shared machines or kiosks where possible. Use proxy and endpoint telemetry to watch for visits to known exploit hosting sites and for browser processes that unexpectedly spawn command shells or scripting tools.

Sources:

  1. Google Chrome Releases stable channel update advisory for CVE-2025-13223
  2. BleepingComputer report on the Chrome V8 zero day exploited in attacks

Oracle Identity Manager

CVE-2025-61757

What happened

A flaw in Oracle Identity Manager web services allows a remote attacker on the network to bypass login checks and run their own code on the server [pre authentication remote code execution]. By appending specific query strings and path elements, an attacker can slip past the authentication filter and reach a Groovy script checking endpoint, then supply code that runs during script compilation.

Impact

Compromise of Oracle Identity Manager gives attackers control over user accounts and access rights across connected applications. They can create or modify accounts, extend access to finance and HR systems, and abuse valid identities for fraud or data theft. Cleanup can require rotating credentials, reviewing entitlements for large user populations, and handling regulatory reporting for unauthorized access to personal and financial data.

Who is at risk

Organizations running Oracle Identity Manager versions 12.2.1.4.0 or 14.1.2.1.0 that have not yet applied the October 2025 Critical Patch Update are directly affected. Environments that expose OIM portals to the internet or rely on OIM for shared identity across many business units carry higher risk.

What to do

Apply Oracle’s October 2025 Critical Patch Update to all affected Oracle Identity Manager instances and ensure that old, vulnerable builds are removed from test and staging environments as well. Review OIM and application server logs for unusual access to Groovy related endpoints or requests with odd extra suffixes and query strings, and treat any confirmed abuse as full compromise of identity data. Restrict network access so only trusted admin consoles and application servers can reach OIM, and enable close monitoring of high privilege identity administration actions.

Sources:

  1. Oracle Critical Patch Update Advisory, October 2025
  2. runZero and CSO analyses of active exploitation of CVE-2025-61757 / https://www.csoonline.com/article/4095150/oracle-oim-zero%E2%80%91day-pre%E2%80%91auth-rce-forces-rapid-patching-across-enterprises.html

Samsung Galaxy devices

CVE-2025-21042

What happened

Attackers hid spyware inside crafted image files that abused a flaw in Samsung’s image processing library so code ran as soon as the device handled the picture [remote code execution in image parsing]. The vulnerability, active for months before an April 2025 firmware fix, was used to deliver LANDFALL Android spyware to selected Samsung Galaxy devices through messaging channels including WhatsApp.

Impact

Compromised phones were turned into listening and tracking devices that could record audio, collect photos and messages, and send contacts, call logs, and location data back to attacker servers. For executives, journalists, and government staff this exposes confidential discussions, travel patterns, and contact networks. Because the exploit chain could run with no taps or clicks in some cases [zero click delivery], activity blended into normal chat use and stayed hidden for long periods.

Who is at risk

The documented campaign focused on Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices, mainly in parts of the Middle East, but similar exploits can still succeed on phones that never received the April 2025 patch. Organizations that allow personal Galaxy devices for sensitive work without enforcing firmware patch levels face ongoing exposure.

What to do

Confirm that all supported Samsung phones used for business run firmware that includes the April 2025 security release or later, and block access to sensitive systems from devices that fall behind. Use mobile device management to enforce security patch levels and enable built in mobile threat protection where available. For high risk users, such as senior leaders and diplomatic staff, review mobile telemetry with specialist support and consider moving them to fresh, fully patched devices if there is any suspicion of spyware activity.

Sources:

  1. Samsung Mobile Security bulletin referencing CVE-2025-21042
  2. Unit 42 and The Hacker News analysis of LANDFALL exploitation of Samsung CVE-2025-21042 / https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html

7 Zip desktop archiver

CVE-2025-11001, CVE-2025-11002

What happened

Specially crafted ZIP archives can abuse how 7 Zip handles symbolic links during extraction so files are written outside the intended folder and attacker code is planted on the system [directory traversal leading to remote code execution]. Researchers and the Zero Day Initiative have published technical advisories, and there is now a public proof of concept tool for CVE-2025-11001.

Impact

A user only needs to open or extract a malicious archive for the attack to run with their account rights. On desktops where users have local admin rights, this can lead to full system compromise, installation of backdoors, and data theft. In server or automation environments that process archives automatically, attackers can hijack batch jobs, upload workflows, or integration services that rely on 7 Zip.

Who is at risk

Any Windows system that still runs 7 Zip versions earlier than 25.00 is affected, including unmanaged standalone installs outside normal patch processes. Public and healthcare sectors, especially in the United Kingdom, have received specific alerts due to widespread use of old 7 Zip builds on shared systems.

What to do

Discover all installations of 7 Zip across desktops and servers and upgrade them to at least version 25.00, with a preference for the current 25.01 release obtained from the official site. Where 7 Zip is rarely needed, remove it or restrict its use to controlled admin accounts. Monitor for unusual archive extraction activity, especially archives that write into startup folders, program directories, or other unexpected paths, and investigate any such events.

Sources:

  1. Zero Day Initiative advisory ZDI 25 949 for CVE-2025-11001
  2. NHS Digital and The Hacker News alerts concerning 7 Zip CVE-2025-11001 and public PoC / https://thehackernews.com/2025/11/hackers-actively-exploiting-7-zip.html

What to prioritize this week

  1. Patch all WSUS servers for CVE-2025-59287, then review update approvals, certificates, and scheduled tasks for signs of tampering before trusting them again.
  2. Confirm the November 2025 Windows security updates that fix CVE-2025-62215 are deployed on domain controllers, key servers, and admin workstations.
  3. Upgrade every FortiWeb appliance to the current fixed release, disable internet access to management interfaces, and check for unknown admin accounts or suspicious configuration changes.
  4. Force an update of Chrome and other Chromium based browsers across managed fleets so they run a version that fixes CVE-2025-13223, and verify via central reporting.
  5. Apply Oracle’s October 2025 Critical Patch Update to all Oracle Identity Manager instances, then audit identity administration logs for unusual account changes or Groovy endpoint access.
  6. Ensure Samsung Galaxy devices used for sensitive work have firmware including the April 2025 patch for CVE-2025-21042, and block outdated phones from reaching high value systems.
  7. Upgrade or remove legacy 7 Zip installs, standardize on 7 Zip 25.00 or later, and add detections for archives that extract files into startup or program directories.