Critical Threat Intelligence & Advisory Summaries

Monthly Vulnerability Roundup - November 2025

A summary of notable vulnerabilities and related headlines for November 2025.

Notable Headlines

1. Widespread Zero-Day Exploitation Across Enterprise Infrastructure

Attackers are actively exploiting zero-day vulnerabilities in Oracle Identity Manager, Google Chrome, Fortinet FortiWeb, WatchGuard Firebox, Cisco ASA/FTD/ISE, and Citrix NetScaler. These flaws enable full system compromise, unauthenticated remote code execution, or privilege escalation, prompting multiple CISA Known Exploited Vulnerability (KEV) catalog additions.

2. Critical Consumer & Endpoint Software Under Attack

Actively exploited vulnerabilities in 7-Zip, Windows Kernel, Windows Graphics, and XWiki are being leveraged for malware deployment, privilege escalation, and botnet expansion. The 7-Zip RCE and Windows Kernel zero-day in particular have been widely weaponized.

3. Mobile Zero-Click Exploits Targeting Samsung Devices

A serious zero-click flaw in Samsung Galaxy devices (CVE-2025-21042) is being used to deliver LANDFALL spyware via malicious images and WhatsApp messages, representing a growing trend of mobile espionage attacks.

4. Rapid Growth of Botnet Operations

New botnet campaigns, including Mirai ShadowV2 and Operation WrtHug, are exploiting IoT and router vulnerabilities to hijack tens of thousands of devices, amplifying global DDoS and malware distribution capacity.

5. Infrastructure Attacks Escalating via WSUS, NTLM, and Control Web Panel

Threat actors are exploiting flaws in WSUS, NTLM authentication, and Control Web Panel to steal sensitive data, deploy malware such as ShadowPad, and gain privileged system access.

6. Increased Activity Around Industrial & Enterprise Software

Vulnerabilities in OpenPLC ScadaBR, SAP, NVIDIA Isaac-GROOT, QNAP, GitHub, Zoom, Microsoft Teams, and AI/ML tools (including Keras) were also highlighted, indicating expanding attacker focus on both developer platforms and operational technologies.

Priority CVEs from CISA Known to be Actively Exploited

CVEs identified by CISA as actively exploited by threat actors during November 2025. These include:

1. OpenPLC Cross-Site Scripting Vulnerability (CVE-2021-26829)

2. Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability (CVE-2025-61757)

3. Google Chromium V8 Type Confusion Vulnerability (CVE-2025-13223)

4. Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034)

5. Fortinet FortiWeb Relative Path Traversal Vulnerability (CVE-2025-64446)

6. Gladinet Triofox Improper Access Control Vulnerability (CVE-2025-12480)

7. Microsoft Windows Kernel Race Condition Privilege Escalation Vulnerability (CVE-2025-62215)

8. WatchGuard Firebox Out-of-Bounds Write Remote Code Execution Vulnerability (CVE-2025-9242)

9. Samsung Mobile Devices Out-of-Bounds Write Vulnerability in libimagecodec.quram.so (CVE-2025-21042)

10. CWP Control Web Panel OS Command Injection Vulnerability (CVE-2025-48703)

11. Gladinet CentreStack & Triofox Files Accessible to External Parties Vulnerability (CVE-2025-11371)

Priority CVEs Known to be Used in Ransomware Campaigns

None of the CVEs listed are marked as *known* to be associated with ransomware campaigns.

Author: Hackerstorm.com
