
























November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
Bottom line: The reduced volume shouldn't signal reduced vigilance. November's vulnerabilities demonstrate that threat actors favored quality over quantity in their exploitation campaigns.
All 10 vulnerabilities below were actively exploited in November 2025.
#
Vulnerability
Risk
Score
Affected Vendor/Product
Vulnerability Type/Component
Public PoC
1
99
Gladinet Triofox
CWE-284 (Improper Access Control)
No
2
99
Microsoft Windows 10 and 11; Microsoft Windows Server 2019, 2022, and 2025
CWE-362 (Race Condition), CWE-415 (Double Free)
3
99
Fortinet FortiWeb
CWE-23 (Relative Path Traversal)
4
99
Google Chrome
CWE-843 (Type Confusion)
No
5
99
Fortinet FortiWeb
CWE-78 (OS Command Injection)
6
99
Oracle Identity Manager
CWE-306 (Missing Authentication for Critical Function)
7
99
WatchGuard Fireware OS
CWE-787 (Out-of-bounds Write)
8
99
Samsung Mobile Devices
CWE-787 (Out-of-bounds Write)
9
99
CentOS Web Panel
CWE-78 (OS Command Injection)
10
99
OpenPLC ScadaBR
CWE-79 (Improper Neutralization of Input During Web Page Generation [Cross-site Scripting])
No
Table 1: List of vulnerabilities that were actively exploited in November based on Recorded Future data (Source: Recorded Future)
LANDFALL Android spyware campaign marked November's most sophisticated operation:
These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.
Risk Score: 99 (Very Critical) | CISA KEV: Added November 14, 2025
Why this matters: Unauthenticated attackers can bypass authentication entirely and create administrative accounts. With 4,768 exposed FortiWeb instances globally, this represents a critical internet-facing risk.
Affected versions: FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.11
Immediate actions:
/api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgiExposure: ~4,768 FortiWeb instances visible on Shodan (Netherlands, US, Germany, Italy, Peru)
Risk Score: 99 (Very Critical) | CISA KEV: Added November 10, 2025
Why this matters: Zero-click exploitation through image files enables complete device compromise without user interaction. The LANDFALL spyware campaign is actively targeting government and business users in the Middle East.
Affected versions: Samsung Galaxy devices running Android 13, 14, and 15
Immediate actions:
/data/data/com.samsung.ipservice/files/Targeted devices: Galaxy S22/S23/S24 series, Z Fold4, Z Flip4
Risk Score: 99 (Very Critical) | CISA KEV: Added November 12, 2025
Why this matters: Local privilege escalation to SYSTEM allows complete Windows compromise. Attackers are chaining this with initial access techniques for full network penetration.
Affected versions: Windows 10/11 (all versions), Windows Server 2019-2025
Immediate actions:
The dual-flaw design failure: CVE-2025-64446 combines path traversal with authentication bypass in FortiWeb's CGI handling. The vulnerability chain works as follows:
../ sequences in URIs allow escape to restricted directoriescgi_auth() function trusts user-supplied HTTP_CGIINFO headersWhy this matters: Attackers achieve full administrative access without credentials, enabling complete WAF bypass and potential downstream application compromise.
Insikt Group created a Nuclei template for non-intrusive detection, available to Recorded Future customers. The template checks for vulnerable path traversal without creating accounts or modifying system state.
Zero-click sophistication: The LANDFALL campaign represents a significant evolution in mobile threats:
Key technical details:
libimagecodec.quram.so libraryWhy this matters: This campaign demonstrates nation-state-level capabilities in commercial spyware, targeting high-value individuals without requiring any user interaction.
Timing-based privilege escalation: The vulnerability exploits improper synchronization in shared kernel resources:
Why this matters: Local attackers with limited access can achieve complete system control, making this a favorite post-exploitation tool for ransomware operators.
Recorded Future customers can access Nuclei templates in the platform for:
Note: All templates are designed for authorized testing only and make no system modifications.
Quality over quantity. Threat actors focused on high-impact vulnerabilities with clear paths to compromise, particularly authentication bypasses and privilege escalations.
Mobile threats evolve. The LANDFALL campaign demonstrates that mobile devices face nation-state-level threats previously reserved for traditional endpoints.
Public exploits accelerate risk. With 70% of vulnerabilities having public PoCs, the window between disclosure and mass exploitation continues to shrink.
Ready to see how Recorded Future can help your team detect active exploitation, prioritize patching, and reduce attack surface risk? Explore our demo center to see these capabilities in action, or dive deeper into Insikt Group research for more threat intelligence insights.
About Insikt Group®:
Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。