惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

aimingoo的专栏
aimingoo的专栏
人人都是产品经理
人人都是产品经理
M
MIT News - Artificial intelligence
C
Cybersecurity and Infrastructure Security Agency CISA
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
爱范儿
爱范儿
Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
The Blog of Author Tim Ferriss
The Cloudflare Blog
WordPress大学
WordPress大学
小众软件
小众软件
H
Help Net Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
V2EX - 技术
V2EX - 技术
H
Hacker News: Front Page
Last Week in AI
Last Week in AI
D
DataBreaches.Net
V
V2EX
S
Securelist
C
CXSECURITY Database RSS Feed - CXSecurity.com
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tenable Blog
Cloudbric
Cloudbric
月光博客
月光博客
Y
Y Combinator Blog
博客园 - 三生石上(FineUI控件)
N
News and Events Feed by Topic
K
Kaspersky official blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
S
Secure Thoughts
S
Security Affairs
W
WeLiveSecurity
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
AI
AI
有赞技术团队
有赞技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
罗磊的独立博客
Google DeepMind News
Google DeepMind News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
N
Netflix TechBlog - Medium
PCI Perspectives
PCI Perspectives
SecWiki News
SecWiki News
IT之家
IT之家
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
2025-12-09 · via Recorded Future

November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.

What security teams need to know:

  • Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
  • LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
  • Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
  • OS Command Injection and Out-of-bounds Write were tied as the most common weakness types

Bottom line: The reduced volume shouldn't signal reduced vigilance. November's vulnerabilities demonstrate that threat actors favored quality over quantity in their exploitation campaigns.

Quick Reference: November 2025 Vulnerability Table

All 10 vulnerabilities below were actively exploited in November 2025.

#

Vulnerability

Risk
Score

Affected Vendor/Product

Vulnerability Type/Component

Public PoC

1

99

Gladinet Triofox

CWE-284 (Improper Access Control)

No

2

99

Microsoft Windows 10 and 11; Microsoft Windows Server 2019, 2022, and 2025

CWE-362 (Race Condition), CWE-415 (Double Free)

3

99

Fortinet FortiWeb

CWE-23 (Relative Path Traversal)

4

99

Google Chrome

CWE-843 (Type Confusion)

No

5

99

Fortinet FortiWeb

CWE-78 (OS Command Injection)

6

99

Oracle Identity Manager

CWE-306 (Missing Authentication for Critical Function)

7

99

WatchGuard Fireware OS

CWE-787 (Out-of-bounds Write)

8

99

Samsung Mobile Devices

CWE-787 (Out-of-bounds Write)

9

99

CentOS Web Panel

CWE-78 (OS Command Injection)

10

99

OpenPLC ScadaBR

CWE-79 (Improper Neutralization of Input During Web Page Generation [Cross-site Scripting])

No

Table 1: List of vulnerabilities that were actively exploited in November based on Recorded Future data (Source: Recorded Future)

Vendors Most Affected

  • Fortinet dominated with two critical FortiWeb vulnerabilities, both enabling remote exploitation
  • Microsoft faced a kernel-level race condition affecting all modern Windows versions
  • Samsung saw the weaponization of an image processing vulnerability for sophisticated mobile attacks
  • Additional affected vendors: Gladinet, Google, Oracle, WatchGuard, CentOS, and Autonomy (OpenPLC)

Most Common Weakness Types

  • CWE-78 – OS Command Injection (tied for first)
  • CWE-787 – Out-of-bounds Write (tied for first)
  • CWE-284 – Improper Access Control
  • CWE-362 – Race Condition
  • CWE-306 – Missing Authentication for Critical Function

Threat Actor Activity

LANDFALL Android spyware campaign marked November's most sophisticated operation:

  • Exploited CVE-2025-21042 for zero-click remote code execution on Samsung devices
  • Targeted Middle Eastern countries (Iraq, Iran, Turkey, Morocco) with commercial-grade spyware
  • Deployed via weaponized DNG image files through WhatsApp
  • Achieved persistent device compromise without user interaction
  • Demonstrated advanced anti-analysis and SELinux bypass capabilities

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.

CVE-2025-64446 | Fortinet FortiWeb

Risk Score: 99 (Very Critical) | CISA KEV: Added November 14, 2025

Why this matters: Unauthenticated attackers can bypass authentication entirely and create administrative accounts. With 4,768 exposed FortiWeb instances globally, this represents a critical internet-facing risk.

Affected versions: FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.11

Immediate actions:

  • Apply Fortinet's security updates (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12)
  • Monitor for POST requests to /api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi
  • Check for unauthorized admin accounts created since October 2025
  • Review logs for Base64-encoded CGIINFO headers
  • Disable HTTP/HTTPS on internet-facing interfaces if patching is delayed

Exposure: ~4,768 FortiWeb instances visible on Shodan (Netherlands, US, Germany, Italy, Peru)

CVE-2025-21042 | Samsung Android Devices

Risk Score: 99 (Very Critical) | CISA KEV: Added November 10, 2025

Why this matters: Zero-click exploitation through image files enables complete device compromise without user interaction. The LANDFALL spyware campaign is actively targeting government and business users in the Middle East.

Affected versions: Samsung Galaxy devices running Android 13, 14, and 15

Immediate actions:

  • Install Samsung's April 2025 Security Maintenance Release
  • Monitor WhatsApp Media directories for suspicious DNG files
  • Check for unexpected processes in /data/data/com.samsung.ipservice/files/
  • Review device logs for b.so or l.so module execution
  • Educate users about image file risks in messaging apps

Targeted devices: Galaxy S22/S23/S24 series, Z Fold4, Z Flip4

CVE-2025-62215 | Windows Kernel

Risk Score: 99 (Very Critical) | CISA KEV: Added November 12, 2025

Why this matters: Local privilege escalation to SYSTEM allows complete Windows compromise. Attackers are chaining this with initial access techniques for full network penetration.

Affected versions: Windows 10/11 (all versions), Windows Server 2019-2025

Immediate actions:

  • Install Microsoft's November 2025 Patch Tuesday updates
  • Monitor for unusual memory allocation patterns in kernel space
  • Review logs for privilege escalation attempts
  • Implement application whitelisting to prevent exploitation tools
  • Deploy LAPS and enforce MFA as compensating controls

Technical Deep Dive: Exploitation Analysis

Fortinet FortiWeb Authentication Bypass (CVE-2025-64446)

The dual-flaw design failure: CVE-2025-64446 combines path traversal with authentication bypass in FortiWeb's CGI handling. The vulnerability chain works as follows:

  • Path traversal via API endpoints – Unsanitized ../ sequences in URIs allow escape to restricted directories
  • Authentication context injection – The cgi_auth() function trusts user-supplied HTTP_CGIINFO headers
  • Administrative impersonation – Base64-encoded JSON in headers creates valid admin sessions

Why this matters: Attackers achieve full administrative access without credentials, enabling complete WAF bypass and potential downstream application compromise.

Insikt Group created a Nuclei template for non-intrusive detection, available to Recorded Future customers. The template checks for vulnerable path traversal without creating accounts or modifying system state.

LANDFALL Android Spyware Campaign (CVE-2025-21042)

Zero-click sophistication: The LANDFALL campaign represents a significant evolution in mobile threats:

  • Weaponized DNG files contain embedded ZIP archives with ELF binaries
  • Two-stage infection deploys b.so (loader/backdoor) and l.so (privilege escalation)
  • SELinux bypass enables persistent system-level access
  • Anti-forensics includes cleanup routines and analysis environment detection

Key technical details:

  • Exploits Samsung's libimagecodec.quram.so library
  • Targets specific device models with hardcoded identifiers
  • Implements encrypted C2 communication with certificate pinning
  • Collects IMEI, IMSI, contacts, and location data

Why this matters: This campaign demonstrates nation-state-level capabilities in commercial spyware, targeting high-value individuals without requiring any user interaction.

Windows Kernel Race Condition (CVE-2025-62215)

Timing-based privilege escalation: The vulnerability exploits improper synchronization in shared kernel resources:

  • Concurrent threads access shared data without proper locking
  • Race condition enables memory corruption and object reuse
  • Successful exploitation grants SYSTEM-level privileges

Why this matters: Local attackers with limited access can achieve complete system control, making this a favorite post-exploitation tool for ransomware operators.

Nuclei Templates from Insikt Group®

Recorded Future customers can access Nuclei templates in the platform for:

  • CVE-2025-64446 (Fortinet FortiWeb) - Non-intrusive path traversal detection

Note: All templates are designed for authorized testing only and make no system modifications.

Recorded Future Product Integrations

November 2025 Summary

Quality over quantity. Threat actors focused on high-impact vulnerabilities with clear paths to compromise, particularly authentication bypasses and privilege escalations.

Mobile threats evolve. The LANDFALL campaign demonstrates that mobile devices face nation-state-level threats previously reserved for traditional endpoints.

Public exploits accelerate risk. With 70% of vulnerabilities having public PoCs, the window between disclosure and mass exploitation continues to shrink.

Take Action

Ready to see how Recorded Future can help your team detect active exploitation, prioritize patching, and reduce attack surface risk? Explore our demo center to see these capabilities in action, or dive deeper into Insikt Group research for more threat intelligence insights.

About Insikt Group®:

Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence.