November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October

November 2025 saw a 69% decrease in actively exploited critical vulnerabilities (10 vs 32 in October), but the severity remains extreme. Fortinet dominates with two FortiWeb flaws (CVE-2025-64446, CVE-2025-58034) enabling unauthenticated admin account creation on ~4,768 exposed instances. The LANDFALL campaign emerged as the most sophisticated threat, weaponizing Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks targeting Middle Eastern countries (Iraq, Iran, Turkey, Morocco) via weaponized WhatsApp DNG images. Seven of ten vulnerabilities have public exploit code. OS Command Injection and Out-of-bounds Write are the leading weakness types. Despite reduced volume, threat actors demonstrated quality-over-quantity exploitation. Immediate patching of Fortinet, Samsung, Microsoft, Oracle, and WatchGuard products is critical.

November 2025 CVE landscape: 10 exploited critical vulnerabilities, a 69% drop from October, and why Fortinet and Samsung flaws need urgent patching.

November 2025 saw a 69% decrease in actively exploited critical vulnerabilities (10 vs 32 in October), but the severity remains extreme. Fortinet dominates with two FortiWeb flaws (CVE-2025-64446, CVE-2025-58034) enabling unauthenticated admin account creation on ~4,768 exposed instances. The LANDFALL campaign emerged as the most sophisticated threat, weaponizing Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks targeting Middle Eastern countries (Iraq, Iran, Turkey, Morocco) via weaponized WhatsApp DNG images. Seven of ten vulnerabilities have public exploit code. OS Command Injection and Out-of-bounds Write are the leading weakness types. Despite reduced volume, threat actors demonstrated quality-over-quantity exploitation. Immediate patching of Fortinet, Samsung, Microsoft, Oracle, and WatchGuard products is critical. November 2025 CVE landscape: 10 exploited critical vulnerabilities, a 69% drop from October, and why Fortinet and Samsung flaws need urgent patching. November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October . What security teams need to know: Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available OS Command Injection and Out-of-bounds Write were tied as the most common weakness types Bottom line: The reduced volume shouldn't signal reduced vigilance. November's vulnerabilities demonstrate that threat actors favored quality over quantity in their exploitation campaigns. Quick Reference: November 2025 Vulnerability Table All 10 vulnerabilities below were actively exploited in November 2025. # Vulnerability Risk Score Affected Vendor/Product Vulnerability Type/Component Public PoC 1 CVE-2025-12480 99 Gladinet Triofox CWE-284 (Improper Access Control) No 2 CVE-2025-62215 99 Microsoft Windows 10 and 11; Microsoft Windows Server 2019, 2022, and 2025 CWE-362 (Race Condition), CWE-415 (Double Free) Yes 3 CVE-2025-64446 99 Fortinet FortiWeb CWE-23 (Relative Path Traversal) Yes 4 CVE-2025-13223 99 Google Chrome CWE-843 (Type Confusion) No 5 CVE-2025-58034 99 Fortinet FortiWeb CWE-78 (OS Command Injection) Yes 6 CVE-2025-61757 99 Oracle Identity Manager CWE-306 (Missing Authentication for Critical Function) Yes 7 CVE-2025-9242 99 WatchGuard Fireware OS CWE-787 (Out-of-bounds Write) Yes 8 CVE-2025-21042 99 Samsung Mobile Devices CWE-787 (Out-of-bounds Write) Yes 9 CVE-2025-48703 99 CentOS Web Panel CWE-78 (OS Command Injection) Yes 10 CVE-2021-26829 99 OpenPLC ScadaBR CWE-79 (Improper Neutralization of Input During Web Page Generation [Cross-site Scripting]) No Table 1: List of vulnerabilities that were actively exploited in November based on Recorded Future data (Source: Recorded Future) Key Trends: November 2025 Vendors Most Affected Fortinet dominated with two critical FortiWeb vulnerabilities, both enabling remote exploitation Microsoft faced a kernel-level race condition affecting all modern Windows versions Samsung saw the weaponization of an image processing vulnerability for sophisticated mobile attacks Additional affected vendors: Gladinet, Google, Oracle, WatchGuard, CentOS, and Autonomy (OpenPLC) Most Common Weakness Types CWE-78 – OS Command Injection (tied for first) CWE-787 – Out-of-bounds Write (tied for first) CWE-284 – Improper Access Control CWE-362 – Race Condition CWE-306 – Missing Authentication for Critical Function Threat Actor Activity LANDFALL Android spyware campaign marked November's most sophisticated operation: Exploited CVE-2025-21042 for zero-click remote code execution on Samsung devices Targeted Middle Eastern countries (Iraq, Iran, Turkey, Morocco) with commercial-grade spyware Deployed via weaponized DNG image files through WhatsApp Achieved persistent device compromise without user interaction Demonstrated advanced anti-analysis and SELinux bypass capabilities Priority Alert: Active Exploitation These vulnerabilities demand immediate attention due to confirmed exploitation in the wild. CVE-2025-64446 | Fortinet FortiWeb Risk Score: 99 (Very Critical) | CISA KEV: Added November 14, 2025 Why this matters: Unauthenticated attackers can bypass authentication entirely and create administrative accounts. With 4,768 exposed FortiWeb instances globally, this represents a critical internet-facing risk. Affected versions: FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.11 Immediate actions: Apply Fortinet's security updates (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12) Monitor for POST requests to /api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi Check for unauthorized admin...