Vulnerability Review – November 2025
This blog is a recap of the most critical vulnerabilities disclosed between 01 November and 30 November 2025 that are most likely to impact software utilized by managed service providers (MSPs).
While not all MSPs use the software discussed here, the software has been labeled as priority software by Blackpoint’s Adversary Pursuit Group (APG) due to the overall number of MSPs (and other organizations) that use it.
Key Findings
- There were more than 3,037 vulnerabilities disclosed between 01 November and 30 November 2025, with more than 1,300 vulnerabilities being scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.
- Several vulnerabilities have been actively exploited and 11 have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating reliable reports of active exploitation.
- Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.
Vulnerabilities
Network Edge Devices
Network edge devices – firewalls, routers, VPN gateways, etc. – are the critical gatekeepers between internal networks and the internet. These devices manage and filter traffic, enforce security policies, and often provide remote access capabilities, making them high-value targets for threat actors. Edge devices often operate with elevated privileges and are typically exposed to the internet; they’re frequently targeted via vulnerabilities, exposed devices, or misconfigurations.
Fortinet FortiWeb
Fortinet disclosed a command injection vulnerability impacting multiple versions of the FortiWeb Web Application Firewall (WAF), CVE-2025-58034.
- CVE-2025-58034 is an OS command-injection issue that stems from improper handling of user-supplied input. An attacker who has valid authentication on the appliance can submit specially crafted HTTP requests or CLI commands that exploit the injection flaw to execute arbitrary OS commands on the underlying system.
This vulnerability was added to the U.S. CISA KEV Catalog on November 18, 2025.
Fortinet disclosed a second vulnerability impacting FortiWeb Web Application Firewall (WAF), CVE-2025-64446.
- CVE-2025-64446 is a relative path traversal vulnerability [CWE-23] in FortiWeb that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
This vulnerability was added to the U.S. CISA KEV Catalog on November 14, 2025.
Enterprise Software
Enterprise software solutions are essential to business operations and are frequently targeted by threat actors due to the level of access they grant and the ability to deploy malware, gain persistence on a network, and move laterally through a compromised environment.
Microsoft Windows Kernel
In November’s Patch Tuesday (November 11, 2025), Microsoft released updates for 63 vulnerabilities, including one zero-day vulnerability, CVE-2025-62215.
- CVE-2025-62215: A Windows Kernel Elevation of Privilege vulnerability that was exploited to gain SYSTEM privileges on Windows devices. Microsoft elaborated that “concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally.”
Details surrounding the exploitation of this vulnerability remain unknown; however, the vulnerability was added to the U.S. CISA KEV Catalog on November 12, 2025.
Browsers
Browsers, such as Google Chrome, Microsoft Edge, and Mozilla Firefox/ESR, are often attractive targets for threat actors because they run with user-level privileges, sit at the intersection of user interaction and the internet, and expose a large attack surface. Targeting browsers can allow threat actors to access and steal browser-stored credentials, execute code on the system, and escape browser-based protections and sandboxing to access the operating system.
Google Chrome
Google released an emergency patch for a zero-day vulnerability, CVE-2025-13223.
- CVE-2025-13223 is a type confusion vulnerability in the V8 JavaScript engine and impacts Chrome across Windows, macOS, and Linux.
This could be exploited to grant the attacker the ability to run arbitrary code within the browser context, which can lead to credential harvesting, installation of second-stage malware, session hijacking, or full endpoint compromise.
This vulnerability was added to the U.S. CISA KEV Catalog on November 19, 2025.
Collaboration & Communication
Collaboration and communication tools are essential for organizations to manage internal operations, coordinate with clients, and streamline service delivery. These types of tools often store sensitive conversations, documentation, credentials, and product data. A successful attack targeting collaboration and communication tools could allow a threat actor to intercept communications, harvest sensitive data, hijack projects, or impersonate staff to conduct phishing attacks.
Cisco Unified Contact Center Express (CCX)
Cisco released updates for two critical vulnerabilities impacting Cisco Unified Contact Center Express (CCX), CVE-2025-20354 and CVE-2025-20358.
- CVE-2025-20354: A Remote Code Execution vulnerability that is caused by improper authentication and can be exploited by sending specially crafted files via the RMI service.
- CVE-2025-20358: An Authentication Bypass vulnerability that could give threat actors admin permissions in the editor and allow execution of arbitrary scripts on the underlying CCX server as a non-root user.
Blackpoint’s APG Analysis
Blackpoint’s Security Operations Center (SOC) consistently monitors and responds to lateral movement and remote execution within our customers’ environments. Additionally, Blackpoint has detections in place to identify the behaviors associated with the vulnerabilities detailed within this blog.
These vulnerabilities are attractive targets for threat actors of all types due to the level of access granted, the ubiquity of the impacted software/devices, and the impact successful exploitation can have. Financially motivated actors, nation-state actors, and initial access brokers are likely to target these vulnerabilities to gain initial access, persistence, and defense evasion with the intent of deploying malware, stealing sensitive information, or selling access to additional threat groups.
Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. It is likely that these vulnerabilities will be targeted by multiple types of threat actors over that period, including both nation-state and financially motivated threat actors.