Critical Vulnerabilities and Security Updates in November–December 2025
Security researchers identified a significant drop in the number of critical vulnerabilities in November 2025, with only 10 high-impact CVEs requiring immediate attention, compared to 32 in October. Notable threats included two actively exploited FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034), a Samsung image processing flaw (CVE-2025-21042) weaponized for zero-click Android attacks, and several vulnerabilities with public proof-of-concept code available. The vulnerabilities spanned products from Microsoft, Google, Oracle, WatchGuard, and others, with exploitation campaigns favoring quality over quantity.
In December 2025, Adobe and Microsoft released their final security updates of the year, addressing a large number of vulnerabilities across products such as Adobe Reader, ColdFusion, Experience Manager, and Creative Cloud Desktop. While Adobe patched 139 CVEs, most were cross-site scripting issues, and none were known to be under active attack at the time of release. Microsoft’s updates were also part of the regular Patch Tuesday cycle, emphasizing the ongoing need for organizations to remain vigilant and promptly apply security patches to mitigate risk from both newly disclosed and actively exploited vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses active exploitation of CVE-2025-62221
As part of the December 9, 2025 security update, Microsoft identified CVE-2025-62221 in the Windows Cloud Files Mini Filter Driver as under active attack. The vulnerability affects all supported Windows versions.
Microsoft releases December 2025 Patch Tuesday updates
On December 9, 2025, Microsoft released patches for 56 new CVEs, or 70 including Chromium-related issues, affecting Windows, Office, Edge, Exchange, Azure, Copilot, and PowerShell. Three were rated Critical in the release.
Adobe releases December 2025 security updates for 139 CVEs
On December 9, 2025, Adobe published security updates covering 139 unique CVEs across Reader, ColdFusion, Experience Manager, Creative Cloud Desktop, and the DNG SDK. The release included several critical code-execution issues, though none were reported as under active attack.
Microsoft Windows kernel privilege-escalation flaw is actively exploited
In November 2025, Microsoft faced active exploitation of CVE-2025-62215, a kernel-level race condition that allowed privilege escalation. The flaw was listed among the month's critical vulnerabilities under real-world attack.
Fortinet FortiWeb vulnerabilities come under active exploitation
In November 2025, two critical Fortinet FortiWeb flaws, CVE-2025-64446 and CVE-2025-58034, were reported as actively exploited. They were among a small set of high-impact November vulnerabilities that were all observed under exploitation.
LANDFALL spyware weaponizes Samsung DNG flaw for zero-click Android attacks
In November 2025, the LANDFALL spyware campaign exploited Samsung image processing vulnerability CVE-2025-21042 to deliver zero-click Android attacks via WhatsApp-delivered DNG files. The activity targeted high-value individuals in Middle Eastern countries and demonstrated advanced capabilities including SELinux bypass and anti-forensics.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Vulnerabilities and Exploitation Trends in 2025
Security researchers highlighted several high-impact vulnerabilities that shaped the threat landscape in 2025, including unauthenticated remote code execution flaws in widely used platforms such as React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), PAN-OS (CVE-2025-0108), Cisco IOS XE (CVE-2025-20188), and Erlang/OTP SSH (CVE-2025-32433). These vulnerabilities were notable for their rapid exploitation following public disclosure, with attackers leveraging unauthenticated access and broad software reach to maximize impact. The year saw a shift in attacker focus, with perimeter devices and enterprise software becoming primary entry points, and defenders were forced to respond quickly as the window between disclosure and exploitation narrowed. In December 2025, Microsoft released one of its lightest Patch Tuesday updates, addressing 56 new CVEs. Despite the lower volume, security experts emphasized the importance of prioritizing vulnerabilities that were already exploited, publicly disclosed, or rated as critical with a high likelihood of exploitation. The analysis provided actionable intelligence for defenders, including technology-specific threat insights and resources for mitigating risk. The convergence of these trends underscored the need for rapid vulnerability management and highlighted recurring blind spots in enterprise defense strategies.
Mar 21, 2026
October 2025 Patch Tuesday Security Updates from Microsoft, Adobe, SAP, and Ivanti
Microsoft, Adobe, SAP, and Ivanti released a coordinated set of security updates addressing over 200 vulnerabilities as part of the October 2025 Patch Tuesday. Microsoft led the effort by patching more than 175 vulnerabilities, including three that are actively being exploited in the wild. Among the most severe issues is a critical remote code execution vulnerability in Windows Server Update Services, identified as CVE-2025-59287, which could allow unauthenticated attackers to execute arbitrary code via unsafe object deserialization. Two other exploited vulnerabilities, CVE-2025-24990 and CVE-2025-59230, are elevation-of-privilege flaws affecting Windows components. Additionally, Microsoft addressed a Secure Boot bypass vulnerability in Linux-based IGEL OS (CVE-2025-47827) and disclosed several publicly known issues, such as CVE-2025-0033 in AMD EPYC processors, which remains unpatched, as well as flaws in TPM 2.0 reference code and the Agere Modem driver. Seventeen of Microsoft’s patched vulnerabilities were rated as critical, underscoring the urgency for organizations to apply updates. Adobe released 12 security bulletins covering 36 unique CVEs across a range of products, including Connect, Commerce, Creative Cloud Desktop, Bridge, Animate, Experience Manager Screens, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. The most critical Adobe updates addressed five code execution vulnerabilities in Substance 3D Stager and four in Dimension. Illustrator’s patch fixed two code execution bugs, while Commerce’s update resolved five CVEs, including two security feature bypasses. FrameMaker’s update addressed two critical code execution vulnerabilities. Other Adobe products, such as Animate and Substance 3D Viewer, also received patches for critical issues. Notably, none of the Adobe vulnerabilities were publicly known or under active attack at the time of release. SAP contributed by issuing 17 security notes, with four addressing critical command execution vulnerabilities in NetWeaver. Ivanti released patches for Endpoint Manager Mobile and Neurons for MDM, though none of these vulnerabilities had been exploited prior to the update. Security teams are strongly advised to prioritize the deployment of these patches to mitigate the risk of exploitation, especially for those vulnerabilities already being targeted by threat actors. The breadth of affected products highlights the ongoing need for comprehensive patch management across diverse enterprise environments. The updates reflect a continued trend of attackers focusing on privilege escalation and remote code execution flaws, which can have significant impact if left unaddressed. Organizations should also be aware of the unpatched AMD EPYC processor vulnerability and monitor for future updates. The coordinated release of these patches demonstrates the industry’s commitment to addressing security risks in a timely manner. Regular review of vendor advisories and prompt application of updates remain critical components of an effective cybersecurity strategy. The October 2025 Patch Tuesday serves as a reminder of the evolving threat landscape and the importance of maintaining up-to-date defenses. Security professionals should review the detailed advisories for each product to ensure all relevant patches are applied. The inclusion of both actively exploited and critical vulnerabilities in this cycle underscores the need for vigilance and rapid response. By addressing these vulnerabilities, organizations can significantly reduce their exposure to cyber threats.
Mar 21, 2026
Microsoft November 2025 Patch Tuesday Security Updates
Microsoft released security updates addressing 63 vulnerabilities as part of its November 2025 Patch Tuesday, including five rated as critical and one zero-day vulnerability actively exploited in the wild. The zero-day, tracked as CVE-2025-62215, is a Windows Kernel elevation of privilege flaw that allows a local, authenticated attacker to gain higher privileges due to a race condition. Other critical vulnerabilities include remote code execution issues in GDI+, Microsoft Office, and Visual Studio, as well as an elevation of privilege vulnerability in the DirectX Graphics Kernel. The GDI+ vulnerability (CVE-2025-60724) is particularly notable for its high CVSS score and the potential for exploitation via specially crafted metafiles, which could be triggered through documents or web services without user interaction. Security researchers note that while the number of vulnerabilities is significant, the overall risk profile is considered moderate, with no "Patch Now" emergencies aside from the actively exploited zero-day. The update also marks the first extended security update (ESU) for Windows 10, with Microsoft urging organizations still using the unsupported OS to upgrade or enroll in the ESU program. The vulnerabilities span a wide range of Microsoft products and services, including Azure, Dynamics 365, Visual Studio, and various Windows components, emphasizing the need for comprehensive patch management across enterprise environments.
Mar 21, 2026