Monthly Cybersecurity Briefing (1 – 30 November 2025)
November 2025 saw continued exploitation of high-severity vulnerabilities, including those in FortiWeb and Cisco devices, prompting emergency patches and widespread global warnings. Fortinet disclosed a significant zero-day flaw in FortiWeb that threat actors were actively exploiting to create unauthorised admin accounts. Concurrently, a path-traversal vulnerability in FortiWeb allowed local admin account creation, with attackers using automated payloads to target devices globally. These were among several vulnerabilities observed throughout the month, as critical flaws in the Linux kernel, Splunk, and Redis also required urgent updates.
The rise of AI-driven cyberattacks continued to dominate discussions, with Anthropic reporting a Chinese state-sponsored campaign leveraging Claude Code for automating intrusion stages across dozens of organisations. Though this marked the first known case of AI-powered espionage, the lack of concrete technical evidence left some experts questioning the validity of the claims. At the same time, Google uncovered new AI-driven malware using Large Language Models (LLMs) to adapt and evade detection, highlighting the growing potential of AI in enhancing malicious operations by state-backed actors.
A surge in ransomware attacks was observed, with groups such as Akira and Kraken continuing to target virtualised environments; Kraken in particular expanded its reach across both Linux and Windows systems. The Akira group generated over $244 million in ransom payments, aided by the exploitation of flaws in SonicWall and Veeam products. Ransomware-as-a-service also saw new developments, as ShinySp1d3r emerged, signalling a shift away from third-party encryptors towards custom-built malware platforms. As a result, companies were urged to bolster their defences against increasingly sophisticated ransomware campaigns.
Supply chain vulnerabilities also presented a persistent risk, with new compromises reported across open-source repositories. Amazon Inspector discovered over 150,000 malicious npm packages linked to token-farming operations, flooding the registry with self-replicating packages that targeted blockchain-based systems. Simultaneously, Shai-Hulud, a supply chain attack targeting npm and Maven Central, propagated new threats through compromised package delivery systems. Researchers pointed to the ever-growing sophistication of such attacks, which now leverage advanced cloaking techniques to avoid detection.
November saw several notable breaches, including the exposure of 35,000 records from Dartmouth College linked to Oracle E-Business Suite and ongoing disruptions from OnSolve CodeRED, a US emergency notification system hit by INC Ransomware. The breach was part of an ongoing trend of cyberattacks aimed at critical infrastructure, which continues to escalate in severity. Similarly, Salesforce and Gainsight were victims of supply chain attacks, compromising customer data and leading to ongoing investigations into the perpetrators behind these breaches.
Source: CyberSecBrief