10 Exploited CVEs in Nov 2025: Fewer, Riskier Attacks

November 2025 recorded 10 actively exploited critical vulnerabilities, down from 32 in October—a 69% drop. That sounds like good news until you look at what actually happened: attackers didn’t slow down, they concentrated.

Most security teams get distracted by volume. The reality is that a smaller list of CVEs can be more dangerous when it’s packed with high-impact flaws (auth bypass, command injection, kernel privilege escalation) and—crucially—when public proof-of-concept (PoC) code is floating around. In November, 7 of the 10 had public PoCs.

This post is part of our AI in Cybersecurity series, and I’m going to take a stance: if your vulnerability program still treats “critical CVSS” as the main sorting rule, you’re patching in the wrong order. AI-driven vulnerability prioritization (paired with attack surface visibility and real-time exploitation signals) is how teams keep up when adversaries choose quality over quantity.

Why a 69% drop in critical CVEs can raise your risk

A lower count of exploited CVEs doesn’t mean a lower chance of breach. It often means the opposite: defenders relax while attackers focus on repeatable, high-payoff paths.

Here’s what made November’s landscape riskier than the raw number suggests:

• Active exploitation across all 10 CVEs. These weren’t “theoretical” issues; they were being used.
• Public PoCs for 70% of the list. Once a PoC is public, exploitation spreads fast—from skilled operators to copy-paste attackers.
• Concentration in internet-facing and high-control systems. WAFs, identity platforms, firewall OS, Windows kernel, mobile devices—these are choke points.

A useful way to explain this to leadership: CVE count is a lagging metric. Exploitation is the leading metric. Your program should optimize for what’s actually being weaponized.

The pattern: attackers are shopping for “time-to-impact”

If I had to summarize November in one line:

Attackers picked vulnerabilities that minimize time-to-impact: auth bypass for immediate admin access, command injection for direct execution, and kernel bugs for fast privilege escalation.

That selection pressure is exactly why AI belongs in the loop. Humans are great at judgment. Humans are not great at continuously correlating patch data, exposure, exploitation telemetry, and asset criticality across thousands of systems.

The 10 exploited CVEs that defined November 2025

November’s exploited set spans endpoints, perimeter appliances, identity systems, and mobile. Here’s the practical way to bucket them for action.

Internet-facing appliances: fast compromise, fast blast radius

When attackers get unauthenticated access to an edge device, they’re not “in the network” yet—but they’re often one step away.

• Fortinet FortiWeb (CVE-2025-64446) — Path traversal + authentication bypass pattern enabling admin account creation. Confirmed exploitation and widely exposed instances.
• Fortinet FortiWeb (CVE-2025-58034) — OS command injection. Straightforward remote impact is why command injection keeps showing up in breach reports.
• WatchGuard Fireware OS (CVE-2025-9242) — Out-of-bounds write class issues can be brutal because they often lead to memory corruption and potential code execution.
• CentOS Web Panel (CVE-2025-48703) — Another OS command injection scenario; web panels are popular targets because they sit in privileged operational paths.

My opinion: edge and admin panels should be treated like production crown jewels, even when they “only” protect other things. If your WAF or firewall OS falls over, everything behind it becomes negotiable.

Identity and access systems: one bug, many accounts

Identity systems amplify risk. A flaw here doesn’t just compromise a box—it can compromise who can do what.

• Oracle Identity Manager (CVE-2025-61757) — Missing authentication for a critical function. This category is a gift to attackers: skip the login, get the capability.
• Gladinet Triofox (CVE-2025-12480) — Improper access control. Access-control failures often become data access events, then ransomware events.

If you’re prioritizing with AI, identity systems should receive an automatic weighting bump because the blast radius is systemic.

Endpoint and browser: the classic chain (initial access → SYSTEM)

• Windows (CVE-2025-62215) — Kernel race condition/double free class leading to local privilege escalation to SYSTEM. This is the kind of vulnerability ransomware crews love because it turns a foothold into full control.
• Google Chrome (CVE-2025-13223) — Type confusion. Browser exploits remain a reliable entry path because browsers are everywhere, constantly exposed to untrusted content.

The security operations reality: you rarely see a kernel exploit as the first move. You see it after something else succeeded (phish, stolen token, exposed service). That’s why patching LPE bugs is still urgent—attackers plan to chain them.

Mobile: LANDFALL shows how “zero-click” changes the rules

• Samsung Android devices (CVE-2025-21042) — Out-of-bounds write weaponized for zero-click remote code execution via image processing, used in the LANDFALL spyware campaign.

This is the part too many enterprises still underestimate. Phones aren’t “just endpoints.” They’re where MFA prompts arrive, where executives chat, where travel happens, where sensitive contacts live.

• OpenPLC ScadaBR (CVE-2021-26829) — XSS may sound less dramatic, but in industrial-adjacent environments, web app weaknesses can become stepping stones into operational tooling.

What November’s exploit mix says about 2026 security planning

The clearest signal from November is the weakness type distribution: OS command injection (CWE-78) and out-of-bounds write (CWE-787) were the most common.

That matters because it tells you where to invest engineering time.

Command injection keeps winning because it’s operationally simple

OS command injection is popular for a boring reason: attackers can operationalize it quickly.

• It often works remotely.
• It often needs minimal exploit engineering.
• It often lands you directly in execution.

Defensive stance I recommend:

• Reduce exposure of admin interfaces (no direct internet access where possible).
• Add compensating controls if patching is delayed (temporary access restrictions, WAF rules, strict allowlists).
• Watch for post-exploitation behaviors (new admin users, suspicious scheduled tasks, unexpected outbound connections).

Memory corruption and kernel issues are the “multiplier bugs”

Out-of-bounds writes and kernel race conditions are harder to exploit reliably, but they’re worth it because they can yield:

• Privilege escalation
• Sandboxing bypasses
• Persistence opportunities

If your organization has a large Windows footprint, treat kernel patches as breach prevention, not “maintenance.” I’ve seen too many teams delay these updates because “it’s local-only.” Local-only is exactly what attackers need once they have a foothold.

Where AI actually helps: prioritization, detection, and response

AI in cybersecurity isn’t about replacing your analysts. It’s about removing the parts of the workflow that are basically impossible to do manually at scale.

1) AI-driven vulnerability prioritization beats “CVSS-first” sorting

An AI-assisted model can prioritize based on exploitation reality, not just theoretical severity. That means weighting factors like:

• Known active exploitation (the strongest signal)
• Public PoC availability (increases likelihood of broad exploitation)
• Internet exposure (asset is reachable vs. internal-only)
• Asset business criticality (domain controller vs. test VM)
• Observed attack paths in your environment (which controls are missing)

A practical output is a queue like: “Patch FortiWeb on these 12 exposed instances within 24 hours,” rather than “Patch 400 criticals sometime this month.”

2) AI-assisted detection: turn messy telemetry into usable signals

November’s FortiWeb and mobile exploitation examples share a theme: defenders need to spot behavioral traces, not just signatures.

AI can help by correlating weak signals across logs and endpoints:

• Unusual POST patterns to sensitive API paths
• New admin account creation events on appliances
• Abnormal process/module activity on mobile endpoints
• Kernel-level anomaly patterns associated with exploitation tooling

You still validate with human judgment. But the AI should do the triage and correlation work that burns analyst time.

3) AI-enabled rapid response: shrinking the PoC-to-compromise window

When PoCs go public, defenders are racing a clock. The winning move is to automate the “first 80%”:

1. Identify affected assets (including shadow IT and internet-facing instances)
2. Confirm exposure and versioning
3. Apply patches or isolate systems
4. Hunt for compromise indicators tied to the exploit path

If your team is still doing steps 1–2 manually, you’re donating time to the attacker.

A practical playbook for security teams this month

If you want something you can run in a weekly cadence, here’s what works.

Week 1: Build the “exploited CVE” fast lane

• Create a dedicated workflow for actively exploited vulnerabilities.
• Set an internal SLA (example: internet-facing exploited CVEs patched in 24–72 hours).
• Require compensating controls when patching can’t happen immediately.

Week 2: Map exposure, not just inventory

• Identify which affected products are internet-reachable.
• Confirm ownership (team, vendor, contract) so patching doesn’t stall.
• Track “unknown owner” assets as a risk category.

Week 3: Add detection around the most abused weakness classes

Focus on what November highlights:

• For command injection: monitor unusual child processes spawned by web services, suspicious outbound connections, and unexpected admin changes.
• For auth bypass: alert on new privileged accounts and anomalous session creation.
• For kernel LPE: tighten application control and alert on exploit-tool behaviors.

Week 4: Pressure-test mobile security assumptions

LANDFALL is a reminder that “users didn’t click anything” is no longer a comfort.

• Ensure mobile OS patch compliance is measurable.
• Reduce sensitive app sprawl on unmanaged devices.
• Treat high-risk roles (execs, finance, gov-facing teams) as a separate mobile threat tier.

Snippet you can reuse internally: Zero-click means your controls must assume compromise and focus on containment, visibility, and rapid patching.

What to do next (and what to stop doing)

The November 2025 CVE landscape is a clean demonstration of why AI in cybersecurity is showing up in modern security programs: fewer exploited CVEs doesn’t reduce workload, it raises the precision required.

If you do one thing after reading this, make it this: prioritize by exploitation + exposure + business impact, not by severity score alone. That’s the difference between a patching program that looks busy and one that prevents incidents.

If you’re planning your 2026 roadmap, ask a hard question: when the next month looks like November—short list, high impact, public PoCs—will your team know what to patch first in under an hour?