November 2025 CVEs Fell 69%—Risk Didn’t

AI in Cybersecurity series, by 3L3C

November 2025 critical CVEs dropped 69%, but exploitation stayed hot. Learn what changed—and how AI prioritizes patching and detection in real time.

Tags: AI in cybersecurity, vulnerability management, threat intelligence, patch management, incident response, mobile security


A 69% drop sounds like good news—until you look at what dropped. In November 2025, the number of high-impact, actively exploited vulnerabilities fell from 32 to 10. That’s not “less risk.” That’s a tighter, more curated set of exploits that attackers are confident will work.

Here’s the part most companies get wrong: they treat vulnerability volume like a proxy for danger. But attackers don’t get paid per CVE. They get paid for access, persistence, and impact. When the list gets shorter and the exploitation stays active, it usually means threat actors are choosing quality over quantity.

This post is part of our AI in Cybersecurity series, and it’s a perfect example of where AI actually earns its keep: triaging what matters now, spotting exploitation signals early, and turning “we should patch” into “we patched the right thing first.”

Why fewer critical CVEs can mean more real-world risk

A smaller monthly CVE list can be more dangerous when it’s dominated by vulnerabilities that are:

  • Internet-facing (WAFs, firewalls, admin panels)
  • Easy to operationalize (public proof-of-concept code, reliable exploit chains)
  • High privilege (kernel-level escalation, auth bypass)
  • High-value targets (Windows fleets, mobile executives, identity systems)

In November 2025, 7 of the 10 actively exploited vulnerabilities had public PoC code available. That matters because public PoC compresses your timeline: defenders move at ticket speed; attackers move at copy-paste speed.

The reality? Your patch queue is already longer than your team’s capacity. If your process is “patch by severity score,” you’ll miss what attackers are exploiting this week.

What AI changes in this exact scenario

AI-driven vulnerability management isn’t about replacing engineers. It’s about replacing the weakest part of most programs: manual prioritization under uncertainty.

A practical AI workflow uses signals like:

  • Exploitation in the wild (versus theoretical impact)
  • Presence and maturity of PoC code
  • Exposure (is the asset reachable from the internet?)
  • Asset criticality (identity, perimeter, privileged systems)
  • Behavioral signals (scanning spikes, suspicious requests, exploit fingerprints)

When the month’s list shrinks to 10, you’d think prioritization gets easier. It does—if you can connect the dots quickly across your environment. That’s where AI is strongest.

The November 2025 exploitation pattern: perimeter, privilege, and phones

The 10 exploited CVEs spanned a familiar attacker playbook, with three themes that should jump out to security leaders:

  1. Perimeter and admin-plane compromise (especially WAF and firewall-adjacent systems)
  2. Privilege escalation and persistence (Windows kernel, identity platforms)
  3. Mobile zero-click tradecraft moving from “rare” to “operational”

If you want a short, useful stance: assume attackers will chain one internet-facing weakness with one privilege escalation, then automate the rest.

Fortinet FortiWeb: auth bypass and command injection in the blast radius

Two FortiWeb vulnerabilities were actively exploited:

  • CVE-2025-64446 (relative path traversal with authentication bypass)
  • CVE-2025-58034 (OS command injection)

This is the nightmare combo: compromise the security control that sits in front of your apps, then use it as a pivot. The reported exposure of 4,768 internet-visible FortiWeb instances underscores why perimeter products get hammered: they’re reachable, they’re trusted, and they often have powerful credentials.

From an AI-in-cybersecurity perspective, FortiWeb is a great use case for anomaly detection on “normal” admin behavior. Perimeter appliances don’t change configuration constantly in most orgs. That makes it easier to build high-confidence detections around:

  • New admin account creation patterns
  • Unusual API endpoint paths
  • Base64-like header content anomalies
  • Configuration changes outside change windows

When you can’t patch immediately, AI-based monitoring becomes your compensating control—imperfect, but far better than silence.

Windows kernel LPE: the classic second-stage move

CVE-2025-62215 hit modern Windows versions (Windows 10/11 and Windows Server 2019–2025) and enables local privilege escalation to SYSTEM.

Local privilege escalation vulnerabilities matter because they’re the “make it real” step. Attackers don’t need them to get in—they need them to:

  • Disable EDR
  • Dump credentials
  • Install persistence
  • Turn a single foothold into domain-wide control

AI helps here in two practical ways:

  1. Behavior correlation: model “normal” process trees and flag rare privilege transitions (for example, a user-context process suddenly triggering kernel exploitation patterns).
  2. Exploit-chaining detection: identify sequences like phishing/remote access → new tool drop → suspicious token manipulation → SYSTEM-level actions.

Most teams still investigate alerts one-by-one. Attackers operate in sequences. AI is good at sequences.

Mobile zero-click exploitation: security teams are behind here

The LANDFALL campaign weaponized CVE-2025-21042 (Samsung image processing out-of-bounds write) for zero-click Android attacks, reportedly delivered through weaponized DNG images in messaging.

This is a line in the sand for enterprise security in 2026 planning:

Mobile endpoints now face the same “silent compromise” reality that servers and laptops have dealt with for years.

If your mobile security program is “MDM plus a policy doc,” you’re underestimating the problem—especially for executives, legal, finance, and anyone traveling internationally.

AI-assisted defense on mobile isn’t about scanning every photo. It’s about:

  • Detecting unusual process activity and module execution patterns
  • Identifying suspicious persistence behaviors
  • Correlating messaging app artifact anomalies with device telemetry
  • Prioritizing high-risk users and regions based on threat intelligence

Zero-click means the user doesn’t get a chance to be careful. Your controls have to assume compromise is possible even when behavior looks “normal.”

What to prioritize first: an AI-driven patch triage model

Answer first: patch what’s exploited, exposed, and easy to weaponize—before you chase theoretical severity.

Here’s a simple prioritization model I’ve found works well in real security programs, and it maps directly to November’s CVE landscape.

Step 1: Build a “right now” score, not a “someday” score

Use a weighted score that favors operational risk:

  1. Active exploitation confirmed (highest weight)
  2. Asset exposure (internet-facing > partner-accessible > internal)
  3. Exploit availability (public PoC, metasploit-style modules, exploit kits)
  4. Privilege outcome (auth bypass, RCE, SYSTEM/root)
  5. Business criticality (identity, edge, finance, production)

In November 2025, this model naturally pushes FortiWeb, Windows kernel, and Samsung mobile to the top because they combine multiple high-weight factors.

Step 2: Let AI do the painful correlation work

Most orgs already have the data needed to prioritize correctly, but it’s scattered:

  • Vulnerability scanner results
  • Asset inventory (often incomplete)
  • External attack surface visibility
  • Threat intel feeds
  • SIEM/EDR logs
  • Ticketing and patch compliance data

AI helps by joining those datasets and producing outputs that humans can actually act on:

  • “These 14 assets are running affected FortiWeb versions and are externally reachable.”
  • “These 220 endpoints are missing the November 2025 Windows update and have suspicious post-exploitation tooling signals.”
  • “These 30 executives have Samsung models in scope and have traveled to targeted regions; push emergency update and tighten WhatsApp media handling.”

That’s not magic. It’s the difference between searching and knowing.

Step 3: Automate the response paths you repeat every month

If your team is rebuilding the same playbook for every exploited CVE, you’re wasting your best people on rinse-and-repeat work.

The automation targets that pay off fastest:

  • Auto-create tickets with asset owner, exposure context, and patch deadline
  • Auto-tag vulnerabilities with “exploited + PoC” for SLA escalation
  • Auto-deploy compensating controls (WAF rules, IPS signatures, endpoint hardening)
  • Auto-trigger targeted hunting queries (specific endpoints, headers, paths, processes)

This is where AI in security operations becomes a lead indicator, not a reporting tool.

Practical detection ideas for November’s top exploitation themes

Answer first: you won’t detect every exploit, but you can detect the operational footprints attackers leave behind.

Here are defensible, actionable detection ideas aligned to the November 2025 exploited CVEs.

Perimeter and WAF exploitation signals (FortiWeb-type issues)

Focus on high-signal indicators that don’t require deep packet inspection everywhere:

  • Unusual POST requests to administrative or CGI-style endpoints
  • Request paths containing traversal patterns (encoded or partially encoded)
  • Rare headers or header values that look encoded/structured
  • New admin users created outside approved workflows
  • Configuration changes paired with new outbound connections

AI helps reduce noise by learning what “normal admin traffic” looks like in your environment. Most orgs have very little of it.
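The FortiWeb section earlier and the list above describe the same detection idea: learn what routine admin traffic looks like, then flag traversal patterns (plain or double-encoded), admin-plane POSTs outside change windows, encoded-looking header values and source/path pairs never seen before. The Python below is an added example of that logic run over constructed log lines; it is not 3L3C's code and not a product rule set. The pipe-delimited log format, the paths, IP addresses, header names, weights and the weekday 08:00-18:00 UTC change window are all assumptions for the example.

```python
"""Added example (not 3L3C's code) of the perimeter/admin-plane detection ideas.
Log format, paths, IPs, headers, weights and the change window are constructed/assumed."""
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed log format: timestamp|src_ip|method|path|status|k=v;k=v (request headers of interest)
BASELINE_LINES = [  # constructed: routine admin traffic from the learning period
    "2025-11-03T10:02:11Z|10.10.5.20|GET|/admin/dashboard|200|ua=Mozilla",
    "2025-11-03T10:03:41Z|10.10.5.20|POST|/admin/config/save|200|ua=Mozilla",
    "2025-11-05T14:15:00Z|10.10.5.21|GET|/admin/users|200|ua=Mozilla",
]
REVIEW_LINES = [  # constructed: the window under review
    "2025-11-14T03:12:07Z|203.0.113.7|POST|/cgi-bin/admin/users|200|ua=python-requests;x-data=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo0NTY3ODkw",
    "2025-11-14T03:12:09Z|203.0.113.7|GET|/static/..%252f..%252fetc/config|200|ua=python-requests",
    "2025-11-14T09:30:00Z|10.10.5.20|POST|/admin/config/save|200|ua=Mozilla",
    "2025-11-14T03:20:00Z|10.10.5.20|GET|/admin/dashboard|200|ua=Mozilla",
]

ADMIN_PATH = re.compile(r"^/(admin|cgi-bin)/", re.I)
TRAVERSAL = re.compile(r"\.\.[/\\]")
B64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # long, base64-looking header value
CHANGE_WINDOW_HOURS = (8, 18)                        # assumed: weekdays 08:00-18:00 UTC
SIGNAL_WEIGHT = {"traversal-pattern": 3, "admin-post-outside-window": 2,
                 "encoded-header-value": 1, "unseen-admin-source-path": 1}
ALERT_THRESHOLD = 3   # one high-confidence signal, or several weak ones together


def parse(line):
    ts, src, method, path, status, hdrs = line.split("|", 5)
    headers = dict(h.split("=", 1) for h in hdrs.split(";") if "=" in h)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method, "path": path, "status": int(status), "headers": headers}


def decode_path(path):
    for _ in range(2):      # catch double-encoded traversal such as ..%252f
        path = unquote(path)
    return path


def in_change_window(ts):
    return ts.weekday() < 5 and CHANGE_WINDOW_HOURS[0] <= ts.hour < CHANGE_WINDOW_HOURS[1]


def build_baseline(lines):
    """Learn 'normal admin traffic': the (source, path) pairs seen in the learning period."""
    return {(r["src"], r["path"]) for r in map(parse, lines)}


def signals(rec, baseline):
    found = []
    decoded = decode_path(rec["path"])
    if TRAVERSAL.search(decoded):
        found.append("traversal-pattern")
    if rec["method"] == "POST" and ADMIN_PATH.match(decoded) and not in_change_window(rec["ts"]):
        found.append("admin-post-outside-window")
    if any(B64ISH.match(v) for v in rec["headers"].values()):
        found.append("encoded-header-value")
    if ADMIN_PATH.match(decoded) and (rec["src"], rec["path"]) not in baseline:
        found.append("unseen-admin-source-path")
    return found


def review(lines, baseline):
    """Score each request; return the ones worth a ticket, in log order."""
    alerts = []
    for rec in map(parse, lines):
        found = signals(rec, baseline)
        score = sum(SIGNAL_WEIGHT[s] for s in found)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": rec["ts"].isoformat(), "src": rec["src"],
                           "path": rec["path"], "score": score, "signals": found})
    return alerts


if __name__ == "__main__":
    for alert in review(REVIEW_LINES, build_baseline(BASELINE_LINES)):
        print(alert)
```

Two of the four review lines alert, both from the same unfamiliar source: the admin POST at 03:12 stacks three weak signals, and the double-encoded traversal request is a single high-confidence signal. The routine admin's own POST inside the change window and the off-hours GET to a path already in the baseline stay quiet, which is the noise reduction the baseline buys you. Decoding the path twice before matching is deliberate: single-decode matching is the usual gap in home-grown traversal rules.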

Privilege escalation and post-exploitation (Windows kernel LPE)

Prioritize behavior sequences over single events:

  • New tooling execution shortly after initial access events
  • Token/privilege changes followed by credential access attempts
  • EDR tampering behaviors (service stop attempts, driver loads, policy edits)
  • Lateral movement within hours of a workstation compromise

AI-based correlation is especially effective here because kernel exploitation often appears as a set of weak signals that only become obvious when stitched together.
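The Windows kernel section earlier ("phishing/remote access → new tool drop → suspicious token manipulation → SYSTEM-level actions") and the sequence list above are the same detection problem: individually weak events that only matter in order and in a short window. The Python below is an added example (not 3L3C's code, not any EDR vendor's logic) that stitches per-host events into ordered chains and reports the ones that reach a minimum number of stages. The event type names, the mapping of event types to stages, the six-hour window, and all hosts, timestamps and process names are constructed for the example.

```python
"""Added example (not 3L3C's code) of sequence correlation for post-exploitation signals.
Event names, the stage mapping, the window, hosts, timestamps and processes are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered stages of the chain the post describes. Which raw EDR event types count for
# each stage is an assumption for this example, not a vendor taxonomy.
STAGES = [
    ("initial-access",   {"phishing-attachment-open", "remote-access-session"}),
    ("tool-drop",        {"new-unsigned-binary", "script-download"}),
    ("privilege-change", {"token-manipulation", "integrity-level-change"}),
    ("system-action",    {"edr-service-stop", "credential-store-access", "driver-load"}),
    ("lateral-movement", {"remote-logon-to-peer", "admin-share-write"}),
]
STAGE_OF = {etype: i for i, (_, etypes) in enumerate(STAGES) for etype in etypes}
WINDOW = timedelta(hours=6)   # assumed: how long one chain may take end to end

EVENTS = [  # constructed telemetry: (host, timestamp, event type, process)
    ("ws-101", "2025-11-12T09:01:00Z", "phishing-attachment-open", "outlook.exe"),
    ("ws-101", "2025-11-12T09:04:30Z", "new-unsigned-binary", "update.exe"),
    ("ws-101", "2025-11-12T09:05:10Z", "token-manipulation", "update.exe"),
    ("ws-101", "2025-11-12T09:06:00Z", "edr-service-stop", "update.exe"),
    ("ws-205", "2025-11-12T11:00:00Z", "remote-access-session", "helpdesk-tool.exe"),
    ("ws-205", "2025-11-12T11:20:00Z", "token-manipulation", "svchost.exe"),
    ("ws-205", "2025-11-12T11:25:00Z", "credential-store-access", "svchost.exe"),
    ("ws-300", "2025-11-11T08:00:00Z", "new-unsigned-binary", "installer.exe"),
    ("ws-300", "2025-11-11T17:00:00Z", "token-manipulation", "installer.exe"),  # 9 h apart: noise
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(events, window=WINDOW, min_stages=3):
    """Stitch weak per-host signals into ordered chains; report chains with >= min_stages."""
    by_host = defaultdict(list)
    for host, ts, etype, proc in events:
        by_host[host].append((parse_ts(ts), etype, proc))
    alerts = []
    for host in sorted(by_host):
        evs = sorted(by_host[host])
        consumed = set()   # event indexes already explained by a reported chain
        for i, (t0, e0, p0) in enumerate(evs):
            if i in consumed or e0 not in STAGE_OF:
                continue
            chain, used = [(STAGE_OF[e0], t0, e0, p0)], [i]
            for j in range(i + 1, len(evs)):
                t, e, p = evs[j]
                if t - t0 > window:
                    break
                if e in STAGE_OF and STAGE_OF[e] > chain[-1][0]:   # only a later stage extends the chain
                    chain.append((STAGE_OF[e], t, e, p))
                    used.append(j)
            if len(chain) >= min_stages:
                consumed.update(used)
                alerts.append({
                    "host": host,
                    "stages": [STAGES[s][0] for s, *_ in chain],
                    "events": [e for _, _, e, _ in chain],
                    "processes": sorted({p for *_, p in chain}),
                    "duration_min": (chain[-1][1] - chain[0][1]).total_seconds() / 60,
                    "severity": "high" if len(chain) >= 4 else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed data the first workstation produces a four-stage, five-minute chain and is rated high; the second skips the tool-drop stage (the post notes that chains are rarely complete) but still reaches three stages and is rated medium; the third host has two events nine hours apart and is not reported, because a chain only counts inside the window. Stages may be skipped but never reordered, which is what keeps an unrelated token change from being glued to an unrelated login hours later.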

Mobile zero-click response posture (Samsung zero-click)

Mobile telemetry is messy, so keep it simple and focused:

  • Enforce rapid patching for high-risk device families and OS versions
  • Restrict auto-download of media in high-risk messaging apps for sensitive groups
  • Monitor for anomalous file artifacts in app media directories (where available)
  • Run incident response playbooks that include mobile forensics, not just laptop imaging

If you treat mobile like a “personal device with email,” you’ll miss the fact that it’s often the most privileged microphone and camera in your company.

What security leaders should do before the year turns

Answer first: use the quieter month to harden your process, not your slide deck.

December is when teams catch up—or get buried. A 69% drop in critical CVEs is a gift if you use it to improve how you respond when the next spike hits.

Here’s a short, high-impact checklist that aligns with an AI-driven security posture:

  1. Validate attack surface reality: confirm which edge systems are truly internet-facing.
  2. Create an “exploited CVE” fast lane: special SLA, dedicated change window, executive backing.
  3. Automate enrichment: every vuln ticket should include exposure, owner, and exploit status.
  4. Hunt for exploit footprints weekly, not quarterly.
  5. Bring mobile into IR: make sure your incident response plan includes mobile containment and forensic steps.

The broader theme of this AI in Cybersecurity series is straightforward: AI is most valuable when it reduces time-to-action. November 2025’s CVE landscape is a clean demonstration—fewer items, higher confidence, faster exploitation.

If your team wants to turn threat intelligence into prioritized patching and faster detection, start by asking one uncomfortable question: when the next “only 10” month arrives, will you know within hours whether you’re exposed—or will you need a week of meetings to find out?