
Welcome to the vFeed November 2025 edition of the Cybersecurity and Vulnerability Newsletter.
TL;DR
November marked a tactical escalation in high-severity exploitation despite a dip in overall volume: critical vulnerabilities (CVSS ≥ 9.0) surged to 379, driven by a striking rise in perfect 10.0 risk scores and a sharp pivot toward attacks on identity and edge infrastructure. Security teams face immediate risks from Remote Code Execution and Authentication Bypass chains, headlined by the critical Azure Bastion replay attack (CVE‑2025‑49752) and a Samba Active Directory command injection (CVE‑2025‑10230). Furthermore, Microsoft confirmed active exploitation of a Windows Kernel zero-day (CVE-2025-62215), while the WordPress ecosystem saw a massive spike in weaponized CWE-434 (Unrestricted File Upload) vectors, exposing web assets to full site takeover via unauthenticated API endpoints. With 2025 on track for record-breaking vulnerability counts, the priority must be patching WordPress plugins and identifying weaknesses in cloud, middleware and identity infrastructure.
Vulnerability Trends in November
November continued to be an active month for security analysts and incident responders, packed with several patterns of impactful and exploitable vulnerabilities across software packages, cloud vendors, and hardware platforms. The month saw a steady but somewhat muted volume of published vulnerabilities, 2,928 compared to 3,703 in October and 3,738 in September. However, the month presented challenges in the form of several key exploitable vulnerabilities, while a large fraction of CVEs were updated with newer risk scores and advisories. vFeed correlated and archived 34,652 new and published vulnerabilities overall during 2025, well on track to be one of the highest totals recorded in the last several years. Modified vulnerabilities (those with revised risks, priorities, or advisories) accounted for about 4,479 in November, compared to 5,234 in October and 5,010 in September. In November 2024, only about 4,463 vulnerabilities had their risk scores, advisories, and priorities revised, making the current month part of an ongoing active season.
vFeed vendor patches exceeded 2.61M, led by sources such as Debian, SUSE, Microsoft, Ubuntu, and Oracle, which together accounted for nearly 77% of patch advisories issued during the month. vFeed vendor advisories exceeded 2.44M, led by sources including Microsoft, Ubuntu, Red Hat, Gentoo, and GitHub. vFeed has consolidated and tracked nearly 854K affected software packages in the last 5 years alone, a significant count.
vFeed vulnerability data feeds continue to embrace the NVD 2.0 schema for correlating and maintaining our threat intel feeds. Our feed database continues to build upon CVSS4 and EPSS4 risk scoring metrics as part of our threat intel feed, and so far we have recorded 10,795 risk scores in 2025 alone, the largest number we have seen in any year. Of those, November alone accounted for about 625 new CVSS4 risk scores aggregated. Specifically, about 71 of those are determined to be critical vulnerabilities, of which 23 also have exploitability percentiles greater than 60%. A higher EPSS percentile indicates a greater likelihood of exploitation in the wild in the coming months relative to other similar vulnerabilities in the platform.
Vulnerability Landscape
vFeed has tracked nearly 89K exploits so far, with the exploits, GitHub, Metasploit, and Packet Storm sources accounting for a large portion of the identified counts.
The number of critical vulnerabilities identified by vFeed in November (those with a CVSS score of 9.0 or higher) continued to rise significantly, to 379 in November compared to 408 in the previous month. Among those critical vulnerabilities, about 31 (~ 9%) had a high likelihood of exploitation in the next few months, with a probability of more than 50%.
Among those, 24 critical ones (~ 6%) had a perfect 10.0 score, observed in several hardware and software drivers and components, more than double last month's count. November saw several high‑impact vulnerabilities disclosed affecting TNC Toolbox, Samba, FortiWeb, and GeoServer, with issues ranging from remote code execution and authentication bypass to XML External Entity (XXE) attacks and path traversal that can expose or compromise critical systems. CVE‑2025‑12539 in the TNC Toolbox Web Performance WordPress plugin exposes stored cPanel API credentials in a web‑accessible location, enabling unauthenticated attackers to retrieve them and potentially gain full control of the hosting environment via arbitrary file uploads and remote code execution. CVE‑2025‑10230 in Samba, CVE‑2025‑64446 in FortiWeb, and CVE‑2025‑58360 in GeoServer all involve remotely exploitable flaws in widely deployed server components, including authentication or access‑control weaknesses, path traversal, and unsafe XML processing that can lead to data exposure, privilege escalation, or full system compromise when the services are Internet‑facing and handle untrusted input. Taken together, these November vulnerabilities illustrate a cluster of high‑impact issues on edge and middleware services with clear potential for unauthenticated exploitation.
In November, several notable cloud vulnerabilities were disclosed, including a critical authentication bypass in Azure Bastion (CVE‑2025‑49752) and an access‑control issue in Grafana Enterprise’s SCIM implementation (CVE‑2025‑41115), along with multiple other cloud‑service flaws. CVE‑2025‑49752 is an elevation‑of‑privilege vulnerability in Azure Bastion, classified as CWE‑294 (authentication bypass by capture‑replay), with a reported CVSS score of 10.0: an attacker who can intercept a valid token can replay it to gain administrative access to VMs reachable via the affected Bastion host, without prior authentication or user interaction. This prompted urgent guidance to apply Microsoft’s November 20, 2025 fix, restrict Bastion exposure, enforce MFA, and closely review Bastion audit logs for anomalous admin activity.
Platform Impacts
Elevation‑of‑privilege and remote code execution were the most prominent categories across patched and actively exploited vulnerabilities, outpacing other classes such as information disclosure and denial of service in both volume and risk impact during the month. Reports also highlighted increased exploitation of authentication bypass and token replay‑style attacks, where attackers capture or forge session artifacts to gain higher privileges in cloud and edge services without needing valid credentials. This underscores the need to revisit identity and privilege management infrastructure.
A critical command‑injection flaw, CVE‑2025‑10230, in Samba’s WINS server hook handling was highlighted in November 2025. When Samba runs as an Active Directory Domain Controller with WINS support enabled and a non‑empty “wins hook” parameter, unsanitized NetBIOS names from WINS registration packets are inserted into a shell command, allowing an unauthenticated network attacker to execute arbitrary commands with the privileges of the Samba process. This may lead to full domain controller compromise.
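The exposure condition above is a configuration pattern, so a defender can check for it directly. The following is an added example (not vFeed's or the Samba project's code) that parses an smb.conf and flags the combination of WINS support enabled plus a non-empty "wins hook", noting additionally when the server role is an AD DC; the sample configuration text and the hook script path are constructed for illustration.

```python
"""Audit an smb.conf for the CVE-2025-10230 precondition described above:
Samba as an AD DC with 'wins support = yes' and a non-empty 'wins hook'.
Added example, not from vFeed or Samba; the sample configs are constructed."""
import re

# Samba treats parameter names case-insensitively and ignores internal whitespace,
# so "WINS Support" and "winssupport" name the same parameter.
def _norm(name: str) -> str:
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalised_key: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                # new [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections

def _is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}

def wins_hook_exposure(text: str) -> list[str]:
    """Return findings; an empty list means the vulnerable combination is absent."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if not _is_true(g.get(_norm("wins support"), "no")):   # Samba default is "no"
        return findings                      # WINS server off: hook never invoked
    hook = g.get(_norm("wins hook"), "")
    if not hook:
        return findings                      # no hook command configured
    findings.append(f"wins support enabled with non-empty wins hook: {hook!r}")
    # Assumption: the AD DC role is spelled "active directory domain controller".
    if g.get(_norm("server role"), "").lower().startswith("active directory"):
        findings.append("server role is an AD DC: matches the CVE-2025-10230 precondition")
    return findings

VULNERABLE_CONF = """[global]
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/sbin/wins-update.sh   ; hypothetical script path
"""
SAFE_CONF = """[global]
    server role = active directory domain controller
    wins support = yes
    ; wins hook left unset, so NetBIOS names never reach a shell
"""
```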
A peculiar critical vulnerability in the AI Engine plugin for WordPress CVE‑2025‑11749 (CVSS 9.8) affects all versions up to and including 3.1.3 when the “No‑Auth URL” feature is enabled. In this configuration, the plugin’s MCP /mcp/v1/ REST API endpoint exposes a bearer token in the public REST API index, allowing an unauthenticated attacker to retrieve the token and then call MCP endpoints to perform privileged actions such as creating new administrator accounts, effectively leading to full site takeover. The issue has been fixed in version 3.1.4 and above, and guidance is to immediately update the plugin, disable the “No‑Auth URL” option, rotate any exposed tokens, and audit administrator accounts and recent admin‑level actions for signs of compromise.
CVE‑2025‑63888 is a critical RCE in ThinkPHP (version 5.0.24), specifically in the read function used by the template system. Due to improper control of file names and insufficient neutralization of special characters, an unauthenticated remote attacker can supply crafted input that is passed into file‑inclusion and command‑execution logic, allowing arbitrary PHP code execution with the privileges of the web server process and potentially full compromise of the affected application and host. Recommended actions are to upgrade ThinkPHP beyond 5.0.24, add strict path validation and input filtering around template rendering, deploy WAF rules to block suspicious template paths, and closely monitor for indicators of exploitation.
WordPress vulnerabilities across various packages and plugins recorded a larger number of exploitable issues, accounting for nearly 447 of the vulnerabilities published in November alone, far more than in September and October. Of those, 14 (~ 8%) are deemed critical, and about 14 have a greater than 50% likelihood of exploitation in the coming months. Several critical WordPress plugin issues stood out during the month, including CVE‑2025‑12813, CVE‑2025‑11456, and CVE‑2025‑11833. CVE‑2025‑12813 is a critical remote code execution flaw in the Holiday Class Post Calendar plugin (up to and including version 7.1), where unsanitized user input in the `contents` parameter is written to cache files and can be turned into executable PHP, allowing unauthenticated attackers to run arbitrary code and fully compromise the site and underlying server. CVE‑2025‑11833 was reported as a critical broken authentication issue in the SiteSEO – SEO Simplified plugin, enabling attackers to bypass normal login or role checks and gain elevated access, while CVE‑2025‑11456 (also affecting a popular plugin) involves improper access control or input handling that can let low‑privileged or unauthenticated users perform administrative actions.
In November, these WordPress plugins carried a high exploitability risk: CVE-2025-12089 in the Supsystic Data Tables Generator plugin enabled authenticated admins to perform path traversal via the cleanCache() function, allowing arbitrary file deletion and potential RCE by targeting critical files such as wp-config.php. CVE-2025-9501 affected the W3 Total Cache plugin through improper input handling or access controls, posing risks of unauthorized cache manipulation or code injection on widely used sites. CVE-2025-12092 in the CYAN Backup plugin permitted authenticated users to conduct unauthorized backups or file access due to broken access controls, heightening data exfiltration threats. All of these issues underscore the need for immediate plugin updates and access hardening.
Microsoft accounted for about 24 published known vulnerabilities during the month in the vFeed dataset. Microsoft’s November 2025 Patch Tuesday addressed 68 vulnerabilities, including five critical ones and one actively exploited zero-day (CVE-2025-62215, a Windows Kernel elevation-of-privilege flaw added to CISA’s Known Exploited Vulnerabilities catalog), with elevation-of-privilege issues dominating at 29 total (1 critical) and remote code execution at 16 (3 critical). The key critical flaws included CVE-2025-60724 (GDI+ heap-based buffer overflow for unauthenticated RCE via malicious metafiles), CVE-2025-62199 (Office use-after-free for local RCE), CVE-2025-60716 (DirectX Graphics Kernel use-after-free for SYSTEM privilege escalation), CVE-2025-62214 (Visual Studio command injection), and CVE-2025-30398 (Nuance PowerScribe information disclosure).
Top Weaknesses
vFeed identified several top weaknesses that contributed to critical impacts during the month. Of the 379 critical vulnerabilities identified in November, 88 (~ 23%) were CWE-74 injection weaknesses (Improper Neutralization of Special Elements), followed by 36 (~ 9%) CWE-119 buffer overflow weaknesses (Improper Restriction of Operations within the Bounds of a Memory Buffer), 24 (~ 6%) CWE-434, and 18 (~ 4%) CWE-89 SQL Injection weaknesses. A newly prominent weakness pattern, CWE-434 Unrestricted Upload of File with Dangerous Type, saw a sudden spike in assignments in November reports, often as a primary or secondary weakness in web apps and plugins that allow unauthenticated file uploads or executables, leading to RCE and full compromise. This spike aligns with trends in WordPress plugins (e.g., Supsystic, AI Engine) and enterprise software where poor validation on upload endpoints enabled rapid exploitation, ranking high in vulnerability dispersion stats for high/critical severity issues.
Critical Exploitable Vulnerabilities – November 2025
Pay attention to these top critical vulnerabilities that are likely exploitable this month.
| CVE | Description | CVSS 3 / 4 Base | EPSS Percentile | Exploit PoC Available? | Date Published | Weakness | Versions Affected | References |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11749 | AI Engine plugin for WordPress vulnerable to Sensitive Information Exposure via the /mcp/v1/ REST API endpoint exposing the Bearer Token value | 9.8 | 95.8% | Yes | 2025-11-05 | CWE-200 | < 3.1.3 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06eaf624-aedf-453d-8457-d03a572fac0d |
| CVE-2025-64446 | Path traversal vulnerability in Fortinet FortiWeb allowing an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests | 9.8 | 98.4% | Yes | 2025-11-14 | CWE-23 | FortiWeb 8.0.x, 7.4.x | https://fortiguard.fortinet.com/psirt/FG-IR-25-910 |
| CVE-2025-58360 | GeoServer XML External Entity (XXE) vulnerability: the /geoserver/wms endpoint's GetMap operation accepts XML input, allowing an attacker to craft external entities within the XML request | 9.8 | 92.8% | Yes | 2025-11-25 | CWE-611 | < 2.25.6, 2.26.0-2 | https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 |
| CVE-2025-11953 | Metro Development Server, part of React Native Community CLI, exposes an endpoint vulnerable to OS command injection, allowing unauthenticated network attackers to send a POST request that runs executables | 9.8 | 65.3% | Yes | 2025-11-03 | CWE-78 | N/A | https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547 |
| CVE-2025-61304 | OS command injection vulnerability in the Dynatrace ActiveGate ping extension up to 1.016 via a crafted IP address | 9.8 | 59% | Yes | 2025-11-05 | CWE-78 | < 1.016 | https://github.com/pentastic-be/CVE-2025-61304 |
| CVE-2025-63888 | RCE in the read function of the ThinkPHP template library | 9.8 | 53.8% | Yes | 2025-11-20 | CWE-98 | 5.0.24 | https://www.yuque.com/lcc316/df0kgm/mglhbxltgbmzfh2s |
| CVE‑2025‑10230 | Flaw in Samba's WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping | 10.0 | 56.8% | Yes | 2025-11-07 | CWE-78 | 2.4.17.x | https://access.redhat.com/security/cve/CVE-2025-10230 |
May you live in interesting times! 🙂

Click here to schedule your demo with vFeed Threat Intel today!