Fortiweb Vulnerability
Fortinet, with significant delay, acknowledged a recently patched vulnerability after exploit attempts were seen publicly.
https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486
https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
https://fortiguard.fortinet.com/psirt/FG-IR-25-910?ref=labs.watchtowr.com
Flnger.exe and ClickFix
Attackers started to use the finger.exe binary to retrieve additional payload in ClickFix attacks
https://isc.sans.edu/diary/Finger.exe%20%26%20ClickFix/32492

SmartApeSG campaign uses ClickFix page to push NetSupport RAT
A detailed analysis of a recent SamtApeSG campaign taking advantage of ClickFix
https://isc.sans.edu/diary/32474
Formbook Delivered Through Multiple Scripts
An analysis of a recent version of Formbook showing how it takes advantage of multiple obfuscation tricks
https://isc.sans.edu/diary/32480
sudo-rs vulnerabilities
Two vulnerabilities were patched in sudo-rs, the version of sudo written in Rust, showing that while Rust does have an advantage when it comes to memory safety, there are plenty of other vulnerabilities to worry about
https://ubuntu.com/security/notices/USN-7867-1
https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw?ref=itsfoss.com
SANS Holiday Hack Challenge
https://sans.org/HolidayHack

OWASP Top 10 2025 Release Candidate
OWASP published a release candidate for the 2025 version of its Top 10 list
https://owasp.org/Top10/2025/0x00_2025-Introduction/
Citrix/Cisco Exploitation Details
Amazon detailed how Citrix and Cisco vulnerabilities were used by advanced actors to upload webshells
https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/
Testing Quantum Readyness
A website tests your services for post-quantum computing-resistant cryptographic algorithms
https://qcready.com/

Microsoft Patch Tuesday for November 2025
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/
Gladinet Triofox Vulnerability
Triofox uses the host header in lieu of proper access control, allowing an attacker to access the page managing administrators by simply setting the host header to localhost.
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/
SAP November 2025 Patch Day
SAP fixed a critical vulnerability, fixed default credentials in its SQL Anywhere Monitor
https://onapsis.com/blog/sap-security-patch-day-november-2025/
Ivanti Endpoint Manager Updates
https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US

It isn t always defaults: Scans for 3CX Usernames
Our honeypots detected scans for usernames that may be related to 3CX business phone systems
https://isc.sans.edu/diary/It%20isn%27t%20always%20defaults%3A%20Scans%20for%203CX%20usernames/32464
Watchguard Default Password Controversy
A CVE number was assigned to a default password commonly used in Watchguard products. This was a documented username and password that was recently removed in a firmware upgrade.
https://github.com/cyberbyte000/CVE-2025-59396/blob/main/CVE-2025-59396.txt
https://nvd.nist.gov/vuln/detail/CVE-2025-59396
JavaScript expr-eval Vulnerability
The JavaScript expr-eval library was vulnerable to a code execution issue.
https://www.kb.cert.org/vuls/id/263614

Honeypot Requests for Code Repository
Attackers continue to scan websites for source code repositories. Keep your repositories outside your document root and proactively scan your own sites.
https://isc.sans.edu/diary/Honeypot%3A%20Requests%20for%20%28Code%29%20Repositories/32460
Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads
Newly discovered malicious .NET packages attempt to deliver a time-delayed attack targeting ICS systems.
https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads
Side Channel Leaks in Encrypted Traffic to LLMs
Traffic to LLMs can be profiled to discover the nature of prompts sent by a user based on the amount and structure of the encrypted data.
https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/

Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary]
Windows, with PowerShell, has a great scripting platform to match common Linux/Unix command line utilities.
https://isc.sans.edu/diary/Binary%20Breadcrumbs%3A%20Correlating%20Malware%20Samples%20with%20Honeypot%20Logs%20Using%20PowerShell%20%5BGuest%20Diary%5D/32454
RondoDox v2 Increases Exploits
The RondoDox (or RondoWorm) added a substantial amount of new exploits to its repertoire.
https://beelzebub.ai/blog/rondo-dox-v2/
Google Chrome Updates
Google released an update for Google Chrome addressing five vulnerabilities.
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html
Cisco Unified Contact Center Express Remote Code Execution Vulnerabilities
Cisco patched two critical vulnerabilities in its Contact Center Express software. These vulnerabilities may lead to a full system compromise.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

Updates to Domainname API
Some updates to our domainname API will make it more flexible and make it easier and faster to get the complete dataset.
https://isc.sans.edu/diary/Updates%20to%20Domainname%20API/32452
Microsoft Teams Impersonation and Spoofing Vulnerabilities
Checkpoint released details about recently patched spoofing and impersonation vulnerabilities in Microsoft Teams
https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/
NViso Report: VSHELL
NViso published an amazingly detailed report describing the remote control implant VSHELL. The report includes details about the inner workings of the tool as well as detection ideas.
https://www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool

Apple Patches Everything, Again
Apple released a minor OS upgrade across its lineup, fixing a number of security vulnerabilities.
https://isc.sans.edu/diary/Apple%20Patches%20Everything%2C%20Again/32448
Remote Access Tools Used to Compromise Trucking and Logistics
Attackers infect trucking and logistics companies with regular remote management tools to inject malware into other companies or learn about high-value loads in order to steal them.
https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics
Google Android Patch Day
Google released its usual monthly Android updates this week
https://source.android.com/docs/security/bulletin/2025-11-01

XWiki SolrSearch Exploit Attempts CVE-2025-24893
We have detected a number of exploit attempts against XWiki taking advantage of a vulnerability that was added to the KEV list on Friday.
https://isc.sans.edu/diary/XWiki%20SolrSearch%20Exploit%20Attempts%20%28CVE-2025-24893%29%20with%20link%20to%20Chicago%20Gangs%20Rappers/32444
AMD Zen 5 Random Number Generator Bug
The RDSEED function for AMD s Zen 5 processors does return 0 more often than it should.
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
SleepyDuck malware invades Cursor through Open VSX
Yet another Open VSX extension stealing crypto credentials
https://secureannex.com/blog/sleepyduck-malware/