TLDR Security; Saturday, November 15, 2025

.\ Windows kernel zero-day heads into KEV — patch before December 3

Microsoft’s November Patch Tuesday fixed 63 vulnerabilities, including a Windows kernel elevation-of-privilege bug, CVE-2025-62215, that’s already being exploited and is now in CISA’s Known Exploited Vulnerabilities catalog with a December 3 remediation due date. The flaw is a race condition in the kernel that lets a local attacker with low privileges escalate to SYSTEM, turning any initial foothold (phishing, browser exploit, misconfigured service) into full host compromise. Microsoft shipped fixes across supported Windows client and server builds in this month’s cumulative updates, and CISA’s alert effectively makes this a compliance issue for U.S. federal networks. For MSPs, this should go straight to an “emergency but testable” patch ring: prioritize internet-facing servers, RDS hosts, and high-value line-of-business systems, and verify that vulnerable but “supported” stragglers (especially late-lifecycle Windows 10) aren’t quietly excluded from your standard patch policies.

.\ Source shelf: Help Net Security overview · NVD entry · CISA KEV listing


.\ Akira ransomware levels up with Nutanix hits and updated CISA advisory

CISA, the FBI, and international partners pushed an updated Akira ransomware advisory this week detailing new tradecraft, including confirmed encryption of Nutanix AHV virtual machine disks — a notable expansion beyond the group’s previous focus on VMware ESXi and Hyper-V. Reporting from multiple firms ties recent incidents to a familiar combo: edge device bugs like SonicWall CVE-2024-40766, misconfigured MFA or OTP seeds on SSL VPNs, and exposed or poorly segmented backup platforms such as Veeam. The advisory also updates observed ransom proceeds (well into nine figures) and emphasizes Akira’s willingness to hit critical infrastructure and smaller enterprises alike. MSPs should treat this as a blueprint for hardening: verify SonicWall and other edge gear are fully patched and re-keyed, confirm VPN MFA secrets weren’t exposed in older breaches, lock down hypervisor and backup consoles to admin-only management networks, and test restore paths assuming hypervisors are trashed.

.\ Source shelf: CISA/FBI Akira advisory update · Dark Reading analysis · Industrial Cyber coverage


.\ Fortinet FortiWeb zero-day exploited, rushed into KEV — internet-facing WAFs at risk

Fortinet disclosed a critical path traversal / auth-bypass bug in its FortiWeb web application firewall appliances, tracked as CVE-2025-64446, which allows unauthenticated attackers to execute administrative commands via crafted HTTP/HTTPS requests. Researchers at Rapid7 and others say exploitation has been underway since October, with public proof-of-concept code now available and a Metasploit module already live, prompting CISA to add the flaw to its KEV catalog with an aggressive November 21 remediation deadline. Affected versions span multiple FortiWeb trains (7.0, 7.2, 7.4, 7.6 and 8.0) that are still widely deployed in front of customer-facing apps. For MSPs that manage FortiWeb, this needs “drop everything” patching: upgrade to fixed firmware, rotate any admin credentials configured on impacted devices, audit for suspicious or newly created admin accounts, and check reverse proxy logs for strange paths or unexplained configuration changes.
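The log review recommended above, as an added example that is not code from the newsletter, Fortinet or Rapid7: a small Python triage pass over reverse-proxy access logs that flags decoded dot-dot segments, double URL-encoding, null bytes, and successful write requests to an admin API prefix. The log format is Apache/nginx "combined", the `/api/admin/` prefix is an assumption standing in for whatever management path your appliance exposes, and every log line is constructed. It is a generic indicator check for "strange paths", not a signature for CVE-2025-64446.

```python
"""Added example (not from the newsletter or Fortinet): triage WAF / reverse-proxy
access logs for traversal indicators and unexpected admin-path writes.
The log regex, admin prefix and all sample lines are constructed assumptions."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Apache/nginx "combined" log format (assumed; adjust for your proxy's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

ADMIN_PREFIXES = ("/api/admin/",)          # assumption: management API prefix
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")      # a '..' path segment after decoding

# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2025:10:01:02 +0000] "GET /app/index.html HTTP/1.1" 200 512
198.51.100.9 - - [15/Nov/2025:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/conf/secrets.ini HTTP/1.1" 404 0
198.51.100.9 - - [15/Nov/2025:10:02:15 +0000] "GET /static/%252e%252e/%252e%252e/conf/secrets.ini HTTP/1.1" 200 1337
192.0.2.44 - - [15/Nov/2025:10:05:40 +0000] "POST /api/admin/users HTTP/1.1" 401 0
192.0.2.44 - - [15/Nov/2025:10:05:52 +0000] "POST /api/admin/users HTTP/1.1" 200 44
""".splitlines()


def canonical_path(raw: str) -> tuple[str, int]:
    """Strip the query string, URL-decode until stable (max 3 rounds) and fold
    backslashes. Returns the decoded path and the number of decode rounds that
    changed it; 2 or more means the request was double-encoded."""
    path, rounds = raw.split("?", 1)[0], 0
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path.replace("\\", "/"), rounds


def analyse_line(line: str) -> dict | None:
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable lines deserve a separate look; not handled here
    path, rounds = canonical_path(m["target"])
    reasons = []
    if DOTDOT.search(path):
        reasons.append("dot-dot segment after decoding")
    if rounds >= 2:
        reasons.append("double URL-encoding")
    if "\x00" in path:
        reasons.append("null byte in path")
    if (path.startswith(ADMIN_PREFIXES) and m["method"] in WRITE_METHODS
            and m["status"].startswith("2")):
        reasons.append("successful write to admin path")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": path, "status": m["status"], "reasons": reasons}


def triage(lines: list[str]) -> list[dict]:
    """Run analyse_line over a log and keep only the flagged requests."""
    return [f for f in (analyse_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f'{finding["ip"]:<14} {finding["method"]} {finding["path"]} '
              f'{finding["status"]}  <- {", ".join(finding["reasons"])}')
```

The decode loop is the point: a single `unquote` misses `%252e%252e`, and a check on the raw request line misses `%2e%2e`. A 401 on the admin path is noise; a 2xx on a write method from an address that should never reach management is the line to pull the device's configuration history for.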

.\ Source shelf: Fortinet PSIRT advisory · Rapid7 write-up · CISA KEV entry


.\ WatchGuard Firebox VPN bug goes KEV — 50k+ firewalls in play

CISA also added CVE-2025-9242, a critical out-of-bounds write in WatchGuard Fireware OS’s iked process, to the KEV catalog alongside the Windows kernel bug. The vulnerability affects both Mobile User VPN and Branch Office VPN configurations using IKEv2 with dynamic gateway peers and can give remote unauthenticated attackers code execution on affected Firebox firewalls. WatchGuard fixed the issue in September and published a detailed PSIRT advisory, but Shodan data and CISA’s stats suggest tens of thousands of devices remain exposed and unpatched, making this an attractive target for ransomware crews. For MSPs running Firebox fleets, don’t just “plan” upgrades — pull current firmware inventories, map which customer tunnels use IKEv2 dynamic peers, upgrade to the recommended fixed versions, and consider temporarily restricting VPN exposure (IP allowlists, geo-filters) until you can confirm patches and apply the vendor’s workarounds.

.\ Source shelf: WatchGuard advisory · CISA KEV listing · The Hacker News coverage


.\ Oracle E-Business zero-day fallout: Washington Post and GlobalLogic confirm data theft

The long tail from Oracle’s critical E-Business Suite zero-day, CVE-2025-61882, is getting clearer — and uglier. The Washington Post disclosed that nearly 10,000 employees and contractors had personal and financial data stolen from its Oracle environment, with extortion attempts following the breach, while engineering firm GlobalLogic confirmed similar theft of data for more than 10,000 current and former staff. Oracle’s own guidance and follow-on analysis from CrowdStrike and Google Cloud Mandiant indicate the bug was exploited as a zero-day as early as July, and CISA has flagged it in KEV as a favored ransomware vector. For MSPs, the lesson isn’t “avoid Oracle” so much as “map your dependencies”: inventory which clients rely on Oracle EBS (or third-party providers who do), confirm the October 2025 CPU is in place, and advise customers to treat any pre-patch exposure as a possible compromise requiring credential resets and targeted log review.

.\ Source shelf: Oracle CVE-2025-61882 alert · BleepingComputer on WaPo · TechRadar Pro on GlobalLogic


.\ Operation Endgame 3.0 seizes 1,025 servers behind Rhadamanthys, VenomRAT and Elysium

Law enforcement, led by Europol and Eurojust, ran another phase of Operation Endgame between November 10 and 13, dismantling infrastructure tied to the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet. Authorities say they seized or disrupted 1,025 servers, took over 20 domains, and arrested the alleged VenomRAT developer in Greece, with evidence of access to more than 100,000 cryptocurrency wallets and hundreds of thousands of infected systems. This follows earlier Endgame activity in May that hit loaders and ransomware-adjacent infrastructure, continuing a long-running whack-a-mole with the crimeware supply chain. For MSPs, this is a brief tailwind, not a safety blanket: assume Rhadamanthys-style stealer logs are already in circulation, treat any credential reused across tenants as burned, and use the takedown as an excuse to push customers toward phishing-resistant MFA, password managers, and regular credential rotation.

.\ Source shelf: Europol Endgame release · TechCrunch coverage · Reuters report


.\ Ops Bench

Windows, WatchGuard, Fortinet: treat KEV dates as your patch SLO. CISA’s KEV catalog now includes Microsoft’s kernel race condition CVE-2025-62215 and WatchGuard’s Firebox VPN bug CVE-2025-9242, both with December 3 remediation deadlines, plus Fortinet FortiWeb’s path traversal CVE-2025-64446 with a tighter November 21 date. Use those as hard targets for your patch calendar: export KEV-mapped assets from your RMM, sort by internet exposure and privilege level, and track completion the way you’d track an expiring SSL cert — loudly.
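The KEV-to-patch-calendar step, as an added example and not the newsletter's own tooling: a Python script that reads a feed excerpt in the shape of CISA's published KEV JSON (the field names cveID, vendorProject, product, dueDate and knownRansomwareCampaignUse are the real ones; the entries are constructed from the due dates quoted above), joins it against a made-up RMM export of hosts with open CVEs, and orders the work by days to deadline, then internet exposure, then an assumed blast-radius weight per role. The hostnames, role weights and the placeholder CVE-0000-0000 are all constructed.

```python
"""Added example (not the newsletter's tooling): turn CISA KEV due dates into a
ranked patch queue. Field names in the feed excerpt are the real KEV JSON ones;
the entries, host records and role weights below are constructed."""
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt shaped like CISA's KEV feed (due dates as quoted above).
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-62215", "vendorProject": "Microsoft", "product": "Windows",
   "dueDate": "2025-12-03", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-9242", "vendorProject": "WatchGuard", "product": "Firebox",
   "dueDate": "2025-12-03", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-64446", "vendorProject": "Fortinet", "product": "FortiWeb",
   "dueDate": "2025-11-21", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed RMM/scanner export: one record per host with its open CVE ids.
# CVE-0000-0000 is a placeholder for a finding that is NOT in KEV.
ASSETS = [
    {"hostname": "waf-prod-01", "internet_facing": True, "role": "edge_gateway",
     "open_cves": ["CVE-2025-64446"]},
    {"hostname": "fw-edge-01", "internet_facing": True, "role": "edge_gateway",
     "open_cves": ["CVE-2025-9242"]},
    {"hostname": "rds-01", "internet_facing": True, "role": "server",
     "open_cves": ["CVE-2025-62215"]},
    {"hostname": "dc-01", "internet_facing": False, "role": "domain_controller",
     "open_cves": ["CVE-2025-62215"]},
    {"hostname": "ws-0417", "internet_facing": False, "role": "workstation",
     "open_cves": ["CVE-2025-62215", "CVE-0000-0000"]},
]

# Assumed blast-radius weight per role; higher patches earlier on a tie.
ROLE_WEIGHT = {"edge_gateway": 3, "domain_controller": 3, "hypervisor": 3,
               "server": 2, "workstation": 1}

@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    product: str
    due_date: date
    ransomware_use: bool

@dataclass(frozen=True)
class WorkItem:
    hostname: str
    cve_id: str
    due_date: date
    days_left: int  # negative once the KEV deadline has passed
    internet_facing: bool
    role: str
    ransomware_use: bool

def load_kev(feed_json: str) -> dict:
    """Parse a KEV feed document into a dict keyed by CVE id."""
    return {
        v["cveID"]: KevEntry(
            cve_id=v["cveID"], product=f'{v["vendorProject"]} {v["product"]}',
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse") == "Known")
        for v in json.loads(feed_json)["vulnerabilities"]
    }

def build_patch_queue(assets: list, kev: dict, today: date) -> list:
    """Join open findings against KEV and sort: soonest deadline first, then
    internet-facing, then role weight, then known ransomware use."""
    items = []
    for asset in assets:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: normal cadence, not the SLO queue
            items.append(WorkItem(
                hostname=asset["hostname"], cve_id=cve, due_date=entry.due_date,
                days_left=(entry.due_date - today).days,
                internet_facing=asset["internet_facing"], role=asset["role"],
                ransomware_use=entry.ransomware_use))
    items.sort(key=lambda w: (w.days_left, not w.internet_facing,
                              -ROLE_WEIGHT.get(w.role, 0), not w.ransomware_use,
                              w.hostname))
    return items

def overdue(queue: list) -> list:
    """Items whose KEV due date has already passed: the ones to escalate."""
    return [w for w in queue if w.days_left < 0]

def queue_as_of(today_iso: str) -> list:
    """The sample queue as it would look on a given ISO date."""
    return build_patch_queue(ASSETS, load_kev(KEV_FEED_JSON),
                             date.fromisoformat(today_iso))

if __name__ == "__main__":
    for w in queue_as_of("2025-11-15"):
        flag = "OVERDUE" if w.days_left < 0 else f"{w.days_left}d"
        print(f"{flag:>8} due {w.due_date} {w.cve_id:<15} {w.hostname:<12} {w.role}")
```

Run against the real feed, swap `KEV_FEED_JSON` for the downloaded catalog and `ASSETS` for your RMM's per-host CVE export; the sort key is the policy, so an MSP that wants ransomware-flagged entries ahead of everything else moves `not w.ransomware_use` to the front of the tuple. The `overdue` list is what should page someone.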

.\ Source shelf: CISA KEV alert on three new vulns · NVD on CVE-2025-62215 · NVD on CVE-2025-64446

Cisco ASA/Firepower: “patched” might not mean safe. CISA issued updated implementation guidance for its emergency directive on Cisco ASA and Firepower devices, after finding agencies that thought they were compliant but still exposed to actively exploited CVE-2025-20333 and CVE-2025-20362. If you manage Cisco firewalls, re-check that customers are on the specific fixed trains Cisco calls out, confirm web VPN services were restarted or disabled per guidance, and perform at least basic compromise checks (unexpected config changes, odd processes, disabled logging) on systems that were internet-facing during the vulnerable window.

.\ Source shelf: CISA emergency directive guidance · Cisco ASA/FTD background · TechRadar Pro summary

Ransomware runbooks: add hypervisors, WAFs, and VPNs to “assume owned.” Between Akira’s Nutanix targeting, Oracle EBS exploitation, and KEV additions for WatchGuard and FortiWeb, a realistic ransomware runbook now has to assume hypervisors, WAFs, and VPN gateways can all be initial access and blast-radius multipliers. Update your incident playbooks so that a suspected ransomware event automatically triggers checks (and if needed, rebuilds) on these tiers, not just file servers and domain controllers, and make sure your backup/DR designs don’t share trust with the devices that protect them.

.\ Source shelf: Akira ransomware advisory · Oracle EBS CVE-2025-61882 alert · CISA KEV catalog


Phew! If you made it this far, then I want to thank you for joining me on the first edition and hope that I am lucky enough to have you back next week!

May you have a wonderful week ahead!