TLDR Security — Saturday, November 23, 2025


Running a little late this week due to the fam, but the attackers weren’t, so let’s catch up. A handful of bugs turned into “drop what you’re doing” moments, and a few vendors reminded us why weekends are for patching, not resting.


.\ Fortinet FortiWeb zero-day is being actively exploited — yes, again

Fortinet spent the week proving that WAFs can absolutely become “exposed critical infrastructure.” CVE-2025-64446, a path-traversal flaw that leads straight to admin-level command execution, is now under active exploitation. CISA shoved it into the KEV catalog with a seven-day countdown, which is Washington-speak for “why isn’t this patched already?” If you manage FortiWeb for clients, assume compromise until proven otherwise: update firmware, rotate creds, check for surprise admin users, and yank public management access if you haven’t already. When your WAF can be breached with a GET request, it’s not a WAF — it’s a welcome mat.

.\ Source shelf: Cybersecurity Dive · The Record · Dark Reading


.\ Chrome zero-day: visit the wrong site, lose your browser

Google quietly pushed an emergency patch for CVE-2025-13223, a V8 type-confusion flaw already weaponized in the wild. If attackers can run code by getting someone to visit a link, that’s not a browser — it’s a suggestion box. Make sure managed fleets are on Chrome 142.0.7444.175/.176 or later. MSPs should also double-check policies for auto-updates (you’d be shocked how many “we thought Chrome updates itself” environments exist). If you have kiosks, labs, POS terminals, or any “special-case” browsers, treat them like they’re dangling over a shark tank.

.\ Source shelf: Malwarebytes · DIESEC summary


.\ 7-Zip exploited in the wild — the world’s favorite ZIP tool becomes an attack vector

When 7-Zip is the headline, you know it’s been a weird week. CVE-2025-11001 abuses symbolic links inside ZIP files to escape extraction directories and plant files wherever the attacker chooses. If you’re thinking “we only use 7-Zip for random downloads,” that’s exactly the problem. Automated extraction workflows, RMM scripts, ticketing attachments, even update pipelines are all affected. Patch to version 25.00 or later and run extra scrutiny on any machine doing unattended archive extraction. A ZIP file should not be able to redecorate your filesystem.
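As an added illustration (not code from the newsletter or any cited source), here is a pre-extraction check in Python for the unattended workflows mentioned above: it flags entry names that traverse out of the target directory, symlink entries whose target lands outside it, and later entries that would be written through such a link. The extraction root `/srv/extract` and the archive contents are constructed for the demo.

```python
import io
import posixpath
import stat
import zipfile

def _escapes(root: str, rel: str) -> bool:
    # True when rel, joined to root and normalised, no longer sits under root.
    full = posixpath.normpath(posixpath.join(root, rel))
    return rel.startswith("/") or posixpath.commonpath([root, full]) != root

def audit_zip(data: bytes, root: str = "/srv/extract") -> list[str]:
    """List entries that would land outside `root` on extraction. Symlink
    entries seen so far are tracked so that a later file written *through*
    a link (the pattern described above) is flagged too."""
    root = posixpath.normpath(root)
    findings, links = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes(root, name):
                findings.append(f"{name}: path traversal in entry name")
            elif stat.S_ISLNK(info.external_attr >> 16):  # Unix mode = high 16 bits
                target = zf.read(info).decode()
                links.add(name)
                # Resolve the link relative to its own directory inside root.
                resolved = posixpath.join(posixpath.dirname(name), target)
                if _escapes(root, resolved):
                    findings.append(f"{name}: symlink -> {target} escapes {root}")
            else:
                # Any path prefix that is a symlink means the write is redirected.
                parts = name.split("/")
                for i in range(1, len(parts)):
                    prefix = "/".join(parts[:i])
                    if prefix in links:
                        findings.append(f"{name}: written through symlink {prefix}")
                        break
    return findings

def build_sample() -> bytes:
    # Constructed sample, not a real malicious archive: a traversal name, a
    # symlink out of the tree, then a file written through that symlink.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign\n")
        zf.writestr("../escape.txt", "planted\n")
        link = zipfile.ZipInfo("cfg")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../etc")
        zf.writestr("cfg/planted.conf", "planted\n")
    return buf.getvalue()

if __name__ == "__main__":
    for line in audit_zip(build_sample()):
        print(line)
```

Run this over attachments before an RMM or ticketing script hands them to the extractor; a non-empty result is a reason to quarantine the archive rather than extract it.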

.\ Source shelf: SecurityWeek · Cybernews


.\ Oracle Identity Manager zero-day gives attackers the keys to the kingdom

Oracle Identity Manager has a new gift for defenders: CVE-2025-61757, an unauthenticated remote-code-execution flaw that CISA says is being exploited. Identity platforms are not the kind of systems you want compromised unless you enjoy rebuilding every account, MFA profile, and SSO chain by hand. MSPs supporting enterprise identity: patch immediately, audit logs for privilege changes, and consider forced password resets for impacted orgs. IAM compromise is the cybersecurity equivalent of termites — if you see one sign, assume the whole structure needs inspection.

.\ Source shelf: Cyberpress


.\ Ops Bench (for MSPs)

Fortinet KEV deadlines are not optional homework. Treat CVE-2025-64446 as a sprint, not a jog. Inventory every FortiWeb device, patch, rotate creds, and scan configs for tampering. Don’t trust what you can’t verify.

.\ Source shelf: The Record

Chrome & 7-Zip: the “boring tools” are now entry points. These two bugs turning up exploited in the same week is a reminder that anything running code — even utilities — deserves patch discipline. Don’t leave software gaps wide open just because they’re “not servers.”

.\ Source shelf: Malwarebytes · SecurityWeek

Identity systems need dedicated monitoring. If you manage IAM for customers, stop treating it like “just another app.” Add explicit log-review tasks, alerting around privilege spikes, and mandatory patch verification. Identity is the blast radius multiplier.

.\ Source shelf: Cyberpress


Thanks for running late with me this week. I hope everyone has a wonderful holiday, and fingers crossed for more of a silent work week!