Executive Summary
In November 2025, a sharp 69% drop in reported critical vulnerabilities masked a surge in the intensity of exploitation campaigns. Threat intelligence from Recorded Future revealed 10 high-risk CVEs—including two critical Fortinet FortiWeb flaws—actively targeted by threat actors. Notably, the LANDFALL spyware campaign weaponized Samsung's image processing vulnerability for zero-click remote attacks, while seven of ten vulnerabilities had public proof-of-concept code released. Vulnerabilities included OS command injection, out-of-bounds writes, access control failures, and issues affecting major vendors such as Microsoft, Oracle, and Google.
The month's data shows attackers concentrating on fewer but far more impactful vulnerabilities, favoring quality over quantity in exploitation. Security teams must adapt by maintaining vigilance even during perceived lulls and prioritizing fast patching, advanced monitoring, and comprehensive exposure management to counter rapidly evolving threats.
Why This Matters Now
Despite a drop in overall vulnerability volume, November 2025 demonstrated that active exploitation continues at pace—especially for internet-facing applications. With widespread proof-of-concept code and critical bugs in key platforms like Fortinet, Samsung, and Microsoft, organizations face urgent exposure risks requiring immediate remediation and enhanced monitoring.
Attack Path Analysis
Attackers exploited unpatched, internet-exposed FortiWeb appliances (CVE-2025-64446, a relative path traversal that lets unauthenticated requests reach administrative functions, and CVE-2025-58034, an OS command injection) and the Samsung image-processing flaw (CVE-2025-21042, triggered by a malicious DNG image delivered through messaging apps) for initial compromise. On FortiWeb the traversal bypassed authentication and yielded administrative control of the appliance; on Samsung devices the image parser executed attacker code with no user interaction. From compromised devices, attackers could pivot laterally across network segments and workloads, leveraging network weaknesses. Command and control was established via outbound traffic to adversary infrastructure, likely over encrypted channels or covert protocols. Exfiltration occurred through data and session exports, while impact was realized through persistent device compromise, potential data loss, and broader business disruption.
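The FortiWeb entry point described above is a relative path traversal, a pattern that shows up directly in web-server access logs. The detection routine below is an added example written for this page, not FortiWeb's or Fortinet's code: it normalises each request path (bounded repeated percent-decoding, so a double-encoded `%252e%252e` collapses to `..`), flags any request whose path contains a literal `..` segment, and runs over constructed sample log lines. The log format, IP addresses and API paths are illustrative assumptions, not FortiWeb's real endpoints; adapt the regex to the appliance's own log schema.

```python
import re
from urllib.parse import unquote

# Apache/nginx-style access log line (constructed format; adapt to the appliance's log schema).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str, max_decode_rounds: int = 3) -> str:
    """Reduce a request target to the path a server would actually resolve.

    Percent-decoding is repeated (bounded) so that double-encoded sequences
    such as %252e%252e collapse to '..'; backslashes and repeated slashes are
    folded so that segment comparison is reliable.
    """
    path = raw.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return re.sub(r"/{2,}", "/", path)


def has_traversal(raw_path: str) -> bool:
    """True when any path segment is exactly '..'.

    Segment-level matching avoids false positives on names that merely contain
    two dots (e.g. 'app..min.js'). Browsers normalise '..' before sending, so a
    dot-dot segment arriving at the server is itself a strong signal.
    """
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def scan_access_log(lines):
    """Return one record per request whose path contains a traversal segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        if has_traversal(raw):
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "raw_path": raw,
                "normalized": normalize_path(raw),
            })
    return hits


# Constructed sample log lines; the API paths are illustrative, not FortiWeb's real endpoints.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Nov/2025:03:14:07 +0000] "GET /api/v1/devices/status HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Nov/2025:03:14:09 +0000] "POST /api/v1/devices/../../../../admin/users HTTP/1.1" 200 87',
    '203.0.113.9 - - [12/Nov/2025:03:20:41 +0000] "POST /api/v1/devices/%2e%2e/%2e%2e/admin/users HTTP/1.1" 200 87',
    '203.0.113.9 - - [12/Nov/2025:03:20:45 +0000] "GET /api/v1/devices/%252e%252e/%252e%252e/admin/users?x=1 HTTP/1.1" 403 0',
    '192.0.2.77 - - [12/Nov/2025:03:22:00 +0000] "GET /static/app..min.js HTTP/1.1" 200 40960',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        # A 2xx on a traversal path means the request reached something; triage those first.
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['status']} "
              f"{hit['raw_path']} -> {hit['normalized']}")
```

Run against the constructed lines, the routine flags the three traversal attempts (plain, single-encoded and double-encoded) and leaves the `app..min.js` request alone. Pair the status code with the verdict: a traversal path answered with 200 on an appliance that should have required authentication is the record to escalate.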
Kill Chain Progression
Initial Compromise
Description
Attackers remotely exploited unpatched FortiWeb (relative path traversal/OS command injection) or Samsung image flaws to gain unauthorized access to public-facing assets.
Related CVEs
CVE-2025-21042
CVSS 8.8
An out-of-bounds write vulnerability in Samsung's image processing library allows remote code execution via malicious DNG image files.
Affected Products:
Samsung Galaxy S22 – Android 13, Android 14, Android 15
Samsung Galaxy S23 – Android 13, Android 14, Android 15
Samsung Galaxy S24 – Android 13, Android 14, Android 15
Samsung Galaxy Z Fold4 – Android 13, Android 14, Android 15
Samsung Galaxy Z Flip4 – Android 13, Android 14, Android 15
Exploit Status:
Exploited in the wild
References:
https://techcrunch.com/2025/11/07/landfall-spyware-abused-zero-day-to-hack-samsung-galaxy-phones/
https://www.tomsguide.com/computing/malware-adware/samsung-phones-infected-with-landfall-spyware-through-whatsapp-images-what-you-need-to-know
https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-november-10-2025
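CVE-2025-21042 belongs to a bug class in which an image parser trusts attacker-controlled counts and offsets inside the file. DNG is a TIFF container, so its structure is a chain of IFDs made of 12-byte entries, each carrying a field type, a count and either an inline value or an offset to out-of-line data. The validator below is an added example written for this page; it is not Samsung's parser and not a description of the actual flaw, whose root cause the page does not give. It walks the IFD chain and rejects any count or offset that would reach past the end of the buffer, as well as IFD pointer loops, and exercises itself against constructed samples (a minimal DNG header, one with an oversized field count, one with a self-referencing IFD pointer) built by a `build_tiff` helper that is likewise part of the example.

```python
import struct

# Byte width of each TIFF field type (TIFF 6.0 types 1-12 plus the BigTIFF/DNG additions).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8,
              13: 4, 16: 8, 17: 8, 18: 8}
DNG_VERSION_TAG = 50706  # DNGVersion; its presence marks a TIFF container as DNG


class MalformedImage(ValueError):
    """Raised when a count or offset would make a naive parser read or write out of bounds."""


def validate_tiff_structure(data: bytes, max_ifds: int = 64) -> dict:
    """Walk the IFD chain of a TIFF/DNG container, rejecting anything that overruns the buffer.

    Every attacker-controlled value (first-IFD offset, entry count, per-entry count
    and offset, next-IFD pointer) is checked against len(data) before it is used.
    """
    size = len(data)
    if size < 8:
        raise MalformedImage("header truncated")
    order = data[:2]
    if order == b"II":
        end = "<"
    elif order == b"MM":
        end = ">"
    else:
        raise MalformedImage("bad byte-order marker")
    magic, offset = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise MalformedImage("not a classic TIFF container")

    seen, tags, ifd_count = set(), {}, 0
    while offset != 0:
        if offset in seen:
            raise MalformedImage("IFD chain loops")
        if ifd_count >= max_ifds:
            raise MalformedImage("too many IFDs")
        if offset + 2 > size:
            raise MalformedImage(f"IFD offset {offset} outside file of {size} bytes")
        seen.add(offset)
        ifd_count += 1
        n = struct.unpack_from(end + "H", data, offset)[0]
        ifd_end = offset + 2 + 12 * n + 4
        if ifd_end > size:
            raise MalformedImage(f"IFD at {offset} declares {n} entries but file ends at {size}")
        for i in range(n):
            e = offset + 2 + 12 * i
            tag, typ, count = struct.unpack_from(end + "HHI", data, e)
            tsize = TYPE_SIZES.get(typ)
            if tsize is None:
                raise MalformedImage(f"tag {tag}: unknown field type {typ}")
            nbytes = count * tsize  # Python ints cannot overflow; in C this product needs its own check
            if nbytes > 4:  # value does not fit inline, so the 4-byte field is an offset
                voff = struct.unpack_from(end + "I", data, e + 8)[0]
                if voff + nbytes > size:
                    raise MalformedImage(f"tag {tag}: {nbytes} bytes at {voff} exceed file of {size} bytes")
            tags[tag] = (typ, count)
        offset = struct.unpack_from(end + "I", data, ifd_end - 4)[0]
    return {"byte_order": order.decode(), "ifds": ifd_count,
            "is_dng": DNG_VERSION_TAG in tags, "tags": sorted(tags)}


def is_well_formed(data: bytes) -> bool:
    """Boolean wrapper suitable for a gateway pre-filter on inbound DNG attachments."""
    try:
        validate_tiff_structure(data)
        return True
    except MalformedImage:
        return False


def build_tiff(entries, byte_order=b"II") -> bytes:
    """Assemble a single-IFD TIFF from (tag, type, count, value-or-offset bytes) tuples.

    Constructed test data only; no real image payload is included.
    """
    end = "<" if byte_order == b"II" else ">"
    ifd = struct.pack(end + "H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack(end + "HHI", tag, typ, count) + value.ljust(4, b"\0")[:4]
    ifd += struct.pack(end + "I", 0)  # no further IFDs
    return byte_order + struct.pack(end + "HI", 42, 8) + ifd


# Constructed samples: a minimal well-formed DNG header ...
VALID_DNG = build_tiff([
    (256, 4, 1, struct.pack("<I", 64)),              # ImageWidth
    (257, 4, 1, struct.pack("<I", 48)),              # ImageLength
    (DNG_VERSION_TAG, 1, 4, bytes([1, 4, 0, 0])),    # DNGVersion 1.4.0.0
])
# ... one whose ImageDescription (tag 270, ASCII) claims 2 GiB of data at offset 8 ...
OOB_COUNT_DNG = build_tiff([
    (270, 2, 0x7FFFFFFF, struct.pack("<I", 8)),
    (DNG_VERSION_TAG, 1, 4, bytes([1, 4, 0, 0])),
])
# ... and one whose next-IFD pointer points back at the IFD itself.
LOOPING_DNG = VALID_DNG[:-4] + struct.pack("<I", 8)

if __name__ == "__main__":
    for name, blob in [("valid", VALID_DNG), ("oob-count", OOB_COUNT_DNG), ("loop", LOOPING_DNG)]:
        try:
            print(name, validate_tiff_structure(blob))
        except MalformedImage as exc:
            print(name, "REJECTED:", exc)
```

The oversized-count sample is the shape of input that turns a `memcpy` sized from the file's own count field into an out-of-bounds write in a native decoder; the check `voff + nbytes > size` is what a hardened parser must perform before touching the data. Structural validation of this kind does not replace the vendor patch (a decoder can still fail on well-formed input) but gives a gateway a cheap reason to quarantine obviously malformed attachments.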
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation of Remote Services
Create Account
Process Injection
Exploitation for Privilege Escalation
Execute a Command and Control Payload
Abuse Elevation Control Mechanism
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Patch Management and Vulnerability Remediation
Control ID: 6.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Identity and Access Management Controls
Control ID: Identity Pillar: Least Privilege/Segmentation
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Critical infrastructure vulnerabilities in Fortinet FortiWeb and Microsoft Windows systems directly impact security providers' ability to protect clients from exploitation campaigns.
Financial Services
Banking systems face elevated risk from OS command injection and authentication bypass vulnerabilities, requiring immediate patching to maintain PCI compliance.
Government Administration
Public sector entities running affected Fortinet, Microsoft, and Oracle systems are exposed to advanced persistent threat exploitation campaigns, and their Samsung device fleets are exposed to LANDFALL spyware.
Health Care / Life Sciences
Healthcare organizations must urgently patch affected systems to maintain HIPAA compliance and protect patient data from zero-click mobile attacks.
Sources
- November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October. https://www.recordedfuture.com/blog/november-2025-cve-landscape
- 'Landfall' spyware abused zero-day to hack Samsung Galaxy phones. https://techcrunch.com/2025/11/07/landfall-spyware-abused-zero-day-to-hack-samsung-galaxy-phones/
- Samsung phones infected with 'Landfall' spyware through WhatsApp images: what you need to know. https://www.tomsguide.com/computing/malware-adware/samsung-phones-infected-with-landfall-spyware-through-whatsapp-images-what-you-need-to-know
- Cyware Daily Threat Intelligence, November 10, 2025. https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-november-10-2025
Cloud Native Security Fabric (CNSF) Mitigations and Controls
The attack lifecycle could have been significantly constrained by enforcing Zero Trust segmentation, east-west and egress security, real-time anomaly detection, and encrypted traffic controls, all available via CNSF-aligned capabilities. These controls would block initial exploit ingress, restrict internal propagation, disrupt outbound C2, and detect attempts at privilege escalation and exfiltration.
Control: Cloud Firewall (ACF)
Mitigation: Blocking of unauthorized inbound exploit attempts.
Control: Zero Trust Segmentation
Mitigation: Limiting privilege escalation opportunities to only authorized identity contexts.
Control: East-West Traffic Security
Mitigation: Prevention and detection of unauthorized internal movement.
Control: Egress Security & Policy Enforcement
Mitigation: Disruption of outbound C2 and data channels.
Control: Threat Detection & Anomaly Response
Mitigation: Detection and rapid response to abnormal data flows; containment and rapid remediation of compromised workloads.
Impact at a Glance
Affected Business Functions
- Mobile Communications
- Data Security
- User Privacy
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive user data including photos, messages, contacts, and call logs due to spyware infection.
Recommended Actions
Key Takeaways & Next Steps
- Immediately patch all public-facing appliances and review remote API exposures.
- Enforce zero trust segmentation to limit lateral movement and reduce excessive privileges internally.
- Deploy robust egress filtering to block C2, data theft, and outbound exploits.
- Enable real-time threat detection, anomaly response, and logging for early breach visibility.
- Utilize east-west traffic security and cloud firewall controls for comprehensive attack surface reduction.