Vulnerability Report - November 2025

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for November 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

The most frequently sighted vulnerability in November was CVE-2025-64446 (105 sightings), a Critical-severity vulnerability in Fortinet FortiWeb. Fortinet featured prominently, with a second FortiWeb vulnerability, CVE-2025-58034 (High severity), also in the top 10.

Other critical vulnerabilities in the top 10 include CVE-2025-59287 in Microsoft Windows Server 2019 (88 sightings) and CVE-2025-61757 in Oracle Corporation Identity Manager (67 sightings). The list also features a highly sighted vulnerability in Samsung Mobile Devices (CVE-2025-21042), a High-severity flaw in Google Chrome (CVE-2025-13223), and an older but still active vulnerability in Cisco IOS XE Software (CVE-2023-20198).

November saw 11 new entries added to the CISA Known Exploited Vulnerabilities catalog, highlighting actively exploited threats. Notable additions include:

CVE-2025-64446 and CVE-2025-58034: Fortinet FortiWeb
CVE-2025-21042: Samsung Mobile Devices
CVE-2025-13223: Google Chrome
CVE-2025-9242: A Critical vulnerability in WatchGuard Fireware OS

No new entries were added to the ENISA KEV catalog in November.

The report also details vulnerabilities that have reserved CVE IDs but have limited public information, showing early sightings detected on the internet. CVE-2023-42344 and CVE-2025-13086 were the most sighted in this category, each with 6 occurrences.

In addition, contributor insights covered topics like RCE in Agent DVR, an APT exploiting Cisco and Citrix zero-days discovered by Amazon, and the UNC6148 Backdoors utilizing the OVERSTEP Rootkit on SonicWall SMA 100 Series Devices.

Evolution of published CVE in 2025

More information.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-64446	105	Fortinet	FortiWeb	Critical (confidence: 0.9084)
CVE-2025-59287	88	Microsoft	Windows Server 2019	Critical (confidence: 0.9565)
CVE-2025-21042	86	Samsung Mobile	Samsung Mobile Devices	High (confidence: 0.9308)
CVE-2025-58034	84	Fortinet	FortiWeb	High (confidence: 0.9584)
CVE-2025-13223	84	Google	Chrome	High (confidence: 0.9675)
CVE-2023-20198	71	Cisco	Cisco IOS XE Software	High (confidence: 0.9908)
CVE-2025-61757	67	Oracle Corporation	Identity Manager	Critical (confidence: 0.9961)
CVE-2025-11001	65	7-Zip	7-Zip	High (confidence: 0.9967)
CVE-2025-1248	64	TrioFox	TrioFox	Critical (confidence: 0.4751)
CVE-2015-2051	59	dlink	dir-645	High (confidence: 0.744)

Except CVE-2025-11001, all listed vulnerabilities are in CISA.

Sightings forecast

The following visualizations represent the forecasted number of sightings for various vulnerabilities, using an adaptive model (decay or logistic growth), with vulnerabilities selected based on having a sufficient number of sightings and relatively consistent patterns.

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-48703	04/11/25	centos-webpanel	CentOS Web Panel	Critical (confidence: 0.9836)
CVE-2025-11371	04/11/25	Gladinet	CentreStack and TrioFox	Medium (confidence: 0.9575)
CVE-2025-21042	10/11/25	Samsung Mobile	Samsung Mobile Devices	High (confidence: 0.9308)
CVE-2025-9242	12/11/25	WatchGuard	Fireware OS	Critical (confidence: 0.9381)
CVE-2025-62215	12/11/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9918)
CVE-2025-12480	12/11/25	TrioFox	TrioFox	Critical (confidence: 0.4751)
CVE-2025-64446	14/11/25	Fortinet	FortiWeb	Critical (confidence: 0.9084)
CVE-2025-58034	18/11/25	Fortinet	FortiWeb	High (confidence: 0.9584)
CVE-2025-13223	19/11/25	Google	Chrome	High (confidence: 0.9675)
CVE-2025-61757	21/11/25	Oracle Corporation	Identity Manager	Critical (confidence: 0.9961)
CVE-2021-26829	28/11/25	scadabr	scadabr	Medium (confidence: 0.9951)

ENISA

No new entry in November.

Top 10 Weaknesses of the Month

Click the image for more information.

CVE reserved, but partial information has already appeared on the public internet

Sightings detected between 2025-11-01 and 2025-11-30 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2025-59396	7	Not a security vulnerability (GCVE - watchguard / firebox).
CVE-2023-42344	6	source: The Shadowserver (honeypot/common-vulnerabilities)
CVE-2025-13086	6	OpenVPN
CVE-2025-66270	5	KDE Connect
CVE-2025-11002	5	7-Zip
CVE-2025-9820	4	gnutls
CVE-2025-12686	3	BeeStation
CVE-2024-9183	2	Race condition issue in CI/CD cache impacts GitLab CE/EE
CVE-2025-13167	2	Synology
CVE-2025-13392	2	Synology
CVE-2025-13593	2	Synology
CVE-2025-13699	2	mariadb-dump Utility
CVE-2020-23125	2	Vulncheck KEV
GHSA-x697-jf34-gp5x	3	Wazuh Agent (v4.10.1)
CVE-2024-1045	1	GRUB 2
CVE-2025-36270	1	Fedora 42 Kubernetes
CVE-2025-28840	1	Fedora 42 Kubernetes
CVE-2024-24481	1	Tenda 4G03 Pro and N300 Routers
CVE-2024-59373	1	ASUS
CVE-2025-12345	1	SUSE Linux Enterprise Server (SLES) security patch
CVE-2025-13207	1	Tenda 4G03 Pro and N300 Routers
CVE-2025-13698	1	Deciso OPNsense
CVE-2025-13700	1	DreamFactory saveZipFile
CVE-2025-13703	1	VIPRE Advanced Security
CVE-2025-21140	1	Oracle Linux 8
CVE-2025-30333	1	Federal civilian agencies are failing to adequately patch vulnerable Cisco devices amid ongoing exploitation
CVE-2025-33514	1	W3 Total Cache WordPress plugin
CVE-2025-33515	1
CVE-2025-44446	1	Fortiweb
CVE-2025-52022	1	emsloyalty backend
CVE-2025-52023	1	gemscms backend
CVE-2025-52024	1	gemscms POS Platform (backend)
CVE-2025-52025	1	gemscms backend (POS platform)
CVE-2025-52026	1	gemscms backend (POS platform)
CVE-2025-58388	1	Android: Vulnerability-Lookup bundle
CVE-2025-58390	1	Android: Vulnerability-Lookup bundle
CVE-2025-58392	1	Android: Vulnerability-Lookup bundle
CVE-2025-58394	1	Android: Vulnerability-Lookup bundle
CVE-2025-58396	1	Android: Vulnerability-Lookup bundle
CVE-2025-58397	1	Android: cVulnerability-Lookup bundle
CVE-2025-593656	1	ASUS
CVE-2025-60274	1	Windows graphic component (GDI+)
CVE-2025-63721	1	HummerRisk
CVE-2025-65882	1	OpenMPTCProuter

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

eu_funded_en

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release