
This week’s big moves: Microsoft patched an actively exploited Windows kernel zero‑day, CISA added Fortinet FortiWeb CVE‑2025‑64446 to the KEV (evidence of in‑the‑wild exploitation), and the Akira ransomware crew expanded to encrypt Nutanix AHV VMs. Treat hypervisors, backup infrastructure, and edge devices as Tier‑0 assets and make sure your patching and monitoring plans reflect that.

🚨 Top Stories

Microsoft Patch Tuesday fixes actively exploited Windows kernel 0‑day (CVE‑2025‑62215) and critical GDI+ RCE (CVE‑2025‑60724)— November Patch Tuesday ships 60+ fixes including an exploited kernel elevation‑of‑privilege bug and a critical GDI+ file‑parsing RCE. Enterprises should prioritize endpoints and servers that handle untrusted documents or sit on the edge. MSRC Release Notes

💡 Key Takeaway: Patch Windows quickly, especially high‑risk users and servers; monitor for suspicious token manipulation, LSASS access, and spikes in GDI+ parsing errors.

CISA adds Fortinet FortiWeb path traversal (CVE‑2025‑64446) to KEV— CISA’s KEV entry confirms active exploitation of a FortiWeb path traversal that lets unauthenticated attackers execute admin‑level commands. Internet‑exposed WAFs are a prime target because they sit in front of critical apps. CISA KEV Entry · Fortinet PSIRT

💡 Key Takeaway: Patch FortiWeb immediately, restrict management exposure, and review logs for suspicious requests, new admin users, or webshell‑like behavior.

Akira ransomware pivots to Nutanix AHV and edge devices— An updated #StopRansomware advisory shows Akira now encrypting Nutanix AHV VMs while leveraging SonicWall and Veeam vulnerabilities plus remote‑access tools like AnyDesk. The goal is to hit many workloads at once and knock out backups. CISA Advisory · IC3 CSA PDF

💡 Key Takeaway: Harden hypervisor management planes, isolate backup networks, and ensure you have tested offline or immutable backups for critical VMs.

🛡️ Vulnerability Spotlight

Fortinet FortiWeb path traversal / auth bypass (CVE‑2025‑64446)— Unauthenticated path traversal in FortiWeb allows crafted HTTP(S) requests to run administrative commands. As a WAF, FortiWeb often fronts sensitive apps, making compromise especially serious. Fortinet PSIRT

💡 Key Takeaway: Treat this as an incident‑ready vuln: patch, lock down access, and look for signs of exploitation (unexpected config changes, new accounts, outbound connections from the WAF itself).
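Both FortiWeb items above end with the same advice: review the appliance's logs for suspicious requests. The script below is an added example (not Fortinet's code and not part of the newsletter) of what "suspicious" means in practice for a path‑traversal bug: it parses combined‑format access‑log lines, percent‑decodes each request path until it stops changing (so single‑ and double‑encoded `..` segments are caught), resolves where the traversal would land, and ranks hits that reached a sensitive prefix and got a 2xx back. The log lines, IPs and the `/example/admin` prefix are constructed placeholders; substitute your own appliance's management paths.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Client IPs,
# timestamps and URL paths are invented for illustration; "/example/admin" is a
# placeholder for whatever management endpoints your own appliance exposes.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2025:10:01:02 +0000] "GET /static/app.css HTTP/1.1" 200 1840
203.0.113.7 - - [14/Nov/2025:10:01:09 +0000] "GET /api/../../example/admin/cli HTTP/1.1" 200 512
203.0.113.7 - - [14/Nov/2025:10:01:11 +0000] "POST /api/%2e%2e/%2e%2e/example/admin/cli HTTP/1.1" 200 77
198.51.100.3 - - [14/Nov/2025:10:02:30 +0000] "GET /docs/%252e%252e/%252e%252e/example/config HTTP/1.1" 404 0
10.0.0.9 - - [14/Nov/2025:10:03:00 +0000] "GET /reports/2025..11..summary.pdf HTTP/1.1" 200 99000
"""

# Hypothetical prefixes that must never be reachable through traversal.
SENSITIVE_PREFIXES = ("/example/admin",)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def canonicalize(raw_path, max_rounds=3):
    """Strip the query string and percent-decode until the path stops changing.
    Returns (decoded_path, rounds); rounds counts decode passes that changed
    something: 1 = encoded once, 2 = double-encoded, and so on."""
    path = raw_path.split("?", 1)[0]
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path.replace("\\", "/"), rounds


def classify_path(raw_path):
    """Return (indicator_names, resolved_path). Only a literal '..' *segment*
    counts, so a filename like '2025..11..summary.pdf' is not flagged."""
    path, rounds = canonicalize(raw_path)
    resolved = posixpath.normpath(path)  # collapses '..' the way a naive server would
    if ".." not in path.split("/"):
        return [], resolved
    reasons = ["dot-dot-segment"]
    if rounds >= 1:
        reasons.append("encoded-traversal")
    if rounds >= 2:
        reasons.append("double-encoded")
    return reasons, resolved


def analyze_access_log(text):
    """Scan log text and return one finding dict per traversal-looking request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip a malformed line rather than abort the whole file
        reasons, resolved = classify_path(m["path"])
        if not reasons:
            continue
        hits_sensitive = any(resolved.startswith(p) for p in SENSITIVE_PREFIXES)
        # Highest priority: traversal that landed on a sensitive prefix and the
        # appliance answered 2xx, i.e. it did not reject the request.
        severity = "high" if hits_sensitive and m["status"].startswith("2") else "medium"
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "raw_path": m["path"], "resolved": resolved,
            "status": int(m["status"]), "reasons": reasons, "severity": severity,
        })
    return findings


def by_source(findings):
    """Findings per client IP, to spot one source probing many paths."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = analyze_access_log(SAMPLE_LOG)
    for f in results:
        print(f["severity"], f["ip"], f["method"], f["raw_path"], "->", f["resolved"], f["reasons"])
    print(by_source(results))
```

The decode‑until‑stable loop is the part worth keeping even if you rewrite the rest: a single `unquote` misses `%252e`, and a plain substring search for `..` produces false positives on ordinary filenames. Pair the output with the takeaway's other signals (new admin accounts, config changes, outbound connections from the WAF) before declaring an incident.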

Microsoft Graphics (GDI+) RCE (CVE‑2025‑60724)— Crafted metafiles/images can trigger RCE via GDI+, impacting Windows and apps that process untrusted content. File‑scanning, DMS, and collaboration tools are particularly exposed. CrowdStrike Patch Tuesday Analysis

💡 Key Takeaway: Prioritize patching systems that automatically process or preview external files; consider temporarily tightening file‑type policies for high‑risk workflows.

Windows kernel 0‑day LPE (CVE‑2025‑62215)— An in‑the‑wild exploited kernel race condition enables SYSTEM‑level escalation once attackers have a foothold. It’s ideal for disabling EDR, dumping credentials, and lateral movement. MSRC CVE Entry

💡 Key Takeaway: Roll out patches to admin workstations, jump hosts, and VPN‑connected endpoints first, and make sure your EDR baselines for post‑exploitation behavior, not just known malware.

📊 Trend to Watch

Ransomware drops below the hypervisor— Akira’s Nutanix playbook is part of a broader trend: ransomware crews are systematically targeting hypervisors, backup platforms, and edge appliances instead of just endpoints. Once they own the virtualization layer, they can encrypt many workloads and evade some endpoint defenses. CISA Akira Update

💡 Key Takeaway: Reclassify hypervisors, backup servers, and edge devices as Tier‑0 assets. Give them the same level of patch urgency, monitoring, and IR planning you apply to domain controllers and identity systems.

🧰 Tool / Resource of the Week

Verizon 2025 Data Breach Investigations Report (DBIR)— The latest DBIR provides data‑backed insight into which attack patterns actually cause breaches across industries, from ransomware and credential abuse to web app attacks and social engineering. Verizon DBIR 2025

💡 Key Takeaway: Use DBIR stats to align your risk narrative and budget: make sure your top controls map to the top patterns hitting your sector, not just the loudest internal fears.

⚡ Quick Hits

Intel issues firmware and microcode fixes for 30+ vulnerabilities— Intel’s November updates address privilege‑escalation and disclosure flaws across CPUs, drivers, and server firmware, including a critical UEFI bug impacting data center platforms. Intel Security Center
💡 Key Takeaway: Add firmware and microcode into your regular patch cycle—an unpatched platform bug can undermine otherwise strong OS‑level defenses.

U.S. Congressional Budget Office discloses cyber incident— The CBO reported a breach that may have exposed communications with congressional offices, raising downstream phishing risks as attackers reuse content and identities. CBO Statement
💡 Key Takeaway: Train staff to treat even “trusted” .gov senders with caution; pair DMARC enforcement with layered anti‑phishing controls.
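"DMARC enforcement" is a specific state of a DNS record, and a lot of domains that believe they have it are still in monitor mode. The checker below is an added example, not the CBO's or any vendor's tooling, that evaluates a DMARC TXT record offline: it parses the tag list, confirms the `v=DMARC1` tag comes first as RFC 7489 requires, and reports the common ways a record falls short of enforcement (`p=none`, a partial `pct=`, a subdomain policy weaker than the organisational one, or no aggregate‑report address). It assumes you have already fetched the record (for example with `dig TXT _dmarc.<domain>`); the sample records for `example.gov` are constructed.

```python
ENFORCING = {"quarantine", "reject"}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records for a fictitious domain; none were looked up.
RECORDS = {
    "monitor_only":    "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "partial_rollout": "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@example.gov",
    "weak_subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.gov",
    "enforced":        "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov; ruf=mailto:forensics@example.gov",
}


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict. Keys are lower-cased; values kept verbatim."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return {'policy', 'pct', 'subdomain_policy', 'enforcing', 'issues'}.
    'enforcing' is True only when failing mail from the domain *and* its
    subdomains is quarantined or rejected 100% of the time."""
    tags = parse_dmarc(record)
    issues = []
    first_tag = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first_tag != "v=dmarc1":
        issues.append("v=DMARC1 must be the first tag; receivers will ignore this record")
        return {"policy": tags.get("p"), "pct": None, "subdomain_policy": None,
                "enforcing": False, "issues": issues}

    policy = tags.get("p")
    if policy is None:
        issues.append("missing p= tag; receivers will ignore this record")
        return {"policy": None, "pct": None, "subdomain_policy": None,
                "enforcing": False, "issues": issues}
    if policy not in STRENGTH:
        issues.append(f"unknown p={policy}; expected none, quarantine or reject")
    elif policy == "none":
        issues.append("p=none is monitor-only: spoofed mail is still delivered")

    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail receives the policy")

    sub_policy = tags.get("sp", policy)  # subdomains inherit p= unless sp= overrides
    if STRENGTH.get(sub_policy, -1) < STRENGTH.get(policy, -1):
        issues.append(f"sp={sub_policy} is weaker than p={policy}: subdomains can be spoofed")

    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")

    enforcing = policy in ENFORCING and pct == 100 and sub_policy in ENFORCING
    return {"policy": policy, "pct": pct, "subdomain_policy": sub_policy,
            "enforcing": enforcing, "issues": issues}


if __name__ == "__main__":
    for name, rec in RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name:16} enforcing={result['enforcing']}")
        for issue in result["issues"]:
            print("   -", issue)
```

Run it against your own domain and every lookalike you register; a `p=none` record protects nobody, and a `pct=10` rollout left in place for a year is the most common way "we have DMARC" turns out to be false when a vendor breach turns into a spoofing campaign.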

Ports and terminals face tougher cyber mandates— New rules from the U.S. Coast Guard and EU regulators are raising the bar on cyber requirements for ports, terminals, and associated OT environments. Kalmar Article
💡 Key Takeaway: Logistics and maritime operators should treat cyber as a core safety and continuity domain, with clear OT visibility and tested playbooks for cyber‑driven physical disruptions.

Healthcare ransomware pressure keeps climbing— Recent industry reporting shows a sharp increase in attacks on healthcare vendors and service partners, not just hospitals, magnifying systemic risk. Industrial Cyber Report
💡 Key Takeaway: Strengthen third‑party risk management for billing, claims, MSPs, and specialty providers, and build joint incident‑response expectations into contracts.

Conduent breach highlights shared‑services risk— Business services provider Conduent disclosed a breach affecting millions of individuals’ personal and health‑related data, underscoring how a single vendor can expose many downstream customers. Texas AG Notice
💡 Key Takeaway: For any shared‑services provider, press for data minimization, strong segmentation, and explicit breach‑notification and coordination clauses.

🧭 Actionable Defense Move of the Week

Run a 7‑day “virtualization & edge appliance hardening” sprint. Sequence the week to: (1) inventory and patch hypervisors, FortiWeb, SonicWall, and Veeam; (2) lock down remote‑access tools (AnyDesk, LogMeIn, TeamViewer); (3) validate offline/immutable backups for key VMs; (4) tighten access and monitoring on hypervisor and WAF management planes; and (5) add alerts for unusual VM disk activity, new admin accounts, and config changes on edge devices.

💬 Final Word

Edge devices, hypervisors, and shared‑service providers are where attackers are getting the most leverage right now. Close the gap between what you call “Tier‑0” on paper and what’s actually powering your workloads and dependencies in production—and make sure your patching and monitoring priorities reflect today’s reality, not last year’s threat model.
