Cyber Security Weekly Briefing, 8-14 November
Microsoft update fixes 0-day vulnerability in Windows kernel
Microsoft has released security updates for Patch Tuesday in November 2025, addressing a total of 63 vulnerabilities in its products. Among them is CVE-2025-62215 (CVSSv3 7.1 according to the vendor), a 0-day vulnerability in the Windows kernel that allowed privilege escalation to SYSTEM level through an actively exploited race condition.
The flaw, attributed to the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), has already been fixed. Of the total, 29 flaws correspond to privilege escalation, 16 to remote code execution, 11 to information disclosure, three to denial of service, two to security feature bypass, and two to impersonation. Four vulnerabilities were classified as critical, including two remote execution vulnerabilities.
This update also marks the start of the Extended Security Update (ESU) program for Windows 10, aimed at organizations that have not yet migrated to Windows 11, accompanied by an out-of-band patch to resolve errors in the ESU enrollment process.
GlassWorm malware returns to OpenVSX with three new VSCode extensions
After the initial GlassWorm incident was declared under control on 21 October 2025, a new wave of infections was detected on 6 November, compromising three additional OpenVSX extensions and affecting some 10,000 installations.
This self-propagating worm, which hides its malicious code with invisible Unicode characters, continues to use the Solana blockchain to update its command and control (C2) servers, demonstrating the resilience of its infrastructure. Koi Security researchers managed to access one of the attacker's servers, discovering a partial list of victims in the United States, South America, Europe, Asia, and a government entity in the Middle East, as well as data suggesting that the attacker is Russian-speaking and uses the RedExt infrastructure.
It was also confirmed that GlassWorm has jumped to GitHub repositories, where it spreads through seemingly legitimate AI-generated commits, using stolen credentials to insert its malicious payload.
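As an added illustration of the detection side of the invisible-Unicode trick (example code written here, not from the briefing or from Koi Security's research): a small Python scanner that flags runs of zero-width, bidi, variation-selector and Tags-block code points in a source file. The range list and the sample extension file are constructed assumptions; the briefing does not state which characters GlassWorm actually uses.

```python
from typing import Dict, List, Tuple

# Code-point ranges that render as nothing (or nearly nothing) in an editor.
# Assumption: the briefing does not list GlassWorm's exact characters; this
# constructed set covers the usual candidates a reviewer would want flagged.
INVISIBLE_RANGES: List[Tuple[int, int]] = [
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM/RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embeddings/overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space
    (0xE0000, 0xE007F),  # Unicode Tags block
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def scan_source(text: str, min_run: int = 4) -> List[Dict]:
    """Report runs of consecutive invisible code points, per line.

    A lone BOM or bidi mark is noise; a run of several invisible characters
    embedded in otherwise plain code is what hidden text looks like, so runs
    shorter than min_run are dropped.
    """
    findings: List[Dict] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        run_start, run_len = None, 0
        for col, ch in enumerate(line + "\n"):  # newline sentinel flushes a trailing run
            if is_invisible(ch):
                run_start = col if run_start is None else run_start
                run_len += 1
                continue
            if run_start is not None and run_len >= min_run:
                cps = line[run_start:run_start + run_len]
                findings.append({"line": line_no, "col": run_start, "length": run_len,
                                 "codepoints": [f"U+{ord(c):04X}" for c in cps]})
            run_start, run_len = None, 0
    return findings

# Constructed sample: an innocuous-looking extension file with 12 Tags-block
# characters hidden after the semicolon on line 3 (each byte mapped to U+E00xx).
HIDDEN = "".join(chr(0xE0000 + b) for b in b"hidden code!")
SAMPLE_JS = ("const vscode = require('vscode');\n"
             "function activate(context) {\n"
             f"  console.log('ready');{HIDDEN}\n"
             "}\n"
             "module.exports = { activate };\n")

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f['line']} col {f['col']}: {f['length']} invisible code points {f['codepoints'][:4]}...")
```

Run it over the files of an extension before installing or updating it; anything it reports deserves a look with a hex viewer, since the editor will show nothing at that position.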
Multiple critical vulnerabilities in Firefox allow remote code execution
On November 11, 2025, the Mozilla Foundation issued three security advisories that fix 16 vulnerabilities in Firefox 145 and ESR versions 115.30 and 140.5. Twelve of them were classified as high impact, allowing arbitrary code execution and sandbox evasion without user interaction.
Among the most serious flaws are those identified as CVE-2025-13023 and CVE-2025-13026, which allow escape from the browser's isolation environment. Other vulnerabilities affect WebGPU components, the JavaScript engine, and the graphics module, exposing a wide attack vector. In addition, multiple Same-Origin Policy bypass flaws and race conditions were identified.
ESR versions include memory security patches relevant to corporate environments. Mozilla recommends immediately updating to the latest versions to mitigate remote exploitation risks.
The new LANDFALL spyware exploited a 0-day vulnerability in Samsung devices via WhatsApp messages
Researchers at Unit 42 discovered LANDFALL, a family of commercial spyware for Android that exploited a zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library. This flaw allowed malicious code to be executed through manipulated DNG files sent via WhatsApp, without user interaction (zero-click). Active since mid-2024, LANDFALL performed comprehensive espionage: audio recording, location tracking, and theft of photos, contacts and call logs, mainly against targets in the Middle East.
The malware was specifically designed for Galaxy S22, S23, S24, Z Flip4 and Fold4 devices, and used C2 servers disguised under legitimate domains. In addition, it shared infrastructure and techniques with commercial spyware operators such as Stealth Falcon and Variston, although without direct attribution.
Samsung fixed the vulnerability in April 2025, and another related vulnerability (CVE-2025-21043) in September.
Critical Cisco UCCX flaws let attackers run commands as root
Cisco has issued an alert about two critical vulnerabilities in its Unified Contact Centre Express (CCX) platform, identified as CVE-2025-20354 (CVSSv3 9.8, according to the manufacturer) and CVE-2025-20358 (CVSSv3 9.4, according to the manufacturer). Both flaws, originating in the Java Remote Method Invocation (RMI) process and the CCX Editor, are due to deficiencies in authentication mechanisms, which could allow unauthenticated remote attackers to upload malicious files, execute arbitrary code, and escalate privileges to root level.
In addition, these vulnerabilities make it possible to bypass authentication controls and create or execute scripts with administrative permissions, seriously compromising system security. As there are no workarounds, Cisco recommends immediately updating to the fixed versions (12.5 SU3 ES07 and 15.0 ES01).
Finally, the Cisco Product Security Incident Response Team (PSIRT) noted that there is no evidence of active exploitation at this time, but warns of the critical importance of applying the available mitigations.