November 17, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro
00:42 [VULNERABILITY] FortiWeb Zero-Day Vulnerability (CVE-2025-64446) Exploited to Create Admin Accounts
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
02:03 [PATCHING] Microsoft Patch Tuesday Addresses 68 Issues, One Zero-Day
Microsoft has fixed 68 vulnerabilities in November’s patch cycle and Microsoft Edge releases.
03:00 [MALWARE] DANABOT Capability Updates
DANABOT developers recently announced on their Telegram channel that the malware has undergone a complete code revision, which they claim makes it "4 times faster and more stable." This follows a quiet period after Operation Endgame, which saw law enforcement actions shut down many popular information stealers and other malware families.
04:15 [MALWARE] Operation Endgame Updates
Europol have announced that the latest phase of Operation Endgame has taken place, coordinated from their headquarters in The Hague. They noted that "the actions targeted one of the biggest infostealers RHADAMANTHYS, the Remote Access Trojan VENOMRAT, and the botnet ELYSIUM, all of which played a key role in international cybercrime."
05:07 [VULNERABILITY] New Open Source Vulnerabilities Released
A critical vulnerability with a CVSS 3.1 score of 9.8 in the popular expr-eval JavaScript library has been disclosed. The library is used to parse user-supplied mathematical expressions at runtime, for example in online calculators or financial tools, and is also used in Natural Language Processing (NLP) applications; it is downloaded from NPM over 800,000 times a week.
07:28 [RANSOMWARE] Visual Studio Code “Vibe-Coded” Ransomware
A malicious Visual Studio Code extension called “susvsex” was found in the official Visual Studio Marketplace. Secure Annex founder John Tuckner identified the extension, which possesses basic ransomware and data-stealing capabilities.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder