November 2025 Threat Report: Data Theft Leads a Volatile Ransomware Landscape

Was November 2025 a quiet month for cyber security? No, of course not. Fallout from the Oracle E-Business Suite (EBS) ransomware campaigns, which began in October, was widespread: at least 29 organizations have been claimed by the Cl0p syndicate alone, with more than 100 victims in total. These include Envoy Air (an American Airlines subsidiary), Cox Enterprises, Logitech, Harvard University, The Washington Post, Allianz UK, Schneider Electric, Mazda, Canon, the UK’s National Health Service (NHS), University of the Witwatersrand, Dartmouth College, and others. A free trial of Greenbone’s OPENVAS BASIC offers defenders access to essential cyber security capabilities. Scan your IT environment with Greenbone’s OPENVAS ENTERPRISE FEED to enjoy industry-leading coverage today.

In this month’s threat report, we review the latest emerging threats to enterprise cyber security in November 2025, including the riskiest new software vulnerabilities. Data theft and extortion are also hot topics as ransomware attacks continue to increase in 2025. New regulations and civil legal precedents are coming into play as well, increasing the potential financial costs to organizations that leak private data.

It’s Time to Talk About Data Theft Again

The May 2025 Threat Report: Hack, Rinse, Repeat reviewed how stolen data enables follow-on cyber attacks: it supplies context for targeted social engineering campaigns and reveals sensitive details about an organization’s IT infrastructure. Stolen data may also be used directly for payment card fraud or identity theft, harming the individual victims.

Every day, multiple major data breaches are disclosed globally. The Identity Theft Resource Center (ITRC) tracked 1,732 publicly reported data compromises in the first half of 2025 (≈9.6 per day) in the U.S. alone. The ENISA Threat Landscape 2025 report, released in October, tracked 4,875 incidents in the EU from July 2024 to June 2025 (≈13.4 per day). CrowdStrike’s 2025 European Threat Landscape Report states that 92% of EU-based ransomware victims were listed on a Data Leak Site (DLS) run by groups that combine encryption with data-theft extortion, while the remaining 8% were listed on the DLS of gangs that rely solely on data theft.

So where is this all going? Firstly, new EU regulations are poised to impose punitive incentives on organizations to encourage a stronger cyber security posture. DORA (the Digital Operational Resilience Act) requires financial entities to assess both their own cyber security posture and that of their third-party ICT providers. The German Bundesrat has now effectively approved the NIS 2 Implementation Act, a law that imposes financial penalties and even personal liability on the managing directors and boards of covered entities. NIS 2 enforcement is expected in late 2025 to early 2026.

The individuals impacted by data breaches are also making their voices heard. Breach-related litigation hit record levels in 2024 (≈124 new cases per month) and continued growing into 2025. In early 2025, Conduent Business Solutions announced the theft of Protected Health Information (PHI) belonging to more than 10.5 million Americans. Victims were notified in October 2025, and ten class action lawsuits have since been filed. In November, the U.S. Court of Appeals for the Fourth Circuit ruled that the public leak of driver’s license numbers online amounts to “concrete” harm, further widening the legal exposure of companies that leak data.

One way or another, the powers that be are imposing greater financial costs on organizations that fail to implement appropriate cyber security measures. As a fundamental IT security control, risk-based vulnerability management provides widespread benefits: reducing unauthorized initial access to critical IT assets, deflecting mass exploitation attacks, preventing Denial of Service (DoS) attacks, contributing to the mitigation of advanced social engineering attacks, and reducing the blast radius of a breach if one does occur.

Rogue Devices: Another Reason to Scan Your IT Infrastructure

Emerging software vulnerabilities are not the only reason to conduct continuous scans of your organization’s IT infrastructure. A recent criminal case involving Nordex, a Dutch wind farm operator, demonstrates how easily rogue devices can slip into production networks. According to the ruling, a company manager secretly connected three cryptocurrency mining rigs and two Helium network nodes to internal systems at two sites. The now convicted operator plugged miners into a substation router and hid the wireless hotspots inside wind turbines. The rogue devices were only discovered during Nordex’s recovery from a Conti-linked ransomware incident that took place in 2022.

Continuous infrastructure scanning matters: unauthorized hardware could indicate minor policy violations, but may also represent malicious insiders or external attackers who have gained unauthorized access. OPENVAS SCAN is equipped with discovery scan configurations to alert when new devices appear on a network or when critical systems are down.
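The comparison that such a discovery alert rests on, as an added example (not Greenbone or OpenVAS code): an approved asset inventory is diffed against a fresh discovery result, and unknown hardware, newly exposed services and silent critical hosts are reported. The baseline, the approved vendor-prefix list and the discovery result are constructed sample data; the port and OUI annotations are illustrative, not findings from the Nordex case.

```python
"""Compare an approved asset inventory with a fresh discovery scan and raise
alerts for rogue hardware, new services and silent critical hosts.

Added illustration, not Greenbone or OpenVAS code. The baseline, the
approved-OUI list and the discovery result are constructed sample data; in
practice they would come from an asset-management export and the output of
a discovery scan.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    ports: frozenset


def oui(mac: str) -> str:
    """First three octets of a MAC address, the vendor-assigned prefix."""
    return mac.lower()[:8]


def compare(baseline, discovered, critical_ips, approved_ouis):
    """Return (severity, message) findings, most severe first."""
    base_by_mac = {h.mac.lower(): h for h in baseline}
    seen_ips = {h.ip for h in discovered}
    findings = []
    for host in discovered:
        mac = host.mac.lower()
        known = base_by_mac.get(mac)
        if known is None:
            # Unknown hardware. A vendor prefix outside the approved set is the
            # strongest signal: consumer miners and LoRa hotspots rarely share a
            # vendor with the operational equipment on the segment.
            if oui(mac) in approved_ouis:
                findings.append(("medium", f"new host {host.ip} ({mac}) with approved vendor prefix"))
            else:
                findings.append(("high", f"new host {host.ip} ({mac}) with unapproved vendor prefix {oui(mac)}"))
            continue
        new_ports = host.ports - known.ports
        if new_ports:
            findings.append(("medium", f"{host.ip} exposes new ports {sorted(new_ports)}"))
        if known.ip != host.ip:
            findings.append(("low", f"{mac} moved from {known.ip} to {host.ip}"))
    for ip in sorted(critical_ips - seen_ips):
        findings.append(("high", f"critical host {ip} did not answer the discovery scan"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


# Constructed baseline for a substation network segment.
BASELINE = {
    Host("10.20.0.1", "00:1b:21:aa:bb:01", frozenset({22, 443})),     # substation router
    Host("10.20.0.10", "00:1b:21:aa:bb:10", frozenset({102, 502})),   # SCADA gateway
    Host("10.20.0.11", "00:1b:21:aa:bb:11", frozenset({22, 8080})),   # turbine controller
}
CRITICAL_IPS = {"10.20.0.10", "10.20.0.11"}
APPROVED_OUIS = {"00:1b:21"}   # constructed; a real list comes from procurement records

# Constructed discovery result for the same segment.
DISCOVERED = {
    Host("10.20.0.1", "00:1b:21:aa:bb:01", frozenset({22, 443})),
    # 3333/tcp is commonly associated with mining-pool (stratum) traffic
    Host("10.20.0.11", "00:1b:21:aa:bb:11", frozenset({22, 8080, 3333})),
    # unknown device; 4028/tcp is the default API port of common miner software
    Host("10.20.0.77", "dc:a6:32:11:22:33", frozenset({22, 4028})),
}


def run_example():
    return compare(BASELINE, DISCOVERED, CRITICAL_IPS, APPROVED_OUIS)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity:6}] {message}")
```

Keying on MAC address rather than IP matters here: a rogue device that takes over a decommissioned address would otherwise look like a known host, while a legitimate host that moved only produces a low-severity note.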

DNS Risk from New BIND 9 Cache-Poisoning Flaw

CVE-2025-40778 and CVE-2025-40780 (both CVSS 8.6) are unauthenticated vulnerabilities in BIND 9 recursive resolvers that enable remote DNS cache poisoning and record forgery. A third flaw, CVE-2025-8677 (CVSS 7.5), allows Denial of Service via CPU exhaustion. Cache-poisoning bugs target the way recursive resolvers store answers in memory: if an attacker can plant a forged record in a resolver’s cache, every client of that resolver is sent to the attacker’s IP address until the forged record’s TTL expires.
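To make the caching mechanism concrete, here is an added toy resolver cache (written for this page; it is not BIND code and does not reproduce the mechanics of the BIND 9 CVEs). It models the generic out-of-bailiwick poisoning case: a response from one zone carries an unsolicited record for a different zone, and a lenient cache accepts it while a bailiwick-checked cache drops it. The clock is injected so the TTL expiry is deterministic, and the response is constructed.

```python
"""Toy recursive-resolver cache: lenient acceptance versus bailiwick checking.

Added illustration of how a forged record ends up in a cache. A simplified
model written for this page, not BIND's code and not the specific BIND 9 CVE
mechanics.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str
    ttl: int


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, enforce_bailiwick: bool, clock):
        self.enforce_bailiwick = enforce_bailiwick
        self.clock = clock        # callable returning seconds; injected for determinism
        self._store = {}          # (name, rtype) -> (RR, expiry)

    def ingest(self, zone: str, records):
        """Cache records from a response to a query under `zone`.
        Returns the records that were accepted."""
        accepted = []
        for rr in records:
            if self.enforce_bailiwick and not in_bailiwick(rr.name, zone):
                continue          # unsolicited record for a foreign name: drop it
            self._store[(_norm(rr.name), rr.rtype)] = (rr, self.clock() + rr.ttl)
            accepted.append(rr)
        return accepted

    def lookup(self, name: str, rtype: str):
        key = (_norm(name), rtype)
        entry = self._store.get(key)
        if entry is None:
            return None
        rr, expiry = entry
        if self.clock() >= expiry:      # TTL ran out: evict and miss
            del self._store[key]
            return None
        return rr.data


class FakeClock:
    def __init__(self):
        self.t = 0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed scenario: the resolver asked attacker.example's nameserver for
# www.attacker.example and the reply smuggled in an A record for a bank.
POISONED_RESPONSE = [
    RR("www.attacker.example", "A", "198.51.100.5", 300),
    RR("www.bank.example", "A", "203.0.113.66", 86400),   # forged, out of bailiwick
]


def run_scenario(enforce_bailiwick: bool):
    """Return what clients see for www.bank.example before and after the
    forged record's TTL elapses."""
    clock = FakeClock()
    cache = ResolverCache(enforce_bailiwick, clock)
    cache.ingest("attacker.example", POISONED_RESPONSE)
    before = cache.lookup("www.bank.example", "A")
    clock.advance(86400)
    after = cache.lookup("www.bank.example", "A")
    return before, after


if __name__ == "__main__":
    print("lenient cache :", run_scenario(enforce_bailiwick=False))
    print("strict cache  :", run_scenario(enforce_bailiwick=True))
```

The lenient cache hands out the attacker’s address for a full day, which is the window the paragraph above describes; the strict cache never stores the record. Real resolvers layer further defences (source-port and transaction-ID randomization, DNSSEC validation) on top of bailiwick rules, and it is weaknesses in such layers that vendor advisories describe.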

BIND 9 is a widely deployed, open-source DNS server developed and maintained by the Internet Systems Consortium (ISC). It is especially common for on-prem and ISP/enterprise deployments. Although in-the-wild exploitation has not been reported, CVE-2025-40778 has a public proof-of-concept (PoC) available [1] and numerous national CERT alerts have been issued globally [2][3][4][5][6][7][8].

Greenbone provides detection checks for all three CVEs across multiple Linux distributions and hardware devices. Broadly speaking, many BIND 9 versions between 9.11 and 9.21, including some Supported Preview (S1) builds, are vulnerable. See ISC’s security advisories for specific affected product information [9][10][11].

2-Year-Old Linux Use-After-Free Flaw Now a Ransomware Threat

CVE-2024-1086 (CVSS 7.8, EPSS > 99th pctl), published in early 2024, is now being leveraged in ransomware attacks. The CVE has been on CISA’s KEV list since mid-2024 and was flagged there as used in ransomware attacks in November 2025. CVE-2024-1086 is a use-after-free [CWE-416] flaw in the Linux kernel’s netfilter nf_tables subsystem that lets a local, unprivileged attacker escalate to root and execute arbitrary code in kernel context. The fix shipped in the 6.1.77 stable release and the corresponding releases of the other stable branches; distribution kernels backport it under their own version numbers, so check your vendor’s advisory rather than relying on the upstream version string alone. A public PoC has been available since March 2024 [1].

Greenbone’s OPENVAS ENTERPRISE FEED and COMMUNITY FEED have provided detection for CVE-2024-1086 across multiple Linux distributions since early 2024.

CVE-2025-12480: Gladinet Triofox Flaw Under Active Attack

CVE-2025-12480 (CVSS 9.1, EPSS >98th pctl) is an improper access control flaw [CWE-284] in Gladinet Triofox that allows unauthenticated remote code execution (RCE). The flaw is being actively exploited by the UNC6485 threat group. Although successful ransomware attacks have not yet been reported, analysis shows attackers importing remote access tools [T1219] and scanning for lateral-movement opportunities [T1046]. A full technical analysis has been published by Google’s Mandiant, which raises the likelihood of wider exploitation.

The attack chain starts with a crafted GET request whose Host header is set to localhost. The Host header is written by the client: the server uses it to select a virtual host, but it plays no part in routing the packets across the internet, so an attacker can put any value in it. CVE-2025-12480 may also be considered an Origin Validation Error [CWE-346] because Triofox treats any request that claims to come from localhost as trusted without verifying where it actually came from. This spoofing grants access to the AdminAccount.aspx route, sensitive installation scripts, and configuration pages. RCE is finally achieved by pointing Triofox’s configurable antivirus-engine path at an attacker-supplied script, which the server then executes.

Italy’s national cyber agency, the ACN, and Taiwan’s TWCERT have issued alerts for CVE-2025-12480 [1][2]. Greenbone’s OPENVAS ENTERPRISE FEED includes both an active check and a version check to identify vulnerable systems. Users should upgrade to Triofox version 16.7.10368.56560 or higher immediately. As a stopgap until the upgrade is applied, a WAF can be configured to reject requests that specify localhost in the Host header but arrive from a non-loopback source.
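The trust decision described in the two paragraphs above, as an added example (modelled on the described behaviour, not Gladinet’s code): the flawed check reads locality from the client-supplied Host header, the hardened check reads it from the TCP peer address, and a third function is the edge rule the mitigation describes. The sample requests are constructed; the function names are assumptions.

```python
"""Localhost trust decided from the Host header (flawed) versus from the TCP
peer address (hardened), plus the edge rule from the mitigation above.

Added illustration modelled on the behaviour described in this section; it
is not Gladinet's code, and the sample requests are constructed.
"""
import ipaddress


def host_only(host_header: str) -> str:
    """Strip the port from a Host header value, handling IPv6 literals."""
    value = host_header.strip().lower()
    if value.startswith("[") and "]" in value:      # e.g. [::1]:443
        return value[1 : value.index("]")]
    return value.split(":", 1)[0]


def claims_loopback(host_header: str) -> bool:
    """True if the client-supplied Host names the local machine."""
    name = host_only(host_header)
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:          # a hostname, not an IP literal
        return False


def is_local_vulnerable(headers: dict, remote_addr: str) -> bool:
    """Flawed pattern: trusts a header the client wrote."""
    return claims_loopback(headers.get("Host", ""))


def is_local_hardened(headers: dict, remote_addr: str) -> bool:
    """Use the TCP peer address, which a remote client cannot forge once the
    handshake has completed. The Host header is not consulted at all.
    Caveat: behind a reverse proxy on the same machine every peer is loopback,
    so admin setup routes should also require authentication rather than
    relying on locality."""
    return ipaddress.ip_address(remote_addr).is_loopback


def waf_should_block(headers: dict, remote_addr: str) -> bool:
    """Edge rule: drop requests that claim localhost but arrive from outside."""
    return claims_loopback(headers.get("Host", "")) and not ipaddress.ip_address(remote_addr).is_loopback


# Constructed requests: (headers, peer address, description)
SAMPLE_REQUESTS = [
    ({"Host": "localhost"}, "127.0.0.1", "genuine local request"),
    ({"Host": "localhost"}, "198.51.100.23", "Host spoofed from the internet"),
    ({"Host": "[::1]:443"}, "203.0.113.9", "IPv6 loopback literal spoofed"),
    ({"Host": "127.0.0.1:8080"}, "10.0.0.5", "loopback IP spoofed from the LAN"),
    ({"Host": "files.example.com"}, "198.51.100.23", "ordinary external request"),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (description, vulnerable verdict, hardened verdict, WAF blocks)."""
    return [
        (desc, is_local_vulnerable(h, peer), is_local_hardened(h, peer), waf_should_block(h, peer))
        for h, peer, desc in requests
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Note that the WAF rule has to match every spelling of loopback (localhost, 127.0.0.0/8, ::1, bracketed IPv6 with a port), which is why the example normalizes the header before comparing rather than testing for the literal string "localhost".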

CVE-2025-61757: Unauthenticated RCE in Oracle Identity Manager

CVE-2025-61757 (CVSS 9.8, EPSS > 98th pctl) is a pre-authentication RCE flaw in Oracle Identity Manager (OIM) and Oracle Identity Governance (OIG). OIM is Oracle’s core provisioning and identity lifecycle engine, while OIG adds governance features such as access reviews, role and separation-of-duties (SoD) controls, and analytics. CVE-2025-61757 is actively exploited, at least one public PoC exploit exists, and a detailed technical analysis is available.

Exploitation for initial access against internet-exposed OIM instances is considered trivial; an attacker can bypass authentication with a single HTTP request. By appending ?WSDL to the URL or adding ;.wadl as a path parameter, the request is treated by the SecurityFilter as one that needs no authentication, while the application still routes it to the protected resource. Researchers used this unauthenticated API access to reach an endpoint that syntax-checks Groovy scripts by compiling them. Although the script is only compiled, not run, Groovy evaluates certain annotations at compile time, so attacker-controlled code executes during the syntax check, providing RCE.
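The filter-bypass class in the paragraph above, as an added example written for this page (a simplified model, not Oracle’s SecurityFilter; the endpoint paths are hypothetical): the flawed allowlist is a suffix test on the raw request URI, so appending a query string or a matrix parameter that routing ignores makes any protected route look public. The hardened version canonicalizes the path first and matches exact endpoints. The sample URIs are constructed.

```python
"""Public-endpoint allowlisting on the raw request URI (flawed) versus on a
canonical path (hardened).

Added illustration of the bypass class described above: a simplified model
written for this page, not Oracle's SecurityFilter, and the endpoint paths
are hypothetical.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical endpoints that may be served without a session, as exact
# (path, query) pairs. A WSDL is fetched as <service path>?WSDL.
PUBLIC_ENDPOINTS = {
    ("/ws/identityservice", "wsdl"),
    ("/rest/application.wadl", ""),
}


def is_public_vulnerable(request_uri: str) -> bool:
    """Flawed: a suffix test on the raw URI. Any protected route becomes
    'public' once the client appends ?WSDL or a ;.wadl path parameter, while
    routing to the protected resource is unaffected by either."""
    return request_uri.lower().endswith(("?wsdl", ".wadl"))


def canonical_path(request_uri: str) -> str:
    """Reduce a request URI to the path the container actually routes on."""
    path = unquote(urlsplit(request_uri).path)                     # drop query, decode %xx
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]   # drop ;matrix params
    path = posixpath.normpath("/".join(segments))                   # collapse ./ and ../
    return path if path.startswith("/") else "/" + path


def is_public_hardened(request_uri: str) -> bool:
    """Exact match on the canonical path plus the literal query."""
    query = urlsplit(request_uri).query.lower()
    return (canonical_path(request_uri), query) in PUBLIC_ENDPOINTS


def bypass_attempts(request_uris):
    """URIs the flawed filter would wave through but the hardened one would
    not: handy when reviewing access logs for probing."""
    return [u for u in request_uris if is_public_vulnerable(u) and not is_public_hardened(u)]


# Constructed request URIs as they might appear in an access log.
SAMPLE_URIS = [
    "/ws/identityservice?WSDL",      # legitimate descriptor fetch
    "/rest/application.wadl",        # legitimate descriptor fetch
    "/rest/admin/users",             # protected route, no trick
    "/rest/admin/users?WSDL",        # protected route plus bogus query
    "/rest/admin/users;.wadl",       # protected route plus matrix parameter
    "/rest/admin/%75sers;.wadl",     # same, with percent-encoding
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:32} vulnerable={is_public_vulnerable(uri)!s:5} hardened={is_public_hardened(uri)}")
```

The canonicalization here decodes once and then strips matrix parameters; the exact order a given container applies can differ, which is why, inside a Java servlet filter, it is safer to match on the container’s already-decoded servlet path than to re-implement the normalization on the raw request URI.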

Several national CERT alerts have been issued for CVE-2025-61757 globally [1][2][3][4]. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check to verify vulnerability to CVE-2025-61757 with a specially crafted HTTP request. Versions 12.2.1.4.0 and 14.1.2.1.0 of OIM and OIG are affected.

CentOS Web Panel (CWP) Under Active Attack for RCE

CVE-2025-48703 (CVSS 9.0, EPSS >98th pctl) is a pre-auth remote command injection vulnerability [CWE-78] in Control Web Panel / CentOS Web Panel (CWP). Exploitation requires knowledge of a valid non-root username. The flaw combines an authentication bypass in the file manager’s changePerm endpoint with OS command injection through the unsanitized t_total parameter, which is passed to chmod. As a result, an attacker can spawn a reverse shell as that user. A full technical description and PoC were published by Fenrisk, who discovered and reported the flaw.
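The injection pattern in the paragraph above, as an added example in Python (not CWP’s PHP code; the parameter name t_total is borrowed from the text only as a label): the flawed helper splices the user-supplied mode into a shell command line, while the hardened helper validates the mode against an octal pattern, confines the target path to the user’s directory, and execs chmod with an argument list so no shell ever parses the input. The demonstration run uses a temporary directory constructed for the example.

```python
"""chmod built as a shell string (flawed) versus argv with validated input.

Added illustration of the CWE-78 pattern described above, written for this
page; it is not CWP's code. The demo run below uses a temporary directory.
"""
import re
import subprocess
import tempfile
from pathlib import Path

MODE_RE = re.compile(r"[0-7]{3,4}")   # octal modes such as 644 or 0755, nothing else


def chmod_cmdline_vulnerable(path: str, t_total: str) -> str:
    """Flawed pattern: the user-supplied mode is spliced into a shell string.
    Anything after a ';' or '|' in t_total becomes a second command."""
    return f"chmod {t_total} {path}"


def chmod_hardened(base_dir: str, rel_path: str, t_total: str) -> str:
    """Validate the mode, confine the target to base_dir, exec without a shell.
    Returns the resulting permission bits as an octal string."""
    if not MODE_RE.fullmatch(t_total):
        raise ValueError(f"rejected mode {t_total!r}")
    base = Path(base_dir).resolve()
    target = (base / rel_path).resolve()          # resolves ../ and symlinks
    if not target.is_relative_to(base):
        raise PermissionError(f"{rel_path!r} escapes {base}")
    subprocess.run(["chmod", t_total, str(target)], check=True)   # argv list, no shell
    return oct(target.stat().st_mode & 0o7777)


def demo():
    """Constructed run: returns (flawed command line, hardened result mode,
    injection rejected, traversal rejected)."""
    injected = "755; id > /tmp/pwned"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "notes.txt").write_text("x")
        mode = chmod_hardened(d, "notes.txt", "600")
        try:
            chmod_hardened(d, "notes.txt", injected)
            rejected = False
        except ValueError:
            rejected = True
        try:
            chmod_hardened(d, "../../etc/passwd", "644")
            confined = False
        except PermissionError:
            confined = True
    return chmod_cmdline_vulnerable("/home/user/notes.txt", injected), mode, rejected, confined


if __name__ == "__main__":
    cmdline, mode, rejected, confined = demo()
    print("flawed command line :", cmdline)
    print("hardened result mode:", mode)
    print("injection rejected  :", rejected, "| traversal rejected:", confined)
```

Validation alone is not the whole fix: even a well-formed mode reaching a shell string is one refactor away from a new injection, so the argv form is what removes the bug class rather than one instance of it.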

In November, CISA flagged CVE-2025-48703 as actively exploited, and Taiwan’s TWCERT has issued an alert [1]. Given CWP’s widespread use and the large number of internet-exposed instances, CVE-2025-48703 poses a high risk globally. Greenbone’s OPENVAS ENTERPRISE FEED includes an authenticated version detection check to identify vulnerable CWP servers, allowing users to take immediate action. All versions of CWP before 0.9.8.1205 are affected.

Unpatched Microsoft Office is Exposed to New Social Engineering Attacks

CVE-2025-60724 (CVSS 9.8) is a new critical heap overflow flaw [CWE-122] in GDI+, the graphics component used by Microsoft Office and Windows. RCE can be triggered on a victim’s computer if an attacker convinces them to open a specially crafted document or metafile. Microsoft patched the flaw in its November Patch Tuesday rollout. Vulmon lists two public PoC exploits, but both have since been taken down from GitHub.

Sophisticated social engineering attacks often convince users to open a malicious file, which seeks to exploit a local software flaw. For a better understanding of how cyber adversaries execute this tactic, read our recent blog post, Greenbone Helps Defend Against Advanced Social Engineering Attacks. Greenbone includes detection for CVE-2025-60724 and other CVEs disclosed in Microsoft’s monthly patch cycle.

PoC Exploit Published for New Flaws in N-Central

Horizon3.ai has published PoC exploit code and a detailed technical analysis for a new attack chain exploiting CVE-2025-9316 and CVE-2025-11700 in N-able’s N-Central. N-Central is remote monitoring and management (RMM) software used by large enterprises and managed service providers (MSPs) to manage fleets of IT infrastructure, including configuration, patching, reporting and analytics. N-Central sits in the “blast radius” category of software: a compromise could easily lead to downstream breaches at the customers it manages.

Belgium’s CERT.be and Italy’s ACN have issued alerts for the new CVEs [1][2]. Two other critical-severity CVEs in N-Central were disclosed and quickly saw active exploitation in August this year, further evidence that attackers consider N-Central a high-value target. Here is a brief summary of the two new exploitable CVEs in N-Central and another new high-risk CVE for the product:

The CVEs are fixed in N-Central 2025.4. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify all three CVEs referenced above, and an additional active check for CVE-2025-9316.

Summary

November 2025 was anything but quiet for cyber security. Ransomware campaigns targeting Oracle EBS flaws expanded to 100+ victims. Breach volumes keep rising, and class action lawsuits on behalf of private victims are keeping pace. The EU’s DORA and NIS 2 are shifting into focus, increasing corporate and personal liability for management. On the vulnerability front, actively exploited flaws in the Linux kernel, Triofox, Oracle Identity Manager and CWP, together with new BIND 9 and N-Central flaws that already have public PoC exploits, ensure that the ransomware war is far from its last act.

A free trial of Greenbone’s OPENVAS BASIC offers defenders access to essential cyber security capabilities. Scan your IT environment with Greenbone’s OPENVAS ENTERPRISE FEED to gain industry-leading coverage today.