Patch Tuesday week yielded nearly 1,000 vulnerabilities from Microsoft and other vendors. Here are some important ones to focus on. 

Cyble Vulnerability Intelligence researchers tracked 971 vulnerabilities in the last week, and at least 37 of the disclosed vulnerabilities quickly had a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 60 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 17 received a critical severity rating based on the newer CVSS v4.0 scoring system.  

These are some of the vulnerabilities flagged by Cyble threat intelligence researchers in reports to clients this week, which included Patch Tuesday updates from Microsoft and other vendors. 

The Week’s Top IT Vulnerabilities 

CVE-2025-60724 is a 9.8-severity Heap-based Buffer Overflow vulnerability in the Microsoft Graphics Device Interface Plus component on Windows systems that could potentially allow an unauthorized attacker to execute code remotely over a network. 

CVE-2025-13026 is a vulnerability in Mozilla Firefox arising from incorrect boundary condition checks, which could potentially let attackers escape the browser’s sandbox and execute arbitrary code. 

CVE-2025-52425 is a critical SQL injection vulnerability in QuMagie, a multimedia application used in QNAP NAS systems, which could potentially be exploited remotely and without authentication to execute unauthorized code or commands. 

CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: 

• CVE-2025-21042, a Samsung Galaxy Out-of-Bounds Write vulnerability that could lead to full device compromise and has reportedly been used to deliver spyware 

• CVE-2025-9242, a WatchGuard Firebox Out-of-Bounds Write vulnerability 

• CVE-2025-12480, a Gladinet Triofox Improper Access Control vulnerability 

• CVE-2025-62215, a Microsoft zero-day Windows Race Condition vulnerability 

• CVE-2025-64446, a Fortinet FortiWeb Path Traversal vulnerability 

CISA also issued updated orders to federal agencies to patch Cisco vulnerabilities CVE-2025-20333 and CVE-2025-20362. 

CVE-2025-12480 and CVE-2025-20333 have also generated significant discussion in open source communities in the last week. CVE-2025-12480 is the second Gladinet vulnerability added to the CISA KEV catalog this month, following CVE-2025-11371 on November 4. CVE-2025-12480 could allow attackers to bypass authentication by manipulating HTTP Host headers, potentially gaining access to the product’s initial setup and protected configuration pages. 

CVE-2025-20333 is a critical Buffer Overflow vulnerability affecting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices. The flaw could allow authenticated remote attackers (VPN users) to execute arbitrary code with root privileges, potentially leading to complete device compromise. 

Cyble also flagged one industrial control system (ICS) vulnerability this week. CVE-2025-12636 affects Ubia Ubox v1.1.124. A failure to adequately secure API credentials could enable an attacker to connect to backend services, which could allow them to gain unauthorized access to available cameras to view live feeds or modify settings. 

 Vulnerabilities Discussed on Cybercrime Forums 

Cyble dark web researchers observed several threat actors discussing weaponizing vulnerabilities on underground and dark web forums. Among the vulnerabilities under discussion were: 

CVE-2025-6554, a critical zero-day type confusion vulnerability in the V8 JavaScript and WebAssembly engine used by Google Chrome and other Chromium-based browsers. This flaw could allow a remote attacker to perform arbitrary read/write operations by serving a crafted HTML page, which in some cases could lead to full remote code execution. 

CVE-2025-60710, a high-severity local privilege escalation vulnerability in the Host Process for Windows Tasks affecting Microsoft Windows 11 Version 25H2 (build 10.0.26200.0). The vulnerability involves improper link resolution before file access. The flaw could allow an authorized attacker with limited local privileges to exploit improper handling of symbolic links or junction points in the Host Process for Windows Tasks, redirecting file operations to unintended locations and escalating their privileges. 

CVE-2025-64495, a high-severity stored DOM-based Cross-Site Scripting (XSS) vulnerability in Open WebUI, a self-hosted artificial intelligence platform, affecting versions 0.6.34 and below. The vulnerability exists in the chat window’s prompt insertion feature, where user-controlled HTML from custom prompts is assigned directly to the DOM sink .innerHTML without proper sanitization when the “Insert Prompt as Rich Text” setting is enabled. While the marked library is used to parse the content, it does not sanitize HTML, potentially allowing attackers with low-level privileges to create malicious prompts containing JavaScript payloads that execute when other users insert those prompts via slash commands. 

CVE-2025-61932, a critical remote code execution vulnerability affecting Motex Lanscope Endpoint Manager (On-Premises), specifically the Client Program (MR) and Detection Agent (DA) components in versions 9.4.7.1 and earlier. This stems from improper verification of communication channel sources, potentially allowing attackers to remotely execute arbitrary code by sending specially crafted network packets to TCP port 443 on vulnerable systems. 

Conclusion 

The high number of critical and exploited vulnerabilities in the last week underscores the demands placed on security teams to respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.   

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.   

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.