Weekly Cybersecurity Recap - 17 November 2025

Major Threats, Exploits, Malware and Industry Updates


    Introduction

    This week highlighted significant shifts across the cybersecurity landscape - from critical vulnerabilities in leading AI inference engines to massive-scale software supply chain attacks and a record level of ransomware group fragmentation. Organizations also faced new threats to identity infrastructure, cloud-hosted platforms, and widely deployed web security tools. Here’s a deeper look at the most impactful developments security teams need to monitor.

    AI and Emerging Tech

    Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks

    Researchers uncovered critical remote code execution vulnerabilities affecting major AI inference engines maintained by Meta, Nvidia, Microsoft, and open-source projects such as PyTorch, vLLM, and SGLang. The underlying issue is a systemic pattern dubbed ShadowMQ: the same insecure deserialization logic, which reconstructs objects directly from data received over the network, was copied from project to project as maintainers reused each other's code. The findings highlight how shared AI tooling pipelines can multiply a single flaw across the entire industry.
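    The deserialization side of that pattern, reduced to a few lines as an added example (this is not code from any of the affected projects): Python's pickle will call whatever callable a crafted payload names, so handing network bytes to pickle.loads is remote code execution by design. The payload below is constructed and uses os.getcwd as a harmless stand-in for what a real attacker would invoke; the RestrictedUnpickler is an assumed hardening that refuses every global lookup, which is enough for messages made of plain dicts, lists and scalars.

```python
import io
import os
import pickle


# Constructed attacker object: pickle records __reduce__'s (callable, args)
# and the receiving side calls it on load. os.getcwd stands in for a
# dangerous callable such as os.system.
class CallOnLoad:
    def __reduce__(self):
        return (os.getcwd, ())


MALICIOUS_PAYLOAD = pickle.dumps(CallOnLoad())
BENIGN_PAYLOAD = pickle.dumps({"request_id": 7, "tokens": [1, 2, 3]})


def unsafe_loads(data: bytes):
    """The ShadowMQ-style anti-pattern: whatever arrived on the socket is unpickled as-is."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Reject any GLOBAL/STACK_GLOBAL reference. Containers and scalars never need one,
    so legitimate inference messages still load while callables cannot be resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data: bytes):
    """Return (True, object) for an accepted payload, (False, reason) for a rejected one."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The unsafe path executes the embedded callable and returns its result.
    print("unsafe:", unsafe_loads(MALICIOUS_PAYLOAD))
    # The restricted path keeps the benign message and refuses the malicious one.
    print("safe benign:", try_safe_loads(BENIGN_PAYLOAD))
    print("safe malicious:", try_safe_loads(MALICIOUS_PAYLOAD))
```

    A restricted unpickler is a stopgap for code that cannot drop pickle immediately. The durable fix for an inference endpoint is to stop deserializing arbitrary objects from the wire at all: use a schema-bound format such as JSON or msgpack for control messages and require authentication on the socket, so the receiver never has to trust the sender's bytes.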

    Critical Vulnerabilities and Exploited Zero-Days

    Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability

    Fortinet warned that a critical FortiWeb flaw has been actively exploited for weeks, including before patches were quietly released and before the issue was added to CISA's Known Exploited Vulnerabilities catalog. Tracked as CVE-2025-64446 (CVSS 9.1), the vulnerability is a relative path traversal weakness that lets a remote, unauthenticated attacker send crafted HTTP or HTTPS requests and execute administrative commands, which is enough for full takeover of an affected FortiWeb WAF appliance. Until a fixed build is installed, the management interface should not be reachable from the internet over HTTP or HTTPS.

    Hackers Exploited Cisco ISE Zero-Day

    AWS security researchers reported that threat actors were exploiting a zero-day in Cisco's Identity Services Engine (ISE) before Cisco released a patch earlier this year. Exploitation attempts against the flaw, CVE-2025-20337, an unauthenticated remote code execution vulnerability, were captured by AWS's MadPot honeypot network. ISE sits at the heart of enterprise network access control, so a pre-patch exploit against it targets one of the most sensitive components in the environment.

    Corporate Breaches and Extortion

    Checkout.com Discloses Data Breach After Extortion Attempt

    Checkout.com confirmed it was targeted by a hacking group that attempted extortion after accessing data stored in an old, third-party cloud file storage system. The company emphasized that the breached system has been unused since 2020 and that its core payment processing platform was not affected. Still, the incident underscores the long-tail risks of legacy cloud assets lingering in vendor environments.

    Web Hosting and Server Security

    Imunify360 Vulnerability Could Expose Millions of Sites to Hacking

    A serious vulnerability in ImunifyAV - part of the Imunify360 security suite widely used in Linux web hosting - could enable attackers to execute arbitrary code on shared servers simply by uploading a crafted file. With the vendor reporting more than 56 million protected sites as of late 2024, the potential blast radius is enormous, especially for hosting providers and resellers relying on shared infrastructure.

    RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

    The RondoDox botnet is actively exploiting a critical XWiki vulnerability, CVE-2025-24893, an eval injection flaw that leads to remote code execution. Attackers reach it through the "/bin/get/Main/SolrSearch" endpoint as an unauthenticated guest user, pulling unpatched servers into the botnet. Although fixes were issued across multiple XWiki versions earlier this year, many deployments remain unpatched and exposed.
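    Both the FortiWeb item above and this XWiki item describe attacks that leave a recognisable trace in ordinary web server access logs: a path traversal sequence (often URL-encoded, sometimes double-encoded) in the request path, or wiki macro syntax arriving in the query string of the SolrSearch endpoint. The scanner below is an added example, not code from Fortinet, XWiki or any vendor. The log lines are constructed for the example and the traversal paths in them are made up; the actual FortiWeb exploit request is not on this page and is not reproduced here. The rule names and the decision to flag any "{{" in a SolrSearch query are design choices of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in combined log format. IPs are documentation
# ranges; the paths are invented to exercise each rule and one near-miss.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [12/Nov/2025:10:01:03 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 2048
198.51.100.9 - - [12/Nov/2025:10:02:17 +0000] "GET /static/..%2f..%2fadmin/config HTTP/1.1" 200 733
198.51.100.9 - - [12/Nov/2025:10:02:18 +0000] "POST /static/%252e%252e/%252e%252e/admin/cmd HTTP/1.1" 200 90
192.0.2.44 - - [12/Nov/2025:10:05:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=backup+policy HTTP/1.1" 200 4120
192.0.2.77 - - [12/Nov/2025:10:05:41 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Bgroovy%7D%7D HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so %252e%252e and %2e%2e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(path: str) -> bool:
    """True if any decoded path segment is exactly '..'.

    Checking whole segments (not a substring) avoids flagging legitimate names
    such as 'release..notes.html'. Backslashes are folded to '/' so that
    '..\\' variants are caught too."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def is_xwiki_macro_injection(target: str) -> bool:
    """True for a request to the SolrSearch endpoint whose query carries XWiki
    macro syntax. A search term has no reason to contain '{{'."""
    parts = urlsplit(target)
    if not fully_decode(parts.path).lower().endswith("/bin/get/main/solrsearch"):
        return False
    return "{{" in fully_decode(parts.query)


def scan_log(text: str):
    """Return one finding per matching request, in log order."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        src, target = match["src"], match["target"]
        path = urlsplit(target).path
        if has_traversal(path):
            findings.append({"src": src, "rule": "path-traversal", "target": target})
        if is_xwiki_macro_injection(target):
            findings.append({"src": src, "rule": "xwiki-solrsearch-macro", "target": target})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["src"]:15} {finding["rule"]:24} {finding["target"]}')
```

    Two caveats when running this over real data. A 200 status on a flagged request does not prove success, and a 404 does not prove failure, since WAF appliances and wikis often answer differently from a plain web server; treat the finding as a lead for host-side review of new admin accounts or scheduled tasks. And decoding stops at three rounds deliberately: deeper nesting is itself suspicious, but unbounded decoding invites pathological input.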

    Ransomware and Threat Groups

    Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns

    Check Point Research recorded 85 active ransomware and extortion groups in Q3 2025, the highest number it has ever tracked. The once-concentrated RaaS ecosystem has splintered into many smaller, short-lived operations run by former affiliates, and the proliferation of leak sites marks a structural shift driven by enforcement pressure on the major players. LockBit's return to that crowded field shows that the big brands have not gone away either; the result is a more unpredictable and decentralized threat environment in which victim organizations can no longer assume a small set of well-known playbooks.

    Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs

    The Akira ransomware group is experimenting with new tools and exploiting new attack surfaces, including targeting Nutanix virtual machines. Although they typically hit SMBs, the group has also struck critical sectors like healthcare, agriculture, and manufacturing - expanding its impact footprint and adopting increasingly specialized tooling.

    Enterprise Identity and Infrastructure

    Active Directory Under Siege: Why Critical Infrastructure Needs Stronger Security

    Active Directory continues to underpin authentication for over 90% of Fortune 1000 organizations, and its role has grown amid hybrid cloud adoption. However, this added complexity has made AD an even more appealing target. Because every device, user, and application depends on it, a single compromise can cascade into a full-network takeover - prompting new calls for stronger hardening, monitoring, and identity-first defense.

    Malware and Website Compromise

    GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites

    GootLoader resurged with a clever new evasion technique that uses custom font files to conceal its malicious payloads on compromised WordPress websites. Huntress observed multiple infections since late October, two of which escalated into hands-on intrusions that compromised domain controllers within 17 hours - underscoring how quickly attackers can pivot after initial access.

    Supply Chain and NPM Attacks

    150,000 Packages Flood NPM Registry in Token Farming Campaign

    Amazon security researchers identified more than 150,000 automatically generated NPM packages uploaded in a large-scale, self-replicating campaign designed to farm tokens from the tea.xyz protocol. Amazon called it a "defining moment in supply chain security"; it follows recent incidents such as the Shai-Hulud worm and illustrates how the NPM registry continues to be weaponized against developers and the wider open-source ecosystem.
