This Month in Security: November 2025 - Shai-Hulud is back, Windows Kernel Zero-Day, Telecom Rule Roll Back, and more


"Data Security Breach" by Visual Content is licensed under CC BY 2.0.
November 2025 brought several zero-days, spyware attacks, and another wave of “Shai-Hulud”.
Critical Zero-Day Exploits
- Windows Kernel Zero-Day (CVE-2025-62215): The headliner of November's Patch Tuesday was an elevation-of-privilege vulnerability in the Windows Kernel. Microsoft rates the attack complexity as high, but it confirmed that the flaw was already being exploited in the wild. A local, authenticated attacker who wins the race condition gains SYSTEM privileges, which makes this a post-initial-access step rather than a remote entry point (BleepingComputer).
- Samsung Mobile "LANDFALL" Spyware: CISA added a critical vulnerability in Samsung's mobile image-processing library to its Known Exploited Vulnerabilities (KEV) catalog this month. It allows remote code execution with no user interaction (zero-click) via a malicious image file, and reports indicate it is being used to deploy "LANDFALL" spyware (Malwarebytes).
Notable Threats and Incidents
- "Shai-Hulud" is Back: "Shai-Hulud", the self-replicating npm supply chain worm, launched a second wave of attacks that compromised hundreds of packages from major organizations including Zapier, ENS, and Postman. The worm runs when a compromised package is installed into a developer environment, harvests API keys and other secrets from that machine, and publishes them to public GitHub repositories. The wave was timed just before npm's deadline to revoke classic tokens (Aikido Security).
- Harvard University Vishing Attack: Harvard University disclosed an incident where a phone-based phishing, or vishing, attack successfully compromised several systems used by the Alumni Affairs and Development Office. The attackers tricked staff into granting them access, exposing donor and alumni contact information (Harvard HUIT).
- CISA Warns of Commercial Messaging App Spyware: On November 25th, CISA issued an urgent alert regarding commercial spyware campaigns targeting high-value users of Signal and WhatsApp. The agency highlighted specific campaigns such as "ProSpy" and "ClayRat" and noted that attackers are combining social engineering with zero-click exploits to hijack accounts. This warning closely follows the discovery of the Samsung "LANDFALL" campaign (The Hacker News, CISA).
- WhatsApp Privacy Loophole Closed: Researchers found that WhatsApp's contact discovery API could be queried without effective limits, which let them enumerate over 3.5 billion active accounts. WhatsApp has since rate-limited these checks, but the finding raised concerns about mass data collection and user privacy (Malwarebytes).
Policy and Framework Updates
- FCC Rolls Back Telecom Cybersecurity Rule: The FCC has rescinded a January 2025 ruling that mandated stricter cybersecurity measures for U.S. telecom carriers, citing legal inflexibility and industry pushback despite the recent "Salt Typhoon" espionage campaign. The rollback replaces mandatory risk management plans with voluntary, industry-coordinated efforts, drawing sharp criticism from officials who warn it leaves national networks vulnerable to ongoing foreign threats (BleepingComputer).
November Patches and Vulnerabilities
- Microsoft's November 2025 Patch Tuesday: Microsoft addressed 63 vulnerabilities this month.
  - Beyond the kernel zero-day, a critical vulnerability in the Microsoft Graphics Component (GDI+), tracked as CVE-2025-60724 with a CVSS score of 9.8, was also patched. It allows remote code execution via specially crafted metafiles.
  - CVE-2025-62199 is a remote code execution flaw in Office that is triggered when a user opens a malicious file (Qualys).
Key Takeaways for Staying Secure
- Prioritize the Windows Kernel Patch: With exploitation confirmed in the wild, deployment of the fix for CVE-2025-62215 should be expedited. It is a local privilege escalation, so it will typically be chained after an initial foothold; that is a reason to patch quickly, not to deprioritize it.
- Update Mobile Devices: The Samsung "LANDFALL" exploit is particularly dangerous because it is zero-click. Ensure all mobile fleets are running the latest security updates and consider a mobile threat defense solution.
- Review Your Security Posture: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners.
About the Author
Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.
Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.