This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates.
Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI risks, and attacks on developers are growing.
Here’s what mattered most in security this week.
âš¡ Threat of the Week
Fortinet Warns of Another Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned that a new security flaw in FortiWeb has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. It has been addressed in version 8.0.2. “An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” the company said. The development came days after Fortinet confirmed that it silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2. Although the company has not clarified if the exploitation activity is linked, Orange Cyberdefense said it observed “several exploitation campaigns” chaining CVE-2025-58034 with CVE-2025-64446 to facilitate authentication bypass and command injection. Fortinet’s handling of the issue has come in for heavy criticism. It’s possible that the company was aware but chose not to disclose them to avoid alerting other threat actors to their existence until a majority of its customers had applied the patch. But what’s difficult to explain at this stage is why Fortinet opted to disclose the flaws four days apart.
🔔 Top News
- Google Patches New Actively Exploited Chrome 0-Day — Google released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any details on who is behind the attacks, who may have been targeted, or the scale of such efforts. However, the tech giant acknowledged that an “exploit for CVE-2025-13223 exists in the wild.” With the latest update, Google has addressed seven zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year.
- Matrix Push C2 Uses Browser…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
