CISA: Ensure Complete Patching of Exploited Cisco Flaws; UK Cyber Security and Resilience Bill; Google Sues Phishing-as-a-Service "Lighthouse"

On Wednesday, November 12, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an update to a September emergency directive, to warn that federal agencies have incorrectly reported Cisco Secure Adaptive Security Appliance (ASA) and Firepower devices as patched against two actively exploited flaws. "CISA has identified devices marked as “patched” in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in the ED." CISA mandates that agencies address the flaws immediately and implement additional temporary risk mitigation instructions if still in the process of complying. The update emphasizes that "agencies [must] update ALL ASA and Firepower devices, not just public-facing devices, to the latest patch immediately to avoid exploitation," and provides tables showing appropriate fixed software versions to ensure patches for both flaws — CVE-2025-20333 (remote code execution, CVSS 9.9) and CVE-2025-20362 (privilege escalation, CVSS 6.5) — are installed. Cisco published new advisories for the flaws on November 6 due to a newly observed attack, noting that the flaws had been exploited since May 2025.

The UK Cybersecurity and Resilience Bill was introduced in Parliament earlier this week. The legislation "will reform and add to the existing Network and Information Systems (NIS) Regulations 2018, to increase UK defences against cyber attacks." The NIS Regulations apply to certain sectors of the UK economy, such as energy transportation, healthcare, drinking water, and digital infrastructure, as well as online marketplaces, search engines, and cloud computing services. The Cybersecurity and Resilience Bill is intended to expand the scope of the NIS Regulations to include data centers, managed service providers, large load controllers, and designated critical suppliers. It will require critical infrastructure operators to report "harmful cyber breaches ... to regulators, where they have the potential to cause significant impacts, with initial notification within 24 hours and a fuller report within 72 hours." Additionally, “if a data centre, or digital and managed service providers face a significant or potentially significant attack, they will have to notify customers which are likely to be impacted promptly so organisations can act fast to protect their business, people and services.”

Google LLC has filed a complaint in a New York district court seeking injunctive relief and damages against 25 unnamed defendants believed to be based in China, who allegedly manage "a powerful phishing software kit" known as "Lighthouse." Offered by subscription in both SMS and e-commerce versions, Lighthouse includes hundreds of templates for fraudulent websites mimicking legitimate pages. The filing notes a focus on US targets, including a number of spoofed websites for US institutions such as "toll collection agencies, financial institutions, shipping companies, retail companies, and even state and local governments." The SMS version "enables scammers to distribute mass text messages to thousands of targets." The e-commerce version distributes lures primarily via ads and social media, and includes spoofed site templates aimed at stealing financial information, as well as a tool for creating new fraudulent sites or malicious storefronts on legitimate platforms. Lighthouse notifies its users if sites are flagged by Google or by browsers, and mimics MFA protection to deceive the target into confirming their payment card being added to a threat actor's digital wallet. Google alleges that a network of threat actor groups "connected to one another through historical and current business ties" collaborates to generate revenue using Lighthouse; various branches focus on development, data brokering, spamming, theft, money laundering, and administration, coordinating through Telegram. The complaint describes known phishing schemes spoofing sites for parcel delivery, road tolls and tickets, financial institutions, and e-commerce sites. The legal basis of the complaint is harm done to Google's customer trust and goodwill, because "at least 116 spoofed website templates featur[e] Google’s branding or logos (YouTube, Gmail, Google, or Google Play) on the sign-in screen in an attempt to make the fake websites appear legitimate." The filing alleges violation of the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act, calling for judgment including injunctions, relief, and damages.

On Tuesday, November 11, Microsoft released updates to address more than 60 vulnerabilities, including a high-severity Windows kernel flaw (CVE-2025-62215) that is being actively exploited. The US Cybersecurity and Infrastructure Security (CISA) has added this CVE to the Known Exploited Vulnerabilities (KEV) catalog. The batch of Microsoft updates also includes fixes for several critical vulnerabilities, including a heap-based buffer overflow flaw in Microsoft Graphics Component (CVE-2025-60724) and a use-after-free issue in Windows DirectX (CVE-2025-60716). Other vendors have also published security updates this week: Adobe released fixes to address vulnerabilities in InDesign, InCopy, Photoshop, Illustrator, and other products; Cisco released seven security advisories, including one to address critical remote code execution vulnerabilities in Cisco Unified Contact Center Express; and Ivanti released updates for Ivanti Endpoint Manager to address three high-severity vulnerabilities.

SAP has published 26 new or updated security notes, including one for a critical (CVSS 10.0) hard-coded credentials issue in the non-GUI variant of SQL Anywhere Monitor (CVE-2025-42890). "A successful exploit poses the system’s confidentiality, integrity, and availability at high risk. The patch removes the SQL Anywhere Monitor completely. As a temporary workaround, SAP recommends to stop using SQL Anywhere Monitor and to delete any instances of SQL Anywhere Monitor database." Another security note addresses a critical (CVSS 9.9) code injection vulnerability in SAP Solution Manager (CVE-2025-42887); the fix "add[s] an input check that rejects most of the non-alphanumeric characters." SAP has also updated a security note that addresses a critical (10.0) deserialization vulnerability in SAP NetWeaver that was disclosed in October.

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added four CVEs to the Known Exploited Vulnerabilities (KEV) catalog. In addition to the high-severity heap-based buffer overflow flaw in Microsoft Graphics Component (CVE-2025-60724), CISA added a critical out-of-bounds write vulnerability in WatchGuard Fireware OS (CVE-2025-9242); a critical improper access control flaw in Gladinet Triofox (CVE-2025-12480); and a critical out-of-bounds write in the libimagecodec.quram.so library in Samsung mobile devices (CVE-2025-21042). The vulnerabilities have mitigation due dates of between December 1 and December 3 for Federal Civilian Executive Branch (FCEB) agencies.

Researchers from Quokka have published a report detailing serious security issues in Android-based network-connected digital picture frame devices running the Uhale app, including Amazon's bestselling digital frame as of March 2025. Quokka determined that many Uhale devices download and execute malware on boot, and possess "relaxed security controls and inadequate server identity verification" allowing local or remote takeover with little or no user interaction, as well as weaknesses that can be chained "to gain initial access, escalate privileges, and maintain persistence." The devices are at risk of malware delivery, remote code execution, unauthorized access to private files and photos, compromise for lateral movement on a network, data exfiltration from networked devices, botnet recruitment, and attempts at phishing, social engineering, and harassment. The researchers note that the studied devices, which all had an estimated sale of "over 30,000 units in recent months," all run EOL Android 6, which "remains prevalent in many budget and kiosk devices," especially in cases where "hardware longevity often outweighs software currency." However, the security issues in the report do not stem from known Android 6 vulnerabilities, but rather from "flawed app implementations and security oversights introduced by OEMs" such as Uhale, and therefore "could just as easily affect devices running newer Android versions if the same insecure practices are followed." In May 2025 Quokka contacted Uhale's parent company ZEASN through multiple channels to attempt responsible disclosure, but received no response. Quokka contends this is "a broader systemic problem in the software development and supply chain processes within this ecosystem of budget-friendly custom-purpose devices," emphasizing "the critical need for rigorous and continuous security assessments in the face of deep fragmentation."

Synnovis, a company that provides pathology services to UK healthcare organizations, has completed a forensic investigation of the 2024 ransomware attack that resulted in the theft of patient data. Synnovis did not pay the demanded ransom, and has "begun notifying the organisations whose data was affected and expect[s] to conclude this process by 21 November 2025." The company does not plan to contact affected individuals directly; instead, the affected healthcare organizations are expected to notify affected patients. There has been no formal estimate of the number of people affected by the incident. The ransomware attack disrupted patient care at numerous NHS healthcare facilities and led to blood shortages; earlier this year, "King's College Hospital NHS Trust confirmed that the disruption caused by Synnovis's supplier breach contributed to the death of a patient."

Between November 10 and 13, law enforcement authorities dismantled infrastructure that was being used to support the Rhadamanthys infostealer, the VenomRAT (Remote Access Trojan), and the Elysium botnet. Europol and Eurojust coordinated Operation Endgame with the help of law enforcement authorities in 11 countries and more than a dozen private organizations. In all, one person was arrested, 11 locations were searched, 20 domains were seized, and more than 1,000 servers were taken down or disrupted. The malware operations had infected hundreds of thousands of computers and stolen millions of account credentials. The operations involved authorities in Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States, with support from Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix and Bitdefender.