Security Roundup: November 2025 | Kocho
November Security Roundup

From Kocho’s Security Operations Centre (SOC)

Published: 26 November 2025

Fresh zero-days in Windows and Chrome, critical flaws in Oracle and 7-Zip, and another high-impact Office vulnerability show how quickly core enterprise tools can become attack paths. Our SOC team break down what matters and the actions to take now.

Headlines:

  • Oracle Fusion middleware flaw exposes critical functions
  • 7-Zip symbolic-link bug enables code execution
  • Chrome V8 zero-day exploited in the wild
  • Windows kernel zero-day grants SYSTEM access
  • Microsoft Office RCE via malicious documents

Oracle Fusion middleware flaw exposes critical functions (CVE-2025-61757)

A missing authentication check in Oracle Fusion middleware is being actively targeted. The vulnerability allows attackers to call critical functions without credentials, raising the risk of data exposure, system compromise, and lateral movement. CISA has added the issue to its Known Exploited Vulnerabilities (KEV) catalogue.

What’s the risk?

  • Unauthenticated access to sensitive middleware functions
  • Potential for full environment compromise if chained with other flaws
  • High risk of knock-on effects across integrated back-office systems

Recommended actions

Identify any Oracle Fusion middleware instances exposed to CVE-2025-61757.

Apply vendor patches and KEV-listed mitigations.

Strengthen authentication and access controls around middleware systems.

Action point

Prioritise patching Oracle middleware and block unauthenticated access paths immediately.

7-Zip vulnerability enables file-system escape and code execution (CVE-2025-11001)

A high-severity flaw in 7-Zip and p7zip allows malicious ZIP files to write files outside the intended directory structure. With a proof-of-concept publicly available and 7-Zip lacking auto-update, many systems remain exposed.

What’s the risk?

  • ZIP extraction can overwrite arbitrary files on the host
  • Malicious payloads may run with elevated privileges
  • High exploitation likelihood due to PoC availability and wide deployment

Recommended actions

Update all instances to 7-Zip 25.01 or later.

Train users to avoid extracting untrusted ZIP archives.

Use enterprise tools such as Microsoft Intune to push updates at scale.

Action point

Patch 7-Zip everywhere. Treat malicious archives as a popular entry point for lateral movement.
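As an added illustration (not code from the Kocho post or from 7-Zip), a pre-extraction audit for the general symlink-escape pattern the section describes: a symlink entry whose target points outside the archive root, followed by entries written through it, alongside plain `..` or absolute-path traversal. The sample archive is constructed inline and does not reproduce the CVE-2025-11001 proof of concept.

```python
import io
import posixpath
import stat
import zipfile
def _escapes(path: str) -> bool:
    """True if a path leaves the extraction root: absolute, drive-letter or '..' prefix."""
    p = path.replace("\\", "/")
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return True
    n = posixpath.normpath(p)
    return n == ".." or n.startswith("../")

def _is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)  # Unix mode sits in the top 16 bits

def audit_zip(data: bytes) -> list[str]:
    """Return findings for entries that could land outside the extraction directory."""
    findings, links = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes(name):
                findings.append(f"traversal entry: {name}")
                continue
            if _is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.join(posixpath.dirname(name), target)
                if _escapes(resolved):
                    findings.append(f"escaping symlink: {name} -> {target}")
                links.add(name.rstrip("/"))
                continue
            # An entry routed through an earlier symlink lands wherever that link points
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(f"written through symlink {prefix}: {name}")
                    break
    return findings

def build_sample() -> bytes:
    """Constructed sample: benign file, symlink to ../../etc, then a file written through it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        link = zipfile.ZipInfo("data")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../etc")
        zf.writestr("data/cron.d/job", "payload")
    return buf.getvalue()
```

Running `audit_zip(build_sample())` flags both the escaping link and the entry written through it, which is the check to run on inbound archives before any extractor touches them.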

Chrome V8 zero-day exploited for remote code execution (CVE-2025-13223)

Google has issued an emergency Chrome update after confirming in-the-wild exploitation of a V8 type-confusion flaw. Attackers can compromise systems through crafted HTML pages, with evidence suggesting potential use by commercial spyware operators.

What’s the risk?

  • Remote code execution via drive-by browsing
  • High attack surface across enterprise fleets
  • Commercial spyware vendors likely leveraging the flaw

Recommended actions

Update Chrome to version 142.0.7444.175/.176 immediately.

Ensure auto-update is enabled across Windows, macOS, and Linux.

Reinforce web-filtering controls against suspicious links and HTML lure files.

Action point

Push the Chrome emergency update across your estate today. Assume active exploitation.

Windows kernel zero-day allows SYSTEM-level privilege escalation (CVE-2025-62215)

Microsoft has patched a Windows kernel race-condition flaw exploited in the wild. The issue allows local attackers with low privileges to elevate to SYSTEM, with all supported Windows versions impacted.

What’s the risk?

  • Local users or compromised accounts can escalate to full SYSTEM access
  • Attackers can disable security controls and deploy persistence
  • Kernel-level compromise undermines endpoint protections

Recommended actions

Deploy the latest Windows security updates across all devices.

Hunt for suspicious privilege-escalation attempts in EDR logs.

Restrict local admin rights and harden workstation baselines.

Action point

Patch quickly and tighten local privilege controls. Kernel-level EoP turns minor breaches into major ones.

Microsoft Office RCE via malicious files (CVE-2025-62199)

A critical Office vulnerability allows remote code execution through malicious documents or Preview Pane rendering. All modern Office versions are affected, including Microsoft 365, LTSC editions, Office for Mac, and Office for Android.

What’s the risk?

  • Opening or previewing documents triggers code execution
  • Common phishing techniques can weaponise Office files easily
  • High relevance to UK organisations due to widespread Office usage

Recommended actions

Apply the latest Office security updates across all platforms.

Reinforce safe-handling guidance for email attachments.

Block or sandbox risky file types at the email gateway.

Action point

Patch Office and tighten attachment controls. Document-based RCE remains one of the most reliable phishing paths.

From our blog

The Microsoft Ignite updates set to shape your SOC strategy in 2026

Ignite 2025 delivered the clearest signal yet that AI is now part of the workforce. Microsoft’s new identity, access, endpoint and data controls are designed to secure the agents and automations already operating inside most organisations.

Kocho’s Technology Evangelist, David Guest, breaks down what SOC teams need to know, including governed AI identities, safer AI traffic, stronger authentication and Security Copilot now embedded in E5.

Resources & References

NIST | Google | CISA | Security Week | Mondoo | Microsoft

Thanks to the Kocho SOC team for their contributions.

Stay safe. Stay informed.
