Secure: Threat Intelligence Weekly Roundup (November 17-21, 2025)

From a 'self-DDoS' at Cloudflare to hijacked ASUS routers lying in wait for 2122, this week proved that in cybersecurity, your biggest threat might just be yourself.


Introduction

This week was defined by the ironic fragility of security infrastructure. While the world feared a massive DDoS attack during Cloudflare's global outage, the cause turned out to be a self-inflicted configuration error.

Simultaneously, major vendors faced their own security debts: Oracle was briefly listed on a ransomware leak site for a vulnerability in its own software, and Fortinet appliances came under active assault from a dual zero-day chain. Nation-state actors also made their move, hijacking 50,000 end-of-life routers to build a long-term espionage network.

Top Attacks and Breaches

Cloudflare Global Outage: The "Latent Bug" Crisis

On November 18, 2025, internet infrastructure provider Cloudflare experienced its most serious outage since 2019. The disruption impacted thousands of websites globally for approximately six hours.

While the timing and severity initially raised fears of a massive DDoS attack, fears amplified by the recent "Aisuru" botnet campaigns, the incident was ultimately traced to an internal configuration error rather than malicious external activity.

How it happened

Cloudflare's failure chain began with a seemingly minor permission change applied to a ClickHouse database cluster. The change inadvertently caused the system to emit duplicate rows into a "feature file" consumed by the company's Bot Management module. When that file unexpectedly doubled in size, it exceeded a hard limit in Cloudflare's traffic distribution software, triggering a cascading failure that crippled core routing across the network.

Diagnosing the issue proved difficult because Cloudflare's external status page also briefly went offline, leading teams to initially suspect a coordinated multi-vector attack. Engineers eventually identified the corrupted file at 14:30 UTC. They were able to halt its propagation, achieving full service restoration by 17:06 UTC.
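The failure chain above is a generic pattern: a generated artifact grows past a consumer's fixed capacity and the consumer fails hard instead of rejecting the file. The following loader is an added example written for this roundup, not Cloudflare's code, and it models the defensive behaviour a practitioner would want at that boundary. The file format (one `name,weight` row per line), the `MAX_FEATURES` and `MAX_GROWTH_RATIO` constants and the sample artifacts are all constructed for illustration.

```python
"""Guarded loader for a generated 'feature file', modelled on the failure
chain in the Cloudflare write-up. Added example, not Cloudflare's code.
An upstream change starts emitting duplicate rows; the artifact grows past
a consumer's hard limit; the consumer fails instead of rejecting the file.
This loader turns the limit into a validation gate and keeps serving the
last known-good version when a new artifact fails validation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FEATURES = 4          # hypothetical hard capacity of the consumer
MAX_GROWTH_RATIO = 1.5    # hypothetical: reject a >50% jump versus last good


@dataclass
class FeatureSet:
    version: int
    weights: Dict[str, float]


@dataclass
class LoadReport:
    version: int
    accepted: bool
    reason: str
    rows_seen: int
    duplicates_dropped: int


def parse_feature_file(text: str) -> Tuple[Dict[str, float], int, int]:
    """Parse 'name,weight' rows. Returns (weights, rows_seen, duplicates_dropped).
    Repeated feature names are collapsed (first occurrence wins), so a
    duplicated upstream query cannot inflate the effective feature count."""
    weights: Dict[str, float] = {}
    rows = dupes = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rows += 1
        name, sep, value = line.partition(",")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed row: {raw!r}")
        if name in weights:
            dupes += 1
            continue
        weights[name] = float(value)   # raises ValueError on a bad number
    return weights, rows, dupes


class GuardedLoader:
    def __init__(self, max_features: int = MAX_FEATURES,
                 max_growth_ratio: float = MAX_GROWTH_RATIO) -> None:
        self.max_features = max_features
        self.max_growth_ratio = max_growth_ratio
        self.current: Optional[FeatureSet] = None   # last known-good set

    def load(self, text: str, version: int) -> LoadReport:
        try:
            weights, rows, dupes = parse_feature_file(text)
        except ValueError as exc:
            return LoadReport(version, False, f"parse error: {exc}", 0, 0)
        n = len(weights)
        if n == 0:
            return LoadReport(version, False, "empty feature set", rows, dupes)
        if n > self.max_features:
            # The consumer's hard limit becomes a reject, not a crash.
            return LoadReport(version, False,
                              f"{n} features exceeds limit {self.max_features}",
                              rows, dupes)
        if self.current and n > self.max_growth_ratio * len(self.current.weights):
            return LoadReport(version, False,
                              f"size jump {len(self.current.weights)} -> {n} "
                              f"exceeds growth ratio", rows, dupes)
        self.current = FeatureSet(version, weights)
        return LoadReport(version, True, "ok", rows, dupes)


# Constructed sample artifacts (not real Cloudflare data).
FEATURES_V1 = "ua_entropy,0.42\nheader_order,0.31\ntls_ja3_rare,0.27\n"
# v2: the upstream query now emits every row twice.
FEATURES_V2 = "".join(line + "\n" for line in FEATURES_V1.splitlines()
                      for _ in range(2))
# v3: six distinct features, more than the consumer can hold.
FEATURES_V3 = "".join(f"f{i},0.1\n" for i in range(6))


def demo() -> Tuple[GuardedLoader, list]:
    loader = GuardedLoader()
    reports = [loader.load(FEATURES_V1, 1),
               loader.load(FEATURES_V2, 2),
               loader.load(FEATURES_V3, 3)]
    return loader, reports


if __name__ == "__main__":
    loader, reports = demo()
    for r in reports:
        print(f"v{r.version}: accepted={r.accepted} rows={r.rows_seen} "
              f"dupes_dropped={r.duplicates_dropped} ({r.reason})")
    print("serving version", loader.current.version)
```

The doubled artifact is accepted only because deduplication restores its real size; the non-zero `duplicates_dropped` count in the report is the signal an operator should alert on, since it means the upstream pipeline has changed behaviour even though the consumer survived. The oversized artifact is rejected and the loader keeps serving version 2.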

Google Chrome Zero-Day (CVE-2025-13223)

Google released emergency updates on November 18 for a critical type-confusion vulnerability in the V8 JavaScript engine. It is the seventh Chrome zero-day exploited in 2025.

  • Attack Chain: Remote attackers trick users into visiting a crafted HTML page. The vulnerability allows them to corrupt heap memory, execute arbitrary code, and potentially escape the browser sandbox.
  • Attribution: Discovered by Google's Threat Analysis Group (TAG), suggesting involvement by nation-state actors or commercial spyware vendors.

FortiWeb Under Assault: Dual Zero-Day Chain

Attackers are actively chaining two new vulnerabilities (CVE-2025-64446 and CVE-2025-58034) to compromise FortiWeb web application firewalls.

Attack Chain:

    1. Initial Access: Authentication bypass via path traversal (CVE-2025-64446).
    2. Execution: Authenticated command injection (CVE-2025-58034) allows arbitrary OS commands.
    3. Result: Full unauthenticated remote code execution (RCE) and system takeover.
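The two request-level patterns in this chain, traversal in a path and OS command strings in a parameter, are also the signatures the Protection Coverage section below says to monitor. The detector here is an added example written for this roundup, not Fortinet code, and it runs over combined-format web access logs. The `SAMPLE_LOG` lines, the `FREE_TEXT_PARAMS` allowlist and the URL paths are constructed and do not describe any FortiWeb endpoint.

```python
"""Detection logic for the two request-level patterns in the FortiWeb chain:
path traversal (the bypass step) and shell metacharacters in parameters
(the injection step). Added example, not vendor code. It reads combined-format
access logs; the SAMPLE_LOG entries are constructed, not real traffic."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Shell metacharacters that have no business inside a host name or file name.
SHELL_META = re.compile(r'(;|\|\||\||&&|\$\(|`|\r|\n)')

# Hypothetical allowlist: free-text parameters where '|' or ';' are legitimate.
FREE_TEXT_PARAMS = {"q", "search", "comment"}


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, so %2525... cannot loop forever),
    then unify backslashes and collapse repeated slashes."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return re.sub(r'/+', '/', s.replace('\\', '/'))


def has_traversal(value: str) -> bool:
    """True if any path segment is '..' after normalization."""
    return any(seg == '..' for seg in normalize(value).split('/'))


def analyze(line: str) -> Optional[Dict]:
    """Parse one access-log line and return a record with its findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    findings: List[Tuple[str, str]] = []
    if has_traversal(parts.path):
        findings.append(('path_traversal', 'path'))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_traversal(value):
            findings.append(('path_traversal', name))
        if name not in FREE_TEXT_PARAMS and SHELL_META.search(normalize(value)):
            findings.append(('shell_metachar', name))
    return {'ip': m['ip'], 'ts': m['ts'], 'target': m['target'],
            'status': m['status'], 'findings': findings}


def scan(lines: List[str]) -> List[Dict]:
    """Return only records with at least one finding."""
    out = []
    for line in lines:
        rec = analyze(line)
        if rec and rec['findings']:
            out.append(rec)
    return out


# Constructed sample traffic (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2025:10:01:02 +0000] "GET /static/app.css HTTP/1.1" 200',
    '203.0.113.9 - - [19/Nov/2025:10:01:09 +0000] '
    '"GET /files/%252e%252e/%252e%252e/private/notes.txt HTTP/1.1" 403',
    '203.0.113.9 - - [19/Nov/2025:10:01:15 +0000] '
    '"POST /api/tools/ping?host=198.51.100.4%7Cid HTTP/1.1" 500',
    '198.51.100.23 - - [19/Nov/2025:10:02:40 +0000] "GET /search?q=cats%20%7C%20dogs HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['target'], hit['findings'])
```

Two design points matter in practice. Decoding is repeated until the string stops changing, so a double-encoded `%252e%252e` is seen as `..`; the round limit keeps a deliberately deep encoding from becoming a denial of service against the detector itself. The per-parameter allowlist exists because `|` and `;` are ordinary characters in search strings; the fourth sample line is not flagged for that reason, while the same character in a `host` parameter is. A 403 or 500 alongside a finding, as in the sample, is worth correlating: the request was blocked or the backend choked, and both are worth a look.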

Oracle Gets Listed on Ransomware Site

In a moment of "peak irony," Oracle Corporation briefly appeared on the Cl0p ransomware gang's leak site on November 20. The tech giant fell victim to the same E-Business Suite (EBS) zero-day campaign it had been warning its own customers about.

The listing was quickly removed, suggesting Oracle likely initiated contact/negotiations.

Confirmed Victims:

  • Oracle Corporation – Technology
  • The Washington Post – Media
  • Harvard University – Education
  • Schneider Electric – Industrial
  • Envoy Air (American Airlines) – Aviation

Operation WrtHug: The 100-Year Botnet

Researchers have disclosed Operation WrtHug, a sophisticated campaign that has compromised more than 50,000 end-of-life ASUS routers.

  • Targeting: Primarily Taiwan, U.S., and Russia.
  • The Marker: Infected devices are fingerprinted by a unique self-signed TLS certificate set to expire in April 2122 (100 years out), indicating long-term operational planning by the attackers.
  • Why This Matters: Compromised devices are lying in wait, available for DDoS operations and surveillance and as persistent infrastructure for future nation-state attacks.

Threat Landscape Analysis

  • Infrastructure Fragility vs. Malice: The Cloudflare incident serves as a wake-up call: we saw firsthand how internal configuration errors can mimic the impact of nation-state cyberattacks.
  • Vendor Accountability Crisis: Both Oracle and Fortinet became the faces of this week's crisis - not just as vendors, but as victims and vectors. Oracle appearing on a leak site for its own software vulnerability underscores that no entity is immune to the technical debt it ships.
  • The "Long Game" in IoT: Attackers are not just looking for quick DDoS cannons; they are building "forever infrastructure" on unpatchable, end-of-life devices that consumers rarely replace.

Recommendations

Critical Actions (Week of Nov 17-21)

  • Patch Immediately:
    • Chrome: Update to the latest version to mitigate CVE-2025-13223.
    • FortiWeb: Apply emergency patches for CVE-2025-64446 and CVE-2025-58034 immediately. If patching is impossible, pull appliances off the public internet.
  • Network Hygiene:
    • Audit your network for End-of-Life (EoL) ASUS routers. Replace any device that no longer receives firmware updates.
    • Block traffic from known "WrtHug" IPs if indicators are available (search for TLS certs expiring in 2122).

Strategic Priorities

  • Vendor Risk Management: Review the security disclosure processes of your critical vendors. The Oracle incident proves that even the largest providers can fail to patch their own systems in time.
  • Infrastructure Resilience: Review requirements for "kill-switch" controls and dependency maps to ensure that Cloudflare-like incidents don't happen again.

Protection Coverage

  • IPS/IDS Signatures:
    • For FortiWeb Exploitation: Path traversal patterns in HTTP requests and OS command strings should be monitored.
    • For Chrome Heap Corruption: Look out for anomalous heap activity or type confusion indicators in browser traffic (endpoint patching is essential).
  • Monitoring:
    • TLS Certificate Anomalies: Scan internal and edge networks for self-signed certificates with long expiration dates (>10 years).
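The WrtHug marker described earlier (a self-signed certificate expiring in April 2122) and the monitoring rule just above (self-signed certificates valid for more than 10 years) can be checked with the same logic. The script below is an added example written for this roundup, not code from the researchers who reported WrtHug. Each record uses the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns; the hosts, names and dates in `SAMPLE_CERTS` are constructed.

```python
"""Monitoring check for the WrtHug-style certificate marker: self-signed
TLS certificates with abnormally long validity. Added example, not from the
researchers who reported WrtHug. Records use the dict layout that
ssl.SSLSocket.getpeercert() returns; the SAMPLE_CERTS are constructed."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

MAX_VALIDITY_YEARS = 10.0                 # threshold from the monitoring guidance
CERT_TIME_FMT = "%b %d %H:%M:%S %Y GMT"   # date format used by getpeercert()


def parse_cert_time(s: str) -> datetime:
    return datetime.strptime(s, CERT_TIME_FMT).replace(tzinfo=timezone.utc)


def dn_to_dict(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def validity_years(cert: Dict) -> float:
    start = parse_cert_time(cert["notBefore"])
    end = parse_cert_time(cert["notAfter"])
    return (end - start).days / 365.25


def is_self_signed(cert: Dict) -> bool:
    # Heuristic: issuer DN equals subject DN. Verifying the signature against
    # the certificate's own public key is stronger but needs an X.509 library.
    return dn_to_dict(cert["issuer"]) == dn_to_dict(cert["subject"])


def assess(host: str, cert: Dict) -> Dict:
    years = validity_years(cert)
    flags: List[str] = []
    if is_self_signed(cert):
        flags.append("self_signed")
    if years > MAX_VALIDITY_YEARS:
        flags.append("long_validity")
    if len(flags) == 2:
        priority = "high"      # both markers together match the WrtHug profile
    elif flags:
        priority = "medium"    # self-signed alone is common on IoT gear
    else:
        priority = "info"
    return {"host": host, "validity_years": round(years, 1),
            "expires": cert["notAfter"], "flags": flags, "priority": priority}


def triage(inventory: List[Tuple[str, Dict]]) -> List[Dict]:
    """Assess every (host, cert) pair and return them worst-first."""
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted((assess(h, c) for h, c in inventory),
                  key=lambda r: order[r["priority"]])


# Constructed inventory; none of these are real hosts or real certificates.
SAMPLE_CERTS = [
    ("router-lab-01.example.net", {   # self-signed, 100-year validity
        "subject": ((("commonName", "router"),),),
        "issuer": ((("commonName", "router"),),),
        "notBefore": "Apr 21 00:00:00 2022 GMT",
        "notAfter": "Apr 21 00:00:00 2122 GMT"}),
    ("www.example.net", {             # CA-issued, one year
        "subject": ((("commonName", "www.example.net"),),),
        "issuer": ((("organizationName", "Example CA"),),
                   (("commonName", "Example CA R3"),)),
        "notBefore": "Jan 10 00:00:00 2025 GMT",
        "notAfter": "Jan 10 00:00:00 2026 GMT"}),
    ("iot-cam-07.example.net", {      # self-signed, two years (typical IoT)
        "subject": ((("commonName", "cam"),),),
        "issuer": ((("commonName", "cam"),),),
        "notBefore": "Mar 01 00:00:00 2024 GMT",
        "notAfter": "Mar 01 00:00:00 2026 GMT"}),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_CERTS):
        print(f"{rec['priority']:6} {rec['host']:28} {rec['validity_years']:6} years "
              f"expires {rec['expires']} {rec['flags']}")
```

One caveat when feeding this from live scans: `getpeercert()` only returns a populated dictionary after the certificate has been verified, so an untrusted self-signed endpoint yields an empty dict. For those hosts fetch the DER form with `getpeercert(binary_form=True)` and decode it with an X.509 library, or build the inventory from a passive source such as Zeek's `x509.log`, which records subject, issuer and the validity window. Ranking by priority rather than alerting on every self-signed certificate keeps the long-lived ones, the actual marker, at the top of the queue.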

Intelligence Summary

November 17-21, 2025 served as a harsh lesson in "physician, heal thyself." The world watched security vendors like Fortinet and tech giants like Oracle and Cloudflare stumble, and saw how the downstream effects were immediate and global.

The Cloudflare outage demonstrated that a single configuration file can do as much damage as a botnet. Meanwhile, Operation WrtHug reveals that while we worry about zero-days, adversaries are quietly colonizing the "ghost gear" (EoL devices) that we've forgotten about.

Stay informed. Stay secure.