Description

Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams.

Key Topics Covered
Microsoft Security Updates

• 89 total vulnerabilities patched (12 critical, 4 zero-days)
• CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
• CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
• CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
• CVE-2025-1789: MSHTML remote code execution via Office documents
• CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
• 23 remote code execution vulnerabilities across Windows, Office, and developer tools

Adobe Security Updates

• 35+ vulnerabilities patched across multiple products
• CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
• CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
• Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D

Oracle Critical Patch Update (October 2025)

• 374 new security patches addressing ~260 unique CVEs
• CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
• 73 patches for Oracle Communications (47 remotely exploitable without authentication)
• 20 patches for Fusion Middleware (17 remote unauthenticated)
• 18 fixes for MySQL
• Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server

SAP Security Updates

• 18 new security notes plus 1 updated note
• CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
• CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
• CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
• CVE-2025-42940: CommonCryptoLib memory corruption

Mozilla Firefox Updates

• Firefox 145.0 released November 11th
• 15 security vulnerabilities fixed (8 high impact)
• New anti-fingerprinting measures halving trackable users
• Memory safety and sandbox escape prevention

Apple Security Updates

• iOS/iPadOS 17.1 and macOS 14.1 released
• 100+ vulnerabilities patched across iPhones, iPads, Macs
• Critical kernel and WebKit bugs fixed
• Zero-click exploit prevention

Google Security Updates

• Chrome 142 with 5 security bug fixes
• Android November 2025 bulletin (patch level 2025-11-01)
• CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16

Third-Party Critical Vulnerabilities

• WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
• WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
• Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)

Critical Action Items for Businesses
IMMEDIATE (Deploy Within 24-48 Hours)

1. Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
2. Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
3. Windows Kernel - Patch CVE-2025-0445 zero-day exploit
4. Edge/Chrome - Update browsers to address CVE-2025-0334
5. Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
6. WordPress Post SMTP - Update to v3.6.1 or remove plugin
7. Cisco routers - Apply CVE-2025-20352 patches and check for compromise

HIGH PRIORITY (Deploy Within 1 Week)

1. SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
2. WSUS servers - Verify CVE-2025-59287 patch installed correctly
3. Adobe Connect - Update to version 12.10
4. Firefox, Chrome, Edge - Deploy browser updates organisation-wide
5. Android devices - Deploy November 2025 security bulletin
6. WatchGuard Firebox - Apply CVE-2025-9242 patch

STANDARD PRIORITY (Deploy Within 2-4 Weeks)

1. All other Microsoft patches - Complete Windows and Office updates
2. Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc.
3. Oracle - Complete October CPU deployment across all Oracle products
4. SAP - Apply remaining security notes across SAP landscape

CVE Quick Reference

CVE ID
Vendor
Severity
Status
Product

CVE-2025-0445
Microsoft
Critical
Actively Exploited
Windows Kernel

CVE-2025-0334
Microsoft
Critical
Actively Exploited
Edge/Chrome V8

CVE-2025-0078
Microsoft
Critical
Not Exploited Yet
Exchange Server

CVE-2025-1789
Microsoft
Critical
Not Exploited Yet
MSHTML

CVE-2025-59287
Microsoft
Critical (9.8)
Actively Exploited
WSUS

CVE-2025-54236
Adobe
Critical (9.1)
Actively Exploited
Magento/Commerce

CVE-2025-49553
Adobe
Critical (9.3)
Not Exploited Yet
Adobe Connect

CVE-2025-61882
Oracle
Critical
Actively Exploited
E-Business Suite

CVE-2025-42890
SAP
Critical (10.0)
Not Exploited Yet
SQL Anywhere Monitor

CVE-2025-42887
SAP
Critical (9.9)
Not Exploited Yet
Solution Manager

CVE-2025-11833
WordPress
Critical (9.8)
Actively Exploited
Post SMTP Plugin

CVE-2025-20352
Cisco
High
Actively Exploited
IOS/XE SNMP

CVE-2025-9242
WatchGuard
Critical
Not Exploited Yet
Firebox Firewalls

Resources & Links
Vendor Security Bulletins

• Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
• Adobe Security Bulletins: https://helpx.adobe.com/security.html
• Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
• SAP Security Notes: https://support.sap.com/securitynotes
• Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
• CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patch Tuesday Resources

• Microsoft Tech Community: https://techcommunity.microsoft.com/
• Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
• Security Week Patch Tuesday Coverage: https://www.securityweek.com/

Small Business Cybersecurity Resources

• Blog: https://thesmallbusinesscybersecurityguy.co.uk
• NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness
• Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials

Key Statistics

• 89 Microsoft vulnerabilities patched
• 4 actively exploited zero-days (Microsoft)
• 23 remote code execution flaws (Microsoft)
• 35+ Adobe vulnerabilities fixed
• 374 Oracle security patches
• 18 SAP security notes
• 200,000+ WordPress sites affected by Post SMTP bug
• 75,000 WatchGuard devices exposed online

Narrator

Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions.

About The Small Business Cyber Security Guy Podcast

The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining.

Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints.

Connect With Us

• Website: https://thesmallbusinesscybersecurityguy.co.uk
• Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
• Social Media: Follow us on LinkedIn for daily cybersecurity insights
• Contact: hello@thesmallbusinesscybersecurityguy.co.uk

 

Help us spread the word about practical cybersecurity for small businesses:

• ⭐ Subscribe to never miss an episode
• ⭐ Leave a review on Apple Podcasts or Spotify
• ⭐ Share this episode with other business owners who need to hear this
• ⭐ Comment below with topics you'd like us to cover next
• ⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources

Disclaimer

This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile.

Next Episode

Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately.

Episode Length: 10-11 minutes
Difficulty Level: Intermediate to Advanced
Best For: IT managers, business owners, MSP clients, anyone responsible for patching

The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses