Top 5 Cybersecurity News Stories November 21, 2025
Cybersecurity threats are constantly evolving as threat actors seek access to your data and money. To help you stay secure, we have searched the internet for the top five cybersecurity news stories of the week that we think you should be aware of. No story is too big or small as we look at threats from espionage to security flaws in everyday devices:
1. Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
The popular archiving tool 7-Zip is under active attack due to a vulnerability (CVE-2025-11001) that allows remote arbitrary code execution by exploiting symbolic links in ZIP files.

The issue, which affects Windows systems in particular, enables attackers to traverse to unintended directories and execute code in the context of a service account. The flaw was addressed in version 25.00 of 7-Zip released in July 2025. Security researchers urge all users to update immediately.
Read more on The Hacker News.
2. W3 Total Cache WordPress plugin vulnerable to PHP command injection
A critical flaw in the widely used W3 Total Cache (W3TC) plugin for WordPress allows unauthenticated attackers to execute arbitrary PHP commands on affected servers via a manipulated comment submission. The vulnerability, tracked as CVE-2025-9501, affects all W3TC versions prior to 2.8.13 and stems from misuse of the plugin’s _parse_dynamic_mfunc() function.

The plugin has over one million active installations, and with hundreds of thousands of downloads since the patch’s release, many sites remain exposed. Administrators are strongly advised to update immediately or disable relevant comment features.
Read more on Bleeping Computer.
3. Cloudflare restores services after outage impacts thousands of internet users
On 18 November 2025, a significant outage at Cloudflare disrupted access to major platforms including X (formerly Twitter) and ChatGPT for thousands of users worldwide. The incident began around 6:40 a.m. ET, when Cloudflare detected internal service degradation.

Reports to outage tracker Downdetector peaked at nearly 5,000 before dropping to about 600 by 8 a.m. ET. Cloudflare attributed the disruption to an “unusual traffic spike” to one of its services causing network errors, while assuring clients that a fix had been deployed and there were no signs of malicious intent.
Read more on Reuters.
4. Microsoft Mitigates Record 15.72 Tbps DDoS Attack Driven by AISURU Botnet
The Microsoft Azure network protection service successfully mitigated an unprecedented Distributed Denial of Service (DDoS) attack that peaked at 15.72 Tbps and nearly 3.64 billion packets per second. The assault was launched by the IoT-based AISURU botnet from over 500,000 source IP addresses, targeting a single Azure endpoint in Australia.

Microsoft described it as the largest known DDoS event in the cloud and said its global infrastructure and automated filters prevented impact to customers. The company warned that IoT-enabled volumetric attacks are rapidly escalating in scale and sophistication.
Read more on The Hacker News.
5. Google patches new Chrome zero-day bug exploited in attacks
Google has issued an emergency fix for a critical zero-day vulnerability (CVE-2025-5419) in its Chrome browser’s V8 JavaScript engine, which was being actively exploited in the wild. The flaw allows out-of-bounds read/write operations via a malicious HTML page, potentially enabling attackers to trigger heap corruption and arbitrary code execution.

The bug was reported on May 27 by Google’s Threat Analysis Group and mitigated the following day via a configuration update, before Google rolled out version 137.0.7151.68/.69 (or .68 for Linux) to the Stable channel.
Read more on Bleeping Computer.

