Bulletin — November 2025
Anthropic publishes the first case of espionage with an autonomous coding agent. Microsoft Ignite and AWS re:Invent put "agent security" into product: Entra Agent ID GA, AgentCore Policy in preview with Cedar. FortiWeb 0-day CVE-2025-64446 exploited in the wild. Cloudflare down for 4 hours on the 18th over a badly-generated feature file. Logitech joins the Cl0p / Oracle E-Business cluster. Patch Tuesday with CVE-2025-62215 zero-day in Windows Kernel.
· Manuel López Pérez · news

November closes with two big threads that deserve the same bulletin. The first is the Anthropic report on the first documented case of “AI-orchestrated” espionage with Claude Code; the critical analysis lives in its own post, and this bulletin carries the summary and where it fits in the month. The second is Microsoft Ignite + AWS re:Invent arriving a month apart with the same message: agent security enters the product catalogue at the three hyperscalers. Below: FortiWeb with an active 0-day, Cloudflare down for 4 hours on the 18th, Logitech joining the Cl0p harvest via Oracle E-Business Suite, Patch Tuesday with a kernel 0-day, GPT-5.1, Gemini 3, Claude Opus 4.5, and Operation Endgame taking down Rhadamanthys and VenomRAT.
Anthropic — first documented “AI-orchestrated” espionage

13 November. Anthropic publishes “Disrupting the first reported AI-orchestrated cyber espionage campaign”. It attributes to a China-nexus group (high confidence, no public alias) the use of Claude Code via API to automate 80–90% of a campaign against ~30 organisations: large tech, banking, chemistry, government. Their Threat Intel team detected it in mid-September through anomalous API cadence (“thousands of requests, often multiple per second”). The jailbreak method is classic persona injection plus task decomposition: each subtask read in isolation is authorised security testing; the aggregate is an exfil operation.
The part that has generated debate is the absence of IoCs, TTPs in MITRE format and verifiable attribution. Independent critiques (Thoughtworks, PC Gamer picking up the community conversation) ask why a China-nexus APT would use a US commercial model when there are reasonable locally-runnable open-weights models, and about Anthropic’s commercial conflict of interest in publishing this eleven days after the Claude Opus 4.5 launch. The facts aren’t invalidated; the emphases do deserve critical reading.
The full technical analysis (what the report proves, what it doesn’t, what operationally changes) lives in the dedicated post. On 26 November, the Homeland Security Committee sends a letter to Dario Amodei requesting testimony on the case.
Source: https://www.anthropic.com/news/disrupting-AI-espionage
Microsoft Ignite — agent security enters the product
17–21 November, San Francisco. Microsoft Ignite 2025. Microsoft’s book of news brings three things that can no longer be ignored on a CISO’s roadmap with Microsoft 365 in production.
Microsoft Entra Agent ID — GA. First-class identity for AI agents: agent registry, mandatory human sponsor for each agent, lifecycle workflows warning when a sponsor changes role, Conditional Access applied to agent identities the same as human identities. New administrative roles: Agent ID Administrator, Agent ID Developer, Agent Registry Administrator. The SDK supports integration with third-party agents (AWS Bedrock, n8n) via workload identity federation. The operational question this closes: who’s responsible when an agent acts? Answer: the registered human sponsor, with associated audit trail.
Agent 365 — available via Frontier programme. Control plane for agent fleets: central registry, access control by Agent Policy Templates, runtime activity dashboard, native integration with Defender + Entra + Purview. It’s Microsoft’s conceptual equivalent of “Active Directory for agents”.
Defender for Cloud — AI security posture in preview. Support for Foundry and Copilot Studio: agent and AI workload inventory, identification of overpermissions and unsafe instructions, attack path analysis on AI surfaces. Defender for AI agents (preview): runtime threat detection on Copilot Studio agents.
Purview — DLP for Copilot prompts (preview). Blocks Copilot responses containing sensitive data (PII, PCI). Oversharing reports and bulk remediation of overshared links in SharePoint. AI observability in DSPM.
The CISO reading: Microsoft has decided that “AI agent” is an identity principal, not a service. The internal roadmap has to assume each deployed agent will have an identity record, conditional access policy, human sponsor, differentiated logging and limited scope. The hard part will be inventorying what’s already running before starting to apply policy.
Sources: https://news.microsoft.com/ignite-2025-book-of-news/ · https://learn.microsoft.com/en-us/entra/fundamentals/whats-new-ignite-2025 · https://www.microsoft.com/en-us/security/blog/2025/11/18/ambient-and-autonomous-security-for-the-agentic-era/
AWS re:Invent — Bedrock AgentCore Policy and AWS Security Agent

30 November – 4 December, Las Vegas (main announcements from the 2nd to the 4th). AWS re:Invent 2025. What affects AI security:
Amazon Bedrock AgentCore Policy — preview. Policy enforcement system for agent tool calls, based on Cedar (the same language as Verified Permissions). Policies are written in native Cedar or in natural language; AgentCore translates them to Cedar. Enforcement point: the Gateway intercepts each tool call before it executes and allows/denies according to policy. Enforcement and logging-only modes (for testing). Supports APIs, Lambda, MCP servers, third-party tools. The decision is out-of-band relative to the agent’s reasoning loop — the model doesn’t decide which tool it can call, it decides which tool it tries to call and Cedar validates.
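The enforcement model described above, as an added example (not AWS code and not Cedar syntax): a small Python model of a gateway that evaluates each tool call with Cedar-style semantics (default deny, a matching forbid overrides any permit) and supports a log-only mode. The tool names, agent name and policies are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class ToolCall:
    agent: str
    tool: str
    args: dict


@dataclass
class Policy:
    name: str
    effect: str                       # "permit" or "forbid"
    when: Callable[[ToolCall], bool]  # condition over principal, action and context


def decide(policies, call):
    """Cedar-style evaluation: default deny, and any matching forbid wins."""
    matched = [p for p in policies if p.when(call)]
    forbids = [p.name for p in matched if p.effect == "forbid"]
    if forbids:
        return "deny", forbids
    permits = [p.name for p in matched if p.effect == "permit"]
    return ("allow", permits) if permits else ("deny", [])


class Gateway:
    """Sits between the agent and its tools; the agent never sees the policies."""

    def __init__(self, policies, tools, enforce=True):
        self.policies, self.tools, self.enforce = policies, tools, enforce
        self.audit = []

    def invoke(self, call: ToolCall):
        decision, reasons = decide(self.policies, call)
        self.audit.append((call.agent, call.tool, decision, reasons))
        if decision == "deny" and self.enforce:
            raise PermissionError(f"{call.tool} denied for {call.agent}")
        return self.tools[call.tool](**call.args)  # log-only mode falls through


# Hypothetical tools and policies, constructed for this example.
TOOLS = {"refund": lambda amount: f"refunded {amount}",
         "delete_customer": lambda customer_id: f"deleted {customer_id}"}
POLICIES = [
    Policy("support-can-refund", "permit",
           lambda c: c.agent == "support-agent" and c.tool == "refund"),
    Policy("no-large-refunds", "forbid",
           lambda c: c.tool == "refund" and c.args.get("amount", 0) > 500),
]
```

Running the same calls through `Gateway(POLICIES, TOOLS, enforce=False)` shows what a policy would have blocked: the call executes, and the audit trail records the deny with the policy that caused it.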
AgentCore Evaluations — preview. Built-in evaluators (correctness, helpfulness, safety, tool selection accuracy, goal success, harmfulness, stereotyping) plus custom evaluators. Results to CloudWatch with alerting.
AgentCore Identity. Identity directory for agents, authoriser, token vault for OAuth tokens. Three-legged and two-legged OAuth flows; integration with external identity providers (IDP-agnostic). The token vault stores user access tokens so the agent can act on-behalf-of without asking for consent per action.
AWS Security Agent — preview. AWS’s frontier agent for automated security testing. It does design review, code analysis and context-aware penetration testing. Announced on 3 December. It’s AWS’s response to the pattern the Anthropic report makes visible: if offence with an agent is here, defence with an agent has to scale.
Bedrock Guardrails — Automated Reasoning checks GA. Formal verification against codified domain rules; providers cite “up to 99% accuracy” in detecting hallucinations. Available in four EU regions. Also applies to third-party models via the ApplyGuardrail API.
Cross-cutting pattern between Ignite and re:Invent: the three hyperscalers are converging on the same conceptual stack — identity for agents, out-of-band policy enforcement, runtime telemetry, continuous evaluation. What changes is the wire format and the billing chain. For 2026, “this will appear in RFPs” goes from prediction to operational fact.
Fortinet FortiWeb — CVE-2025-64446, zero-day under exploitation
13 November. Defused detects exploitation against honeypots since early October. 14 November Fortinet publishes advisory for CVE-2025-64446, path traversal with auth bypass in FortiWeb (WAF). Typical payload:
POST /api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: <target>
Content-Type: application/json

{"data": {"name": "Testpoint", "password": "3eMIXX43", ...}}

The server interprets the normalised path as /cgi-bin/fwbcgi and, because the query string carries the path traversal, skips auth. The result is the creation of an administrative account with full privileges. Account names observed in mass exploitation: Testpoint, trader, trader1, with passwords 3eMIXX43, AFT3$tH4ck, AFT3$tH4ckmet0d4yaga!n; these are useful IoCs for a retroactive hunt. Affected: FortiWeb 8.0.1 and earlier; backports for 7.6.x and 7.4.x. Mitigation: update to 8.0.2 and audit administrative accounts created between early October and the patch date.
Rapid7 confirms public exploits stop working after 8.0.2. CVSSv3 9.1 / 9.8 depending on source. Assets compromised before the patch remain compromised — the administrative account created isn’t deleted on update.
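One way to run the retroactive hunt described above, as an added example that is not Fortinet's or the original post's code: it flags access-log entries matching the request shape shown in this section and checks a list of configured administrator names against the account names listed above. The log format (common/combined access log) and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Admin account names the bulletin lists as observed in mass exploitation.
ROGUE_ADMIN_NAMES = {"testpoint", "trader", "trader1"}

# Request line as it appears in a common/combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_traversal_to_fwbcgi(log_line: str) -> bool:
    """True for a POST to the admin API whose target traverses to cgi-bin/fwbcgi."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "POST":
        return False
    target = m.group("target")
    for _ in range(3):  # some loggers percent-encode the target; undo up to 3 layers
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    target = target.lower()
    return (target.startswith("/api/v2.0/cmdb/system/admin")
            and "../" in target
            and "cgi-bin/fwbcgi" in target)


def hunt(log_lines, admin_accounts):
    """Return (matching log lines, configured admin names that match the IoC list)."""
    hits = [line for line in log_lines if is_traversal_to_fwbcgi(line)]
    rogue = sorted(a for a in admin_accounts if a.lower() in ROGUE_ADMIN_NAMES)
    return hits, rogue


# Constructed sample data: documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Nov/2025:10:01:22 +0000] "POST /api/v2.0/cmdb/system/admin'
    '?/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 312',
    # Same request as recorded by a logger that percent-encodes the target.
    '198.51.100.9 - - [03/Nov/2025:10:02:10 +0000] "POST /api/v2.0/cmdb/system/admin'
    '%3F/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 312',
    '203.0.113.5 - - [03/Nov/2025:10:04:00 +0000] "POST /api/v2.0/cmdb/system/admin'
    ' HTTP/1.1" 401 87',
]
SAMPLE_ADMINS = ["admin", "netops", "trader1", "Testpoint"]

if __name__ == "__main__":
    hits, rogue = hunt(SAMPLE_LOG, SAMPLE_ADMINS)
    print(f"{len(hits)} suspicious requests; admin accounts to review: {rogue}")
```

A clean result on the name check does not clear a device: the names above are only those observed in mass exploitation, so every administrative account created in the exposure window still needs review.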
Source: https://nvd.nist.gov/vuln/detail/CVE-2025-64446 · https://www.tenable.com/blog/cve-2025-64446-fortinet-fortiweb-zero-day-path-traversal-vulnerability-exploited-in-the-wild
Patch Tuesday — 63 CVEs, CVE-2025-62215 kernel 0-day
11 November. Microsoft closes 63 CVEs: 5 critical, 58 important. The one deserving priority:
- CVE-2025-62215 — Windows Kernel privilege escalation, active exploitation confirmed by Microsoft. Race condition + some level of prior system access. CVSS 7.0. It’s a zero-day in the strictest sense: in-the-wild exploitation before the patch.
- CVE-2025-60724 — GDI+ RCE, CVSS 9.8, heap-based buffer overflow triggered by a malformed file.
- CVE-2025-62199 — Office RCE, use-after-free, requires opening a malicious document.
- CVE-2025-60716 — DirectX kernel EoP, CVSS 7.0.
- CVE-2025-62214 — Visual Studio RCE.
Month pattern: the kernel remains a tier-one surface for actors with their own exploit dev. The race condition of CVE-2025-62215 isn’t trivial to exploit remotely (requires local access first), but combined with an infostealer or with an initial drive-by it goes directly to SYSTEM.
Source: https://msrc.microsoft.com/update-guide/ · https://www.tenable.com/blog/microsofts-november-2025-patch-tuesday-addresses-63-cves-cve-2025-62215
Cloudflare — 4h 10min outage over badly-generated feature file

18 November, 11:20 UTC. Cloudflare starts serving errors in proxy core. Down ~4h 10min. Impact: X / Twitter, ChatGPT, Cloudflare Access, Workers KV, thousands of client sites. No attack attribution.
The official post-mortem reconstructs the bug: a change in database permissions causes the query that generates the feature file of the Bot Management System to return duplicate entries. The file doubles in size. That file propagates to the whole network. The binaries consuming it don’t handle the unexpected size and fail in chain. Cloudflare also publishes a Code Orange resilience plan in response — the bet is “fail small” instead of “don’t fail”.
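The failure mode above, turned into a consumer-side guard, as an added example that is not Cloudflare's code: a loader that rejects a feature file with duplicate entries or more entries than it was sized for, and keeps serving the last good set instead of crashing. The one-name-per-line format and the limit of 200 are assumptions for illustration.

```python
from collections import Counter

MAX_FEATURES = 200  # assumed capacity the consumer was sized for (illustrative value)


class FeatureFileRejected(Exception):
    """Raised when a candidate feature file fails validation."""


def parse_feature_file(text: str, max_features: int = MAX_FEATURES) -> list[str]:
    """Parse one feature name per line (assumed format), rejecting bad files."""
    names = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not names:
        raise FeatureFileRejected("empty feature file")
    dupes = [n for n, c in Counter(names).items() if c > 1]
    if dupes:
        raise FeatureFileRejected(f"{len(dupes)} duplicated feature names")
    if len(names) > max_features:
        raise FeatureFileRejected(f"{len(names)} features exceeds limit {max_features}")
    return names


class FeatureStore:
    """Consumer side: a rejected file is logged and the last good set keeps serving."""

    def __init__(self):
        self.active: list[str] = []
        self.rejections: list[str] = []

    def update(self, text: str) -> bool:
        try:
            candidate = parse_feature_file(text)
        except FeatureFileRejected as exc:
            self.rejections.append(str(exc))  # alert here; do not crash the proxy
            return False
        self.active = candidate
        return True


# Constructed input: a healthy file, and the same file with every row duplicated.
GOOD_FILE = "\n".join(f"feature_{i}" for i in range(120))
DOUBLED_FILE = GOOD_FILE + "\n" + GOOD_FILE


def demo():
    store = FeatureStore()
    first = store.update(GOOD_FILE)
    second = store.update(DOUBLED_FILE)
    return first, second, len(store.active), store.rejections
```

The same `parse_feature_file` check belongs on the producer side before propagation, so a bad file is stopped at generation and the consumer guard is the second line of defence.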
What this teaches isn’t new, but it’s worth noting again: cloud infrastructure shared fate is real. When Cloudflare goes down for 4 hours, the percentage of global HTTPS traffic impacted doesn’t admit short-term client-side remediation; there’s no instant multi-CDN failover covering four hours. For critical services, the question isn’t “what do we do if Cloudflare goes down?” but “what is it reasonable to fail with Cloudflare?”.
Source: https://blog.cloudflare.com/18-november-2025-outage/
Cl0p reoffends — Logitech via Oracle E-Business Suite 0-day

14 November. Logitech confirms to the SEC it has been a Cl0p victim. The initial vector: Oracle E-Business Suite zero-day exploited by the group in a campaign affecting multiple victims beyond Logitech. Estimated exfil: ~1.8TB of data. Logitech states the dataset doesn’t include sensitive PII or payment data. No public confirmation of the specific CVE at month-close; Oracle has published a restricted-to-customers advisory.
The pattern is Cl0p’s fifth in three years — GoAnywhere (January 2023), MOVEit (June 2023), Cleo MFT (December 2024), now Oracle E-Business Suite (October–November 2025). The cadence is operational: an enterprise software provider with B2B surface and public exposure is a zero-day research target by the group, with coordinated publication on its leak site when the time comes. Cl0p has an industrial playbook; what changes between incident and incident is the vendor.
Source: https://www.helpnetsecurity.com/2025/11/17/logitech-data-breach/
ShadowRay 2.0 — Ray cluster botnet with AI-generated payload

November 2025. Oligo Security publishes the second chapter of ShadowRay. The bug is the same as 2024’s: CVE-2023-48022, CVSS 9.8, missing authentication on Anyscale Ray’s Job Submission API (/api/jobs/). Anyscale documents the design as deliberate: “Ray runs on an isolated network”. The reality continues to be: 230,000 Ray servers accessible from the internet at month-close (vs a few thousand in 2024).
What’s new: the botnet is self-spreading. Each compromised cluster scans the public space of Ray dashboards and replicates the payload. The main payload is XMRig mining Monero, but the operators added sockstress (DDoS via TCP state exhaustion), probably targeting rival pools or competitor infra. And a detail from the technical analysis that marks the year: the payloads carry the signature of AI-generated code: unnecessarily verbose docstrings, unused echo, repetitive comments, boilerplate error handling. These are operators with little coding background using a model to scale.
For defence: the CISA KEV catalogue has had the CVE since 2024; the problem isn’t the patch (there is none, by design), it’s the deployment. Any Ray deployment exposed to the internet is compromised or is being compromised. Network isolation, authentication via reverse proxy and CPU/GPU load monitoring are the three effective compensating controls.
Source: https://thehackernews.com/2025/11/shadowray-20-exploits-unpatched-ray.html · https://www.bleepingcomputer.com/news/security/new-shadowray-attacks-convert-ray-clusters-into-crypto-miners/
Rest of the month
- Cisco ASA / FTD — continued exploitation of CVE-2025-20333 + CVE-2025-20362. On 5 November Cisco updates the advisory: new variant of the ArcaneDoor attack (UAT4356 / Storm-1849) causing reload of unpatched devices (DoS condition). Observed implants: LINE VIPER (post-exploit), FIRESTARTER (persistence surviving firmware update). CISA Emergency Directive ED 25-03 remains active. If your team hasn’t finished the September sweep, this reminder is for you.
- Eurofiber — 13 November. Dutch fibre operator detects an intrusion in its ticket management system. Actor ByteToBreach claims it on 16 November, alleging 10,000 enterprise and government clients. Vector: SQL injection in GLPI; extraction of ~10,000 bcrypt hashes in 10 days with 20 EU VPS deployed to accelerate. Lesson: your ticketing platform is a crown jewel: it contains the operational context of all projects.
- Operation Endgame — 10 to 13 November. Europol coordinates takedown of Rhadamanthys (525,303 unique infections recorded March–November 2025), VenomRAT and Elysium botnet. 1,025+ servers, 20 domains. Arrest of the main VenomRAT operator in Greece on 3 November. The infostealer logs market loses material infrastructure; actors will regroup, but not in a week. For defenders: if you depend on feeds hunting Rhadamanthys, the next 30–60 days are a better detection window than usual.
- GPT-5.1 + Gemini 3 + Claude Opus 4.5 in a week. 12 November OpenAI publishes GPT-5.1 (Instant and Thinking variants). 18 November Google launches Gemini 3 Pro. 24 November Anthropic publishes Claude Opus 4.5. The 12-day window concentrates the coordinated three-way release cycle in a pattern that will repeat each quarter. For AI security: if your adversarial evaluation is running on a September snapshot, it’s already obsolete. The three models have improved dev and agentic capability; repeating the pattern of the Anthropic report will be marginally easier on any of the three than on the previous generation.
- Docker Ask Gordon — prompt injection CVE. 6 November. Docker patches its AI assistant (Ask Gordon, integrated into Docker Desktop) in version 4.50.0. The vulnerability: prompt injection via malicious image metadata on Docker Hub. The assistant reads the image description as context and obeys embedded instructions. It’s the tool poisoning pattern applied to container registry metadata — new surface, same root.
- CISA KEV additions in November. Two main additions: CVE-2025-11371 (Gladinet CentreStack / Triofox, files accessible to external parties) and CVE-2025-48703 (CWP Control Web Panel, OS command injection). Both with three-week remediation deadlines.
Pattern of the month
If I distil November into one sentence: the month “agent security” stops being a research category and becomes a SKU at three hyperscalers, and symmetrically the month the first public report describes a commercial agent used as a tool of espionage. The two threads aren’t a coincidence. Microsoft, AWS and Google have spent a year and a half investing in the control plane needed to put agents into enterprise product; what changed in 2025 is that the threat model stopped being hypothetical. The Anthropic report, regardless of the weight each reader gives it, turns “agent abuse” into an advisory line, not a paper hypothesis.
The other thing that repeats, month on month, is the chain exposed edge appliance + vendor with questionable patch hygiene + mass exploitation for weeks before the patch. FortiWeb in November is the month’s edition; the pattern repeats with all WAF / VPN / edge perimeter vendors. It’s 2025, year five counting since Ivanti January 2024. The industry hasn’t changed shape.
See you in December with the year retrospective.


