

Look back and stay ahead
November is a month for reminiscing — looking back over the last 11 months to take stock of what’s been done in anticipation of what’s to come. This month, we’re reminded that “new” threats are not always novel; sometimes they emerge from the past, repurposed by threat actors who never stop innovating.
Nov. 5: Three container escape vulnerabilities
- CVE-2025-3113, CVE-2025-52565, and CVE-2025-52881 affect runc, the container runtime used by many platforms like Docker and Kubernetes.
- If exploited, these vulnerabilities could allow an attacker to bypass container isolation and gain root access to the host system.
- Organizations are encouraged to update immediately, as all known versions of runc are affected by two of the vulnerabilities.
- Sysdig’s response: A detailed blog was published on November 6 with recommended mitigations if immediate updating is not possible, and detections for Sysdig Secure customers and Falco users. A threat bulletin was also emailed to customers.
Nov. 20: Linux kernel exploitation CVE-2024-1086
- A vulnerability present in the Linux kernel for over 10 years was discovered in January 2024 and patched the following month.
- On October 31, 2025, CISA confirmed that it was being actively exploited in ransomware campaigns.
- The vulnerability provides attackers with root privileges that grant them full admin control, allowing them to disable security tools and compromise additional systems.
- Organizations are encouraged to prioritize patching their Linux infrastructure, taking care to check legacy and rarely used systems that may still be exposed.
- Sysdig’s response: We published a technical analysis of CVE-2024-1086 and released detection rules for Sysdig Secure customers.
Nov. 24: The Shai-Hulud worm returns
- Shai-Hulud is a worm (self-propagating malware) that was first launched on September 15, infecting approximately 200 packages and publishing victim data on GitHub.
- A modified version of the worm quickly compromised nearly 1,000 packages, leaking tens of thousands of credentials on GitHub at the end of November.
- Organizations are encouraged to immediately remove compromised packages and replace them with clean versions, clear their npm cache, and rotate credentials. In addition, they should conduct a threat hunt for newly created repositories and for unauthorized changes to workflows and commit history.
- Sysdig’s response: A public blog and threat bulletin were released the same day with detections for both versions of the worm for Sysdig Secure customers.
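As an added illustration of the remediation and threat-hunting steps listed above (this is not code from the Sysdig post or from any Sysdig tool), the Python script below audits a package-lock.json for dependency entries on a blocklist and flags workflow files that are not on a known allowlist. The blocklist entries, the sample lockfiles, and the workflow allowlist are constructed placeholders; real affected package@version pairs come from the published threat bulletin and npm advisories. The script handles both the lockfileVersion 1 layout (nested "dependencies") and the version 2/3 layout (flat "packages"), which is more general than the text above.

```python
"""Audit a package-lock.json and a workflows directory for incident response.

Added example: the blocklist, sample lockfiles and allowlist below are
CONSTRUCTED placeholders, not real indicators from the Shai-Hulud incident.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Constructed placeholder blocklist of (package name, version) pairs.
COMPROMISED = {
    ("example-pkg-a", "1.2.3"),
    ("@example-scope/pkg-b", "4.5.6"),
}


def _walk_v1(deps: dict, prefix: str, out: list) -> None:
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        out.append((path, name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def installed_entries(lock: dict) -> list[tuple[str, str, str]]:
    """Return every (path, name, version) the lockfile pins, any version."""
    out: list[tuple[str, str, str]] = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Nested installs look like node_modules/a/node_modules/@s/b;
            # the package name is whatever follows the last node_modules/.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            out.append((path, name, meta.get("version", "")))
    else:  # lockfileVersion 1: nested 'dependencies' objects
        _walk_v1(lock.get("dependencies", {}), "", out)
    return out


def find_compromised(lock: dict, blocklist=COMPROMISED) -> list[tuple[str, str, str]]:
    """Lockfile entries whose (name, version) is on the blocklist, sorted by path."""
    return sorted(e for e in installed_entries(lock) if (e[1], e[2]) in blocklist)


def audit_lockfile(path: Path, blocklist=COMPROMISED) -> list[tuple[str, str, str]]:
    """Load a package-lock.json from disk and run find_compromised on it."""
    return find_compromised(json.loads(path.read_text()), blocklist)


def unexpected_workflows(workflow_files, allowlist) -> list[str]:
    """Workflow file names not on the allowlist; each one deserves review,
    since the hunt step above looks for unauthorized workflow changes."""
    return sorted(set(workflow_files) - set(allowlist))


# Constructed sample data for a stand-alone run.
SAMPLE_LOCK_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-pkg-a": {"version": "1.2.3"},
        "node_modules/left-pad-ish": {"version": "9.9.9"},
        "node_modules/left-pad-ish/node_modules/@example-scope/pkg-b": {"version": "4.5.6"},
        "node_modules/@example-scope/pkg-b": {"version": "4.5.7"},  # clean version
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "example-pkg-a": {
            "version": "1.2.3",
            "dependencies": {"@example-scope/pkg-b": {"version": "4.5.6"}},
        }
    },
}
KNOWN_WORKFLOWS = ["ci.yml", "release.yml"]  # hypothetical allowlist


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lock_path = Path(tmp) / "package-lock.json"
        lock_path.write_text(json.dumps(SAMPLE_LOCK_V3))
        for path, name, version in audit_lockfile(lock_path):
            print(f"REMOVE/REPLACE {name}@{version} at {path}")
    for hit in find_compromised(SAMPLE_LOCK_V1):
        print("v1 hit:", hit)
    for wf in unexpected_workflows(KNOWN_WORKFLOWS + ["unexpected-added.yml"], KNOWN_WORKFLOWS):
        print("REVIEW workflow:", wf)
```

Point `audit_lockfile` at a real lockfile and swap the placeholder blocklist for the published indicators; a non-empty result is the list to remove and reinstall from clean versions, after which the npm cache clear and credential rotation from the steps above still apply, because the lockfile check says nothing about what an already-executed package did.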
Additional educational resources
If there’s one thing the cybersecurity community excels at, it’s persistent improvement. The Sysdig Threat Research Team (TRT) is dedicated to the idea of a more secure world for everyone and encourages collaboration. On November 13, we published a new educational blog titled Hunting Reverse Shells: How the Sysdig Threat Research Team builds smarter detection rules.
This blog provides a glimpse into how Sysdig threat researchers write new detections, to help others in the industry improve their own detection capabilities. Using three types of reverse shells commonly used by attackers as examples, readers will learn how to continuously evolve precise and adaptable rules.
Also in the news
- Financial sector supply chain breach: Real estate financial firm SitusAMC publicly disclosed a material incident on November 22, 10 days after the breach was identified. Financial giants like Morgan Stanley, JPMorgan Chase, and Citi were informed that real estate loan and mortgage-related data was stolen. With an investigation fully underway, the full scope of victim impact is yet to be determined.
- Personal information of 33.7 million accounts stolen: South Korea’s largest online retailer, Coupang, announced the unauthorized data access on November 30. The access is believed to have started in late June and was discovered on November 18. The South Korean government is investigating what a few sources say may have been an insider threat.
- Microsoft zero-day dropped on Patch Tuesday: While the CVSS score may be low for CVE-2025-62215 due to exploitation complexity, this Windows Kernel vulnerability is being actively exploited, so it needs to be patched immediately. Upon winning a race condition, an attacker can elevate local privileges.
- The Cyber Security and Resilience (CS&R) Bill: Introduced to the UK Parliament on November 12, the bill expands upon and modernizes the country’s existing NIS Regulations 2018. Similar to the EU’s NIS2 Directive, it’s meant to impose stronger cybersecurity requirements across a wider range of organizations.
Closing thoughts
As we head toward the end of the year, it remains clear that security never takes a holiday. Beyond all that was discussed here, there were several other breaches in November and a surge in botnet loaders and info-stealers.
Take a moment to be thankful for the resilience and vigilance of our security community — those who choose to defend every day.
Sysdig is thankful that our collective efforts can be so powerful. Old threats may persist, but so do the teammates who jump on incidents without hesitation, the researchers who publish their findings openly, and the engineers who patch through the night. Let’s carry that momentum forward into the new year.
Don’t wait for next month’s wrap-up! To stay ahead of emerging threats, keep a close eye on the latest insights from the Sysdig Threat Research Team.
