(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – November 20, 2025

The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Fortinet FortiWeb OS Command Code Injection Vulnerability
CVE: CVE-2025-58034
Description: An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-513

Fortinet FortiWeb Path Traversal Vulnerability 
CVE: CVE-2025-64446
Description: A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-910

SolarWinds Serv-U Path Restriction Bypass Vulnerability
CVE: CVE-2025-40549
Description: A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled.
Source: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549

SolarWinds Serv-U Logic Abuse – Remote Code Execution Vulnerability
CVE: CVE-2025-40547
Description: A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Source: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40547

SolarWinds Serv-U Broken Access Control – Remote Code Execution Vulnerability
CVE: CVE-2025-40548
Description: A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Source: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548

Google Chromium V8 Type Confusion Vulnerability
CVE: CVE-2025-13223
Description: Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Source: https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
CVE: CVE-2025-11001
Description: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.
Source: https://www.zerodayinitiative.com/advisories/ZDI-25-949/