Daily Briefing for 11.12.25

Top stories.

• Patch Tuesday notes.
• Google files lawsuit against alleged China-based phishing operation.
• Synnovis begins notifying healthcare providers of data breach following June 2024 ransomware attack.

Patch Tuesday notes.

November's Patch Tuesday saw more than 60 fixes from Microsoft, including an actively exploited zero-day (CVE-2025-62215) affecting the Windows kernel. The vulnerability can allow a local attacker to escalate privileges. Microsoft also patched a critical remote code execution bug (CVE-2025-60724) in the Windows GDI+ graphics library with a CVSS score of 9.8. The flaw can be exploited by uploading a maliciously crafted image file.

Infosecurity Magazine notes that this update cycle is the first since Windows 10 reached its end-of-life. Individuals or organizations that are still using Windows 10 can enroll in Microsoft's Extended Security Updates (ESU) to continue receiving patches. Users can enroll in ESU for free if they register their PCs, or they can pay a one-time fee of $30.

Ivanti, Zoom, and Adobe also issued patches yesterday, SecurityWeek reports. Ivanti patched two flaws (CVE-2025-9713 and CVE-2025-11622) that were disclosed last month, while Zoom fixed three high-severity privilege escalation bugs. Adobe issued fixes for 29 flaws across InDesign, InCopy, Photoshop, Illustrator, Pass, Substance 3D Stager, and Format Plugins.

SecurityWeek also has a round-up of patches from ICS vendors, including Siemens, Schneider Electric, Rockwell Automation, and Aveva.

Google files lawsuit against alleged China-based phishing operation.

Google has file a lawsuit against an organization based in China that allegedly runs a phishing-as-a-service operation, NPR reports. The organization, dubbed "Lighthouse," is accused of providing a phishing kit that spoofs hundreds of organizations, and has been used to create more than 32,000 phishing sites.

The lawsuit likely won't result in anyone being brought to trial, but Google's general counsel, Halimah DeLaine Prado, told NPR that the goal of the suit is deterrence. DeLaine Prado said, "It allows us a legal basis on which to go to other platforms and services and ask for their assistance in taking down different components of this particular illegal infrastructure. Even if we can't get to the individuals, the idea is to deter the overall infrastructure in some cases."

Synnovis begins notifying healthcare providers of data breach following June 2024 ransomware attack.

UK pathology laboratory services provider Synnovis is informing healthcare providers of a data breach following a ransomware attack the company sustained in June 2024, BleepingComputer reports. The affected providers will notify impacted individuals directly.

The HIPAA Journal reported in June of last year that the Qilin ransomware group had posted the alleged stolen data to its leak site, and that the data appeared to affect up to 300 million patients. Synnovis says the length of the investigation was due to the fragmented nature of the data. The company said in a press release, "We have now begun notifying the organisations whose data was affected and expect to conclude this process by 21 November 2025. This marks the latest stage of investigation that has taken a large team of forensic experts and data specialists over a year to complete. The stolen data was unstructured, incomplete and fragmented, requiring the use of highly specialised platforms and bespoke processes to piece it together – factors which heavily influenced the duration of the investigation."