
Critical Router Hijacks, VPN Vulnerabilities, and Supply Chain Attacks Target Small Businesses

by The Creator | Jun 12, 2026

VPN vulnerabilities and router exploits are actively targeting small businesses right now, with half of ransomware attacks now starting from compromised VPN credentials. CISA has ordered government agencies to patch a critical Fortinet FortiWeb flaw within seven days, signaling urgent risk for any business using this software.

A.I. Ron delivers urgent cybersecurity updates for November 19th, 2025, focusing on critical threats affecting small businesses. CISA has mandated government agencies patch a critical Fortinet FortiWeb vulnerability within seven days, emphasizing the urgency for all users. Operation WrtHug has compromised thousands of ASUS routers worldwide, turning them into espionage tools through exploitation of outdated firmware. The China-aligned PlushDaemon group is using EdgeStepper malware to hijack software updates through DNS redirection. Yesterday's Cloudflare outage, while not malicious, may have exposed organizations that temporarily disabled protection. A WhatsApp vulnerability has exposed 3.5 billion phone numbers, highlighting persistent security flaws. Ransomware continues to threaten businesses, with half of attacks now originating from compromised VPN credentials. A malicious Chrome VPN extension infected 9 million users over six years. Key recommendations include keeping network equipment updated, securing VPN access with multi-factor authentication, verifying software sources, and maintaining offline backups.

Sources:

  • https://www.bleepingcomputer.com/news/security/cisa-gives-govt-agencies-7-days-to-patch-new-fortinet-flaw/
  • https://cybersecuritynews.com/wrthug-asus-routers/
  • https://cybersecuritynews.com/chinese-plushdaemon-hackers-use-edgestepper-tool/
  • https://krebsonsecurity.com/2025/11/the-cloudflare-outage-may-be-a-security-roadmap/
  • https://cybersecuritynews.com/whatsapp-vulnerability-exposes-3-5-billion-users/
  • https://www.ransomware.live/id/VGhlIEludGVyVGVjaCBHcm91cEBha2lyYQ==
  • https://www.infosecurity-magazine.com/news/half-ransomware-access-hijacked/
  • https://cybersecuritynews.com/malicious-free-vpn-extension-with-9-million-installs/

Why are VPN vulnerabilities hitting small businesses harder than enterprise?

Small businesses lack the IT staffing to monitor firmware updates and VPN security. Operation WrtHug has already compromised thousands of ASUS routers by exploiting outdated firmware, while malicious VPN extensions (one infected 9 million Chrome users) slip past detection. PlushDaemon's EdgeStepper malware hijacks software updates through DNS redirection, meaning your update process itself becomes the attack vector. The most important actions: enable multi-factor authentication on all VPN access immediately, keep network equipment updated automatically, and verify software sources before installation. CISA's 7-day patch mandate for Fortinet is addressed to government agencies, but the urgency applies to you too.

Key takeaways

  • Enable multi-factor authentication on VPN access now (half of ransomware starts from stolen VPN credentials)
  • Update ASUS routers and Fortinet FortiWeb immediately (Operation WrtHug and CISA both confirm active exploitation)
  • Stop using free VPN extensions (Chrome extension with 9 million installs delivered malware for six years)
  • Maintain offline backups (ransomware remains a threat even with VPN security in place)

Frequently asked questions

Do I need to worry if we use Fortinet FortiWeb?

Yes. CISA mandated all government agencies patch this vulnerability within seven days, which signals critical severity. Apply the patch immediately regardless of your industry.

We use a free VPN extension for remote work. Is it safe?

No. A malicious Chrome VPN extension infected 9 million users over six years without detection. Replace it with a paid, reputable VPN service your company controls, and require multi-factor authentication.

What does 'compromised VPN credentials' actually mean for ransomware?

Attackers steal employee login credentials (password plus username) for your VPN and use them to access your network after hours. Once inside, they deploy ransomware. Multi-factor authentication blocks this attack path even if credentials are stolen.
