Daily Briefing for 12.18.25

Top stories.

• French police arrest suspect who allegedly planted malware on a passenger ferry.
• HPE issues patch for maximum-severity OneView flaw.
• Chinese threat actor targets maximum-severity Cisco zero-day.

French police arrest suspect who allegedly planted malware on a passenger ferry.

French police have arrested a Latvian crew member of an Italian passenger ferry who's suspected of infecting the ship with malware on behalf of a foreign nation-state. The individual allegedly installed a remote access Trojan while the ferry was docked at the Mediterranean port of Sète. According to Marine Insight, France's domestic intelligence service, the General Directorate for Internal Security (DGSI), is leading the investigation.

France's Interior Minister Laurent Nuñez told French media, "This is a very serious matter... individuals tried to hack into a ship's data-processing system. Investigators are obviously looking into interference. Yes, foreign interference. These days, one country is very often behind foreign interference." France 24 quotes the suspect's lawyer as saying the "theory of Russian interference evoked in the press seems superfluous," and that the investigation "will demonstrate that this case is not as worrying as it may have initially seemed."

Separately, French authorities arrested a 22-year-old suspected of hacking the country's Interior Ministry last week, the Record reports.

HPE issues patch for maximum-severity OneView flaw.

Hewlett Packard Enterprise (HPE) has issued a patch for a maximum-severity remote code execution vulnerability (CVE-2025-37164) affecting its OneView IT infrastructure management software, BleepingComputer reports. The flaw affects all OneView versions prior to 11.00 and can be exploited through low-complexity code injection attacks. Administrators are urged to update or apply hotfixes as soon as possible. HPE hasn't confirmed whether the flaw is being exploited in attacks.

Chinese threat actor targets maximum-severity Cisco zero-day.

Cisco Talos says a Chinese APT tracked as "UAT-9686" has been exploiting a maximum-severity zero-day affecting Cisco products since at least late November. The vulnerability (CVE-2025-20393) affects appliances running Cisco AsyncOS software for Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA). The threat actor is using the flaw to deploy a Python-based backdoor called "AquaShell," as well as "AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility)."

SecurityWeek notes that Cisco hasn't yet released patches, but has shared some mitigations. The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to apply the mitigations by December 24th.