Cybersecurity Today: "On the Zero Day of Christmas – Cisco Devices Under Attack"
Host: David Shipley (substituting for Jim Love)
Date: December 19, 2025
Episode Overview
In this timely episode, David Shipley reports on a surge of critical cybersecurity incidents affecting business and government networks globally, just in time for the holiday season. The show covers an actively exploited zero-day vulnerability in Cisco Secure Email Gateways, a dramatic cyber-attack on a passenger ferry in France, and the latest data theft campaign by the notorious CLOP ransomware group. The focus is on practical mitigation advice, emerging threats, and their real-world consequences.
Key Discussion Points and Insights
1. Zero-Day Flaw in Cisco Email Gateways Under Active Attack
Segment: [00:20–04:50]
- Cisco has disclosed a severe zero-day (CVE-2025-2393, CVSS 10) in AsyncOS, the operating system for Cisco Secure Email Gateway and Secure Email and Web Manager appliances.
- The flaw allows attackers to execute arbitrary commands as root.
- The attacks are linked to a China-nexus APT (UAT9686).
- Exploitation requires the "Spam Quarantine" feature to be enabled and accessible from the Internet.
- "While this feature is not enabled by default, Cisco has identified already a limited number of exposed appliances that were accessible externally." [02:05]
- Attackers are using:
  - Tunneling tools (Reverse SSH, Chisel)
  - A Python backdoor (“AquaShell”) that listens for specially crafted HTTP requests and executes the shell commands they carry.
- Patching:
  - No patch yet. Cisco advises immediately limiting Internet exposure, firewalling the devices, shutting down unnecessary services, and separating the mail and management network interfaces.
  - If you are compromised: rebuilding the appliance is the only way to remove the attackers.
- Regulatory impact:
  - CISA has added the vulnerability to its Known Exploited Vulnerabilities list and mandated mitigation for U.S. federal agencies by Dec 24.
- Notable Quote:
  - "I guess that's a Merry Christmas from China this year for a lot of tired government workers." [04:36]
- Implication:
  - The campaign's timing and scale underscore the persistent threat from state actors, especially around periods of organizational vulnerability like holidays.
2. Hollywood-Style RAT Attack on Passenger Ferry in France
Segment: [04:51–07:24]
- French security services are probing suspected foreign interference in a malware incident aboard a passenger ferry (the "Fantastic", operated by GNV) in southern France.
- The ship, with capacity for 2,000+ passengers, was found to be infected with a remote access trojan (“RAT”) capable of controlling onboard systems.
- Incident overview:
  - Italian authorities warned France, prompting an emergency inspection in port.
  - A Latvian crew member was arrested; possible crew complicity is being investigated.
  - Infiltration likely required physical access (USB, Raspberry Pi, etc.).
- National security implications:
  - France’s DGSI leads the investigation; an organized foreign group (possibly Russian-backed) is suspected.
  - “Cybersecurity failures in transportation systems aren't just IT incidents. They can become safety issues, national security issues and increasingly potentially geopolitical ones.” [06:52]
  - The malware was neutralized with no impact on passengers; the ship was cleared to sail.
- Notable Quotes:
  - “When software controls physical systems, the consequences of compromise extend far beyond the screen.” [07:13]
- Implication:
  - Maritime cyber incidents now intersect with geopolitical risk and could lead to catastrophic outcomes if not managed.
3. CLOP Ransomware Targets File Sharing Platforms, Including CenterStack
Segment: [07:25–09:40]
- CLOP is running a global campaign targeting internet-exposed Gladinet CenterStack file servers.
- CenterStack provides secure access to on-premises file servers via web, mobile, and mapped drives.
- Thousands of businesses in 49+ countries are potentially at risk.
- Current state:
  - Attackers scan for and breach vulnerable servers; ransom notes are left on compromised systems.
  - The exploit pathway is unclear; it may involve new or unpatched vulnerabilities.
- Context:
  - CLOP’s history of exploiting major file transfer platforms (Accellion, GoAnywhere, MOVEit, Oracle E-Business Suite).
  - Recent victims include Harvard, the Washington Post, Logitech, and American Airlines subsidiary Envoy Air.
- Notable Quotes:
  - “In these attacks, CLOP typically focuses on data exfiltration rather than file encryption, publishing stolen documents on its Dark Web leak site to pressure victims into paying.” [09:25]
- Implication:
  - The persistent attacker focus on file transfer platforms reflects the continuing risk from external exposure, especially during holiday staffing lulls.
Notable Quotes & Memorable Moments
- On the Cisco Zero-Day:
  - “Cisco has confirmed that attackers are not just gaining access, but also deploying persistence mechanisms allowing them to maintain long term control of compromised systems.” [01:25]
- On Maritime Cyber Risks:
  - “Any attempt to interfere with ship control systems represents a critical risk with potentially severe physical consequences for passengers and crew.” [06:30]
- On CLOP's Ransomware Evolution:
  - “That’s a lot. Heading into the holidays, I've been your host David Shipley… Holiday 2025 looks sadly to be just as busy for security teams as past years.” [09:33]
Timestamps for Key Segments
- Cisco Zero Day Flaw: [00:20–04:50]
- Ferry Malware/Physical Safety: [04:51–07:24]
- CLOP Ransomware & File Servers: [07:25–09:40]
Takeaways
- Unpatched vulnerabilities are magnets for state-backed attackers; in the absence of patches, network segmentation and rapid lockdown procedures are vital.
- Cyber incidents in critical infrastructure, particularly transport, blur the line between IT and physical safety, making cross-industry collaboration vital.
- The threat from sophisticated ransomware groups continues to morph, exploiting both technical vulnerabilities and seasonal organizational weaknesses.
This episode is notable for its urgency and practical focus, blending fresh threat intelligence with memorable commentary; it is ideal for security professionals bracing for a tense holiday season.