CyberWire Daily - OneView gives attackers the full tour.
Episode Date: December 18, 2025
Hewlett Packard Enterprise patches a maximum-severity vulnerability in its OneView infrastructure management software. Cisco warns a critical zero-day is under active exploitation. An emergency Chrome update fixes two high-severity vulnerabilities. French authorities make multiple arrests. US authorities dismantle an unlicensed crypto exchange accused of money laundering. SonicWall highlights an exploited zero-day. Researchers earn $320,000 for demonstrating critical remote code execution flaws in cloud infrastructure components. A U.S. Senator urges electronic health record vendors to give patients greater control over who can access their medical data. Our guest is Larry Zorio, CISO from Mark43, discussing first responders and insider cyber risks. A right-to-repair group puts cash on the table.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we are joined by Larry Zorio, CISO from Mark43, to discuss first responders sounding the alarm on insider cyber risks. To see the full report, check it out here.
Selected Reading
HPE warns of maximum severity RCE flaw in OneView software (Bleeping Computer)
China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear (SecurityWeek)
Google Chrome patches two high severity vulnerabilities in emergency update (Beyond Machines)
France arrests 22-year-old over Interior Ministry hack (The Record)
France arrests Latvian for installing malware on Italian ferry (Bleeping Computer)
FBI dismantles alleged $70M crypto laundering operation (The Register)
SonicWall Patches Exploited SMA 1000 Zero-Day (SecurityWeek)
Zeroday Cloud hacking event awards $320,000 for 11 zero days (Bleeping Computer)
Senator Presses EHR Vendors on Patient Privacy Controls (Govinfosecurity)
A nonprofit is paying hackers to unlock devices companies have abandoned (TechSpot)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result, fast, reliable, and secure connectivity
without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
Hewlett Packard Enterprise patches a maximum severity vulnerability in its OneView infrastructure management software.
Cisco warns a critical zero-day is under active exploitation.
An emergency Chrome update fixes two high-severity vulnerabilities.
French authorities make multiple arrests.
U.S. authorities dismantle an unlicensed crypto exchange.
SonicWall highlights an exploited zero-day.
Researchers earn $320,000 for demonstrating critical remote code execution flaws in cloud infrastructure.
A U.S. Senator urges electronic health record vendors to give patients greater control over who can access their medical data.
Our guest is Larry Zorio, CISO from Mark43, discussing first responders and insider cyber risks.
And a right-to-repair group puts cash on the table.
It's Thursday, December 18, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today. It's great to have you with us.
Hewlett Packard Enterprise has released patches for a maximum severity vulnerability
in its OneView infrastructure management software that allows remote code execution by
unauthenticated attackers. The flaw affects all OneView versions prior to version 11
and can be exploited through low-complexity code injection attacks. The issue was reported
by a Vietnamese security researcher and disclosed in an HPE advisory warning that
no mitigations or workarounds are available. Organizations are urged to patch immediately.
HPE says customers can remediate the issue by upgrading to OneView 11 or later,
or by applying specific security hotfixes for other versions.
HPE has not confirmed any active exploitation of the vulnerability.
Cisco has warned that a China-linked threat group is actively exploiting a critical zero-day
affecting Cisco AsyncOS-based Secure Email Gateway and Secure Email and Web Manager appliances.
The flaw allows unauthenticated attackers to execute commands with root privileges.
Cisco Talos discovered the activity and attributed it, with moderate confidence,
to a Chinese state-sponsored actor tracked as UAT-9686.
The campaign uses multiple backdoors and tunneling tools. No patch or workaround is currently
available, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog.
Google has released an emergency Chrome update fixing two high severity vulnerabilities
that could allow remote code execution. The flaws include a use-after-free bug in the
WebGPU component and an out-of-bounds read-and-write issue in the V8 JavaScript engine.
Google has patched the issues, and users are strongly urged to update immediately,
including those running Chromium-based browsers such as Edge, Brave, Opera, and Vivaldi.
French authorities have been busy.
They arrested a 22-year-old suspect in connection with a cyber attack on France's interior ministry
that compromised multiple email accounts and confidential documents.
Officials say the breach, claimed on BreachForums,
exposed files related to judicial records and wanted persons
with attackers inside the network for several days.
No ransom demand was made, and authorities say public safety was not endangered.
Prosecutors allege the suspect acted as part of an organized group
and note prior convictions for similar offenses.
French authorities have arrested two crew members of an Italian passenger ferry
after malware capable of remote access was found aboard the vessel.
A Bulgarian national was released without charge,
while a Latvian crew member remains detained
and faces charges of conspiring to infiltrate computer systems
on behalf of a foreign power.
The malware was discovered while the ferry was docked
and was neutralized without impact.
Officials say the investigation
involves suspected foreign interference
and is ongoing in coordination
with Italian authorities.
U.S. authorities have dismantled E-Note, an unlicensed cryptocurrency exchange
accused of laundering more than $70 million in illicit proceeds for cybercriminals.
The FBI, working with European and U.S. partners,
seized servers, domains, and apps used by the service,
which allegedly helped ransomware groups
and other criminals convert stolen cryptocurrency into harder to trace assets.
Prosecutors unsealed charges against 39-year-old Russian national Mikhailio Petrovich Chudnovetz
accused of operating e-notes and offering laundering services for over a decade.
He faces up to 20 years in prison if convicted and remains at large.
Officials say the takedown targets the financial infrastructure that enables cybercrime,
not just individual attackers.
SonicWall has warned that attackers are exploiting a zero-day vulnerability in the
Secure Mobile Access 1000 appliance management console.
The medium severity flaw allows local privilege escalation and has been used alongside
a previously disclosed bug to achieve unauthenticated remote code execution with root
privileges.
The issue has been patched in recent hotfixes, and CISA has added it to the
Known Exploited Vulnerabilities catalog, urging rapid remediation and mitigations where
patching is delayed.
The inaugural Zeroday Cloud hacking competition in London awarded researchers $320,000
for demonstrating critical remote code execution flaws in cloud infrastructure components.
Hosted by Wiz Research with Amazon Web Services, Microsoft, and Google Cloud, the event focused
exclusively on cloud systems.
Across 13 sessions, researchers succeeded in 85% of attempts, uncovering 11 zero-day vulnerabilities.
Day 1 awards totaled $200,000 for exploits targeting Redis, PostgreSQL, Grafana, and the Linux kernel,
including a container escape flaw that broke cloud-tenant isolation.
Day 2 added $120,000 for database exploits involving Redis, PostgreSQL, MySQL, and MariaDB.
Team Excent Code won the competition with three successful exploits, earning $90,000.
Despite the results, most of the $4.5 million prize pool went unclaimed,
with no successful exploits against Kubernetes, Docker, major web servers, or AI targets.
Senator Ron Wyden of Oregon is urging U.S. electronic health record vendors to give
patients greater control over who can access their medical data, framing the issue as both a
privacy and national security concern. His push comes as regulators more aggressively enforce
data interoperability rules under the 21st Century Cures Act, which aimed to improve data
sharing while allowing exceptions for privacy and cybersecurity. Wyden contacted 10 major
EHR vendors calling for direct control features for patients. He warned that widespread data sharing
increases risks of misuse, citing past Defense Department findings. Epic responded that it is developing
new MyChart features to let patients opt out of sharing, hide records, track access, and manage
preferences for sensitive care.
Coming up after the break, Larry Zorio from Mark43 discusses first responders and insider cyber threats, and a right-to-repair group puts cash on the table.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale, and it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
Larry Zorio is CISO from Mark43.
We're discussing first responders sounding the alarm on insider cyber risks.
Well, we put it out every year, and every year it has different themes.
Every year we typically focus on different cybersecurity trends.
We actually do a lot of tracking ourselves with different trends we see in the industry,
especially breaches and attacks on government agencies. So this year was definitely focused. They were definitely focused on
AI, which I'm sure you definitely know that. Also access management. So this was, yeah,
this is something we do every year, Dave. Well, I mean, let's dig in here. The focus is public
safety. What are some of the specific issues that folks in that part of the world have to deal
with. I would like to just start, especially for your listeners, just to kind of level set with
them. There are a lot of things that public safety agencies struggle with with cybersecurity.
I think we're all used to seeing movies and TV shows with very advanced technology,
following the dot around the screen, sitting in different security operations centers.
But that is really only for the top, top, top tier of public safety agencies. Many of these agencies are struggling with similar things that small
businesses are struggling with. They're struggling with technology, budgets, a lot of old legacy
systems. They're struggling with people trying to recruit and retain talent in the cybersecurity
industry. So many challenges in this space, and some of them have come out in our
trends report this year. Well, let's dig into the report. What were some of the key findings
that caught your eye? A near total majority, 98% of law enforcement believe that cybersecurity is an
important part of evaluating technology. I thought that was interesting because if you were to ask
that question five years ago, I think you would get a totally different answer because five years
ago, public safety was very much, they wanted things on-prem. They wanted to be in charge of their
systems. They knew how to protect their systems in their data centers. I think what this stat is
telling us is they understand that they need to level up. They understand that they need to
start leveraging modern technology, and they know that cybersecurity needs to be a piece of that.
So that was, the near majority was an interesting one for me.
One of the things that caught my eye was the concerns about insider threats. Can you dig into that a little bit for us?
It's the public safety. We're talking police, we're talking fire, we're talking EMTs, we're talking even like the federal agencies.
They're dealing with such sensitive information. We're talking FBI data, we're talking warrants, arrest records.
you know in these records there is the potential
for very private information.
There is even some cases
there's medical information in there.
So agencies understand that this is so, so sensitive,
and they have a lot of legacy systems, Dave,
that just don't give them what we would consider
and your audience would consider just like it's table stakes, right?
Like the role-based access control.
A lot of them are struggling with that.
They're struggling even with like zero trust, this thing that's been around for many years. So it was interesting to see, you know,
the responders come back that way with, you know, a good majority of them are worried about it
and they know that it needs to be something they got to focus on. Well, you mentioned access control.
What did you learn when it comes to that? There's a couple of things that that we've learned actually
from that. I mean, it's definitely, we're seeing, we're seeing them respond, you know, with the 65%
We're seeing, we've seen in past trends reports, them respond to how much they're struggling
even with just, again, for your listeners, Dave, they're struggling with multi-factor authentication.
These are old legacy systems and they're finally starting to modernize and they're now being pushed
and required through different compliance standards that they have to follow to roll out MFA.
And it's either a technology struggle, which I spoke to earlier, or it's a people struggle.
Like, we would love to roll out MFA, but we don't have the personnel to do it.
So I think it's just important for folks like myself that are in this industry that can help to educate and be there to help them in that space.
The other thing I'll mention too, Dave, outside of MFA, you know, we've learned that even these legacy systems, they don't even have the granularity that you're looking for, like in an activity report, right, to be able to see what people are doing in the systems themselves.
So it's another reason why modernization is so important.
Can you give us an idea of the range of systems that we're talking about and the functions?
I guess top of mind for me is something like a 911 call center, you know, where obviously
downtime is the last thing you want.
But I'm sure there's a lot more to it than most of us think about.
You hit the nail in the head with the 911 system, right?
that is one of the absolute core critical infrastructures
that public safety is using.
So those systems.
There's the 911 call-taking system.
There's also what's called a computer-aided dispatch system.
That's kind of, if you ever see a picture of a 911 environment,
a dispatch center, you see all these screens.
And typically, they're the call-taking systems.
They're the computer-aided dispatch systems.
So there's that piece of it.
But then there's also what's called records management systems, RMS.
And that is basically where they live and breathe for 80, 90% of the day.
It's where they're writing up all their arrests.
They're filling out forms for warrants.
They're doing all their research.
Detectives are going in there, looking at different evidence.
This all happens in an RMS.
So those are kind of the big core ones.
Then you have things like license plate reader systems that have been making the headlines recently and some analytics software as well that's very, very important to these public safety officials.
You know, we were talking about insider threats and also AI, and I know that's a big concern for a lot of organizations that employees may be using AI, we refer to it as Shadow AI.
And when you're talking about this sort of sensitive information, that could be a real big problem.
It is a real big problem.
It's something that I talk to a lot of public safety agencies about for many different reasons.
In some cases, they're just looking for guidance.
They're looking from guidance.
It could be from the state or even the city level.
What are we allowed and not allowed to do?
So there's definitely that side of it.
I know that a lot of states are starting to make progress. The federal government's starting to make progress in that area to give them
the frameworks. Many of them are aware that they are using these shadow IT, these shadow AI tools,
and they are concerned about it. We're talking to them about how they can lock it down,
certainly try to keep it within the boundaries of those RMS systems and those CAD systems.
and some of those providers are starting to now offer AI technologies that can really kind of bring everything back into the core systems and give these leaders a bit more control over where the data is going to go.
Is there a big gap between the haves and the have-nots when it comes to communities that are able to fund these sorts of efforts?
There definitely is.
Your big cities, thankfully, they're going to be able to have big cybersecurity teams, and that's great.
But it's also shocking in some cases that big cities that we're all aware of, that they're still
struggling. They are still struggling, Dave. So with kind of your bigger agencies, they might have
a team. They could have a team of a hundred cybersecurity professionals, which is wonderful, and
that's great. But if you're in your local town agency, you're lucky
if they even have an IT manager, and that's it.
So it very much is a haves and have-nots in this space.
We do talk around, especially with those smaller agencies,
a lot of states are actually offering these smaller agency services.
So we're talking to them about, hey, go talk to your state officials.
There are some tooling and some services that you can get out of the state as well.
Well, based on the information that you all gather,
in the report here. What are your recommendations? How should these organizations go about best
protecting themselves? I think it really all comes down to, and I talk about this a lot, David,
and for your listeners, this is going to sound very obvious, but I talk to a lot of agencies about
just settling on a framework that you want to follow. Like, whether it's NIST or ISO or CIS,
just find one that works for your agency. We put out a lot of
documentation around this for them. And what that can then do is it gives them a comfort level
that they can build a roadmap. They can build a plan over the next two, three, even five
years of some of the things that they need to work on, some of the controls they need to put in
place. Funding is a really big issue. Budgets, funding, finding dollars. But having that
framework then allows them to go to town leadership, city leadership, state leadership,
and say, hey, we do have a plan.
And the great thing about it is this plan actually maps to some of the state regulations we have,
some of the federal regulations we have.
And then the other great thing about that, Dave, is once they have that,
they can actually then go for grants because there are a lot of great grant programs out there for these agencies.
They just don't necessarily know how to go grab that money.
And having a framework, having a plan can really help with that.
That's Larry Zorio from Mark43.
When you're flying Emirates business class, relaxing in an exclusive airport lounge,
you'll see that your vacation isn't really over until your flight is over.
Fly Emirates, fly better.
And finally, a small non-profit with a long memory and a short tolerance for corporate lock-in
is paying people to answer an awkward question.
When you buy a device, how much of it is actually yours?
Freedom from Unethical Limitations on Users, or FULU, runs bounties not for security bugs,
but for proof that abandoned or restricted hardware can still be made to work.
The effort gained momentum after Google retired support for early Nest thermostats,
leaving owners with expensive wall ornaments that still worked locally,
but had quietly lost their smarts.
FULU now offers cash rewards for fixes that bypass DRM,
expired software support, or parts pairing schemes.
Targets include filter-locked appliances and devices, disk drive encryption, game consoles,
and other features that seem designed to outlive warranties, not usefulness.
The irony is that fixing these devices can violate U.S. copyright law.
FULU pays anyway.
The group's point is not just to revive gadgets, but to highlight how a decades-old law now stands
between ownership and permission.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at the Cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.