TIOZ Howest

About Zero-Days & State Actors: Cisco, React2Shell, and Maritime Sabotage Hit Critical Infrastructure (OT Security Update Dec 2025)

December 2025 has seen a massive escalation in threats to critical infrastructure, highlighted by a critical zero-day in Cisco appliances and the widespread "React2Shell" vulnerability.

Coinciding with these software flaws are active campaigns by Russian and Chinese state-sponsored actors targeting energy and network edge devices.

Furthermore, a rare physical-digital convergence threat emerged with a sabotage attempt on a European passenger ferry using a Raspberry Pi with a cellular modem, underscoring the expanding attack surface of operational technology.

Quick facts

  • Cisco Zero-Day: Chinese-linked group UAT-9686 is exploiting CVE-2025-20393 in Cisco Secure Email gateways to gain root access.
  • React2Shell Crisis: A severity 10/10 flaw (CVE-2025-55182) in React is being weaponized by multiple espionage groups to target cloud and industrial management interfaces.
  • Maritime Threat: A crew member was arrested in France for planting a Remote Access Trojan (RAT) on a GNV ferry, aiming to sabotage ship systems.
  • Patch Tuesday: Major industrial vendors including Siemens, Schneider Electric, and Mitsubishi Electric released critical updates for ICS products this month.

A Perfect Storm of Exploits and Espionage

Leading the headlines is a severe zero-day vulnerability, CVE-2025-20393, affecting Cisco AsyncOS Secure Email Gateway (SEG) and Web Manager (SEWM) appliances. Cisco has attributed the exploitation of this flaw to a China-linked threat actor tracked as UAT-9686. The attackers are using this vulnerability to execute arbitrary commands with root privileges, effectively bypassing traditional defenses to plant backdoors and persistence mechanisms deep within corporate and industrial networks. This serves as a critical entry point for lateral movement into more sensitive OT segments.

For Belgian organizations, the advisory page of the Centre for Cybersecurity Belgium (CCB) about this Cisco AsyncOS vulnerability is essential reading. It is part of the CCB's advisories service, a must-follow for cybersecurity professionals in Belgium, and yes, there is an RSS feed for these advisories. Each advisory contains a description, information on the risks, pointers to the specific Cisco advisory, and recommended actions such as patches and workarounds. The Indicators of Compromise (IoCs) they include are also very important.

Simultaneously, the cybersecurity community is grappling with "React2Shell" (CVE-2025-55182), a maximum-severity vulnerability (CVSS 10.0) in the React library. While often seen as an IT issue, the prevalence of modern web-based HMIs (Human-Machine Interfaces) and cloud-connected industrial dashboards means this flaw poses a direct risk to OT visibility and control. Multiple espionage groups, including those with ties to China and Iran, have been observed weaponizing this flaw to deploy tunnelers and remote access tools. Read more on the CCB React2Shell Advisory page.

The threat landscape is further complicated by persistent activity from the Russian GRU. New analysis indicates a sustained campaign targeting edge devices (routers and firewalls) specifically within the energy and critical infrastructure sectors. By compromising these perimeter devices, attackers can harvest credentials and replay them to access internal control systems, often evading detection by using "living off the land" (LOTL) techniques.

Perhaps the most alarming development, however, occurred in the maritime domain. French authorities arrested a crew member aboard a GNV (part of the MSC Group) ferry for attempting to deploy a Remote Access Trojan (RAT) on the ship's navigation and control systems. This incident highlights the growing "insider threat" in OT and the specific vulnerability of the maritime transport sector, which acts as a crucial logistical backbone for global trade. More technical reports on this "attack", such as this CSO Online article, mention the use of a Raspberry Pi-class device with a cellular modem. As the article concludes: "You might not catch the person planting the device, but you should instantly catch the device when it connects to the internet". On the other hand, physical security remains crucial: blocking access to computer rooms, USB ports and wired/wireless equipment, and doing background checks on staff with critical system access.

Finally, industrial giants including Siemens, Rockwell Automation, and Schneider Electric have released their monthly security advisories. Notably, Mitsubishi Electric addressed a high-severity OS command injection flaw (CVE-2025-11774) in its ICONICS suite. Operators are urged to prioritize these patches, as reverse-engineering of these fixes by threat actors often begins immediately upon release. More info about these ICS vulnerabilities can be found in this article on the always interesting Industrial Cyber website.

Strengthening the Industrial Edge

The events of December 2025 illustrate that the convergence of IT and OT is no longer a future trend but a present vulnerability. The exploitation of edge devices and web frameworks to reach industrial cores requires a defense-in-depth strategy that goes beyond simple air-gapping. Organizations must rigorously patch edge appliances, monitor for credential misuse, and, as the maritime incident proves, scrutinize personnel with physical access to critical control systems.

Learn more:

For organizations looking to harden their defenses against these evolving threats or build more awareness and knowledge about IT/OT security, Howest Cyber3Lab offers specialized awareness sessions and even vulnerability assessments tailored for industrial/OT/ICT/Maritime environments. Get more info about this via our reply form.

The very best way to defend your industrial security environment is by learning what can go wrong in your company, and checking it with the eyes of a hacker.

A stalled production line costs far more than training. Now that hackers are actively targeting PLCs and edge devices in industrial sectors, ignorance is your biggest business risk.

Ensure your team has the skills to stay ahead of the attack. Attend our Industrial Security Masterclass, an intensive practical 8-day in-person training about systems, protocols, assessment methods, defensive and offensive industrial security methods, regulation and implementing robust segmentation and hacker-proof remote access.

🛫 Start: February 12 (runs until April 2)
📍 Location: Howest (Bruges, Belgium)
🎓 For: IT & OT professionals who want to specialize in Industrial Security

What will you take home?

✅ Hands-on skills in PLC & SCADA hardening.
✅ Deep insight into industrial protocols.
✅ Practical application of NIS2 & IEC 62443.
✅ Certification and a strong network of peers.

💶 Subsidies Available:

  • KMO Portefeuille: Up to 45% support for SMEs.
  • Vlaams Opleidingsverlof: Eligible for Flemish Educational Leave.

👉 Info & Program: https://howest.be/ISM
✍ Register Directly: https://forms.office.com/e/ecTFVBA7Xd

Don't wait until your production line or supply chain stops. Secure your future today!

Authors

  • Patrick Van Renterghem, AI, CyberSecurity, Web3, Immersive Tech, Quantum, ... Community Builder

Last updated on: 12/22/2025
