Week that Was for 12.20.25

By the CyberWire staff

President Trump signs the 2026 National Defense Authorization Act.

President Trump on Thursday signed the $901 billion 2026 National Defense Authorization Act (NDAA), which authorizes record spending for national security programs, the Record reports. The bill passed with bipartisan support and contains major cybersecurity provisions. Notably, the bill preserves the long-debated dual-hat leadership of US Cyber Command and the National Security Agency by barring Pentagon funds from weakening the Cyber Command commander’s authority. Trump also nominated Army Lt. Gen. Joshua Rudd to lead both organizations.

The NDAA allocates approximately $417 million to Cyber Command: $73 million for digital operations, $30 million for unspecified activities, and $314 million for operations and maintenance at its Fort Meade headquarters. The Act also mandates secure, encrypted mobile devices for senior Defense Department leaders, following criticism by the Pentagon’s inspector general regarding insecure communications.

Inside the Q3 2025 Threat Landscape: The Trends Every Defender Must Know

Discover the key insights shaping today’s cybersecurity reality in Rapid7’s Q3 2025 Threat Landscape Report. Explore the surge in AI-driven attacks, faster vulnerability exploitation, and the expanding impact of ransomware groups across critical industries. This data-rich analysis highlights the most urgent risks and the steps defenders can take to stay ahead. Get the intelligence your team needs to prepare for what’s coming next.

Chinese threat actor targets maximum-severity Cisco zero-day.

Cisco Talos says a Chinese APT tracked as "UAT-9686" has been exploiting a maximum-severity zero-day affecting Cisco products since at least late November. The vulnerability (CVE-2025-20393) affects appliances running Cisco AsyncOS software for Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA). The threat actor is using the flaw to deploy a Python-based backdoor called "AquaShell," as well as "AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility)."

SecurityWeek notes that Cisco hasn't yet released patches, but has shared some mitigations. The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to apply the mitigations by December 24th.

HPE issues patch for maximum-severity OneView flaw.

Hewlett Packard Enterprise (HPE) has issued a patch for a maximum-severity remote code execution vulnerability (CVE-2025-37164) affecting its OneView IT infrastructure management software, BleepingComputer reports. The flaw affects all OneView versions prior to 11.00 and can be exploited through low-complexity code injection attacks. Administrators are urged to update or apply hotfixes as soon as possible. HPE hasn't confirmed whether the flaw is being exploited in attacks.

Humans Are Not the Weakest Link. Guess who FAIls?

Humans have been labeled the weakest link for ages. But this year showed how easily both humans and AI can be manipulated. In this session, Cato CTRL experts reveal real attacks from the wild where adversaries steered people and AI systems into harmful actions using simple prompts and inputs. The session reframes how you should think about AI risk and what to do when machines start making the mistakes, so register to join us.

Venezuela blames the US for disruptive cyberattack on state-owned oil company.

Venezuela's state-owned oil company, Petróleos de Venezuela (PDVSA), sustained a ransomware attack over the weekend that shut down systems and caused the company to suspend oil cargo deliveries, Reuters reports. PDVSA and Venezuela's oil ministry blamed the United States for the incident, saying the attack was launched by "foreign interests in complicity with domestic entities who are seeking to destroy the country's right to sovereign energy development."

The US State Department hasn't responded to Reuters' request for comment. Venezuela frequently blames domestic issues such as blackouts on US sabotage; however, the latest incident comes amid rising US-Venezuela tensions, including last week's US seizure of a Venezuelan crude oil tanker.

French police arrest suspect who allegedly planted malware on a passenger ferry.

French police have arrested a Latvian crew member of an Italian passenger ferry who's suspected of infecting the ship with malware on behalf of a foreign nation-state. The individual allegedly installed a remote access Trojan while the ferry was docked at the Mediterranean port of Sète. According to Marine Insight, France's domestic intelligence service, the General Directorate for Internal Security (DGSI), is leading the investigation.

France's Interior Minister Laurent Nuñez told French media, "This is a very serious matter... individuals tried to hack into a ship's data-processing system. Investigators are obviously looking into interference. Yes, foreign interference. These days, one country is very often behind foreign interference." France 24 quotes the suspect's lawyer as saying the "theory of Russian interference evoked in the press seems superfluous," and that the investigation "will demonstrate that this case is not as worrying as it may have initially seemed."

Separately, French authorities arrested a 22-year-old suspected of hacking the country's Interior Ministry last week, the Record reports.