Executive Summary
Week 51 of 2025 brought a major joint CISA/FBI/NSA advisory warning of pro-Russia hacktivist groups (NoName, Z-Pentest, CARR) actively targeting water, energy, and agriculture infrastructure via unsecured VNC connections. Critical ICS vulnerabilities were disclosed affecting Advantech WebAccess/SCADA (CVSS 8.8), Rockwell Micro controllers, and Mitsubishi/ICONICS systems. The automotive sector saw concerning research on Unisoc modem vulnerabilities in vehicle head units enabling remote code execution, plus five zero-days in CarlinKit and 70mai aftermarket devices.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of December 15-20, 2025
🚨 Critical Alerts & Advisories
CISA: Pro-Russia Hacktivists Targeting Critical Infrastructure
On December 9, 2025, CISA issued a joint advisory (AA25-343A) with FBI, NSA, EPA, and international partners warning that pro-Russia hacktivist groups are actively targeting critical infrastructure:
- Groups identified: NoName, Z-Pentest, Sector16, CARR (Cyber Army of Russia Reborn)
- Targets: Water/Wastewater, Food & Agriculture, Energy sectors
- Attack vector: Unsecured internet-facing VNC connections to access OT control devices
- Impact: While less sophisticated than APT attacks, these groups can cause operational disruptions
CISA ICS Vulnerability Advisories (December 2025)
CISA flagged critical ICS vulnerabilities in major industrial equipment:
| Vendor | Product | CVEs | CVSS | Issue |
|---|---|---|---|---|
| Advantech | WebAccess/SCADA | CVE-2025-14848/49/50, CVE-2025-46268 | 8.8 | SQL injection, unrestricted uploads |
| Rockwell | Micro820/850/870 | CVE-2025-13823/24 | 7.5 | Controller vulnerabilities |
| Mitsubishi/ICONICS | GENESIS64, MC Works64 | CVE-2025-11774 | 8.2 | OS command injection |
🚗 Automotive CPS Security
Critical Vulnerabilities in Vehicle Systems
Modem Vulnerabilities in Vehicle Head Units (December 17, 2025)
Researchers investigating the Unisoc UIS7862A SoC, commonly found in modern Chinese vehicle head units, discovered multiple critical vulnerabilities across the modem’s cellular protocol stack:
- CVE-2024-39432: Stack-based buffer overflow in 3G RLC protocol
- Impact: Remote code execution during early cellular connection stages
- Risk: Full system compromise enabling manipulation of vehicle controls, navigation data modification, communication interception
Zero-Day Vulnerabilities in Aftermarket Devices
VicOne researchers uncovered five zero-day vulnerabilities in widely used aftermarket peripherals (CarlinKit CPC200-CCPA wireless CarPlay/Android Auto dongle and 70mai A510 dashcam):
| CVE | Vulnerability | Impact |
|---|---|---|
| CVE-2025-2765 | Hard-coded weak Wi-Fi credentials | Authentication bypass |
| CVE-2025-2763 | Web upload vulnerability | Remote code execution |
| CVE-2025-2764 | External USB drive exploitation | Arbitrary code execution |
Linux Privilege Escalation Affecting Automotive Systems
CVE-2025-6019, a newly disclosed Linux privilege escalation vulnerability in the libblockdev library, affects connected vehicles and Automotive Grade Linux (AGL) platforms. Exploitation could interfere with critical vehicle operations.
Connected Car Telematics Vulnerabilities
Subaru STARLINK Vulnerability (January 2025)
Security researchers Sam Curry and Shubham Shah revealed a now-patched flaw in Subaru’s STARLINK connected vehicle service:
- Scope: Millions of Subaru vehicles in US, Canada, and Japan
- Access method: License plate number or owner’s email/zip code/phone
- Capabilities achieved:
- Remotely start, stop, lock, unlock vehicles
- Retrieve current location (accurate to 5 meters)
- Access complete location history from past year
Kia Remote Access Flaw
A September 2024 discovery affected Kia model years 2013-2025:
- Attack vector: License plate info only
- Time to exploit: 30 seconds to execute remote commands
- Impact: Personal information theft and vehicle control
Automotive Attack Trends (2025)
According to Upstream Security’s 2025 Global Automotive Cybersecurity Report:
- Security incidents up ~50% in Q1 2025
- Incidents affecting millions of vehicles tripled (5% → 19%)
- Documented incidents: 295 (2023) → 409 (2024) = 39% increase
- Pwn2Own Automotive 2025: 49 zero-day vulnerabilities discovered over 3 days
Regulatory developments:
- U.S. Commerce Dept. proposed ban on Chinese/Russian connected vehicle software (MY 2027) and hardware (MY 2030)
- OEMs prioritizing compliance with UNECE WP.29 R155/R156 and China’s GB/T automotive cybersecurity guidelines
🏥 Medical Device CPS Security
FDA Cybersecurity Recalls and Warnings
Impella Heart Pump Recall (October 2025)
The FDA issued a correction notice on October 10, 2025 warning that certain Automated Impella Controllers (Johnson & Johnson’s Abiomed) contain network-accessible cybersecurity vulnerabilities:
- Risk: Unauthorized users could interfere with pump’s essential functions
- Access vectors: Hospital network systems or direct physical access
- Recommendation: Disconnect device from network until security fix available
Updated FDA Guidance (June 2025)
The FDA issued final guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”:
- Updates 2023 guidance with compliance recommendations for “cyber devices” under Section 524B of the FFDCA
- Key change: It is now a prohibited act under Section 301(q) to fail to maintain cybersecurity processes and procedures
Medical Device Vulnerability Landscape
Critical Statistics (2025 Medical Device Cybersecurity Index)
| Metric | Value |
|---|---|
| Hospitals managing IoMT devices with known exploited vulnerabilities (KEVs) | 99% |
| Healthcare organizations suffering device-targeted attacks | 22% |
| Cyberattacks causing patient care disruptions | 72% (up from 69%) |
| Healthcare ransomware attacks increase (2025) | 30% |
Patient Impact (Healthcare IT News)
Among organizations experiencing medical device security incidents:
- 46% required manual processes to maintain operations
- 44% reported delayed diagnoses or procedures
- 44% had extended patient stays
Historical Context: Life-Critical Device Vulnerabilities
Research demonstrations have shown critical vulnerabilities in life-sustaining devices (AAMC, CBS News):
Insulin Pumps:
- Black Hat 2011: Demonstrated taking control of insulin pump to deliver lethal dose
- Medtronic recalled MiniMed 508 and Paradigm series after FDA warning about wireless hacking vulnerabilities
- IBM security research found vulnerabilities allowing remote alteration of patient dosing
Pacemakers/Cardiac Devices:
- 2017: Nearly 500,000 wireless pacemakers recalled due to vulnerabilities allowing remote manipulation
- 2019: Medtronic warned about hundreds of thousands of implantable cardiac defibrillators (ICDs) vulnerable to hacking
- Black Hat demonstrations showed lethal electric shock delivery via laptop
Drug Infusion Pumps:
- Medtronic Medfusion 4000 pumps identified with security vulnerabilities
- Researchers demonstrated ability to remotely disable implantable insulin pumps
FDA Position: Dr. Suzanne Schwartz (FDA): “Any device can be hacked and that’s often not understood.”
💧 Water & Wastewater Sector
Denmark Attributes 2024 Water Utility Attack to Russia
Danish authorities reported (December 19, 2025) that Russia was responsible for “destructive and disruptive” cyberattacks:
- Attacker: Russian-linked group Z-Pentest
- Target: Water utility near Køge (~35km south of Copenhagen)
- Impact: Manipulated water pressure, caused pipes to burst, customers left without water
EPA Compliance Warning
Over 70% of water systems inspected since September 2023 violate basic cybersecurity requirements:
- Failed to change default passwords
- Use single logins for all staff
- Failed to curtail access by former employees
⚡ Energy & Power Grid
Key Statistics
- Cyberattacks on energy/utilities up ~40% YoY (CLUSIT 2025)
- Ransomware attacks in energy sector up 80% YoY
- NERC warns: Grid vulnerable points growing by ~60/day
- Smart grid security becoming critical as renewable integration expands attack surface
🏭 Manufacturing & Industrial
December 2025 Sophos Report
State of Ransomware in Manufacturing and Production 2025:
- Manufacturing remains #1 targeted industry (4th consecutive year)
- Attacks surged 61% YoY
- 32% of attacks via exploited vulnerabilities
- Average downtime: 12 days
Notable 2025 Incidents
| Date | Target | Impact |
|---|---|---|
| September 2025 | Jaguar Land Rover | Production stalled for months; suppliers affected |
| May 2025 | Nucor (largest NA steel producer) | Multi-site production halted |
| April 2025 | Masimo medical devices | Manufacturing capacity crippled |
📊 Threat Intelligence Highlights
Nozomi Networks Recognized for AI in CPS Security
December 17, 2025: Gartner recognized Nozomi Networks as “company to beat” for AI in CPS security, citing early ML integration (2013) for CPS discovery, analysis, and alerting.
Dragos 2025 OT/ICS Report Key Findings
From the 8th Annual OT Cybersecurity Year in Review:
- New threat groups: GRAPHITE and BAUXITE (now tracking 23 total, 9 active)
- BAUXITE: Linked to Iranian IRGC-CEC, targets US/EU/AU/ME energy, water, food, chemical sectors
- Ransomware: 87% increase, ~1,700 attacks on industrial orgs in 2024
- Vulnerabilities: 70% deep in ICS networks; 22% network-exploitable (up from 16%)
- Visibility gap: 45% of engagements lack OT network visibility
Kaspersky ICS CERT Q3 2025
APT and financial attacks on industrial organizations report released December 1, 2025.
🔒 Defensive Recommendations
Immediate Actions
For Automotive CPS:
- Review connected vehicle telematics security configurations
- Disable unnecessary remote access features
- Monitor for unauthorized access attempts
- Apply manufacturer security patches promptly
For Medical Devices:
- Inventory all IoMT devices and check for KEVs
- Implement network segmentation for medical devices
- Follow FDA guidance on cybersecurity maintenance
- Disconnect vulnerable devices (e.g., Impella controllers) until patched
For Industrial/OT Systems:
- Apply CISA ICS advisory patches for Advantech, Rockwell, Mitsubishi products
- Implement network segmentation between IT and OT
- Audit VNC and remote access configurations
- Monitor for pro-Russia hacktivist activity patterns
Medium-Term Actions
- Develop systematic approach to legacy/EOL device management
- Implement behavioral analytics for CPS environments
- Establish incident response procedures specific to CPS
- Conduct vendor security assessments before procurement
📖 Sources Referenced
RSS-Curated Sources:
- CISA ICS Advisories
- CISA Pro-Russia Hacktivists Advisory (AA25-343A)
- Industrial Cyber
- BleepingComputer
- SecurityWeek
- Dark Reading
- Dragos Blog
- Sophos News
Web Search Sources (Not in Curated RSS):
- VicOne Automotive Security Blog
- Upstream Security Reports
- GBHackers - Modem Vulnerabilities
- Security Ledger - Subaru STARLINK
- FDA Cybersecurity
- AboutLawsuits - Impella Recall
- Healthcare IT News
- AAMC - Medical Device Vulnerabilities
- TechCrunch - 2025 Breaches
- Nozomi Networks - Gartner Recognition
- Kaspersky ICS CERT
- Tripwire - Critical Infrastructure
Note: Week 51 summary is complete. This week featured significant CPS activity across automotive, medical devices, and critical infrastructure sectors. The convergence of IT/OT systems continues to expand attack surfaces, with state-sponsored actors and hacktivists increasingly targeting cyber-physical systems.