Suspected Foreign Interference via Maritime Remote Access Malware
French authorities have detained a Latvian crew member of the Italian-owned passenger ferry Fantastic after discovering malware capable of enabling remote access to the vessel’s computer systems while it was docked in Sète. A second crew member, a Bulgarian national, was released without charge. According to the Paris prosecutor’s office, the Latvian suspect, who had recently joined the crew, is charged with conspiring to infiltrate an automated data-processing system on behalf of a foreign power; the charge follows the identification of a remote access tool aboard the ship. The malware was initially detected by Grandi Navi Veloci (GNV), which alerted Italian authorities and France’s General Directorate for Internal Security (DGSI), prompting a joint counterintelligence investigation and the seizure of multiple digital items for forensic analysis. GNV stated that the malware was neutralized without operational impact and has not disclosed which shipboard systems were targeted, but French officials have characterized the incident as a serious national security matter involving suspected foreign interference. Interior Minister Laurent Nuñez confirmed the foreign interference angle, stopping short of attribution but noting the broader European context of state-linked sabotage and cyber operations. The investigation is being led by the DGSI in coordination with Italian and Latvian authorities, and it highlights concerns about insider access, maritime cyber risk, and the potential convergence of cyber intrusions with physical safety threats. The case reinforces the growing strategic importance of maritime cyber defense, particularly against insider-enabled compromises that could allow remote manipulation of critical transportation systems.
Clop Expands Data Theft Extortion to Internet-Exposed CentreStack Servers
The Clop ransomware group is actively targeting Internet-facing Gladinet CentreStack file servers in a new data-theft extortion campaign, continuing its long-standing focus on enterprise file-sharing and managed file-transfer technologies. CentreStack is commonly used to provide remote access to on-premises file servers through web portals, mobile clients, and mapped drives, making externally exposed deployments particularly attractive targets. Incident responders report that Clop is scanning for publicly accessible CentreStack instances and leaving ransom notes on compromised systems, confirming active exploitation rather than reconnaissance alone. The specific access method remains unknown, raising concerns that attackers may be abusing either an undisclosed weakness or unpatched systems. This activity closely follows Clop’s established operational pattern of mass exploitation against centralized file-sharing platforms, enabling the exfiltration of large volumes of sensitive data quickly. In prior campaigns, Clop has focused on stealing data at scale and leveraging public leak sites to pressure victims into payment rather than relying on traditional ransomware encryption. With hundreds of CentreStack instances potentially exposed online, this campaign poses a significant risk to organizations that have not restricted external access or hardened these services. Defenders should prioritize reducing Internet exposure, validating patch posture, and monitoring for signs of unauthorized access, as data theft remains the primary impact associated with Clop operations.
Chrome Stable Channel Update Mitigates High-Risk Browser Exploitation Vectors
Google has released a Stable Channel update for Chrome that addresses two high-severity memory safety vulnerabilities with a credible remote code execution risk. The update, now rolling out to Windows, macOS, and Linux systems, resolves a use-after-free condition in the WebGPU component (CVE-2025-14765) and an out-of-bounds read and write flaw in the V8 JavaScript engine (CVE-2025-14766). Both issues were reported by external security researchers and belong to the bug classes most often chained in browser exploits: memory corruption in V8 is the standard route to code execution inside the renderer sandbox, and a use-after-free in a component such as WebGPU, parts of which run in Chrome’s separate GPU process, is the kind of second bug attackers pair with it to escape that sandbox. Because of the severity and exploit potential, Google is keeping detailed bug information restricted until a majority of users have the fix, narrowing the window for rapid weaponization. These fixes are especially significant given Chromium’s role as a shared codebase across multiple browsers, including Microsoft Edge, which means downstream browsers inherit the same exposure until their vendors ship the corresponding update. Memory corruption vulnerabilities in WebGPU and V8 are attractive to both financially motivated and advanced threat actors, as they can be triggered by malicious web content with no interaction beyond visiting a page. Organizations should prioritize rapid browser updates across managed endpoints and treat this release as high urgency, particularly in environments where web browsing intersects with sensitive workflows; note that Chrome applies a downloaded update only after the browser is relaunched, so an endpoint that has fetched the update but not restarted is still running the vulnerable build. While updates propagate, monitoring for renderer crashes clustered around particular sites and for unexpected processes spawned by the browser remains a useful defensive measure.
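One concrete way to validate patch posture for this release is to compare each endpoint’s installed browser build against the fixed build numerically, component by component. The script below is an added example written for this digest, not code from Google or the source advisory. The minimum builds it carries are placeholders (the fixed build number is not stated above); replace them with the versions named in Google’s and Microsoft’s release notes. The binary names it probes are assumptions about common Linux/macOS installs.

```python
"""Fleet patch check for Chromium-based browsers (added example, not vendor code).

Compares an installed build such as 'Google Chrome 143.0.7499.109' against a
minimum fixed build using numeric component-wise comparison, which avoids the
lexical trap where '143.0.7499.9' sorts after '143.0.7499.109'.
"""
import re
import shutil
import subprocess
from typing import Optional

# ASSUMPTION: placeholder minimum builds. Take the real values from the Chrome
# Stable Channel release note (and the Edge release note) before relying on this.
MIN_FIXED = {
    "chrome": "143.0.7499.109",
    "edge": "143.0.3650.80",
}

# ASSUMPTION: typical binary names on Linux/macOS package installs.
CHROME_BINARIES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")
EDGE_BINARIES = ("microsoft-edge", "microsoft-edge-stable")

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted numeric version from free text, e.g.
    'Microsoft Edge 143.0.3650.80' -> (143, 0, 3650, 80)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_at_least(installed: str, minimum: str) -> bool:
    """Numeric comparison; shorter tuples are padded with zeros so that
    '143.0.7499' compares equal to '143.0.7499.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def assess(product: str, installed: str) -> dict:
    """Report for one browser on one endpoint. 'installed' may be raw
    '--version' output or a bare version string."""
    minimum = MIN_FIXED[product]
    patched = is_at_least(installed, minimum)
    return {
        "product": product,
        "installed": ".".join(map(str, parse_version(installed))),
        "minimum": minimum,
        "patched": patched,
        # A downloaded update only takes effect after relaunch, so the action
        # is both: update AND restart the browser.
        "action": "ok" if patched else "update and relaunch browser",
    }


def detect_installed(candidates: tuple[str, ...]) -> Optional[str]:
    """Ask the first available binary for its version (Linux/macOS). On Windows
    the installed Chrome build is also recorded under
    HKCU\\Software\\Google\\Chrome\\BLBeacon in the 'version' value."""
    for name in candidates:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and _VERSION_RE.search(out.stdout):
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed sample outputs so the check can be exercised offline.
    samples = [
        ("chrome", "Google Chrome 143.0.7499.109"),
        ("chrome", "Google Chrome 143.0.7499.9"),
        ("edge", "Microsoft Edge 142.0.3595.80"),
    ]
    for product, text in samples:
        print(assess(product, text))
    for product, bins in (("chrome", CHROME_BINARIES), ("edge", EDGE_BINARIES)):
        live = detect_installed(bins)
        if live:
            print("live:", assess(product, live))
```

Run it from an endpoint management agent or a scheduled job and feed the `patched` field into your compliance dashboard; the numeric comparison matters because a naive string compare would mark a 4-part build with a shorter last component as newer than the fix.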
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.