Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities
On Oct. 15, 2025, F5 disclosed a long-term compromise of their corporate networks in which a nation-state actor exfiltrated files from BIG-IP product development and engineering knowledge platforms, including some source code and information about undisclosed vulnerabilities. F5 stated it has no evidence of active exploitation of undisclosed critical or remote code vulnerabilities and found no indication of access to CRM, financial, support case management, or iHealth systems; some exfiltrated files contained configuration or implementation information for a small percentage of customers.
Source: Unit42 (Palo Alto Networks)
—
Over 266,000 F5 BIG-IP Instances Exposed to Remote Attacks
Shadowserver Foundation found more than 266,000 F5 BIG-IP instances exposed online following F5’s disclosure of a network breach and stolen source code. F5 released patches addressing 44 vulnerabilities (including ones referenced in the incident) and urged customers to update BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients immediately, while noting there is no current knowledge of undisclosed critical remote code execution vulnerabilities being exploited.
Source: BleepingComputer
—
Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign
Microsoft revoked more than 200 certificates used by an actor tracked as Vanilla Tempest to fraudulently sign malicious binaries distributed in fake Teams setup files that delivered the Oyster backdoor and deployed Rhysida ransomware. The activity was detected in late September 2025 and disrupted earlier in October; Microsoft updated security solutions to flag signatures associated with the fake setup files, the Oyster backdoor, and Rhysida ransomware.
Source: TheHackerNews
—
Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices
A critical out-of-bounds write vulnerability in WatchGuard Fireware, tracked as CVE-2025-9242 (CVSS 9.3), affects multiple Fireware OS versions and may allow unauthenticated remote attackers to execute arbitrary code on perimeter appliances. WatchTowr Labs notes the flaw has characteristics attractive to ransomware groups—affecting an internet-exposed service and being exploitable without authentication—prompting advisories and patches from WatchGuard.
Source: TheHackerNews
—
‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability
Microsoft assigned a CVSS score of 9.9 to an HTTP request smuggling vulnerability in Kestrel (ASP.NET Core’s web server), tracked as CVE-2025-55315—the highest severity score assigned by Microsoft to date. The flaw could allow an attacker to smuggle an HTTP request inside another request to bypass front-end security controls or hijack user credentials, prompting urgent mitigation and updates.
Source: SecurityWeek
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC