Vulnerabilities & Exploits

This Week in Cybersecurity (TWiC): Source Code Thefts, Massive Credential Dumps & Emergency Patches

The past 2 weeks in cybersecurity delivered a series of critical developments that highlight persistent weaknesses across the software supply chain, identity management, and core infrastructure. From the continued fallout of a high-profile breach at F5 to conflicting reports about a massive Gmail password leak, security professionals are being tested across multiple fronts. Add to that a critical Windows server vulnerability prompting an emergency patch, and the picture becomes clear: attackers are exploiting cracks wherever they appear, be it in vendor ecosystems, identity systems, or update infrastructure. Here’s a quick rundown of what you need to know.

F5 Breach Deepens: Source Code and Undisclosed Vulnerabilities Exposed

In a follow-up to our earlier advisory on the F5 breach, new revelations confirm the situation is worse than initially understood. A sophisticated, likely nation-state threat actor infiltrated F5’s internal systems, stealing portions of the BIG-IP source code and accessing data on yet-to-be-disclosed vulnerabilities. F5 has stated that its build systems were not modified, but the theft of proprietary code and vulnerability research significantly raises the threat level for organizations relying on their products.

Given the exposure of over 266,000 BIG-IP instances to the internet, this development underscores the critical need for proactive patch management, device segmentation, and hardening of public-facing infrastructure. Ongoing threat-hunting efforts and vendor risk monitoring are essential here, especially as attackers may now have an edge in weaponizing these vulnerabilities.

Gmail Credentials in Massive 183 Million Account Leak — But Google Pushes Back

Reports emerged this week of a staggering 183 million compromised credentials hitting the dark web, with millions tied to Gmail accounts. According to researchers, the data likely comes from infostealer malware logs and reused credentials, not a direct breach of Google itself.

Google has strongly denied any compromise of its systems, attributing the leak to poor credential hygiene and third-party breaches. Regardless of the source, this incident reinforces the need for strong identity controls: unique passwords, multi-factor authentication, and regular credential exposure checks are now baseline expectations. Organizations should prioritize continuous identity monitoring and enforce secure credential policies to defend against the inevitable credential-stuffing attempts that follow such leaks.

Microsoft Pushes Emergency Patch for Critical WSUS Flaw

Microsoft issued an out-of-band patch for a critical remote code execution vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The original patch released during October’s Patch Tuesday was found to be incomplete, prompting this emergency update.

This vulnerability poses serious risks to organizations relying on WSUS for patch management, especially if default ports are exposed externally. Beyond just applying the patch, this incident is a reminder that attackers are targeting administrative infrastructure as much as user endpoints. Security teams should ensure that internal update mechanisms are locked down and monitored, as compromise of these systems can rapidly propagate malware or unauthorized updates across entire environments.

Wrap-Up

This week’s cybersecurity news highlights a sobering reality: no part of the modern IT stack is off-limits. Whether it’s vendor platforms like BIG-IP, user credentials floating on the dark web, or core infrastructure like WSUS, attackers are looking for any way in. It’s a critical time for organizations to re-evaluate their exposure across supply chains, authentication practices, and system update mechanisms. Proactive assessments, continuous monitoring, and incident response readiness are not just best practices, they’re survival strategies.

Nation-State Breach at F5 Exposes BIG-IP Source Code and Undisclosed Vulnerabilities

F5 Networks, a major provider of network traffic management and security solutions used by the vast majority of Fortune 500 organizations, confirmed that a sophisticated nation-state threat actor breached its internal systems this summer. The attackers gained long-term, persistent access to F5’s BIG-IP product development environment, exfiltrating source code and information about unpatched vulnerabilities.

The company disclosed the breach in an SEC filing and public advisory after receiving authorization from the U.S. Department of Justice to release details. According to F5, the intrusion impacted internal engineering and knowledge management systems but did not compromise customer-facing products, source code integrity, or cloud infrastructure. Investigations confirmed there was no evidence of tampering within F5’s build pipeline or software supply chain.

However, the attackers obtained highly sensitive data, including portions of BIG-IP source code and private vulnerability research, granting them a technical advantage to identify zero-days and develop targeted exploits against organizations that rely on F5 technology.

National and Global Impact
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by issuing Emergency Directive 26-01, ordering all Federal Civilian Executive Branch agencies to inventory every F5 BIG-IP system, verify exposure of management interfaces, and apply the latest updates by October 22, 2025.

CISA warned that the threat actor’s access to F5’s proprietary data poses “an imminent threat” to networks running F5 software and hardware. This includes the potential for lateral movement, credential theft, API key compromise, and persistent access. Agencies and private enterprises were further urged to harden configurations, disconnect end-of-life systems, and validate F5 software checksums before deploying updates. Organizations are encouraged to engage qualified incident response services to assist with detecting, containing, and remediating potential compromises related to this or similar breaches.

Bloomberg and other sources have attributed the campaign to UNC5221, a China-nexus cyber espionage group previously linked to BRICKSTORM malware. Reports suggest the group maintained access to F5’s environment for up to 12 months before detection.

Why This Matters
F5’s BIG-IP technology is deeply embedded in enterprise and government networks, often serving as a reverse proxy, load balancer, and SSL termination point. Its position at the edge of critical infrastructure makes it a high-value target for adversaries. With source code and vulnerability data now in foreign hands, attackers may attempt to weaponize this intelligence to compromise F5 customers through supply-chain or configuration-based attacks.

This breach emphasizes the ongoing challenge of defending against nation-state adversaries who exploit the global technology supply chain to gain access to downstream targets. Conducting ongoing vulnerability scanning and regular external penetration testing can help identify exposed services, misconfigurations, and unpatched systems before threat actors can exploit them, reducing the likelihood and impact of similar attacks.

As the scope of this attack unfolds, organizations using F5 BIG-IP, F5OS, BIG-IQ, or APM should immediately apply vendor updates, restrict public access to management interfaces, and validate configurations against best practice hardening guides.

Final Thoughts
The F5 breach represents another example of how deeply intertwined software supply-chain security has become with national security and enterprise defense. Even the most trusted infrastructure providers can be compromised, proving the need for layered defense strategies, continuous monitoring, and independent validation.

nGuard remains committed to helping organizations strengthen their defenses through penetration testing, vulnerability management, device configuration hardening and best practices, and incident response services designed to detect, prevent, and contain threats before they disrupt operations.

Cisco ASA & FTD Zero-Day Exploitation: CISA Emergency Directive

Cisco has confirmed two actively exploited zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms. One flaw (CVE-2025-20333, CVSS 9.9) allows remote code execution, while the other (CVE-2025-20362, CVSS 6.5) enables unauthenticated access to restricted URLs. Together, these issues provide attackers with a pathway from authentication bypass to full device compromise.

Cisco has published an event response to the continued attacks which includes detailed recommended actions. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive 25-03, giving federal agencies just 24 hours to identify and mitigate affected devices. The urgency reflects the severity: these vulnerabilities strike at the gateways to enterprise and government networks.

What’s at Risk

Cisco’s ASA and FTD appliances often serve as the first line of defense with handling VPN access, firewall rules, and traffic inspection. Compromise at this layer allows adversaries to:

Deploy custom malware and webshells.
Escalate privileges to root and persist across reboots by tampering with read-only memory (ROM).
Intercept or manipulate traffic flowing into the network.

Threat intelligence links this activity to ArcaneDoor, a sophisticated campaign previously observed targeting perimeter infrastructure. Recent reports confirm attackers chaining vulnerabilities, disabling logging, and even corrupting diagnostics to evade detection.

Penetration testing and Vulnerability Management services can help organizations proactively search for indicators of compromise (IoCs) within ASA/FTD appliances and ensure persistence mechanisms like ROM tampering are identified quickly.

Scale of Exposure

Despite repeated warnings, more than 48,000 internet-facing ASA/FTD instances remain unpatched, according to Shadowserver scans. The majority are located in the U.S., followed by the U.K., Japan, Germany, and Canada.

The delay in patching exposes organizations to real-time scanning campaigns already observed by the threat intel community. In many cases, scans preceded Cisco’s public disclosure, indicating adversaries had early knowledge of these flaws.

Required Actions & Mitigations

Cisco continues to release updates and detailed guidance. For organizations unable to patch immediately, temporary mitigations include restricting VPN web interface exposure and monitoring for crafted HTTP requests or suspicious logins.

Focus on these immediate steps:

Patch & Harden: Apply Cisco’s fixes where available; otherwise, restrict HTTP(S) access to the VPN component. Ensure devices are properly managed and hardened through a configuration audit.
Firmware Integrity: Verify ROM and firmware integrity, leveraging Secure Boot if supported.
Network Monitoring: Deploy anomaly detection and behavioral monitoring on VPN traffic. Managed SIEM with User Entity and Behavior Analytics (UEBA) can detect abnormal logins, unusual session activity, and persistence attempts in real-time on edge devices.
Credential Security: Replace local passwords, certificates, and keys on potentially impacted devices. A comprehensive risk assessment evaluates identity and access management controls against best practice frameworks like NIST and CIS.

Why This Matters

Zero-days in perimeter appliances are uniquely dangerous: they sit in trusted positions, often unmonitored, and provide attackers with deep footholds when compromised. For SMBs and enterprises alike, compromise of a firewall or VPN gateway can mean attackers control the gate into your environment.

As one analyst noted, “When a firewall is compromised at root level, defending becomes almost impossibly reactive. The best time to act is before compromise.”

Conclusion

The Cisco ASA and FTD vulnerabilities highlight a critical reality: perimeter devices are some of the most attractive targets for threat actors. A single exploited flaw in a firewall or VPN gateway can provide attackers with direct access to internal networks, persistence mechanisms, and even the ability to wipe forensic evidence.

Organizations cannot treat these devices as “set-and-forget” infrastructure. They demand continuous attention by patching on short timelines, hardening configurations, and validating controls against real-world attacks.

Entra ID Nightmare: Actor Tokens Exposed Global Admins

“This vulnerability could have allowed me to compromise every Entra ID tenant in the world.”
— Dirk-jan Mollema, Security Researcher

What Happened: A Silent Path to Global Admin in Any Tenant

In a high-stakes vulnerability disclosed by researcher Dirk-jan Mollema, attackers could impersonate any user in any Microsoft Entra ID tenant, including Global Admins, using a little-known and undocumented type of access called an actor token. This wasn’t a theoretical problem. It was a dangerous combo of:

Actor tokens, issued through a long-deprecated Microsoft legacy system (ACS), which allowed service-to-service impersonation.
A bug in the Azure AD Graph API (graph.windows.net), which failed to properly verify tenant boundaries when actor tokens were used.

By creating a valid actor token in their own tenant, an attacker could swap in a victim’s tenant ID and user identifier, then impersonate a Global Admin in the victim org with no MFA, no Conditional Access, and no logging on the victim side. It’s essentially like crafting a master key in your own house, then using it to unlock anyone else’s, while the alarm system remains silent.

Why This Was So Dangerous

Bypassed core defenses like MFA, Conditional Access, and device compliance checks.
No logs in the victim tenant, meaning most orgs wouldn’t even see the attack happening.
Used legacy APIs, which many orgs haven’t fully deprecated, even though Microsoft has warned about them for years.
Global Admin access, which opens up full control of users, apps, email, and cloud resources.

If exploited, this would have been a multi-tenant cloud compromise scenario, on par with some of the most severe identity-related vulnerabilities we’ve seen.

What Security Teams Should Do Right Now

Even though Microsoft has patched the issue (CVE-2025-55241), there are still critical steps every organization should take:

1. Audit API Usage

Identify and remove any use of the Azure AD Graph API (graph.windows.net).
Migrate to Microsoft Graph immediately.
Disable legacy auth protocols and deprecated token flows wherever possible.

2. Investigate for Signs of Abuse

Review privileged role assignments, especially any unusual changes to Global Admins or app role assignments.
Correlate logs across tenants, if applicable, attacker activity may only show up in non-obvious places.
Look for anomalous use of old service principals or unexpected API behavior.

3. Harden Identity Access

Reduce the number of permanent Global Admins; implement Just-in-Time (JIT) access and role-based delegation.
Enforce MFA, even on service accounts and break-glass accounts.
Use Conditional Access policies that include risk-based signals and device context.

4. Eliminate Legacy Dependencies

Scan for usage of legacy tokens, ACS integrations, or unmaintained identity flows in internal tools.
Kill off service-to-service connections that don’t use modern token validation and signing.

Final Thoughts

This vulnerability may be patched, but it reveals how much of your cloud identity security depends on what’s under the surface. If your monitoring, detection, or assessment strategy ignores identity and API-level threats, you’re not seeing the full picture.
You don’t need to wait for another “actor token” scenario to start addressing these risks. Focus now on:

Identity attack surface assessments
M365 Configuration Audits
Cloud penetration testing
Privilege escalation detection
Legacy API decommissioning
Logging & forensics visibility across Entra ID

And remember: it’s often the quiet, undocumented pieces of infrastructure, not the flashy zero-days, that give attackers the loudest victories.

Supply Chain Attack: Palo Alto, Zscaler, Salesforce & Cloudflare

What Happened
A widespread supply chain attack targeting Salesloft Drift has compromised data across hundreds of organizations, including major cybersecurity vendors such as Palo Alto Networks, Zscaler, and Cloudflare.

The threat actor, tracked as UNC6395, stole OAuth tokens from Drift’s Salesforce integrations between August 8 and August 18. These tokens allowed attackers to access Salesforce environments and exfiltrate data, including business contact information, sales account records, product licensing details, and in some cases, customer support case content. Cloudflare reported that API tokens and credentials shared in support tickets were among the compromised data.

Salesforce has since disabled all Salesloft Drift integrations, and Salesloft announced that the Drift platform will be taken offline while resiliency and security measures are rebuilt. Despite quick containment, the campaign has shown just how quickly a compromise of one SaaS platform can cascade across hundreds of organizations.

Indicators of Compromise (IOCs)
Cloudflare, among other victims, shared the following IOCs to aid detection and response efforts:

Suspicious IP Addresses:
- 208.68.36.90
- 44.215.108.109
- 154.41.95.2
- 176.65.149.100
- 179.43.159.198
- 185.130.47.58
- 185.207.107.130
- 185.220.101.133
- 185.220.101.185
- 185.220.101.33
- 192.42.116.179
- 192.42.116.20
- 194.15.36.117
- 195.47.238.178
- 195.47.238.83

Malicious User-Agent Signatures:
- Salesforce-Multi-Org-Fetcher/1.0
- Salesforce-CLI/1.0
- python-requests/2.32.4
- Python/3.11 aiohttp/3.12.15
- TruffleHog

These patterns should be queried within Salesforce logs, connected application logs, and identity provider (IdP) logs to identify potential exposure or abuse.

Why It Matters
Supply chain compromises have become a recurring theme in today’s interconnected enterprise environment. Even vendors dedicated to security found themselves at risk through integrations that extended their attack surface. By abusing OAuth tokens and Salesforce APIs, attackers were able to access data that could be used for highly targeted phishing, smishing, and impersonation campaigns.

Incidents like this show why organizations cannot rely solely on vendor assurances. Regular penetration testing can uncover weak integration points and help simulate how attackers might abuse connected applications. Vulnerability scanning programs provide ongoing checks for misconfigurations, insecure tokens, and unmonitored API endpoints. Managed SIEM services further strengthen defenses by detecting suspicious authentication activity and anomalous data queries across SaaS platforms.

In the aftermath of this attack, impacted organizations are being urged to rotate credentials, revoke unused OAuth tokens, and conduct thorough audits of Salesforce login histories, API access logs, and event monitoring data. These are standard best practices, but many companies do not have the internal resources to carry them out consistently. Partnering with a security provider for incident response and log review can make the difference between quickly detecting token misuse and letting an attacker operate undetected for weeks.

Takeaway
The Salesloft Drift incident reinforces a hard truth: SaaS platforms and third-party integrations are prime attack vectors. Threat actors understand that a single weak link in the supply chain can open doors to hundreds of organizations. By combining stolen tokens with social engineering, they increase the likelihood of success, using legitimate data to craft convincing lures.

Organizations need to adopt a zero trust mindset toward their SaaS ecosystem. Continuous assessment of vendor risk, proactive testing of integrations, and strong monitoring of authentication events are no longer optional. This is not just about one CRM tool being compromised, it’s about recognizing that every connection expands the attack surface.

FBI & CISA Sound Alarm: Cisco Actively Exploited

What Happened

The FBI and CISA have issued a joint advisory warning that attackers are actively exploiting a critical zero-day vulnerability in Cisco’s IOS and IOS XE software. The flaw, tracked as CVE-2018-0171, allows unauthenticated remote attackers to gain full administrative control of vulnerable Cisco devices.

Exploitation has already been observed in the wild, where adversaries are deploying webshells on compromised routers and switches to maintain persistence and issue arbitrary commands. Cisco Talos has confirmed hundreds of devices have been impacted globally.

Why It Matters

Both IOS and IOS XE software from Cisco powers core networking equipment for enterprises, service providers, government agencies, and critical infrastructure operators. These devices sit at the heart of IT environments, managing traffic flow, enforcing segmentation, and controlling access.

If attackers gain control of routers and switches, they gain control of the entire network’s trust foundation. This risk goes far beyond downtime, it directly impacts:

Confidentiality: Attackers can intercept or reroute sensitive data.
Integrity: Configuration changes allow malicious redirection, credential theft, or lateral movement.
Availability: Adversaries can disrupt routing and firewalling, leading to outages.

How the Exploit Works

Cisco has confirmed that attackers are:

Sending crafted HTTP requests to affected devices.
Creating unauthorized privileged admin accounts without authentication.
Deploying webshell backdoors, which allow persistent command execution even after device restarts.
Using these footholds to maintain covert long-term access.

In some cases, the attacker’s persistence has survived device reboots and firmware changes; making post-compromise cleanup extremely difficult without a full rebuild and credential reset.

Risks to Organizations

The implications of this vulnerability are severe:

Network compromise: complete control of edge devices, allowing attackers to monitor and manipulate traffic.
Credential theft: harvesting of administrator credentials, enabling deeper intrusions.
Espionage & data exfiltration: covert long-term access to sensitive information.
Ransomware staging: compromised routers provide a launchpad for broader attacks.

Organizations that rely heavily on Cisco for perimeter and core routing are particularly vulnerable. This incident highlights the need for a proactive defense strategy around network infrastructure, rather than just focusing on endpoints and applications.

Next Steps

Security agencies and Cisco strongly recommend treating this threat as high priority. To get ahead of similar exploits, defenders should:

Apply Cisco’s latest security updates and mitigations without delay.
Audit for unauthorized accounts and unusual configuration changes that may indicate persistence.
Include routers and firewalls in penetration testing to close high-impact gaps.
Review logs and continuously monitor for anomalous activity tied to webshells or credential use.
Tighten access controls by rotating network administrator credentials to reduce the impact of compromise.
Stay up to date on advisories and white papers to track early warnings and emerging risks.
Validate incident response readiness to ensure quick reactions to infrastructure-level compromises.

By addressing this Cisco IOS and IOS XE flaw swiftly and adopting a layered security approach, organizations can reduce the risk of long-term infiltration and ensure their network infrastructure remains trustworthy.