Vulnerabilities & Exploits

Nation-State Breach at F5 Exposes BIG-IP Source Code and Undisclosed Vulnerabilities

F5 Networks, a major provider of network traffic management and security solutions used by the vast majority of Fortune 500 organizations, confirmed that a sophisticated nation-state threat actor breached its internal systems this summer. The attackers gained long-term, persistent access to F5’s BIG-IP product development environment, exfiltrating source code and information about unpatched vulnerabilities.

The company disclosed the breach in an SEC filing and public advisory after receiving authorization from the U.S. Department of Justice to release details. According to F5, the intrusion impacted internal engineering and knowledge management systems but did not compromise customer-facing products, source code integrity, or cloud infrastructure. Investigations confirmed there was no evidence of tampering within F5’s build pipeline or software supply chain.

However, the attackers obtained highly sensitive data, including portions of BIG-IP source code and private vulnerability research, granting them a technical advantage to identify zero-days and develop targeted exploits against organizations that rely on F5 technology.

National and Global Impact
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by issuing Emergency Directive 26-01, ordering all Federal Civilian Executive Branch agencies to inventory every F5 BIG-IP system, verify exposure of management interfaces, and apply the latest updates by October 22, 2025.

CISA warned that the threat actor’s access to F5’s proprietary data poses “an imminent threat” to networks running F5 software and hardware. This includes the potential for lateral movement, credential theft, API key compromise, and persistent access. Agencies and private enterprises were further urged to harden configurations, disconnect end-of-life systems, and validate F5 software checksums before deploying updates. Organizations are encouraged to engage qualified incident response services to assist with detecting, containing, and remediating potential compromises related to this or similar breaches.

Bloomberg and other sources have attributed the campaign to UNC5221, a China-nexus cyber espionage group previously linked to BRICKSTORM malware. Reports suggest the group maintained access to F5’s environment for up to 12 months before detection.

Why This Matters
F5’s BIG-IP technology is deeply embedded in enterprise and government networks, often serving as a reverse proxy, load balancer, and SSL termination point. Its position at the edge of critical infrastructure makes it a high-value target for adversaries. With source code and vulnerability data now in foreign hands, attackers may attempt to weaponize this intelligence to compromise F5 customers through supply-chain or configuration-based attacks.

This breach emphasizes the ongoing challenge of defending against nation-state adversaries who exploit the global technology supply chain to gain access to downstream targets. Conducting ongoing vulnerability scanning and regular external penetration testing can help identify exposed services, misconfigurations, and unpatched systems before threat actors can exploit them, reducing the likelihood and impact of similar attacks.

As the scope of this attack unfolds, organizations using F5 BIG-IP, F5OS, BIG-IQ, or APM should immediately apply vendor updates, restrict public access to management interfaces, and validate configurations against best practice hardening guides.

Final Thoughts
The F5 breach represents another example of how deeply intertwined software supply-chain security has become with national security and enterprise defense. Even the most trusted infrastructure providers can be compromised, proving the need for layered defense strategies, continuous monitoring, and independent validation.

nGuard remains committed to helping organizations strengthen their defenses through penetration testing, vulnerability management, device configuration hardening and best practices, and incident response services designed to detect, prevent, and contain threats before they disrupt operations.

Cisco ASA & FTD Zero-Day Exploitation: CISA Emergency Directive

Cisco has confirmed two actively exploited zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms. One flaw (CVE-2025-20333, CVSS 9.9) allows remote code execution, while the other (CVE-2025-20362, CVSS 6.5) enables unauthenticated access to restricted URLs. Together, these issues provide attackers with a pathway from authentication bypass to full device compromise.

Cisco has published an event response to the continued attacks which includes detailed recommended actions. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive 25-03, giving federal agencies just 24 hours to identify and mitigate affected devices. The urgency reflects the severity: these vulnerabilities strike at the gateways to enterprise and government networks.

What’s at Risk

Cisco’s ASA and FTD appliances often serve as the first line of defense with handling VPN access, firewall rules, and traffic inspection. Compromise at this layer allows adversaries to:

Deploy custom malware and webshells.
Escalate privileges to root and persist across reboots by tampering with read-only memory (ROM).
Intercept or manipulate traffic flowing into the network.

Threat intelligence links this activity to ArcaneDoor, a sophisticated campaign previously observed targeting perimeter infrastructure. Recent reports confirm attackers chaining vulnerabilities, disabling logging, and even corrupting diagnostics to evade detection.

Penetration testing and Vulnerability Management services can help organizations proactively search for indicators of compromise (IoCs) within ASA/FTD appliances and ensure persistence mechanisms like ROM tampering are identified quickly.

Scale of Exposure

Despite repeated warnings, more than 48,000 internet-facing ASA/FTD instances remain unpatched, according to Shadowserver scans. The majority are located in the U.S., followed by the U.K., Japan, Germany, and Canada.

The delay in patching exposes organizations to real-time scanning campaigns already observed by the threat intel community. In many cases, scans preceded Cisco’s public disclosure, indicating adversaries had early knowledge of these flaws.

Required Actions & Mitigations

Cisco continues to release updates and detailed guidance. For organizations unable to patch immediately, temporary mitigations include restricting VPN web interface exposure and monitoring for crafted HTTP requests or suspicious logins.

Focus on these immediate steps:

Patch & Harden: Apply Cisco’s fixes where available; otherwise, restrict HTTP(S) access to the VPN component. Ensure devices are properly managed and hardened through a configuration audit.
Firmware Integrity: Verify ROM and firmware integrity, leveraging Secure Boot if supported.
Network Monitoring: Deploy anomaly detection and behavioral monitoring on VPN traffic. Managed SIEM with User Entity and Behavior Analytics (UEBA) can detect abnormal logins, unusual session activity, and persistence attempts in real-time on edge devices.
Credential Security: Replace local passwords, certificates, and keys on potentially impacted devices. A comprehensive risk assessment evaluates identity and access management controls against best practice frameworks like NIST and CIS.

Why This Matters

Zero-days in perimeter appliances are uniquely dangerous: they sit in trusted positions, often unmonitored, and provide attackers with deep footholds when compromised. For SMBs and enterprises alike, compromise of a firewall or VPN gateway can mean attackers control the gate into your environment.

As one analyst noted, “When a firewall is compromised at root level, defending becomes almost impossibly reactive. The best time to act is before compromise.”

Conclusion

The Cisco ASA and FTD vulnerabilities highlight a critical reality: perimeter devices are some of the most attractive targets for threat actors. A single exploited flaw in a firewall or VPN gateway can provide attackers with direct access to internal networks, persistence mechanisms, and even the ability to wipe forensic evidence.

Organizations cannot treat these devices as “set-and-forget” infrastructure. They demand continuous attention by patching on short timelines, hardening configurations, and validating controls against real-world attacks.

Entra ID Nightmare: Actor Tokens Exposed Global Admins

“This vulnerability could have allowed me to compromise every Entra ID tenant in the world.”
— Dirk-jan Mollema, Security Researcher

What Happened: A Silent Path to Global Admin in Any Tenant

In a high-stakes vulnerability disclosed by researcher Dirk-jan Mollema, attackers could impersonate any user in any Microsoft Entra ID tenant, including Global Admins, using a little-known and undocumented type of access called an actor token. This wasn’t a theoretical problem. It was a dangerous combo of:

Actor tokens, issued through a long-deprecated Microsoft legacy system (ACS), which allowed service-to-service impersonation.
A bug in the Azure AD Graph API (graph.windows.net), which failed to properly verify tenant boundaries when actor tokens were used.

By creating a valid actor token in their own tenant, an attacker could swap in a victim’s tenant ID and user identifier, then impersonate a Global Admin in the victim org with no MFA, no Conditional Access, and no logging on the victim side. It’s essentially like crafting a master key in your own house, then using it to unlock anyone else’s, while the alarm system remains silent.

Why This Was So Dangerous

Bypassed core defenses like MFA, Conditional Access, and device compliance checks.
No logs in the victim tenant, meaning most orgs wouldn’t even see the attack happening.
Used legacy APIs, which many orgs haven’t fully deprecated, even though Microsoft has warned about them for years.
Global Admin access, which opens up full control of users, apps, email, and cloud resources.

If exploited, this would have been a multi-tenant cloud compromise scenario, on par with some of the most severe identity-related vulnerabilities we’ve seen.

What Security Teams Should Do Right Now

Even though Microsoft has patched the issue (CVE-2025-55241), there are still critical steps every organization should take:

1. Audit API Usage

Identify and remove any use of the Azure AD Graph API (graph.windows.net).
Migrate to Microsoft Graph immediately.
Disable legacy auth protocols and deprecated token flows wherever possible.

2. Investigate for Signs of Abuse

Review privileged role assignments, especially any unusual changes to Global Admins or app role assignments.
Correlate logs across tenants, if applicable, attacker activity may only show up in non-obvious places.
Look for anomalous use of old service principals or unexpected API behavior.

3. Harden Identity Access

Reduce the number of permanent Global Admins; implement Just-in-Time (JIT) access and role-based delegation.
Enforce MFA, even on service accounts and break-glass accounts.
Use Conditional Access policies that include risk-based signals and device context.

4. Eliminate Legacy Dependencies

Scan for usage of legacy tokens, ACS integrations, or unmaintained identity flows in internal tools.
Kill off service-to-service connections that don’t use modern token validation and signing.

Final Thoughts

This vulnerability may be patched, but it reveals how much of your cloud identity security depends on what’s under the surface. If your monitoring, detection, or assessment strategy ignores identity and API-level threats, you’re not seeing the full picture.
You don’t need to wait for another “actor token” scenario to start addressing these risks. Focus now on:

Identity attack surface assessments
M365 Configuration Audits
Cloud penetration testing
Privilege escalation detection
Legacy API decommissioning
Logging & forensics visibility across Entra ID

And remember: it’s often the quiet, undocumented pieces of infrastructure, not the flashy zero-days, that give attackers the loudest victories.

Supply Chain Attack: Palo Alto, Zscaler, Salesforce & Cloudflare

What Happened
A widespread supply chain attack targeting Salesloft Drift has compromised data across hundreds of organizations, including major cybersecurity vendors such as Palo Alto Networks, Zscaler, and Cloudflare.

The threat actor, tracked as UNC6395, stole OAuth tokens from Drift’s Salesforce integrations between August 8 and August 18. These tokens allowed attackers to access Salesforce environments and exfiltrate data, including business contact information, sales account records, product licensing details, and in some cases, customer support case content. Cloudflare reported that API tokens and credentials shared in support tickets were among the compromised data.

Salesforce has since disabled all Salesloft Drift integrations, and Salesloft announced that the Drift platform will be taken offline while resiliency and security measures are rebuilt. Despite quick containment, the campaign has shown just how quickly a compromise of one SaaS platform can cascade across hundreds of organizations.

Indicators of Compromise (IOCs)
Cloudflare, among other victims, shared the following IOCs to aid detection and response efforts:

Suspicious IP Addresses:
- 208.68.36.90
- 44.215.108.109
- 154.41.95.2
- 176.65.149.100
- 179.43.159.198
- 185.130.47.58
- 185.207.107.130
- 185.220.101.133
- 185.220.101.185
- 185.220.101.33
- 192.42.116.179
- 192.42.116.20
- 194.15.36.117
- 195.47.238.178
- 195.47.238.83

Malicious User-Agent Signatures:
- Salesforce-Multi-Org-Fetcher/1.0
- Salesforce-CLI/1.0
- python-requests/2.32.4
- Python/3.11 aiohttp/3.12.15
- TruffleHog

These patterns should be queried within Salesforce logs, connected application logs, and identity provider (IdP) logs to identify potential exposure or abuse.

Why It Matters
Supply chain compromises have become a recurring theme in today’s interconnected enterprise environment. Even vendors dedicated to security found themselves at risk through integrations that extended their attack surface. By abusing OAuth tokens and Salesforce APIs, attackers were able to access data that could be used for highly targeted phishing, smishing, and impersonation campaigns.

Incidents like this show why organizations cannot rely solely on vendor assurances. Regular penetration testing can uncover weak integration points and help simulate how attackers might abuse connected applications. Vulnerability scanning programs provide ongoing checks for misconfigurations, insecure tokens, and unmonitored API endpoints. Managed SIEM services further strengthen defenses by detecting suspicious authentication activity and anomalous data queries across SaaS platforms.

In the aftermath of this attack, impacted organizations are being urged to rotate credentials, revoke unused OAuth tokens, and conduct thorough audits of Salesforce login histories, API access logs, and event monitoring data. These are standard best practices, but many companies do not have the internal resources to carry them out consistently. Partnering with a security provider for incident response and log review can make the difference between quickly detecting token misuse and letting an attacker operate undetected for weeks.

Takeaway
The Salesloft Drift incident reinforces a hard truth: SaaS platforms and third-party integrations are prime attack vectors. Threat actors understand that a single weak link in the supply chain can open doors to hundreds of organizations. By combining stolen tokens with social engineering, they increase the likelihood of success, using legitimate data to craft convincing lures.

Organizations need to adopt a zero trust mindset toward their SaaS ecosystem. Continuous assessment of vendor risk, proactive testing of integrations, and strong monitoring of authentication events are no longer optional. This is not just about one CRM tool being compromised, it’s about recognizing that every connection expands the attack surface.

FBI & CISA Sound Alarm: Cisco Actively Exploited

What Happened

The FBI and CISA have issued a joint advisory warning that attackers are actively exploiting a critical zero-day vulnerability in Cisco’s IOS and IOS XE software. The flaw, tracked as CVE-2018-0171, allows unauthenticated remote attackers to gain full administrative control of vulnerable Cisco devices.

Exploitation has already been observed in the wild, where adversaries are deploying webshells on compromised routers and switches to maintain persistence and issue arbitrary commands. Cisco Talos has confirmed hundreds of devices have been impacted globally.

Why It Matters

Both IOS and IOS XE software from Cisco powers core networking equipment for enterprises, service providers, government agencies, and critical infrastructure operators. These devices sit at the heart of IT environments, managing traffic flow, enforcing segmentation, and controlling access.

If attackers gain control of routers and switches, they gain control of the entire network’s trust foundation. This risk goes far beyond downtime, it directly impacts:

Confidentiality: Attackers can intercept or reroute sensitive data.
Integrity: Configuration changes allow malicious redirection, credential theft, or lateral movement.
Availability: Adversaries can disrupt routing and firewalling, leading to outages.

How the Exploit Works

Cisco has confirmed that attackers are:

Sending crafted HTTP requests to affected devices.
Creating unauthorized privileged admin accounts without authentication.
Deploying webshell backdoors, which allow persistent command execution even after device restarts.
Using these footholds to maintain covert long-term access.

In some cases, the attacker’s persistence has survived device reboots and firmware changes; making post-compromise cleanup extremely difficult without a full rebuild and credential reset.

Risks to Organizations

The implications of this vulnerability are severe:

Network compromise: complete control of edge devices, allowing attackers to monitor and manipulate traffic.
Credential theft: harvesting of administrator credentials, enabling deeper intrusions.
Espionage & data exfiltration: covert long-term access to sensitive information.
Ransomware staging: compromised routers provide a launchpad for broader attacks.

Organizations that rely heavily on Cisco for perimeter and core routing are particularly vulnerable. This incident highlights the need for a proactive defense strategy around network infrastructure, rather than just focusing on endpoints and applications.

Next Steps

Security agencies and Cisco strongly recommend treating this threat as high priority. To get ahead of similar exploits, defenders should:

Apply Cisco’s latest security updates and mitigations without delay.
Audit for unauthorized accounts and unusual configuration changes that may indicate persistence.
Include routers and firewalls in penetration testing to close high-impact gaps.
Review logs and continuously monitor for anomalous activity tied to webshells or credential use.
Tighten access controls by rotating network administrator credentials to reduce the impact of compromise.
Stay up to date on advisories and white papers to track early warnings and emerging risks.
Validate incident response readiness to ensure quick reactions to infrastructure-level compromises.

By addressing this Cisco IOS and IOS XE flaw swiftly and adopting a layered security approach, organizations can reduce the risk of long-term infiltration and ensure their network infrastructure remains trustworthy.

Microsoft Project Ire: AI Agent Capable of Reverse Engineering Malware

What happened
Microsoft has announced a prototype AI agent, called Project Ire, that can autonomously detect, classify, and reverse engineer malware without human assistance. Designed to operate at scale, Project Ire dissects suspicious files, analyzes their code, and determines if they are hostile, even when encountering them for the first time. Microsoft says the tool has already been accurate enough in one case to justify an automatic block of an advanced persistent threat sample, a first for any AI system at the company.

Why it matters
Reverse engineering malware is considered the gold standard for threat classification. It requires highly skilled analysts and can take hours for a single file. Project Ire can perform this work autonomously, reducing analyst fatigue and allowing defenders to respond faster. By integrating into Microsoft Defender, the AI agent could help protect billions of devices, though Microsoft notes it still requires human oversight to mitigate errors and missed threats.

For organizations, this development is a reminder that advanced detection tools work best when combined with a broader security strategy. Even if Project Ire is eventually integrated into your environment, regular penetration testing remains critical for uncovering vulnerabilities that malware could exploit before it reaches detection.

How it works
Project Ire approaches malware analysis in layers, breaking down the process into stages rather than trying to do everything at once. It uses an arsenal of forensic tools, from sandboxes and Microsoft memory analysis to multiple decompilers and open-source utilities, to strip away obfuscation techniques and examine code for malicious behavior.

In testing, the results were strong:

In a controlled dataset of Windows drivers, Project Ire achieved 98% precision and 83% recall.
In a real-world run on 4,000 “hard target” files awaiting human review, it achieved 89% precision, 26% recall, and only a 4% false positive rate.

These capabilities could help organizations detect advanced threats earlier, but gaps will remain. Managed SIEM platforms can complement AI-driven tools by correlating alerts from multiple sources and flagging anomalies that a single detection engine might miss.

Risks and limitations
While highly accurate when it flags a file as malicious, Project Ire’s 26% recall in real-world conditions shows it can still miss the majority of threats. As with any AI model, there is also the potential for “hallucinations,” where the system misinterprets code and produces incorrect results. That is why a multi-layered defense is essential. Ongoing vulnerability management programs can continuously identify and remediate weaknesses in servers, applications, and endpoints, lowering the chance that undetected malware can gain a foothold.

The bigger picture
Cybercriminals are also using AI to develop stealthier malware. This arms race makes it essential to combine automated detection with human-led security exercises. For example, social engineering campaigns can reveal weaknesses in user awareness that malware authors often exploit. Similarly, incident response tabletop exercises ensure leadership and technical teams know how to act immediately when a threat is discovered whether by AI or human analysts.

Final thoughts
Project Ire represents a significant leap forward in AI-driven threat detection. When deployed alongside proactive measures such as penetration testing, managed SIEM, vulnerability management, and employee awareness training, it can be part of a formidable security posture. As Microsoft refines this technology, organizations that pair advanced detection with comprehensive, layered defenses will be best positioned to counter the next generation of cyber threats.