Special Edition - F5 breach: emergency hardening under CISA ED 26-01; KEV Windows EoPs

Time-critical guidance to inventory, isolate, patch, and rotate credentials for F5 devices; apply ED 26-01; KEV flags Windows EoPs.

KryptoKat: This one is time‑critical. F5 confirmed long‑term, nation‑state access and theft of BIG‑IP source code and vulnerability intelligence; CISA responded with Emergency Directive ED 26‑01. Treat every management plane as suspect until you can prove otherwise.
UncleSp1d3r: Also, CISA bumped a handful of CVEs into KEV and Patch Tuesday gave us two Windows EoPs already exploited. In human terms: inventory, isolate, patch, rotate, and hunt. Now.

1) F5 — what changed and what to do first (update)

What’s changed since yesterday

  • F5’s disclosure plus CISA’s ED 26‑01 (issued 2025‑10‑16 ET) elevate the incident to an operations order: inventory and management‑plane lockdown are now required actions, with vendor update timelines baked into the directive. Sources: CISA ED 26‑01 and Sophos reporting.

Immediate must‑do items (do these first)

  • Inventory: authoritative list of every F5 instance (TMOS/F5OS/VE, BIG‑IQ, BIG‑IP Next, CNF/BNK, iSeries/rSeries). Assign owners and a risk tier.
  • Remove public admin exposure: move management interfaces off the internet and behind dedicated admin networks, VPN/jump hosts and IP allowlists (align with CISA/BOD guidance).
  • Follow CISA timelines: apply F5 vendor updates per ED 26‑01 and validate image checksums/signatures before install.
  • Secrets & trust: rotate admin passwords, API tokens, SSH keys, and device certificates where feasible.
  • Hunting: review iControl REST/API logs, configuration‑change records, unexpected admin account activity, and unusual egress from appliance management interfaces.
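A small added example (our code, not F5's or CISA's) of the checksum step in the list above: it streams a downloaded image through SHA-256 so multi‑GB files never have to fit in memory, parses a sha256sum‑style `HASH  filename` sidecar line, and compares digests in constant time. The image bytes and the expected hash are constructed here; in practice the expected value comes from the vendor portal over an authenticated channel. PGP/signature verification is a separate step this example does not cover.

```python
import hashlib
import hmac
import os
import tempfile

HEX_CHARS = set("0123456789abcdefABCDEF")


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 in 1 MiB chunks (large images stay off the heap)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one 'HASH  filename' line as written by sha256sum (a leading '*' marks binary mode).
    Returns (lowercase_hex_digest, filename); raises ValueError on anything malformed."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX_CHARS:
        raise ValueError(f"malformed checksum line: {line!r}")
    digest, name = parts
    return digest.lower(), name.lstrip("*")


def verify_image(path, expected_hex):
    """True only if the file's SHA-256 equals expected_hex.
    hmac.compare_digest avoids a timing side channel on the comparison itself."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def demo():
    """Constructed walk-through: a good download verifies, a tampered one does not.
    Returns (ok_before_tamper, ok_after_tamper)."""
    image_bytes = b"BIG-IP image placeholder bytes (constructed, not a real image)\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "BIGIP-example.iso")
        with open(path, "wb") as f:
            f.write(image_bytes)
        # Stand-in for the vendor-published sidecar line (value computed here, so it is a
        # placeholder, not a real F5 checksum)
        sidecar = f"{hashlib.sha256(image_bytes).hexdigest()}  BIGIP-example.iso\n"
        expected, _name = parse_checksum_line(sidecar)
        ok = verify_image(path, expected)
        # Simulate a truncated or tampered download by appending one byte
        with open(path, "ab") as f:
            f.write(b"X")
        tampered_ok = verify_image(path, expected)
    return ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The check only proves the bytes match what the checksum source says; if the digest was scraped from the same mirror as the image, a tampered mirror can serve a matching pair, so take the reference value from the vendor's authenticated portal (or verify the signature) rather than from a sidecar next to the download.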

Quick detection heuristics (starter list)

  • Alert on iControl REST calls from previously unseen source IPs or from user agents not used by your admin tooling.
  • Correlate management‑plane config changes with scheduled change windows; flag unscheduled edits.
  • Detect sudden certificate/key replacements or bulk token rotations.

KryptoKat note: prioritize isolation and proof of integrity — validating checksums and moving admin planes onto protected networks buys you time to hunt without creating new exposure.

2) KEV + Patch Tuesday follow‑up (what to prioritize now)

What’s urgent

  • CISA added five actively exploited CVEs to KEV on 2025‑10‑14; two Windows elevation‑of‑privilege bugs are confirmed exploited in the wild. ZDI/SANS summaries and MSRC notes back the urgency. See the CISA KEV alert and ZDI's October review (links under Authoritative reading).

Top remediation targets (order matters)

  1. Patch CVE-2025-24990 (Agere modem driver) and CVE-2025-59230 (RasMan) across the Windows estate — both are in KEV and exploited in the wild.
  2. WSUS: address CVE-2025-59287 (unauth deserialization RCE) — treat WSUS servers as high‑value targets; restrict network access and validate update content.
  3. Apply vendor fixes for Velociraptor/IGEL/SKYSEA per CISA KEV guidance; remediate insecure defaults and signing issues.

Hunt ideas

  • Look for anomalous RasMan/RASMAN service activity, drivers being loaded unexpectedly, LSASS access attempts, and unexpected WSUS approvals or payload changes.

UncleSp1d3r: If you’re defending a large Windows estate, get the KEV patches on Tier‑0 first and then run your rings. No heroics — prioritize.

3) Oracle EBS & Sitecore — patch, then validate community IOCs

Status

  • Oracle confirms CVE‑2025‑61882 (BI Publisher integration) is actively exploited; Sitecore’s CVE‑2025‑53690 is similarly serious and appears in CISA’s listings. Community OTX pulses reportedly publish IPs/hashes tied to these CVEs, but pulses must be validated before use. Sources: Oracle advisory and vendor bulletins / NVD.

Defender actions

  • Patch affected Oracle EBS and Sitecore builds now and place their management/BI endpoints behind WAF/jump hosts.
  • Hunt for webshells and abnormal template/XSL fetches; enable full web/app logging and archive evidence for triage.
  • If you ingest OTX indicators, pull the exact pulse IDs and validate the indicators against your telemetry before blocking.
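An added example (our code, not OTX's or any vendor's) of the validation step in the last bullet: before an indicator reaches a block list, it is checked against telemetry, the org's allowlist, and non‑routable ranges. The indicators, access‑log lines, observed hashes and allowlist are all placeholder values constructed for this example, and the pulse is simplified to a list of type/indicator pairs rather than the real OTX export format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a community pulse export (placeholder values, not real IOCs)
SAMPLE_INDICATORS = [
    {"type": "IPv4", "indicator": "203.0.113.45"},
    {"type": "IPv4", "indicator": "198.51.100.7"},
    {"type": "IPv4", "indicator": "10.20.30.40"},
    {"type": "IPv4", "indicator": "192.0.2.200"},
    {"type": "FileHash-SHA256", "indicator": "a" * 64},
    {"type": "FileHash-SHA256", "indicator": "b" * 64},
]

# Hypothetical org allowlist: vulnerability scanners, partners, CDN egress you expect in logs
ORG_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Ranges that should never be blocked at the edge; they show up in shared pulses as noise.
# (Documentation ranges 192.0.2/24, 198.51.100/24, 203.0.113/24 are deliberately treated as
# routable here so the constructed sample data works; ipaddress.is_private would not do that.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                 "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed combined-format access log from a hypothetical EBS/Sitecore front end
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [15/Oct/2025:10:02:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [15/Oct/2025:10:02:15 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Oct/2025:10:05:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "vuln-scanner/1.0"
192.0.2.77 - - [15/Oct/2025:10:09:42 +0000] "GET /sitecore/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [16/Oct/2025:01:13:09 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "curl/8.4.0"
"""

# Constructed EDR observations: hash -> where it was seen (placeholder values)
SAMPLE_OBSERVED_HASHES = {"a" * 64: "web01:/tmp/update.bin"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_access_log(text):
    """Yield (ip, timestamp, request) for each well-formed combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts"), m.group("req")


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def validate_indicators(indicators, access_log, observed_hashes):
    """Classify each indicator before it can reach a block list.
    Returns {indicator: {"status", "hits", "evidence"}} where status is one of
    hit / no_hit / skip_nonroutable / skip_allowlisted / unsupported_type."""
    ip_hits = defaultdict(list)
    for ip, ts, req in parse_access_log(access_log):
        ip_hits[ip].append((ts, req))

    report = {}
    for ioc in indicators:
        value, kind = ioc["indicator"], ioc["type"]
        if kind == "IPv4":
            hits = ip_hits.get(value, [])
            evidence = hits[0][0] if hits else None  # first-seen timestamp
            if _in_any(value, NON_ROUTABLE):
                status = "skip_nonroutable"
            elif _in_any(value, ORG_ALLOWLIST):
                status = "skip_allowlisted"  # needs a human decision, never auto-block
            else:
                status = "hit" if hits else "no_hit"
            report[value] = {"status": status, "hits": len(hits), "evidence": evidence}
        elif kind == "FileHash-SHA256":
            where = observed_hashes.get(value.lower())
            report[value] = {"status": "hit" if where else "no_hit",
                             "hits": 1 if where else 0, "evidence": where}
        else:
            report[value] = {"status": "unsupported_type", "hits": 0, "evidence": None}
    return report


def block_candidates(report):
    """Only indicators with corroborating telemetry and no allowlist conflict go forward."""
    return sorted(v for v, r in report.items() if r["status"] == "hit")


if __name__ == "__main__":
    for ioc, r in validate_indicators(SAMPLE_INDICATORS, SAMPLE_ACCESS_LOG, SAMPLE_OBSERVED_HASHES).items():
        print(f"{ioc[:20]:<22} {r['status']:<18} hits={r['hits']} evidence={r['evidence']}")
```

A `no_hit` result does not mean the indicator is benign, only that it has not shown up in the telemetry you have; keep those on a watchlist rather than a block list, and revisit them as log coverage improves.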

KryptoKat: Patching first, indicators second. Don’t let noisy community IOCs drive a blocking war without validation.

4) AI‑browser OAuth claims — a watchlist with immediate mitigations

What was claimed

  • Vendor‑linked research (SquareX / press coverage) suggests some AI/agent browsers could be abused to trigger OAuth consent flows and exfiltrate tokens. Primary PoC material was limited in this run; treat the claims as plausible but not yet weaponized at scale.

Practical mitigations you can enforce now

  • Require admin consent for high‑privilege scopes in IdPs (Entra/Google/Okta).
  • Monitor OAuth grants for unusual IP/UA/geo activity; revoke and rotate suspicious app grants.
  • Block unapproved AI assistant extensions via enterprise policy and enforce extension allowlists.

UncleSp1d3r: This one’s mostly identity hygiene and extension governance — boring, but effective.

5) 48‑hour sprint checklist (concise)

  • F5 owners: inventory, isolate management planes, validate updates/checksums, rotate secrets, and start hunting iControl/API logs. (CISA ED 26‑01)
  • Windows teams: deploy KEV/Patch Tuesday fixes to Tier‑0 first (CVE-2025-24990, CVE-2025-59230), secure WSUS, harden RDP.
  • App teams: patch Oracle EBS / Sitecore; lock admin endpoints behind WAF/VPN; hunt for webshells.
  • SOC: add detections for management‑plane anomalies, RasMan/driver load traces, WSUS tampering, and sudden certificate/key rotations.
  • Execs: approve emergency maintenance windows and cross‑team SOC hunts — this needs coordination, not just emails.

Short detection playbook (practical examples)

  • Generic Splunk‑style hunt (pseudocode you can adapt; note the wildcards, since iControl REST paths continue past /mgmt/ and curl user agents carry a version suffix):
      index=network_logs (uri="/mgmt/*") OR (user_agent="curl*" AND dest_port=443) | stats count by src_ip, uri, user_agent | where count>10
  • Generic SIEM rule ideas:
      • Alert on admin account creation on F5 devices outside change windows.
      • Alert on management interface egress to new external IPs or unusual cloud buckets.
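For both the Section 1 heuristics and the playbook rules above, here is an added example in Python (our code, not F5's and not the page's SPL) that runs the three checks over constructed telemetry: iControl REST calls from a source IP or user agent the admin tooling never uses, config changes outside an approved change window, and management‑interface egress to destinations outside the baseline. The record layouts, IP ranges, baselines and change window are all assumptions for the example and do not mirror BIG‑IP's native log formats.

```python
import ipaddress
from datetime import datetime, timezone

# --- Baselines (hypothetical values; replace with your own) ---
KNOWN_ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}        # jump hosts allowed to reach the mgmt plane
KNOWN_ADMIN_UA_PREFIXES = ("f5-sdk", "Mozilla/5.0")      # automation SDK and the admin browser
CHANGE_WINDOWS = [                                       # approved (start, end) pairs, UTC
    (datetime(2025, 10, 16, 22, 0, tzinfo=timezone.utc),
     datetime(2025, 10, 17, 2, 0, tzinfo=timezone.utc)),
]
KNOWN_EGRESS_DESTS = {("10.0.9.20", 514), ("10.0.9.21", 123)}   # syslog collector, NTP
MGMT_NETWORK = ipaddress.ip_network("10.0.5.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# --- Constructed telemetry (simplified records, not F5's native formats) ---
REST_CALLS = [
    {"ts": "2025-10-16T23:10:04Z", "src_ip": "10.0.5.10", "user": "admin", "ua": "f5-sdk/3.0",
     "method": "GET", "uri": "/mgmt/tm/sys/version"},
    {"ts": "2025-10-16T23:12:40Z", "src_ip": "10.0.5.11", "user": "netops", "ua": "Mozilla/5.0",
     "method": "PATCH", "uri": "/mgmt/tm/ltm/virtual/~Common~vs_web"},
    {"ts": "2025-10-17T03:41:17Z", "src_ip": "10.0.8.77", "user": "admin", "ua": "python-requests/2.32",
     "method": "POST", "uri": "/mgmt/tm/auth/user"},
    {"ts": "2025-10-17T03:42:02Z", "src_ip": "10.0.5.10", "user": "admin", "ua": "curl/8.4.0",
     "method": "GET", "uri": "/mgmt/tm/sys/crypto/cert"},
]
CONFIG_CHANGES = [
    {"ts": "2025-10-16T23:12:41Z", "user": "netops", "change": "modify virtual server vs_web"},
    {"ts": "2025-10-17T03:41:18Z", "user": "admin", "change": "create auth user svc_backup"},
    {"ts": "2025-10-17T03:43:30Z", "user": "admin", "change": "replace device certificate"},
]
EGRESS_FLOWS = [
    {"ts": "2025-10-17T03:40:00Z", "src_ip": "10.0.5.50", "dst_ip": "10.0.9.20", "dst_port": 514, "bytes": 2048},
    {"ts": "2025-10-17T03:44:10Z", "src_ip": "10.0.5.50", "dst_ip": "203.0.113.88", "dst_port": 443, "bytes": 5200000},
    {"ts": "2025-10-17T03:45:00Z", "src_ip": "10.0.5.50", "dst_ip": "10.0.9.21", "dst_port": 123, "bytes": 96},
]


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_change_window(ts):
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)


def unseen_rest_sources(calls):
    """Heuristic 1: REST calls whose source IP or user agent is not in the admin baseline.
    Returns (ts, src_ip, uri, reasons) tuples."""
    alerts = []
    for c in calls:
        reasons = []
        if c["src_ip"] not in KNOWN_ADMIN_SOURCES:
            reasons.append("unseen source")
        if not c["ua"].startswith(KNOWN_ADMIN_UA_PREFIXES):
            reasons.append("unseen user agent")
        if reasons:
            alerts.append((c["ts"], c["src_ip"], c["uri"], ", ".join(reasons)))
    return alerts


def unscheduled_changes(changes):
    """Heuristic 2: config edits (account creation, cert replacement, ...) outside any approved window."""
    return [(c["ts"], c["user"], c["change"]) for c in changes
            if not in_change_window(parse_ts(c["ts"]))]


def new_mgmt_egress(flows):
    """Heuristic 3: flows from the management network to a (dst, port) not in the baseline.
    External destinations sort first, then by bytes moved, so exfil-sized flows top the list."""
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f["src_ip"]) not in MGMT_NETWORK:
            continue
        if (f["dst_ip"], f["dst_port"]) in KNOWN_EGRESS_DESTS:
            continue
        dst = ipaddress.ip_address(f["dst_ip"])
        scope = "internal" if any(dst in n for n in INTERNAL_NETS) else "external"
        alerts.append((f["ts"], f["dst_ip"], f["dst_port"], f["bytes"], scope))
    alerts.sort(key=lambda a: (a[4] != "external", -a[3]))
    return alerts


def run_hunt():
    """Run all three heuristics over the constructed telemetry and return the findings."""
    return {"rest": unseen_rest_sources(REST_CALLS),
            "changes": unscheduled_changes(CONFIG_CHANGES),
            "egress": new_mgmt_egress(EGRESS_FLOWS)}


if __name__ == "__main__":
    for name, findings in run_hunt().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

The three findings in the sample data line up in time (an unseen source creates an account, a certificate is replaced, then a large external transfer leaves the management interface), which is the kind of correlation to build into the SIEM rule rather than alerting on each signal in isolation; tune the baselines from a week of known‑good logs before enabling blocking actions.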

If you want, we’ll publish an F5 playbook next: exact Splunk/Syslog fields, Elastic queries, Sigma rules, and EDR rule examples tailored to iControl REST and BIG‑IP.

Closing — calm but urgent
KryptoKat: This is an incident‑scale risk: inventory, isolate, validate, rotate, patch, and hunt — in that order. Documentation and proven rollback are your friends.
UncleSp1d3r: Do the boring stuff quickly. If you do two things today — take admin interfaces off the internet and get KEV patches onto Tier‑0 systems — you’ll blunt most follow‑ons.

— KryptoKat & UncleSp1d3r

Authoritative reading

  • CISA ED 26‑01: https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
  • Sophos: F5 network compromise: https://news.sophos.com/en-us/2025/10/15/f5-network-compromised/
  • CISA KEV alert: https://www.cisa.gov/news-events/alerts/2025/10/14/cisa-adds-five-known-exploited-vulnerabilities-catalog
  • ZDI October 2025 review: https://www.thezdi.com/blog/2025/10/14/the-october-2025-security-update-review

If you want that F5 hunt playbook (Sigma/SPL/ELK rules + sample queries), say the word and we’ll draft it next.