
Network ‘background noise’ may predict the next big edge-device vulnerability

20 April 2026 at 06:00

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 

Roughly half of the activity surges GreyNoise detected during a 103-day study last winter were followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. 

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MikroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor, and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. 

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added. 
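The intensity-versus-breadth rule the report describes, worked through as an added example (this is illustrative code written for this article, not GreyNoise's own logic): each day's session count and unique-source-IP count for one vendor is compared against a trailing seven-day median, and a day is labelled a coordinated escalation only when both rise together. The seven-day window, the 3x spike factor and the telemetry values are all assumptions constructed for the example.

```python
"""Label daily targeting surges against one vendor by intensity and breadth."""
from statistics import median

# Constructed daily telemetry (not GreyNoise data): one tuple per day of
# (session_count, unique_source_ips) observed probing one vendor's devices.
SAMPLE_DAYS = [
    (120, 30), (130, 28), (118, 31), (125, 29), (122, 33), (127, 30), (119, 32),  # quiet week
    (135, 90),   # day 8: many new source IPs, sessions flat -> breadth only
    (480, 31),   # day 9: existing sources hammer harder, breadth flat -> intensity only
    (520, 110),  # day 10: both rise together -> coordinated escalation
]

def spike(value, baseline, factor):
    """True when value is at least `factor` times the baseline median."""
    return baseline > 0 and value >= factor * baseline

def classify_day(history, sessions, unique_ips, factor=3.0):
    """Classify one day against a trailing history of (sessions, unique_ips).

    Returns "coordinated_escalation", "session_spike_only", "ip_spike_only"
    or "normal". The spike factor is an assumed threshold, not the report's.
    """
    base_sessions = median(s for s, _ in history)
    base_ips = median(i for _, i in history)
    intensity = spike(sessions, base_sessions, factor)   # existing sources working harder
    breadth = spike(unique_ips, base_ips, factor)        # new infrastructure joining
    if intensity and breadth:
        return "coordinated_escalation"   # high-confidence reason to look harder
    if intensity:
        return "session_spike_only"
    if breadth:
        return "ip_spike_only"            # do not assume a vulnerability is coming
    return "normal"

def classify_series(days, window=7, factor=3.0):
    """Label every day after the first `window` days using a sliding median baseline.

    A median baseline is robust to a single earlier spike day sliding into the window.
    """
    labels = []
    for idx in range(window, len(days)):
        history = days[idx - window:idx]
        labels.append(classify_day(history, *days[idx], factor=factor))
    return labels

if __name__ == "__main__":
    for day, label in enumerate(classify_series(SAMPLE_DAYS), start=8):
        print(f"day {day}: {label}")
```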

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

What’s left to worry (and not worry) about in the F5 breach aftermath

10 November 2025 at 16:20

Researchers aren’t very concerned about the dozens of undisclosed F5 vulnerabilities a nation-state attacker stole during a prolonged attack on F5’s internal systems. Yet, the heist of sensitive intelligence from a widely used vendor’s internal network resembles previous espionage-driven attacks that could pose long-term consequences downstream.

F5, which became aware of the attack Aug. 9 and disclosed Oct. 15, said “a highly sophisticated nation-state threat actor” stole segments of BIG-IP source code and details on 44 vulnerabilities the company was addressing internally at the time. 

F5 maintains it’s not aware of any undisclosed or remote code vulnerabilities, nor is it aware of active exploitation of any vulnerabilities accessed during the attack.

“I don’t want to jinx myself here, but I’m not terribly concerned about any of these as is,” Caitlin Condon, vice president of research at VulnCheck, told CyberScoop. “We may see exploitation of one of the medium vulnerabilities, for instance, in a chain or from an adversary who got credentials or access some other way, but I’m not super concerned about mass exploitation of any of these, especially remotely.”

Himaja Motheram, security researcher at Censys, agrees with that assessment, adding that none of the undisclosed vulnerabilities accessed during the attack are critical enough to necessitate an immediate emergency response.

The researchers noted that most of the F5 defects, especially those marked as high-severity, are denial-of-service vulnerabilities. More broadly, the majority of the vulnerabilities affect protocols, which are not easy to reach without internal system access. 

Flashpoint analysts identified four vulnerabilities with CVSS ratings of 8.5 as the most potentially impactful, including CVE-2025-59483, CVE-2025-61958, CVE-2025-59481 and CVE-2025-59868. All four of the defects require authentication, so an attacker would need an existing foothold to achieve exploitation.

External risk assessments would benefit from additional information, including details about potential proof-of-concept exploit code or methods that could allow attackers to evade detection, particularly if that information was also stolen from F5’s systems, Condon said. 

F5 said indicators of compromise and a general threat hunting guide prepared by CrowdStrike are available to customers upon request.

Nearly a month after F5 first reported the attack, fallout appears to be contained but concerns linger, in part, because of the significant role the vendor plays across enterprise and government. 

“In general, F5 systems are business critical — they do get targeted by attackers, and F5 hasn’t had a major critical vulnerability that got hit really hard in a while,” Condon said. “They do a good job of keeping up with vulnerabilities” and maintain a “very robust vulnerability disclosure and response program.”

Source code theft could cause more problems

Customers and defenders might be relatively unconcerned about the undisclosed vulnerabilities the nation-state attacker nabbed, but theft of BIG-IP source code could create substantially more serious problems. 

The source code theft is most concerning because attackers can comb through it to identify or develop zero-day exploits, Motheram said. 

“This aspect of the breach is a longer term and more significant supply chain risk that we might only understand the consequences of further down the line,” she added. “Proactively securing the most publicly discoverable assets will be important.”

Authorities described the attack’s potential impact in similar terms, framing it as part of a broader campaign targeting key elements of technology supply chains. Cyber espionage attacks on vendors extend the potential downstream effect to federal agencies, critical infrastructure providers and government officials, Nick Andersen, executive assistant director for cybersecurity at Cybersecurity and Infrastructure Security Agency, said during a media briefing last month.

Nation-state attackers primarily seek to maintain persistent access within the targeted victim’s network to hold those systems hostage, launch a future attack, or gather sensitive information, Andersen said.

Threat groups can weaponize source code in many ways, but at a high level it also helps them understand how a particular piece of software is built and how it works, according to Condon.

“This wasn’t a smash-and-grab type attack. I don’t think we necessarily know what their motivation is in doing that, but certainly having access to the source code would help them develop attacks better,” Condon added.

F5 said it’s continuing to work with NCC Group and IOActive to investigate potential misuse of the stolen BIG-IP source code, but insists it hasn’t found anything of concern thus far.

“We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines,” Christopher Burger, chief information security officer at F5, said in a blog post.

Persistent, deep-rooted attacks on vendors’ systems are a long play with consequences often lasting years. This makes it a challenge to know what customers should worry about, and requires some imagination to fully grasp the repercussions. 

“At this stage we don’t know how the F5 breach will pan out or stack up to prior incidents,” Motheram said. “It’s not paranoid to anticipate that the stolen code will be leveraged in some sort of strategic exploitation that we must proactively monitor for.”

The post What’s left to worry (and not worry) about in the F5 breach aftermath appeared first on CyberScoop.
