Becky Pinkard

Cyber security exec, published author & professional speaker. I do security because I love it. She/her 🏳️‍🌈
#AlwaysLearning

For F5 BIG-IP APM customers, CVE-2025-53521 is being exploited in the wild by a nation state threat actor

It allows unauth RCE and applies to the data plane (not the management interface) - the one available over the internet.

https://my.f5.com/manage/s/article/K000156741

Attackers have been deploying webshells, so boxes are still vuln post patching if already exploited prior.


Really good research from Rapid7 here, where they’ve found multiple new versions of BPFdoor which do things like listen and backdoor on extremely uncommon 4G and 5G signaling protocols - it strongly suggests BPFdoor has been placed far inside telcos for surveillance.

They provide a tool to check for the new implant - I would strongly suggest telcos look for this on their Linux systems, including call infrastructure.

https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/

BPFdoor in Telecom Networks: Sleeper Cells in the backbone

A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor placing stealthy digital sleeper cells in telecommunications networks, in order to carry out high-level espionage – including against government networks. Read more in a new blog.

@GossiTheDog Oh mate - you’re an amazing human being, a wonderful friend and have a heart much, much bigger than that Omaze house. Being introverted or even awkward doesn’t take away from any of that. Just like your brother did, you make the world a better place - and certainly a more secure one for literally millions!!! I’m sending massive virtual hugs your way.

To find your org on .@shodan search for:

"acSamlv2Error=" "webvpnc=" "Cache-Control: no-store"

Then add org:YourOrg or ssl:YourOrg

#CyberWillyWave

@GossiTheDog Seeing any crossover to the ATC issues in Texas yesterday?
RTX is Raytheon btw, a large cybersecurity provider. Looking into it.. but so far, looks like e-crime.

ARINC SelfServ vMUSE devices are down in airports in EU, they do self service check in. They’re connected to navAviNet aka ARINC Ground Network, managed by Collins Aerospace, who are owned by RTX.

An attacker got onto the shared network.

To back up ReliaQuest - this is the exploit LAPSUS guys have been running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.

New by me: Citrix forgot to tell you there was a zero day RCE vulnerability used widely since at least May in Netscaler.

Nobody released any technical information until now.

It has been used to pop "critical" organisations in the Netherlands and worldwide.

What to do:

https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-used-as-a-zero-day-since-may-2025-d76574e2dd2c

Citrix forgot to tell you CVE-2025-6543 has been used as a zero day since May 2025

A look into what action Netscaler customers need to take ASAP.


Help request. My brother has Stage 4 colorectal cancer.

His life insurance has refused to pay out on a technicality, meaning he and his loved ones cannot afford the mortgage on their home.

I've never asked for anything in return for infosec stuff, but if you have anything spare, please chuck it this direction instead:

https://gofund.me/b9a0d8f4