Cyber Security Weekly Briefing, 11-17 October

October 17, 2025

F5 issues patches following leak of BIG-IP vulnerabilities

F5 Networks has released security updates to mitigate 44 vulnerabilities in its BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM products, including flaws whose details were exposed when source code and vulnerability information were stolen in an intrusion detected on August 9, 2025.

The incident, attributed to state actors, allowed the theft of information about undisclosed vulnerabilities, although F5 has not identified active exploitation or compromise of its supply chain. The October 2025 updates address the vulnerabilities exposed by the attack and strengthen the security of its environments.

The company recommends that administrators enable event streaming to SIEM systems, configure remote syslog servers, and monitor authentication attempts and privilege changes. In parallel, CISA issued emergency directive ED 26-01, which requires U.S. federal agencies to patch by October 22 and to decommission F5 devices that are no longer supported, given the risk of credential theft, lateral movement and persistence in compromised networks.

More info

Operation Zero Disco exploits SNMP vulnerability in Cisco devices

Trend Research has identified the "Zero Disco" operation, an active campaign that exploits vulnerability CVE-2025-20352 (CVSSv3 7.5 according to the vendor) in the SNMP implementation of Cisco devices to execute remote code and install rootkits on 9400, 9300 and 3750G devices.

The attack provides persistent access by setting a universal password and inserting hooks into the IOSd memory space, which hampers detection and forensic analysis. The actors use spoofed IP addresses and emails, and also modify a Telnet exploit derived from CVE-2017-3881 (CVSSv3 9.8) to gain arbitrary memory read and write capability.

The implanted rootkits act as UDP listeners and can manipulate logs, AAA authentication and network configurations. Newer devices with ASLR are more resilient, but can still be compromised after repeated attempts.

Trend Micro has confirmed detections in its telemetry and provides specific rules to mitigate this threat, and recommends a forensic review of the firmware where compromise is suspected.

More info

Microsoft patches 172 vulnerabilities, including 6 zero-day flaws

Microsoft's October 2025 Patch Tuesday addressed a total of 172 security flaws, including six zero-day vulnerabilities that were being actively exploited.

  • The exploited flaws include CVE-2025-24990 and CVE-2025-24052, Elevation of Privilege (EoP) flaws in the Windows Agere modem driver that allow administrative or SYSTEM privileges to be obtained, and CVE-2025-59230, another EoP in the Windows Remote Access Connection Manager.
  • The remaining zero-days are CVE-2025-47827, a Secure Boot bypass in IGEL OS prior to version 11 that allows a modified root filesystem to be mounted from an unverified image; CVE-2025-0033 (AMD), a critical race condition during Reverse Map Table (RMP) initialization in AMD EPYC processors with SEV-SNP that could affect the integrity of SEV-SNP host memory; and CVE-2025-2884, an out-of-bounds read in the TCG TPM 2.0 reference implementation that can cause information disclosure or a TPM denial of service.

All flaws have been mitigated through the corresponding updates.

More info

Over 100 SonicWall SSL-VPN accounts compromised in large-scale campaign

Huntress researchers have warned of a widespread attack campaign compromising SonicWall SSL-VPN accounts through the use of valid credentials, i.e. logins performed with stolen but legitimate account credentials.

Because the credentials are valid, the actors authenticate quickly and at scale rather than by brute force, which resulted in the compromise of more than 100 accounts across 16 customer environments.

Once inside, the threat actors, whose identity is not specified but who operate from the IP address 202.155.8[.]73, carry out reconnaissance and attempt to move laterally by accessing local Windows accounts, with a potential impact of full network compromise.

SonicWall also published an advisory warning of the campaign. It is recommended to enforce multi-factor authentication (MFA) on all remote and administrative accounts, to immediately reset and rotate all system passwords and secrets (including LDAP/RADIUS, IPSec and API keys), and to restrict remote management access (WAN, HTTP, SSH, SSL VPN) where it is not strictly necessary.
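As an added example (not code from Huntress or SonicWall), the script below shows what a log review for this campaign could look like: it parses constructed SonicWall-style SSL-VPN login lines (the message and field names are assumed, not a real device export) and flags a source IP that successfully authenticates as several distinct accounts within a short window. That is the pattern that separates this campaign from a brute-force attempt, which failure-based alerting would catch but this would not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format. The first
# source IP is the one named in the Huntress report; every other value
# (users, timestamps, second IP) is made up for this example.
SAMPLE_LOG = """\
2025-10-10T08:01:12Z msg="SSL VPN zone remote user login allowed" usr="alice" src=202.155.8.73
2025-10-10T08:01:15Z msg="SSL VPN zone remote user login allowed" usr="bob" src=202.155.8.73
2025-10-10T08:01:19Z msg="SSL VPN zone remote user login allowed" usr="carol" src=202.155.8.73
2025-10-10T08:01:23Z msg="SSL VPN zone remote user login allowed" usr="dave" src=202.155.8.73
2025-10-10T08:01:27Z msg="SSL VPN zone remote user login allowed" usr="erin" src=202.155.8.73
2025-10-10T09:30:00Z msg="SSL VPN zone remote user login allowed" usr="frank" src=198.51.100.7
2025-10-10T09:31:00Z msg="SSL VPN zone remote user login failed" usr="frank" src=198.51.100.7
2025-10-10T12:00:00Z msg="SSL VPN zone remote user login allowed" usr="frank" src=198.51.100.7
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) msg="SSL VPN zone remote user login (?P<result>allowed|failed)" '
    r'usr="(?P<user>[^"]+)" src=(?P<src>\S+)$'
)

def parse(log_text):
    """Turn the raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"],
        })
    return events

def find_valid_account_abuse(events, min_users=3, window=timedelta(minutes=10)):
    """Return {src_ip: [users]} for IPs with >= min_users distinct successful
    logins inside `window`. Only 'allowed' events count: with valid credentials
    there may be no failures at all, so counting failures would miss this."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "allowed":
            by_src[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, logins in by_src.items():
        logins.sort()  # sliding window over successful logins in time order
        for i, (start, _) in enumerate(logins):
            users = {u for ts, u in logins[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

Thresholds are an assumption to tune per environment; in a real deployment the events would come from the remote syslog or SIEM feed recommended above rather than an inline string.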

More info

40% of devices globally still use Windows 10

According to SecurityWeek, Windows 10 is still installed on more than 40% of devices globally. With official support having ended on October 14, this leaves hundreds of millions of computers as an attack surface potentially exposed to unpatched threats.

Microsoft offers an Extended Security Updates (ESU) program that provides patches for another year, at a cost for consumers and organizations, while in the European Union it has been announced that this service will be free.

More info