News

September 9, 2021

BIG-IP Integrity Vulnerability Threat Report

CVE-2025-58424

I. Introduction

Application Delivery Controllers (ADCs) are essential to modern networks because they optimize, secure, and manage client-server traffic. F5’s BIG-IP, a critical Application Delivery Controller used across enterprises and government networks, plays a key role in traffic management, SSL/TLS termination, and application delivery. [1]

On October 15, 2025, F5 published CVE-2025-58424 as part of its quarterly security notification [1][2]. The vulnerability affects F5 BIG-IP systems: undisclosed traffic can cause data corruption and unauthorized data modification in protocols that lack message integrity protection. It affects several BIG-IP versions and configurations [2], and it has been discussed alongside the BRICKSTORM malware, a backdoor used by state-sponsored actors (see Section IV). Although rated Medium (CVSS v3.1 score 4.5) by the National Vulnerability Database (NVD) [2][6], the potential for exploitation across critical infrastructure makes prompt patching a priority.

There were no public reports of active in-the-wild exploitation as of October 28, 2025. However, the CVE is one of a broader set of F5 BIG-IP vulnerabilities disclosed in the wake of a nation-state intrusion into F5’s internal networks (detected on August 9, 2025) [6][8], in which BIG-IP source code and details of undisclosed vulnerabilities were stolen. An actor holding that material is well placed to develop exploits ahead of public disclosure, which raises the risk of zero-day use.

Following public disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 26-01 for federal agencies [8]. The directive required agencies to inventory F5 products, apply F5’s patches, and restrict access to management interfaces. CISA described the breach as an “imminent threat” to federal networks.

This advisory provides a consolidated overview of CVE-2025-58424: what it is, which organizations and BIG-IP modules it affects, the MITRE ATT&CK techniques associated with it, and recommended mitigations. Its goal is to help readers understand the technical scope of the issue and the protections needed to maintain data integrity and network resilience.

II. Target

CVE-2025-58424 affects the BIG-IP data plane, which handles nearly all runtime traffic processing, including the load-balanced traffic that passes through the Traffic Management Microkernel (TMM). Any organization running an affected BIG-IP product, or a service that depends on TMM, is therefore potentially vulnerable. Because these devices sit at the network edge and terminate or forward large volumes of client-server traffic, successful exploitation is high-impact and can affect a wide range of industries [4], including:

  • Enterprise & Cloud Service Providers
  • Financial Services
  • Government & Public Sectors
  • Healthcare
  • Telecommunications
  • Retail & E-commerce

Affected BIG-IP Modules:

Table 1 lists the BIG-IP modules affected by CVE-2025-58424, as identified in Recorded Future’s vulnerability enrichment [6], along with each module’s functional category:

Table 1. BIG-IP Modules Impacted by CVE-2025-58424 and their Functional Classification

III. Tactics and Techniques

The following table maps out MITRE ATT&CK Techniques Associated with CVE-2025-58424:

Table 2. MITRE ATT&CK Techniques Associated with CVE-2025-58424

IV. Adversary Tools and Services

A specific threat actor has not been officially linked to the F5 breach. However, public reporting from Google Cloud’s Mandiant (Google Cloud’s threat intelligence group, which tracks advanced persistent threat (APT) and state-sponsored activity) suggests a possible connection to UNC5221, a China-nexus actor that targets network and edge devices [7]. The activity surrounding the F5 intrusion resembles UNC5221’s earlier campaigns, but resemblance does not prove that the same actor is involved; it indicates only that comparable techniques and tools are in play, which is worth monitoring in case the same malware or infrastructure recurs.

The primary malware family linked to this activity is BRICKSTORM, a backdoor that gives attackers sustained remote access to, and control over, compromised systems. BRICKSTORM is cross-platform, with variants for Windows, Linux, and BSD (Berkeley Software Distribution), which lets attackers operate across a variety of network environments [7]. In past campaigns UNC5221 maintained access for more than a year (an average dwell time of roughly 393 days), showing that it prioritizes long-term collection and stealth over noisy operations that would quickly burn its access [7].

To stay hidden, the group fronts its command-and-control (C2) infrastructure with cloud services such as Cloudflare Workers and Heroku (“cloud-fronting”), so that malicious traffic appears to be headed for reputable providers. It also resolves C2 endpoints over DNS-over-HTTPS (DoH), which hides the lookups inside encrypted HTTPS traffic and makes anomalies harder for defenders to spot. Once inside, the group moves into the virtualization layer, such as the VMware vCenter servers and ESXi hosts common in data centers [7]. This gives it broader control and lets it persist even if an individual machine is isolated or patched.

Recorded Future’s enrichment also notes that CVE-2025-58424 is referenced by legitimate assessment tooling, such as Tenable Nessus plugin #270590, as well as by entries for generic tooling such as DDoS toolkits and backdoor malware [6]. A scanner plugin checks whether a host is unpatched; it does not by itself indicate exploitation. The point is that both sides can readily identify exposed systems: adversaries looking for unpatched targets, and defenders validating their own patch state.

Taken together, these findings place CVE-2025-58424 in a hybrid threat space that independent and state-sponsored actors alike could exploit. Even without confirmation of who is responsible for the F5 intrusion, the overlap in tactics and techniques points to a broader campaign model that emphasizes data manipulation, stealth, and long-term persistence.

V. Indicators of Compromise (IOCs) and Detection Indicators

No verified Indicators of Compromise (IOCs) for CVE-2025-58424 were available when this advisory was written. In the meantime, security teams should watch for the possible early warning signs of exploitation described in Section IV: anomalous outbound connections to cloud-hosted command-and-control (C2) services and unexpected encrypted DNS (DoH) traffic from servers.

Table 3 collects observable behaviors and network patterns connected to the exploitation activity associated with CVE-2025-58424. Until confirmed IOCs are released, these indicators can help analysts hunt for related activity:

Table 3. Detection and Monitoring Indicators for CVE-2025-58424
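As an added example (not from the advisory, Mandiant, or Recorded Future), the following Python script hunts for the behaviors described in Sections IV and V in TLS connection records: outbound TLS to Cloudflare Workers or Heroku hostnames, DNS-over-HTTPS to public resolvers, and regularly timed connections that look like beaconing. Field names follow Zeek’s ssl.log JSON output, but every record, hostname and threshold in it is a constructed assumption; the hostname suffixes and resolver list are a starting point for a hunt, not a verified IOC set.

```python
"""Hunt for the C2 patterns this advisory names (cloud-fronted C2 on
Cloudflare Workers or Heroku, DNS-over-HTTPS, periodic beaconing) in TLS
connection records.

Added example for this advisory; it is not from Mandiant, Recorded Future
or F5. Field names follow Zeek's ssl.log JSON output, but every record
below is constructed. The suffix and resolver lists are starting points
for a hunt, not a complete or verified IOC set.
"""
import json
import statistics
from collections import defaultdict

# Hosting platforms the advisory associates with BRICKSTORM C2.
CLOUD_C2_SUFFIXES = (".workers.dev", ".herokuapp.com")

# Public DoH endpoints. Assumption: the monitored hosts are servers that
# should use the internal resolver, so any DoH from them is worth a look.
DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "one.one.one.one",
}

MIN_BEACON_COUNT = 4   # connections needed before judging regularity
MAX_BEACON_CV = 0.2    # coefficient of variation of gaps at or below this = regular

# Constructed records: one host talks to a workers.dev name every ~5 minutes
# and once to a public DoH resolver; the rest is ordinary traffic.
SAMPLE_LOG = """\
{"ts": 1700000000.0, "id.orig_h": "10.0.5.20", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "server_name": "www.example.com"}
{"ts": 1700000020.0, "id.orig_h": "10.0.5.21", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "server_name": "www.example.com"}
{"ts": 1700000300.0, "id.orig_h": "10.0.5.20", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "cdn-sync.example.workers.dev"}
{"ts": 1700000450.0, "id.orig_h": "10.0.5.20", "id.resp_h": "8.8.8.8", "id.resp_p": 443, "server_name": "dns.google"}
{"ts": 1700000600.0, "id.orig_h": "10.0.5.20", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "cdn-sync.example.workers.dev"}
{"ts": 1700000901.0, "id.orig_h": "10.0.5.20", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "cdn-sync.example.workers.dev"}
{"ts": 1700001200.0, "id.orig_h": "10.0.5.20", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "cdn-sync.example.workers.dev"}
"""


def classify(rec):
    """Tags for one record: 'cloud-fronted-c2', 'doh', or nothing."""
    sni = (rec.get("server_name") or "").lower()
    tags = []
    if sni.endswith(CLOUD_C2_SUFFIXES):
        tags.append("cloud-fronted-c2")
    if sni in DOH_HOSTS and rec.get("id.resp_p") == 443:
        tags.append("doh")
    return tags


def beacon_candidates(records):
    """Map (src, sni) -> mean gap in seconds for pairs with regular timing."""
    times = defaultdict(list)
    for r in records:
        if r.get("server_name"):
            times[(r["id.orig_h"], r["server_name"].lower())].append(float(r["ts"]))
    found = {}
    for key, ts in times.items():
        if len(ts) < MIN_BEACON_COUNT:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # simultaneous connections are not a beacon
        if statistics.pstdev(gaps) / mean <= MAX_BEACON_CV:
            found[key] = round(mean, 1)
    return found


def hunt(lines):
    """Run both checks over JSON-lines input; returns hits and beacon pairs."""
    records = [json.loads(line) for line in lines if line.strip()]
    hits = []
    for r in records:
        tags = classify(r)
        if tags:
            hits.append((r["id.orig_h"], r["server_name"], tags))
    return {"hits": hits, "beacons": beacon_candidates(records)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG.splitlines())
    for src, sni, tags in result["hits"]:
        print(f"{src} -> {sni}: {', '.join(tags)}")
    for (src, sni), gap in result["beacons"].items():
        print(f"beacon candidate: {src} -> {sni} every {gap}s")
```

To run it against real data, replace SAMPLE_LOG with the contents of a Zeek ssl.log written in JSON format (server_name is the TLS SNI). A workers.dev or herokuapp.com SNI is not malicious on its own; the useful signal is the combination of such a destination with a server that has no business reaching it and with the periodic timing the beacon check looks for.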

VI. Recommendations

CVE-2025-58424 allows an attacker to inject data into, and thereby modify, active TCP sessions that use protocols without encryption or message integrity protection, such as plaintext traffic that is not wrapped in TLS. The issue stems from predictable identifiers in TMM (the Traffic Management Microkernel, the core traffic-processing component of BIG-IP), which can be leveraged to inject malicious data into the data plane. To mitigate this threat, organizations should take the following actions:

  1. Upgrade BIG-IP

F5 has released patched versions for the affected modules. Organizations running affected versions should upgrade to a fixed version (15.1.10.8 or later, 16.1.6 or later, or 17.5.0 or later) [3].

For additional guidance on common issues and best practices when upgrading BIG-IP systems, see F5’s article K000157079 [5]: https://my.f5.com/manage/s/article/K000157079

  2. Turn on the TCP Injection Protection Setting

Until the upgrade is applied, administrators can enable the tm.tcpstopblindinjection database variable from the Traffic Management Shell (tmsh) as a temporary mitigation and an extra layer of protection:

a. From the Advanced Shell (bash), open the Traffic Management Shell:

tmsh

b. Enable the tm.tcpstopblindinjection database variable:

modify /sys db tm.tcpstopblindinjection value enable

c. Verify the change:

list /sys db tm.tcpstopblindinjection

d. Save the configuration so the setting persists:

save /sys config
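As an added example for this advisory (not F5’s code and not from the sources cited), the following Python script checks a BIG-IP’s state offline from two pieces of captured tmsh output: whether the running version is at or above the fixed version for its branch, and whether the tm.tcpstopblindinjection workaround is enabled. The version floors are an assumption read from the upgrade guidance in step 1 (15.1.10.8, 16.1.6 and 17.5.0 for the 15.1, 16.1 and 17.x branches); confirm them against F5’s advisory for your branch before relying on them. The tmsh output embedded in the script is constructed to show the layout, not captured from a real device.

```python
"""Offline check of a BIG-IP's patch state and its tm.tcpstopblindinjection
mitigation for CVE-2025-58424, using text captured from tmsh.

Added example for this advisory; it is not F5 code. The fixed-version
floors are read from the advisory's upgrade guidance (15.1.10.8+, 16.1.6+,
17.5.0+); confirm them against F5's K000151297 table for your branch before
relying on them. The tmsh output below is constructed to illustrate the
real output layout.
"""
import re

# Minimum fixed version per branch (assumption: taken from the advisory text).
FIXED = {
    (15, 1): (15, 1, 10, 8),
    (16, 1): (16, 1, 6),
    (17,): (17, 5, 0),
}

# Constructed sample of 'tmsh show sys version' (not from a real device).
VERSION_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.5
  Build       0.0.9
  Edition     Final
"""

# Constructed samples of 'tmsh list /sys db tm.tcpstopblindinjection'.
DB_DISABLED = """\
sys db tm.tcpstopblindinjection {
    value "disable"
}
"""
DB_ENABLED = DB_DISABLED.replace('"disable"', '"enable"')


def parse_version(show_sys_version):
    """Return the BIG-IP version as an int tuple, e.g. (16, 1, 5)."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", show_sys_version, re.M)
    if not m:
        raise ValueError("no Version line in tmsh output")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version):
    """True/False for a known branch; None when the branch is not in FIXED.

    Tuple comparison is lexicographic, so (15, 1, 10) < (15, 1, 10, 8) and
    (17, 5, 1) > (17, 5, 0), which matches how BIG-IP point releases order.
    """
    for branch, floor in FIXED.items():
        if version[:len(branch)] == branch:
            return version >= floor
    return None


def mitigation_enabled(list_sys_db):
    """Parse the db variable block and report whether its value is 'enable'."""
    m = re.search(
        r'tm\.tcpstopblindinjection\s*\{[^}]*?\bvalue\s+"?([A-Za-z]+)"?',
        list_sys_db,
    )
    return bool(m) and m.group(1).lower() == "enable"


def assess(show_sys_version, list_sys_db):
    """Combine both checks into one remediation status for the device."""
    version = parse_version(show_sys_version)
    patched = is_patched(version)
    mitigated = mitigation_enabled(list_sys_db)
    if patched is None:
        status = "unknown-branch"       # not covered by the advisory's table
    elif patched:
        status = "patched"
    elif mitigated:
        status = "unpatched-mitigated"  # workaround in place, upgrade still due
    else:
        status = "unpatched-exposed"
    return {
        "version": ".".join(map(str, version)),
        "patched": patched,
        "mitigation_enabled": mitigated,
        "status": status,
    }


if __name__ == "__main__":
    # On a real device: tmsh show sys version > ver.txt;
    # tmsh list /sys db tm.tcpstopblindinjection > db.txt; then feed both here.
    for label, db in (("before mitigation", DB_DISABLED), ("after mitigation", DB_ENABLED)):
        print(label, assess(VERSION_OUTPUT, db))
```

The "unpatched-mitigated" status is deliberately separate from "patched": the database variable is a workaround for blind injection, not a fix, so a device in that state still belongs on the upgrade list.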

In addition to patching, restrict management-interface and self-IP access to trusted networks, and enforce TLS for all traffic the device handles, so that an injected segment cannot pass the session’s integrity check.

While systems are being patched, security analysts should increase monitoring of network traffic and logs for unusual TCP behavior, injection attempts, or sequence-number anomalies. The CVSS score is only moderate, but the potential for unauthorized data manipulation inside live network segments makes this a serious threat that warrants prompt remediation.

Table 4. Summary of Affected Products & Fixed Versions

Note: Refer to Table 1 in Section II (Target) for a complete list of affected BIG-IP modules.

VII. References

[1] F5 Networks. (2025, October). Security Advisory K000156572: BIG-IP Software Vulnerabilities Quarterly Notification | MyF5. https://my.f5.com/manage/s/article/K000156572

[2] National Vulnerability Database (NVD). (2025, October 15). CVE-2025-58424: F5 BIG-IP Traffic Management Microkernel Data Corruption Vulnerability | National Institute of Standards and Technology (NIST). https://nvd.nist.gov/vuln/detail/CVE-2025-58424

[3] F5 Networks. (2025, October 15). Security Advisory K000151297: BIG-IP System Software Security Update for CVE-2025-58424 | MyF5. https://my.f5.com/manage/s/article/K000151297

[4] F5 Networks. (2025, October). Security Advisory K44525501: CVE-2025-58424 BIG-IP Data Plane Vulnerability Overview | MyF5. https://my.f5.com/manage/s/article/K44525501

[5] F5 Networks. (2025, October). Security Advisory K000157079: Upgrading BIG-IP Systems – Best Practices and Mitigation Guidance | MyF5. https://my.f5.com/manage/s/article/K000157079

[6] Recorded Future Insikt Group. (2025, October 23). Vulnerability Enrichment: CVE-2025-58424. Recorded Future. https://app.recordedfuture.com/portal/analyst-note/doc:_b2QRX

[7] Yoder, S., Wolfram, J., Pearson, A., Bienstock, D., Madeley, J., Murchie, J., Slaybaugh, B., Lin, M., Carstairs, G., & Larsen, A. (2025, September 24). Another BRICKSTORM: Stealthy backdoor enabling espionage into tech and legal sectors. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

[8] Lakshmanan, R. (2025, October 15). F5 breach exposes BIG-IP source code — Nation-state hackers behind massive intrusion. The Hacker News. https://thehackernews.com/2025/10/f5-breach-exposes-big-ip-source-code.html

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Taylor Alvarez, Isaiah Johnson, Eduarda Koop, and Waratchaya Luangphairin (June)

Posted: 2025-11-04T15:12:08-05:00

Virtual Cyber Workshop for Critical Infrastructure 12/9/25

Virtual Cybersecurity Workshop for Critical Infrastructure

December 9, 2025 | 8:30am – 12 Noon (Eastern Time)

Cyber Florida’s Critical Infrastructure Program (CIP) Workshop brings together public-sector leaders, IT professionals, and emergency managers to tackle real-world cyber threats facing Florida’s essential services. These hands-on sessions deliver practical tools, expert insights, and interactive scenarios designed to help SLTT agencies strengthen their cyber resilience and readiness.

  • Receive actionable recommendations for enhancing compliance with Florida Statute 282.318
  • See an overview of Cyber Florida’s no-cost solutions and services to strengthen your organization’s cyber defenses.
  • Engage in an exciting tabletop exercise hosted by the National Cybersecurity Preparedness Consortium (NUARI), offering hands-on experience in responding to cyber incidents.

Whether you’re securing water systems, transportation networks, or municipal services, these workshops are your front line in building a safer Florida. Don’t miss this chance to improve your cybersecurity posture and resilience!

Posted: 2025-11-04T10:22:10-05:00

Steve Orrin — Building Trust at Intel and the Poker Table

Episode 65 — Steve Orrin

Posted: 2025-11-04T07:51:07-05:00

Arnie Bellini – The Visionary Behind CyberBay

Arnie Bellini, best known as the former CEO and co-founder of ConnectWise, helped shape Tampa Bay’s technology landscape. Today, he’s leading a new movement – turning Tampa Bay into CyberBay, the next cybersecurity hub of the United States.

In this premiere episode of The CyberBay Podcast, co-host and Tampa Bay Business Journal reporter Anjelica Rubin sits down with Arnie to trace his journey from early tech entrepreneur to thought leader, philanthropist, and investor.

Arnie reflects on the Bellini family’s deep roots in Tampa Bay, the trials and triumphs of building ConnectWise at the dawn of the tech revolution, and the philosophies that have guided his career and life. Together, he and Anjelica unpack the vision behind the CyberBay movement and his mission to defend the digital borders of the U.S.

Posted: 2025-11-03T14:48:21-05:00

Inaugural CyberBay Summit a Success!


Thank You for Making CyberBay Summit 2025 a Success!

What an incredible week in Tampa Bay! CyberBay Summit 2025 brought together hundreds of cybersecurity professionals, innovators, educators, and students to explore the future of digital resilience and collaboration.

From thought-provoking keynotes and hands-on technical workshops to the buzzing energy of the exhibit floor, the conversations and connections made this year proved that Florida’s cybersecurity ecosystem is stronger and more united than ever.

A heartfelt thank you to all our attendees, speakers, exhibitors, and sponsors for making this year’s summit possible. Your expertise, enthusiasm, and partnership drive our shared mission to build a safer, more secure digital future for all.

We’re already looking ahead to what’s next, so stay tuned for details on CyberBay Summit 2026. Follow the CyberBay movement on LinkedIn.

Thank you to our friends at Bay News 9 Spectrum News for covering CyberBay Summit 2025.

Cybersecurity experts gather for inaugural ‘Cyber Bay’ event

This news segment was picked up and ran in the Rochester, San Antonio, Buffalo, Austin, and Central Florida Spectrum News markets!

USF University Communications and Marketing covered the event as well: Simulated cyberattack, national security highlight inaugural CyberBay conference.

Posted: 2025-10-29T19:31:00-04:00

McCrary Institute: Code Red

The coordinated “typhoon” campaigns, led by actors like Volt Typhoon, reflect a new phase of state-sponsored cyber warfare that demands a comprehensive U.S. and allied response integrating cybersecurity, intelligence, diplomacy, and legal reform. Dive into the McCrary Institute’s comprehensive brief on this persistent threat.

Posted: 2025-10-29T17:43:15-04:00

CyberLaunch Virtual Qualifiers- Important Info


Requirement for the Virtual Qualifiers:

Make sure your school/district whitelists the following domains in order to get access to the Virtual Qualifiers and receive communication about the events.

*simspace.com

*cyberflorida.org

Include the wildcard asterisk to allow subdomains.

Posted: 2025-10-30T09:25:56-04:00

Student Spotlight: Jayden Greer


Student: Jayden Greer

School: George Jenkins High School

District: Polk County

Meet Jayden Greer! Jayden’s passion for cybersecurity began with an early interest in technology and was further inspired by his teacher’s creation of the Cybersecurity Academy.

Jayden currently holds one cybersecurity certification and is determined to achieve several more by the end of the year. Over several months, Jayden has gained valuable hands-on experience working with the school’s network administrator. After high school, Jayden plans to attend the University of South Florida to pursue a bachelor’s degree in cybersecurity and continue developing skills through real-world experience and additional certifications.

Do you teach a great student who should be featured in our Student Spotlight?
Please complete the form below!

Posted: 2025-10-02T09:29:35-04:00

Teacher Spotlight: Jacob Hill


Teacher: Jacob Hill

District: Escambia County

Jacob Hill is an innovative educator at Pensacola High School, where he has spent the past four years shaping young minds. He draws on nearly two decades of experience in international business education across secondary and higher education. He currently leads classes in IB Business Management, AP Computer Science, and AP CK Cybersecurity while also directing the school’s Work-Based Learning initiatives.

Seeing immense opportunities in the rapidly evolving field of cybersecurity, Hill launched the program to help students enter a high-demand industry. It equips them with technical expertise and the essential soft skills—critical thinking, creativity, and teamwork—that distinguish future leaders.

Beyond the classroom, Hill’s leadership extends to his roles as FBLA District 1 Director, service on the Florida FBLA State Board, and coaching cross country, empowering students to grow as leaders and individuals. In his downtime, he enjoys cooking and exploring new global cuisines, cheering for Chelsea FC, and designing graphics for school and community events.

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Posted: 2025-10-01T10:24:12-04:00

The ReX-Files: CyberHerd Documentary

Photos from the CyberHerd documentary premiere at USF on September 24, 2025

Rex Wilson, brand manager for Cyber Florida

Watch the CyberHerd documentary on the Cyber Florida YouTube channel!

The ReX-Files: The Episode where Rex talks about producing the CyberHerd documentary

More than a competition story, The Making of a Defender shows how solving the nation’s cybersecurity challenges is becoming a pillar of the Tampa Bay community and beyond. As CyberBay grows, this story becomes one of its cornerstones.

In anyone’s professional career, there are only a handful of opportunities to truly elevate people in a lasting way. I’m not talking about the small but powerful kindnesses we practice daily—thank you, Mister Rogers, for teaching us that. I mean something bigger, something rare, where the timing, circumstances, and people all align. Last year, I was given that kind of opportunity.

Just over a year ago, I noticed that the USF CyberHerd (Ya Herd!—they know what I mean) was quietly making big waves in cybersecurity competitions. Despite sharing a home with them at USF, I hadn’t followed them closely. If anything, I was more familiar with their long-dominant Orlando rivals, Hack UCF. But as I dug in, I discovered that the CyberHerd wasn’t just competing with them—they were winning.

That’s when I thought, “Maybe there’s a story here.”

I pitched the idea to my supervisor, Kate Whitaker, and our director, Ernie Ferraresso. They believed in it, brought it to leadership, and just like that, we were greenlit.

With the talented team at Two Stories Media, I began documenting the CyberHerd’s journey for a full year—competitions, practices (so much practice), and everything in between. Anyone who has ever made a documentary knows: you don’t get to script the ending. Sometimes you land the perfect Cinderella moment, other times the pumpkin explodes and lands on your head. This story had a little of both.

What I didn’t expect, though, was how much I would learn along the way. I began to see these students not just as competitors but as something closer to elite athletes—driven, resilient, and focused. Sitting front-row, I realized my job wasn’t just to record their journey; it was to elevate it. To make sure their hard work, sacrifice, and brilliance weren’t lost in the shuffle but instead woven into USF history and the broader CyberBay movement.

The story of the 2024–25 CyberHerd now lives beyond me. It’s captured, told, and preserved as part of something much larger than any one of us. To Waseem, Jacob, Jack, Michelle, Coach Marbin, Sriram, and the rest of the CyberHerd family—thank you for letting me in.

Am I proud of this project? Strangely, no. Pride isn’t the word. What I feel instead is something deeper: gratitude. Gratitude for the chance to help tell your story. Gratitude for the friendships formed. And gratitude for the knowledge that this story will outlast us all.

Your friend in cyber competitions,

Rex Wilson

P.S. – Thank you to our friends at USF Communications and Marketing for publishing this excellent article about the CyberHerd documentary.

Posted: 2025-09-30T14:20:06-04:00