TRACE Cyber Intelligence Pulse - 17 October 2025


Cyber threats do not wait for you to catch up. Stay ahead with CyXcel’s weekly threat intelligence foresight, grounded in real-world incident response and powered by our fusion of legal, technical and strategic expertise.

Edited by: Samuel Kudláč, Senior Analyst, and Danny Howett, Technical Director – Digital Forensics and Incident Response.

Danny Howett

In Focus

Nation-state Actors Exfiltrate F5 BIG-IP Source Code and Vulnerability Information

This week, F5 Networks disclosed that a “highly sophisticated nation-state threat actor” maintained persistent long-term access to its systems, exfiltrating BIG-IP source code and undisclosed vulnerability information from the company’s product development environment and engineering knowledge platforms.

The breach presents major risks to F5’s customer base, which includes Fortune 500 companies and government agencies in the UK, US and United Arab Emirates. Although the Cybersecurity and Infrastructure Security Agency (CISA) reports no evidence of federal agency compromises in the US, F5 products are used extensively across the federal government. In response, F5 released security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM clients.

Key Takeaways

CISA issued an emergency directive ordering US federal agencies to inventory all F5 BIG-IP products and apply vendor updates immediately, citing an “imminent threat to federal networks,” with the National Cyber Security Centre (NCSC) releasing similar guidance.

The stolen source code and vulnerability information allow threat actors to identify and analyze logic flaws and zero-day vulnerabilities in F5’s BIG-IP products, facilitating the development of targeted exploits. Successful exploitation is highly likely to lead to credential theft, lateral movement, and persistent access, ultimately resulting in full network compromise.

The incident follows a pattern of state-sponsored activity against F5’s BIG-IP infrastructure. Previous campaigns attributed to Chinese state-sponsored threat actors tracked as Velvet Ant, Fire Ant and UNC5174 have exploited critical F5 vulnerabilities to gain access and maintain persistence across a range of government and critical national infrastructure organizations in the UK, US and East Asia.

Based on campaign sophistication, defense evasion capabilities, and historical targeting patterns of F5 infrastructure, CyXcel assesses that it is possible Chinese nation-state threat actors conducted this operation.

Organizations using F5 BIG-IP devices must immediately close internet-exposed management interfaces, consult vendor advisories, and apply the October 2025 security updates. They should also rotate all embedded credentials, API keys and administrative accounts, and extend EDR coverage to F5 environments so that threat hunting can focus on lateral movement and persistence indicators.

Sam Kudlac

Around the Globe

EU: Mango suffers a third-party data breach exposing customer data

Spanish fashion retailer MANGO reported a major third-party data breach to the Spanish Data Protection Authority. The incident impacted personally identifiable information (PII) of its customers globally, including first names, countries, postal codes, email addresses and telephone numbers. The exposed data presents phishing and social engineering risks to the affected individuals.

UK: Jaguar Land Rover breach attributed to nation-state actors

Security researchers from the National Crime Agency (NCA) and the NCSC assessed that the Jaguar Land Rover (JLR) breach was possibly conducted by state-sponsored actors, based on the campaign sophistication, dwell time and impact. The campaign likely began in late 2023 during JLR’s digital and production system overhaul with Tata Group subsidiaries. It is possible that a series of data leaks affecting JLR and Tata Consultancy Services from 2024 are related to the same threat activity cluster.

US: Harvard University breached via Oracle E-Business Suite

Harvard University confirmed it was compromised in a campaign exploiting CVE-2025-61882 in Oracle’s E-Business Suite, exposing administrative data. US and UK cybersecurity agencies attributed the campaign to the Cl0p ransomware group, with security researchers assessing over a hundred likely victims and ransom demands reaching eight figures.

CyXcel TRACE

We Can Help

Expand your threat intelligence monitoring capabilities beyond the dark web with support from CyXcel’s TRACE team. Contact our experts today to find out more.

Photo by Jonakoh on Unsplash.