Advisory ID: NCC-CSIRT-2025-021
Summary:
Researchers have discovered a self-propagating malware campaign called SORVEPOTEL, which spreads primarily through WhatsApp messages containing malicious ZIP attachments, and occasionally via email. Once executed, the malware can harvest sensitive data, monitor browser activity, take control of WhatsApp sessions, and automatically forward the infected ZIP file to a victim’s contacts, allowing it to spread rapidly.
The campaign has recorded hundreds of infections, with initial impact concentrated in Brazil, targeting organizations in the manufacturing, banking, education, technology, and construction sectors. Brazilian authorities warn that the malware could evolve to target sensitive government systems, raising concerns about broader regional and international implications.
Damage/Probability: Critical/High
Product(s):
- WhatsApp (Web/Desktop sessions exploited for propagation)
- Microsoft Windows endpoints (primary infection targets)
- Email clients (alternative delivery channels)
Version(s):
Not version-specific, affects a wide range of unpatched/poorly secured IoT firmware and consumer router firmware versions.
Platform(s):
- Windows desktop/laptop environments
- Corporate workstations
- Devices linked to WhatsApp Web through a web browser on Windows systems.
Description:
The SORVEPOTEL malware is distributed through phishing messages sent from compromised WhatsApp accounts or emails that include ZIP attachments disguised as invoices, receipts, or forms. When opened, these files execute a .NET-based loader (e.g., Maverick.StageTwo), which installs the main payload (Maverick.Agent).
The malware establishes persistence through batch scripts and scheduled tasks, monitors browser activity for a list of financial websites, and communicates with command-and-control (C2) servers for further instructions. Critically, it abuses WhatsApp Web/Desktop sessions on infected systems to automatically send the malicious ZIP file to the victim’s contact list, enabling self-spreading propagation.
Although currently focused in Brazil, researchers caution that the malware’s modular structure could be easily adapted to target users in other regions, including West Africa. Its tactics of social engineering, data theft, and automated messaging are consistent with methods observed in regional financial and government-targeted cyber campaigns.
Impacts:
- Theft of credentials and session tokens from browsers and financial platforms.
- Rapid lateral spread through trusted WhatsApp contacts.
- Compromise of sensitive data, including government and corporate information.
- Disruption of operations and potential reputational damage.
Detection & Indicators of Compromise (IoCs):
- Unexpected WhatsApp messages from known contacts containing ZIP attachments.
- Suspicious .NET executables appearing in “Downloads” or “Temp” folders.
- New batch scripts or scheduled tasks created after ZIP extraction.
- High-volume outbound WhatsApp Web traffic from a desktop device.
- Unusual connections to unrecognized domains following ZIP execution.
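The indicators above can be correlated in endpoint telemetry rather than checked one by one. The script below is an added example, not code from the advisory or from NCC-CSIRT: it runs the chain "executable launched from Downloads/Temp, scheduled task created shortly afterwards, high-volume WhatsApp Web traffic" over constructed Sysmon-like events. The event shape, the 10-minute window and the request threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and paths are assumptions made for this example, not values from the advisory.
TASK_WINDOW = timedelta(minutes=10)   # a task created this soon after the staged binary ran
WHATSAPP_REQ_THRESHOLD = 100          # outbound WhatsApp Web requests that count as "high volume"
STAGED_EXE = re.compile(r"\\(Downloads|Temp)\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample telemetry in a simplified Sysmon-like shape: process creations plus
# aggregated outbound flow records. WS-01 models an infected host, WS-02 a clean one.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2025-10-09T09:00:05", "type": "process_create",
     "image": r"C:\Users\ana\Downloads\RES-20251009.exe", "cmdline": "RES-20251009.exe"},
    {"host": "WS-01", "ts": "2025-10-09T09:00:40", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Users\ana\AppData\Local\Temp\up.bat /sc onlogon"},
    {"host": "WS-01", "ts": "2025-10-09T09:05:00", "type": "netflow",
     "dest": "web.whatsapp.com", "requests": 240},
    {"host": "WS-02", "ts": "2025-10-09T09:01:00", "type": "process_create",
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "notepad++.exe"},
    {"host": "WS-02", "ts": "2025-10-09T09:02:00", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query"},
    {"host": "WS-02", "ts": "2025-10-09T09:10:00", "type": "netflow",
     "dest": "web.whatsapp.com", "requests": 12},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_sorvepotel_chain(events, task_window=TASK_WINDOW, wa_threshold=WHATSAPP_REQ_THRESHOLD):
    """Return {host: [matched indicators]} for hosts matching at least two of the advisory's IoCs."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        hits = []
        # IoC: executable started from a user-writable staging folder (Downloads/Temp).
        staged = [_ts(e) for e in evs
                  if e["type"] == "process_create" and STAGED_EXE.search(e["image"])]
        if staged:
            hits.append("executable launched from Downloads/Temp")
        # IoC: scheduled task created shortly after that executable ran (batch persistence).
        for e in evs:
            cmd = e.get("cmdline", "").lower()
            if e["type"] != "process_create" or "schtasks" not in e["image"].lower() or "/create" not in cmd:
                continue
            lags = [(_ts(e) - s).total_seconds() for s in staged if timedelta(0) <= _ts(e) - s <= task_window]
            if lags:
                action = "batch script" if ".bat" in cmd else "task action"
                hits.append(f"scheduled task ({action}) created {int(min(lags))}s after staged executable")
                break
        # IoC: high-volume outbound WhatsApp Web traffic from a desktop host.
        wa_requests = sum(e["requests"] for e in evs
                          if e["type"] == "netflow" and e["dest"].endswith("whatsapp.com"))
        if wa_requests >= wa_threshold:
            hits.append(f"high-volume outbound WhatsApp Web traffic ({wa_requests} requests)")
        if len(hits) >= 2:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    for host, hits in detect_sorvepotel_chain(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(hits))
```

Requiring two of three indicators keeps a single scheduled task or a busy WhatsApp Web user from raising an alert on its own.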
Solutions:
- User Awareness: Do not open ZIP attachments from WhatsApp or email unless verified independently.
- Session Control: Immediately log out of all active WhatsApp Web/Desktop sessions after any suspicious activity.
- Endpoint Protection: Update antivirus and EDR signatures; quarantine any identified infections.
- System Hardening: Restrict execution of unsigned scripts or .NET binaries; apply OS and browser patches.
- Containment: Isolate compromised hosts and review browser and WhatsApp activity logs.
- Messaging Controls: Implement attachment filtering for email and monitor corporate WhatsApp channels.
- Include WhatsApp-based social engineering in security awareness and phishing simulations.
- Instruct SOC teams to monitor for malware families linked to the Maverick loader.
- Strengthen endpoint and network segmentation to limit lateral spread.
- Share any identified IOCs with NCC-CSIRT and relevant national CERTs for coordinated response.
References:
- https://ithelp.harrisburgu.edu/support/discussions/topics/44001025903
- https://kudelskisecurity.com/research/sorvepotel-self-propagating-malware-spreading-via-whatsapp
- https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html
- https://cybersecuritynews.com/threat-actors-attack-windows-systems-with-sorvepotel-malware/
- https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html
Advisory ID: ngCERT-2025-100010
SUMMARY
ngCERT writes to alert on the exploitation of vulnerabilities in F5 Devices and Networks by threat actors. Notably, the threat actors compromised F5’s systems and exfiltrated files, including a portion of its BIG-IP source code and vulnerability information, enabling targeted exploits for credential access and network infiltration. The attack has implications for data exfiltration, financial losses and reputational damage. Reportedly, these vulnerabilities pose an imminent threat to government networks and organisations using F5 products, with no specific CVEs disclosed. It is worth noting that F5 rotated signing certificates and keys in October 2025 to address risks from the breach. Thus, ngCERT urges all government agencies and organizations using F5 products to act promptly to prevent compromise of their systems and networks.
Damage: Critical
Probability: High
Platform(s): F5’s BIG-IP development and engineering platforms
DESCRIPTION
The breach, exploited through vulnerable internet-exposed software due to non-compliance with F5's own security guidelines, allowed long-term access to development and engineering platforms. Exfiltrated data includes BIG-IP source code and vulnerability information, facilitating static/dynamic analysis for flaws, exploit development, and access to embedded credentials/API keys. No specific CVEs have been disclosed yet, but the incident is related to F5's October 2025 Quarterly Security Notification and certificate/key rotation. Affected products include F5 BIG-IP hardware devices, F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IQ software, and BNK/CNF, with risks amplified for end-of-support devices. Exploitation requires no user interaction and can be remote if devices are internet-exposed. No public PoC exists, but the actor's knowledge increases the exploitation likelihood.
CONSEQUENCES
Successful exploitation of F5 vulnerabilities could result in:
- Targeted exploits for credential access and network infiltration, developed from the exfiltrated BIG-IP source code and vulnerability information.
- Exposure of embedded credentials and API keys present in the leaked code.
- Data exfiltration from compromised government and organisational networks.
- Financial losses and reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Inventory and Assessment: Identify all F5 products (hardware, software, virtualised); conduct compromise assessments on internet-exposed management interfaces.
- Apply Updates and Patches: Install the latest F5 security updates from the October 2025 Quarterly Notification, validating MD5 checksums; prioritize for key products by October 22, 2025, and others by October 31, 2025.
- Certificate and Key Rotation: Rotate F5-associated digital certificates and keys per guidance; update BIG-IP image verification processes to recognise new signing keys.
- Harden Systems: Restrict management access, follow F5 hardening best practices such as K53108777 and disconnect or replace end-of-support devices.
- Monitoring and Reporting: Perform continuous threat hunting and report suspected compromises to ngCERT.
HYPERLINK
- https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
- https://www.ncsc.gov.uk/news/confirmed-compromise-f5-network
- Chinese Hackers Blamed for Severe Breach at US Cyber Firm F5 - Bloomberg
- Confirmed compromise of F5 network - NCSC.GOV.UK
- F5 signing certificate and key rotation, October 2025
TLP:CLEAR - ngCERT SECURITY ADVISORY: EXPLOITATION OF NEW ZERO-DAY VULNERABILITIES IN WINDOWS SYSTEMS
Advisory ID: ngCERT-2025-100009
SUMMARY
ngCERT cautions on the active exploitation of zero-day vulnerabilities in the Windows Remote Access Connection Manager (RasMan) and Windows Agere Modem Driver services, tracked as CVE-2025-59230 and CVE-2025-24990. Both flaws are elevation of privilege (EoP) vulnerabilities stemming from improper access control, allowing local attackers to escalate to SYSTEM-level privileges. Notably, other privilege escalation vulnerabilities have been identified as CVE-2025-49708 and CVE-2025-55315, with CVSS scores of 9.9. Although these vulnerabilities were addressed in Microsoft's October 2025 Patch Tuesday updates, Windows users remain at high risk of compromise and attack. The ongoing exploitation of these vulnerabilities underscores the critical need for organizations to deploy the security patches without delay.
Damage: Critical (CVSS Score: 7.8)
Probability: High
Platform(s): Windows System (Remote Access Connection Manager and Windows Agere Modem Driver)
DESCRIPTION
The attack chain for CVE-2025-59230 begins when the attacker obtains low-privilege local access, often through phishing, malware, or social engineering. The attacker then sends specially crafted requests to the RasMan service, which manages remote network connections. Because of improper access controls, these requests bypass restrictions, allowing arbitrary code execution and escalation to SYSTEM privileges. This grants full control of the system, including data manipulation and persistence; functional exploit code has been observed in the wild.
For CVE-2025-24990, exploitation likewise begins with low-privilege local access on a system where the Agere modem driver is present (it ships by default in supported Windows versions, even without the hardware attached). The attacker interacts with the driver to trigger an untrusted pointer dereference that manipulates kernel memory, leading to arbitrary code execution in kernel mode and escalation to administrator or SYSTEM privileges. The chain can be combined with other flaws, such as CVE-2025-24052, for broader attacks like ransomware deployment, and also affects legacy fax modem setups.
CONSEQUENCES
Successful exploitation of the aforementioned flaws can result in:
- Full system compromise.
- Data breaches.
- Malware infiltration.
- Data deletion and exfiltration.
- Ransomware deployment and attack.
- Financial losses.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Immediately apply Microsoft's October 2025 security updates, followed by a system restart.
- For CVE-2025-59230, disable the RasMan service if not needed for remote access or VPN.
- Monitor logs for suspicious privilege escalations using tools like Sysmon or EDR.
- For CVE-2025-24990, audit and remove dependencies on Agere Modem hardware.
- Disable fax modem functionality through Group Policy if patching is delayed.
- Restrict local logons to trusted accounts and implement least-privilege principles with AppLocker or Device Guard.
- Conduct vulnerability scans to identify exposed systems.
HYPERLINK
Advisory ID: ngCERT-2025-100008
SUMMARY
ngCERT has observed a growing dependence on SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols, which are essential for securing data transmission across digital networks, particularly the internet. While SSL, introduced in the 1990s, has been deprecated due to significant security flaws, TLS, currently at version 1.3, serves as the modern, robust standard. TLS secures communication by encrypting data, authenticating parties through digital certificates, and ensuring data integrity via a secure handshake process that negotiates cryptographic parameters and exchanges keys. Beyond its role in securing websites (HTTPS), TLS also protects email, VoIP, messaging applications, and VPNs. Proper implementation is critical to defending sensitive information such as login credentials, financial data, and personal records from threats like man-in-the-middle attacks, data interception, and protocol downgrades. ngCERT advises organisations to disable outdated protocols (SSL, TLS 1.0/1.1), enforce strong cipher suites, maintain up-to-date systems, and use valid, trusted digital certificates to reduce risk and ensure secure communications.
Damage: Critical
Probability: High
Platform(s): Web
DESCRIPTION
SSL/TLS (Secure Sockets Layer/Transport Layer Security) are cryptographic protocols fundamental to securing data transmission over digital networks by providing confidentiality, authentication, and data integrity. SSL, developed in the 1990s, was widely used but is now obsolete due to inherent vulnerabilities. It has been replaced by TLS, which is the current industry standard. TLS protects data by encrypting information transmitted between clients and servers, verifying identities using digital certificates issued by trusted Certificate Authorities (CAs), and ensuring that data is not modified during transit. The process begins with a TLS handshake in which both parties agree on supported cryptographic algorithms (cipher suites), exchange keys securely, and establish a session key for encrypted communication. TLS 1.3, the latest version, improves security by removing insecure algorithms, reducing handshake latency, and simplifying protocol operations. TLS underpins the security of a wide range of services including HTTPS websites, secure email (SMTP, IMAP, POP3), VPNs, VoIP, and messaging apps. As online services increasingly handle sensitive information, TLS plays a vital role in defending against cyber threats such as man-in-the-middle attacks, certificate spoofing, protocol downgrade attacks, and data interception. It is a cornerstone of modern digital security and privacy in today's interconnected world.
CONSEQUENCES
- Data Exposure: Unencrypted or improperly secured transmissions may allow attackers to intercept passwords, personal data, and financial details.
- Man-in-the-Middle (MitM) Attacks: Attackers can intercept or manipulate data by impersonating legitimate communication endpoints.
- Protocol Downgrade Attacks: Attackers may force connections to use outdated and vulnerable SSL/TLS versions.
- Certificate Issues: Use of expired, misissued, or untrusted certificates can cause service disruptions and trigger browser warnings.
- Loss of User Trust: Security incidents can damage brand reputation and reduce customer confidence in digital services.
- Regulatory Non-Compliance: Inadequate data protection may violate laws such as GDPR, HIPAA, or PCI-DSS, leading to penalties.
- Financial Loss: Breaches and compliance failures can result in legal costs, fines, and lost revenue.
- Compromised Integrity: Data may be altered in transit without detection, causing misinformation or injecting malicious payloads.
- Service Disruption: Exploited vulnerabilities in SSL/TLS implementations can result in denial-of-service or related attacks.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Use Latest TLS Versions: Disable SSL, TLS 1.0, and TLS 1.1; enforce TLS 1.2 or TLS 1.3 for all encrypted communications.
- Implement Strong Cipher Suites: Use modern, secure encryption algorithms; avoid outdated or weak ciphers such as RC4, DES, or MD5.
- Obtain Certificates from Trusted CAs: Ensure all digital certificates are issued by reputable Certificate Authorities.
- Regularly Renew and Manage Certificates: Track certificate expiration dates and renew or revoke them as needed to avoid security lapses.
- Enable Certificate Validation: Ensure clients validate server certificates to detect spoofed or forged certificates.
- Use Certificate Pinning (Where Applicable): Bind clients to specific, trusted certificates to prevent impersonation attacks.
- Keep Software Up to Date: Regularly patch TLS libraries (e.g., OpenSSL), web servers, and dependent applications.
- Perform Regular Security Audits: Conduct vulnerability assessments and penetration tests focused on TLS configurations.
- Enforce HTTP Strict Transport Security (HSTS): Mandate HTTPS-only connections to prevent downgrade attacks and mixed-content issues.
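The protocol, cipher and HSTS rules in the list above can be checked mechanically. The script below is an added example, not code from ngCERT or from any vendor: it audits a constructed weak configuration beside its corrected form against those rules, and builds the client-side counterpart with Python's standard ssl module (minimum TLS 1.2, certificate and hostname validation, weak ciphers excluded). The dict shape of the configuration and the sample cipher lists are assumptions.

```python
import ssl

# Rules follow the advisory's mitigation list. The config dict shape, the sample
# configurations and the cipher string are assumptions made for this example.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")

# Constructed examples: a weak server configuration beside its corrected form.
WEAK_CONFIG = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA",
                "ECDHE-RSA-AES256-GCM-SHA384"],
    "hsts": None,
}
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-CHACHA20-POLY1305"],
    "hsts": "max-age=31536000; includeSubDomains",
}


def audit_tls_config(config):
    """Return a list of findings; an empty list means the config meets the advisory's rules."""
    findings = []
    protocols = config.get("protocols", [])
    for proto in protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    if not any(p in ("TLSv1.2", "TLSv1.3") for p in protocols):
        findings.append("neither TLS 1.2 nor TLS 1.3 is enabled")
    for suite in config.get("ciphers", []):
        if any(token in suite.upper() for token in WEAK_CIPHER_TOKENS):
            findings.append(f"weak cipher suite: {suite}")
    hsts = config.get("hsts")
    if not hsts:
        findings.append("HSTS header missing")
    elif "max-age=" not in hsts:
        findings.append("HSTS header has no max-age directive")
    return findings


def hardened_client_context():
    """Client-side counterpart: refuse SSL/TLS 1.0/1.1, validate the certificate chain and
    hostname, and exclude the weak ciphers named above (TLS 1.3 suites are all AEAD)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES:!3DES")
    return ctx


def describe_context(ctx):
    """Summarise the settings an audit would check on a client context."""
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(token in c["name"].upper() for token in WEAK_CIPHER_TOKENS)]
    return {"min_version": ctx.minimum_version.name, "verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname, "weak_ciphers": weak}


if __name__ == "__main__":
    print("weak config:", audit_tls_config(WEAK_CONFIG))
    print("hardened config:", audit_tls_config(HARDENED_CONFIG))
    print(describe_context(hardened_client_context()))
```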
HYPERLINK
- www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
- www.freecodecamp.org/news/attacks-on-ssl-tls-and-how-to-protect-your-system/
- certera.com/blog/common-ssl-tls-challenges-issues-attacks-to-exploits/
- akimbocore.com/article/hardening-ssl-tls-common-ssl-security-issues-vulnerabilities/
Advisory ID: ngCERT-2025-100006
SUMMARY
ngCERT warns of a new Pixnapping attack that allows malicious Android apps to covertly steal sensitive on-screen data, such as two-factor authentication (2FA) codes, messages, and emails, within seconds. These malicious apps initially gain access through phishing attempts and exploit Android APIs and a hardware side channel that affects nearly all modern Android devices, running versions 13-16. The attackers target banking, cryptocurrency, and social media accounts for data exfiltration, account takeover, financial and privacy losses. Organisations and individuals using Android devices for sensitive communications or SMS-based two-factor authentication (2FA) are at a high risk. Immediate actions, including app updates and vetting, permission restrictions, and adoption of non-SMS 2FA, are critical to mitigate these threats.
Damage: Critical
Probability: High
Platform(s): Android Mobile Devices (Google Pixel and Samsung Galaxy S25), Applications Using SMS-Based 2FA, Messaging Apps
DESCRIPTION
Pixnapping is an attack that lets a malicious Android app steal sensitive information, such as two-factor authentication (2FA) codes and private messages, by analysing what is displayed on the screen. Disguised as a legitimate app and installed on the target phone through phishing, the malicious app coaxes apps such as Google Authenticator or messaging apps into displaying data. It then uses special techniques to "read" the screen pixel by pixel without holding any permissions, which makes it hard to spot. By measuring how long certain parts of the screen take to render, the app infers what is being shown, such as text or digits, and can harvest data such as 2FA codes within seconds. The attack, which spreads through fake apps downloaded from untrustworthy sources, poses a serious threat because it bypasses normal security controls. Although the side channel information disclosure vulnerability in Android exploited in the attack, CVE-2025-48561, has been partially fixed, a complete patch is expected in December 2025.
INDICATOR OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. CVE Exploitation: Unpatched Android 13-16 devices that remain vulnerable to CVE-2025-48561.
2. Suspicious Apps: Apps with no declared permissions but exhibiting overlay or blur behaviours.
3. Behavioural Anomalies: Unusual rendering delays, semi-transparent overlays, or repeated app invocations.
4. Network/Activity Patterns: Anomalous Intent usage or VSync timing measurements in app processes.
5. App Enumeration: Unauthorised detection of installed apps like Authenticator or messaging tools.
6. Device-Specific Signs: Performance issues on Pixel/Samsung devices during sensitive app usage.
CONSEQUENCES
Successful Pixnapping exploitation can result in:
- Sensitive Data Theft: Extraction of 2FA codes, private messages, emails, and location data, leading to account takeovers.
- Financial and Privacy Losses: Unauthorised access to banking or payment apps (e.g., Venmo), enabling fraud or blackmail.
- User Profiling: Detection of installed apps without permissions, aiding targeted attacks or surveillance.
- Delayed Detection: Stealthy operation hides from users; partial patches can be bypassed, prolonging exposure until full fixes.
- Broader Impacts: Compromise of corporate or personal security, with the attack recovering 2FA codes in an average of 14-25 seconds on Pixel devices.
SOLUTION/MITIGATION
ngCERT recommends the following to defend against Pixnapping:
- Patch Management: Apply Android security updates immediately; install the September 2025 patch for partial mitigation and await the complete fix in December.
- App Installation Practices: Download apps only from Google Play; avoid side-loading or third-party sources.
- 2FA Enhancements: Switch to app-based or hardware 2FA (e.g., Authy, YubiKey) over SMS or visible codes.
- Device Hardening: Enable Google Play Protect, restrict app permissions, and use an antivirus with behavioural analysis.
- Monitoring: Review app logs for unusual Intent invocations or overlays; employ mobile threat detection tools.
- Developer Guidance: Limit the sensitive data shown on screen; no app-level fix is available yet; monitor Google advisories.
- Awareness: Educate users on phishing risks leading to malicious app installs.
HYPERLINK