By the CyberWire staff
Top stories.
- F5 discloses long-term breach tied to nation-state actors.
- Fortra confirms exploitation of maximum-severity GoAnywhere flaw.
- Patch Tuesday notes.
- Threat actors exploit Cisco flaw to deploy Linux rootkits.
- US and UK seize $15 billion in Bitcoin from alleged scam syndicate.
- PowerSchool hacker receives a four-year prison sentence.
F5 discloses long-term breach tied to nation-state actors.
Seattle-based cybersecurity firm F5 disclosed Wednesday that state-sponsored hackers had "long-term, persistent access" to its networks, leading to the theft of source code and customer information, TechCrunch reports. The company says the hackers had access to the development environment for its BIG-IP product suite and its engineering knowledge management platform.
The company said in an SEC filing, "Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP. We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities. We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines."
Bloomberg cites people familiar with the matter as saying the hack is believed to be linked to China, and that the hackers were inside F5's networks for at least twelve months. Ars Technica notes that F5's BIG-IP line is used across the US government and by most of the largest companies in the world.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering Federal civilian agencies to immediately inventory F5 devices and apply the latest updates by October 22nd. The agency stated, "The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software. The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits."
Fortra confirms exploitation of maximum-severity GoAnywhere flaw.
Security firm Fortra has belatedly confirmed in-the-wild exploitation of a maximum-severity vulnerability in its GoAnywhere managed file transfer (MFT) software, which was patched three weeks ago, CyberScoop reports. The vulnerability (CVE-2025-10035) is a deserialization flaw that "allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."
The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog two weeks ago, and Microsoft last week published a report on the active exploitation. CISA and Microsoft both say the vulnerability is being used in ransomware campaigns.
Researchers at watchTowr, who published a report on the vulnerability last month, note that some details of the exploitation are still unclear. watchTowr's CEO Ben Harris told CyberScoop that the exploitation implies that "the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability."
Patch Tuesday notes.
Microsoft on Tuesday issued patches for 172 vulnerabilities, including six zero-day flaws, BleepingComputer reports. Three of the zero-days are being actively exploited, while the others were publicly disclosed before a patch was available.
KrebsOnSecurity notes that this is the last month that Windows 10 will receive security patches unless customers enroll in the Extended Security Updates program. The operating system has officially reached end-of-life. The cost for the Extended Security Updates program is $30, or free if users register their PCs to a Microsoft account.
The Register reports that Adobe has fixed 36 vulnerabilities in its products, including several critical remote code execution flaws. SAP has issued 13 new security notes and updated four previous security notes. Three of the flaws are deemed critical. Fortinet and Ivanti have also fixed high-severity flaws, SecurityWeek reports.
Threat actors exploit Cisco flaw to deploy Linux rootkits.
Trend Micro has published a report on the exploitation of a Cisco SNMP vulnerability (CVE-2025-20352) to deploy rootkits on older Linux systems. The researchers have dubbed the operation "Zero Disco" after the universal password used by the malware. The report notes, "Trend Micro telemetry has, as of writing, detected that Cisco 9400 series and 9300 series are affected by this operation. The operation also affected Cisco 3750G devices with no guest shell available, but this type of device has already been phased out."
Trend Micro adds, "Currently there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation. If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions."
US and UK seize $15 billion in Bitcoin from alleged scam syndicate.
Authorities in the US and UK took action against a major Cambodian crime organization that was running forced-labor scam compounds across the country, WIRED reports. The US Justice Department charged Chen Zhi, founder and chairman of the Cambodian conglomerate Prince Holding Group, with directing the scam operations. The Justice Department alleges that Zhi "was directly involved in using violence against the individuals within the forced labor camps and possessed images of Prince Group’s violent methods, including photographs depicting beatings and other methods of torture."
Justice says the seized funds were "proceeds and instrumentalities of the defendant’s fraud and money laundering schemes, and were previously stored in unhosted cryptocurrency wallets whose private keys the defendant had in his possession."
PowerSchool hacker receives a four-year prison sentence.
19-year-old Matthew Lane of Massachusetts has been sentenced to four years in prison after pleading guilty to hacking education software provider PowerSchool, The Record reports. Lane stole information belonging to more than 70 million individuals and demanded a ransom of $2.9 million in exchange for not publishing the data. In addition to his prison sentence, Lane has been ordered to pay $14 million in restitution and a $25,000 fine.