Patch Now: F5 BIG-IP Code and Undisclosed Flaws Stolen; Capita Fined £14M Over Ransomware Attack; Microsoft Patch Tuesday, EoL for Windows 10 and More

The SANS Technology Institute (SANS.edu) has announced that applications are now open for the 2026 Paller Cybersecurity Scholarship, a full-tuition award established in honor of SANS founder Alan Paller.

SANS.edu created this scholarship to identify and support the world’s top emerging cyber talent while helping to close the global cybersecurity skills gap. The scholarship is open to international students (non-U.S. citizens) pursuing undergraduate or graduate studies in cybersecurity.

Apply by January 15, 2026, or share this opportunity with your network: www.sans.edu/paller-cybersecurity-scholarship

On Wednesday, October 15, 2025, network technology and security company F5 disclosed a security incident discovered on August 9, 2025, in which an unspecified nation-state threat actor "maintained long-term, persistent access to, and downloaded files from, certain F5 systems." The period of unauthorized access has not been disclosed. The company's 8-K filing with the US Securities and Exchange Commission (SEC) notes that the US Department of Justice allowed a delay of public disclosure from September 12 to October 15. F5 is a major provider of enterprise cybersecurity, cloud management, and application delivery controllers (ADC) including BIG-IP hardware and software, widely used by government agencies and Fortune 500 companies worldwide. Upon discovery of the attack, F5 activated its incident response protocols, implemented containment actions, engaged cybersecurity experts for support, and contacted federal law enforcement and government partners. Investigation confirmed that the threat actor had long-term access to "the BIG-IP product development environment and engineering knowledge management platform," and during that time exfiltrated BIG-IP source code, information about undisclosed BIG-IP vulnerabilities still being worked on, and "configuration or implementation information for a small percentage of customers." F5's software supply chain, customer relationship management, financial, case support management, and iHealth systems have not been affected, and there is no evidence that the threat actor accessed or modified NGINX source code, F5 Distributed Cloud Services, or Silverline systems. As investigation continues, F5 has rotated credentials and strengthened access controls; automated patch management and inventory; enhanced network security architecture; and hardened their product development environment. F5 urges customers to apply newly released updates for "BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients," and offers guidance for threat hunting and monitoring, hardening and remediation, and SIEM integration. While F5 has not observed active exploitation, the potential "imminent threat to federal networks" prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to direct federal civilian agencies to inventory, harden, and patch "BIG-IP F5OS, BIG-IP TMOS, Virtual Edition (VE), BIG-IP Next, BIG-IQ software, and BNK/CNF" by October 22.

The UK Information Commissioner's Office (ICO) has fined business process outsourcing firm Capita £14 million (US$18.8 million) over a 2023 ransomware attack that exposed personal information of 6.6 million individuals. The initial attack vector appears to have been a drive-by JavaScript download on March 22, 2023, followed by the deployment of Qakbot and Cobalt Strike. Capita failed to take significant containment action for more than two full days after becoming aware of the attack. Although the company was largely operational by April 6, 2023, it was not until mid-June 2023 that they returned to 100 percent uptime. The ICO initially intended to fine Capita £45 million (US$60.5 million), but rolled that figure back after Capita took responsibility for the incident, cooperated with authorities, provided support to victims of the incident, and made security improvements to their systems and operations. The majority of Capita's customers are in the UK and Europe.

On Tuesday, October 14, Microsoft released updates to address more than 170 vulnerabilities across the company's product lines. Three of the vulnerabilities, a high severity Windows Agere Modem Driver Elevation of Privilege Vulnerability (CVE-2025-24990), a high severity Windows Remote Access Connection Manager Elevation of Privilege Vulnerability (CVE-2025-59230), and a Secure Boot bypass in IGEL OS before 11 (CVE-2025-47827) are being actively exploited. Also on October 14, several Microsoft products reached end-of-life; these include Windows 10, Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016. Windows 10 users who are not prepared to upgrade to Windows 11, which in some cases necessitates new hardware, have several options: they can pay $30 for an additional year of security updates, and the fee will be waived if the PC is registered to a Microsoft account. Users could also install a Linux operating system instead.

The Entry/Exit System (EES), which "digitally records the entry and exit of non-EU nationals travelling to 29 European countries for short stays," has begun a six-month gradual implementation that began October 12, 2025, and anticipates full operation by April 10, 2026. The participating countries are all those committed to the Schengen Agreement, and so do not include the Republic of Cyprus and the Republic of Ireland. The system collects passport data, dates and places of entry and exit, facial images, fingerprints, and recorded refusals of entry. Europol may access and search the EES for law enforcement purposes under "strict conditions and procedures, based on case-by-case assessment and supervised by the European Data Protection Supervisor (EDPS)." The Register reports inconsistencies and difficulties in the initial operation of EES self-service machines, including delays in Prague as agents were forced to revert to standard manual border checks.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical (CVSS 10.0) misconfiguration vulnerability that could lead to remote code execution in Adobe Experience Manager (CVE-2025-54253) to the Known Exploited Vulnerabilities (KEV) catalog. The flaw has a mitigation deadline of November 5, 2025. The vulnerability affects Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. Adobe addressed the vulnerability with unexpected updates in August 2025; at that time, proof-of-concept code for the vulnerability had been made public. Users are urged to update to version 6.5.0-0108 or newer as soon as possible.

On Tuesday, October 14, SAP released updates to address 13 vulnerabilities, including a critical (CVSS 10.0) deserialization issue in SAP NetWeaver AS Java. The vulnerability (CVE-2025-42944) could be exploited to achieve arbitrary command execution. According to the description in NIST's National Vulnerability Database CVE listing, "an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability." Users are urged to update as soon as possible.

Threat actors have been exploiting a known vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software. Cisco released an advisory about and updates for the high severity stack-based buffer overflow issue in late September 2025. The vulnerability could be exploited to create denial-of-service conditions or execute code as root user by sending a maliciously-crafted SNMP package to a vulnerable device. Researchers at Trend Micro have observed threat actors exploiting the vulnerability (CVE-2025-20352) to deploy root kits on unpatched devices. The researchers write, "the operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access. The operation targeted victims running older Linux systems that do not have endpoint detection response solutions, where they deployed Linux rootkits to hide activity and evade blue-team investigation and detection."

An update for Jeep infotainment system pushed out on Friday, October 10, 2025, was found to be causing the vehicles to cease operating. The issue affected Jeep Wrangler 4xe hybrids. The faulty update caused the vehicles to lose power while being driven. The update was pulled after reports of problems started coming in. Jeep parent company Stellantis released a fix and will reimburse customers for related expenses they may have incurred as a result of the problematic update, including towing and diagnostic fees. The Ars Technica article notes that Friday afternoon is a less-than-ideal time to push out an update.

Researchers from UC San Diego and the University of Maryland found that "geostationary satellite communication ... [broadcasts] a shockingly large amount of sensitive traffic ... unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight Wi-Fi and mobile networks." Using an $800 satellite receiver, the researchers were able to retrieve and examine unencrypted signals that resolved to sensitive data. The researchers have been warning the various entities whose data are being broadcast, unprotected; many have taken steps to encrypt those data.

A Massachusetts district judge has determined a sentence of four years in prison and 3 years of supervised release for Matthew Lane, who pleaded guilty to unauthorized access to protected computers, cyber extortion conspiracy, cyber extortion, and aggravated identity theft related to late-2024 cyberattacks against an unnamed telecommunications company and an educational software provider believed to be PowerSchool. This included the theft of personal data belonging to millions of teachers and children. Lane must also pay over $14 million in restitution plus a $25,000 fine. Asahi Group Holdings, Ltd. has updated its notice of a cyberattack first announced on September 29, 2025 and disclosed to be ransomware on October 3. The company is continuing to restore its systems, and states that investigation has "identified the possibility that personal information may have been subject to unauthorized data transfer." Asahi will notify any affected parties and comply with laws protecting personal information as investigation continues. "The impact of this incident on our systems is limited to those managed in Japan."