This Month in Cyber: When the Giants Stumble, We All Feel the Shake
October 22, 2025
Hey everyone. I’ve been in the cybersecurity trenches for 19+ years, and I’ve seen a lot of things that would make you want to unplug everything and move to a cabin up a mountain in BC/Alberta, or somewhere along the Pacific Northwest! But this past month? This was a big one. Huge and powerful enterprise stalwarts of cybersecurity, have had absolutely brutal vulnerabilities and PWNage exposed.
We were hit with two massive, "drop everything and patch" stories from the biggest names in cybersecurity & networking. It’s a perfect brutal reminder of that old saying we all live by: if you're connected to the internet, you're never truly safe.
First, the F5 "Oh Crap" Moment
Let's start with the one that's less of a "vulnerability" and more of a "the keys to the kingdom were just stolen!"
F5, the company that basically is application delivery and load balancing for half the Fortune 500 (they develop & run NGINX!), disclosed that they were breached. And not just any breach. A sophisticated, nation-state-level attacker was inside their network for months. Possibly over a year!
What did they steal? The crown jewels:
- Portions of the BIG-IP source code.
- Worse, details on undisclosed vulnerabilities—flaws F5 was working on but hadn't patched or told the public about yet.
The attackers now have a blueprint to find new zero-days and a list of existing zero-days. This is as bad as it gets. This is actual nightmare fuel and I am certain people at F5 have already lost sleep, shareholder value and jobs. CISA immediately issued an Emergency Directive (ED 26-01), and F5 just dropped a monster patch bundle with 44 new CVEs, likely scrambling to fix the very things the attackers found.
The Homelab Angle: Don't you dare think you're safe because you're "just" a homelabber. This breach and the subsequent patches directly affect BIG-IP Virtual Edition (VE) and the cloud-native/Kubernetes versions. I know some run a BIG-IP VE to learn load balancing or to act as an ingress for your K8s cluster. Go patch. Right now. And for the love of all things holy, never, ever expose your TMUI management interface or SSH to the public internet. That’s rule #1, and this breach is why! Luckily it seems the hackers were extremely focused on the F5 tech stack and left NGINX alone, says F5 themselves -
"We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment..."
So this means our homelabs are as safe as they were before, however the UK's NCSC put it perfectly:
"while there's no suggestion NGINX was affected by this breach, you should always keep it updated as a matter of standard security hygiene."
And Then, Cisco’s Firewall Inferno
As if the F5 news wasn't enough to ruin our month, Cisco decided to join the party with its own cluster of zero-day vulnerabilities.
The headliner is CVE-2025-20333, a critical CVSS 9.9 Remote Code Execution (RCE) flaw in their ASA and FTD firewalls. Attackers are already actively exploiting this in the wild by chaining it with another bug (CVE-2025-20362) to achieve unauthenticated RCE. That’s security-speak for "game over." An attacker from anywhere on the internet can take complete control of your firewall.
The Homelab Angle: This is where it gets really personal for us. It’s not just the big-iron firewalls. Related vulnerabilities disclosed in this same mess (like CVE-2025-20363 and CVE-2025-20352) directly impact Cisco IOS and IOS XE.
We all run IOS XE—whether it's a virtual CSR 1000v for our lab routing or an old physical switch we got off eBay. In fact, a new attack campaign dubbed "Operation Zero Disco" is specifically targeting older, EOL switches—like the classic Catalyst 3750G—to install persistent rootkits. That's your lab they're after.
The Takeaway
I’m not trying to be a doomer. I love this stuff. But this is the pragmatic reality of the field. These are two of the biggest, most trusted names in networking, the very companies we rely on to build our perimeters. And both were hit, hard, in the same 30-day span. You see? Gotta keep your guard up.
Patch your lab. Segment your network (your IoT junk should not be on the same VLAN as your management interfaces). And check those firewall rules. Assume you're a target, even at home. Have you heard of Shodan scanners?!
Stay frosty 🧊!
Member discussion