Cyber Threat Brief — March 28 2026
⚠️ This report is AI-generated. Always validate findings.
1. F5 BIG-IP APM Unauthenticated RCE Under Active Exploitation — CVE-2025-53521
TL;DR: CISA added CVE-2025-53521 (CVSS 9.8/9.3) to the KEV catalog on March 27 after confirming active exploitation by China-linked UNC5221. Originally classified as DoS (October 2025), reclassified to unauthenticated RCE in March 2026 following discovery that the F5 source code breach enabled weaponization. Federal deadline: March 30.
What’s New:
- CISA KEV addition March 27 with emergency 3-day remediation deadline (March 30) — one of the shortest deadlines issued
- Reclassified from denial-of-service to unauthenticated RCE after F5 confirmed nation-state actors (UNC5221) accessed source code and undisclosed vulnerability details during a 12-month network intrusion disclosed October 2025
- BRICKSTORM backdoor (Go ELF binary) deployed on compromised BIG-IP appliances — uses HTTP/2-to-WebSocket upgrade for C2 to mimic legitimate traffic; statically linked with no dependencies for edge appliance deployment
- Affects BIG-IP APM 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, 15.1.0–15.1.10 when APM access policy is configured on a virtual server
- CISA/NSA/CCCS published updated BRICKSTORM MAR (MAR-261234.c1.v1) with YARA rules and IOCs for Rust-based samples showing advanced persistence and evasion
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| BRICKSTORM binary (Go ELF, statically linked) | Backdoor | T1059.004 | File integrity monitoring on BIG-IP | Hunt with YARA rule G_APT_Backdoor_BRICKSTORM_3 |
| HTTP/2 → WebSocket upgrade C2 pattern | C2 channel | T1071.001, T1572 | BIG-IP packet capture / proxy logs | Hunt for anomalous WS upgrades from appliance |
| sys-eicheck modifications | Integrity evasion | T1562.001 | BIG-IP system integrity logs | Verify sys-eicheck hash against known-good |
| C05d5254 identifier in system artifacts | Malware indicator | T1027 | BIG-IP filesystem | Hunt for the identifier in filesystem artifacts |
| Suspicious files on disk per F5 advisory | Webshell/payload | T1505.003 | File integrity monitoring | Check F5 K-article IOC list |
| Anomalous outbound TLS from BIG-IP mgmt | C2 beaconing | T1071.001 | Firewall / netflow | Alert on BIG-IP mgmt → external TLS |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No BIG-IP APM-specific exploitation or BRICKSTORM detection rules; need: anomalous process on BIG-IP, outbound WS from appliance, sys-eicheck modification |
| Elastic | None | No BIG-IP or BRICKSTORM coverage |
| Sigma | None | Need: BRICKSTORM YARA-equivalent network signature; BIG-IP filesystem IOC hunt; HTTP/2-to-WebSocket C2 pattern |
| YARA | G_APT_Backdoor_BRICKSTORM_3 (Mandiant) | Available — run via mandiant/brickstorm-scanner on BIG-IP appliances |
| CISA MAR | MAR-261234.c1.v1 (Feb 2026) | YARA + Sigma rules included in MAR; download from CISA for import |
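The two network hunts called out in the tables above (HTTP/2-to-WebSocket upgrades sourced from the appliance, and appliance-to-external TLS) as an added example that is not from the brief, F5, Mandiant or CISA: a Python script that runs both checks over constructed proxy/netflow-style log lines. The log line format, the appliance management IP 10.0.0.5 and the internal address ranges are assumptions.

```python
"""Hunt for appliance-sourced WebSocket upgrades and external TLS (added example)."""
import ipaddress
import re

# Assumed log format: "<ts> src=<ip> dst=<ip>:<port> proto=<h2|h1> upgrade=<websocket|->"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
    r"proto=(?P<proto>\S+) upgrade=(?P<upgrade>\S+)"
)

# Constructed sample entries, not real traffic. 10.0.0.5 is the assumed BIG-IP mgmt IP.
SAMPLE_LOGS = """\
2026-03-27T10:00:01Z src=10.0.0.5 dst=10.0.0.20:443 proto=h2 upgrade=-
2026-03-27T10:00:05Z src=10.0.0.5 dst=203.0.113.7:443 proto=h2 upgrade=websocket
2026-03-27T10:01:00Z src=10.0.0.9 dst=203.0.113.7:443 proto=h2 upgrade=websocket
2026-03-27T10:02:00Z src=10.0.0.5 dst=198.51.100.4:443 proto=h1 upgrade=-
this line is malformed and is skipped by the parser
"""

# Assumed internal ranges; anything outside them counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def hunt(log_text: str, appliance_ips: set) -> list:
    """Return one alert per appliance-sourced line that matches either hunt.

    Each alert carries the timestamp, destination and the list of rules it hit,
    so a single line can hit both the WebSocket and the external-TLS rule.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["src"] not in appliance_ips:
            continue  # unparseable, or not traffic from the appliance itself
        rules = []
        if m["proto"] == "h2" and m["upgrade"] == "websocket":
            rules.append("h2_websocket_upgrade_from_appliance")
        if m["port"] == "443" and is_external(m["dst"]):
            rules.append("appliance_external_tls")
        if rules:
            alerts.append({"ts": m["ts"], "dst": m["dst"], "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOGS, {"10.0.0.5"}):
        print(alert)
```

The external-TLS rule will also fire on legitimate appliance traffic (vendor update checks, licensing), so baseline known destinations before treating a hit as beaconing.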
Sources: CISA KEV Alert March 27 · Help Net Security · Rapid7 F5 Breach Analysis · CISA BRICKSTORM MAR · Mandiant BRICKSTORM Scanner
Status Updates
- CVE-2026-4681 (PTC Windchill/FlexPLM): No patch yet; PTC “imminent threat” warning still active. Hunt for GW.class/payload.bin/dpr_*.jsp on Windchill servers. Original brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing; no new IOCs. Public PoC remains available. Original brief.
- CVE-2026-3055 (Citrix NetScaler): Still no public PoC or ITW exploitation; high weaponization likelihood per Rapid7/Arctic Wolf. Original brief.
- CVE-2026-33634 (Trivy supply chain): CISA KEV since March 26; federal deadline April 9. Block scan.aquasecurtiy[.]org/45.148.10[.]212. Original brief.