/run/bigtlog.pipe and /run/bigstart.ltm and makes changes to system binaries, including /usr/bin/umount and /usr/sbin/httpd. Attackers have also been observed modifying the sys-eicheck utility, which relies on RPM integrity checks to verify on-disk executables.

Log analysis can reveal patterns related to the attack. The user "f5hubblelcdadmin" accessing the iControl REST API from localhost, SELinux disable commands in auditd logs, and Base64-encoded data written to files followed by execution of `/run/bigstart.ltm` all indicate successful intrusion. F5 also observed threat actors using HTTP 201 response codes with CSS content-type headers to disguise malicious traffic.
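The four log indicators listed above can be turned into a small triage scan. The block below is an added example, not code from the article or from F5: the log line formats it parses are constructed for the demonstration (real BIG-IP restjavad, auditd and httpd formats differ, so the regular expressions would need adjusting), and the sample lines are made up to exercise each rule. The Base64 rule is stateful: it records the file a Base64 blob was redirected into and flags a later line that executes that path.

```python
"""Triage scan for the BIG-IP intrusion indicators described in the article.

Added example. The log formats below are assumed for illustration and are
not copied from real BIG-IP logs; adjust the regexes to your own sources.
"""
import re

# Constructed sample lines (not real log output) covering each indicator.
SAMPLE_LINES = [
    'restjavad: 127.0.0.1 user="f5hubblelcdadmin" POST /mgmt/tm/util/bash 200',
    'restjavad: 10.0.0.5 user="admin" GET /mgmt/tm/sys/version 200',
    'type=EXECVE msg=audit(1731405662.123:456): argc=2 a0="setenforce" a1="0"',
    'sh: echo aGVsbG8gd29ybGQ= | base64 -d > /run/bigstart.ltm',
    'sh: /run/bigstart.ltm',
    '10.0.0.9 "POST /theme.css HTTP/1.1" 201 "text/css"',
    '10.0.0.9 "GET /theme.css HTTP/1.1" 200 "text/css"',
]

LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}
SUSPECT_USER = "f5hubblelcdadmin"

# iControl REST access: source address, user, method, /mgmt/ path (assumed format).
RE_REST = re.compile(r'(?P<src>\S+)\s+user="(?P<user>[^"]+)"\s+\S+\s+/mgmt/')
# auditd EXECVE record for `setenforce 0` or `setenforce permissive`.
RE_SELINUX = re.compile(r'a0="setenforce"\s+a1="(?:0|[Pp]ermissive)"')
# A Base64-looking token (not a path) on a line that redirects output into a file.
RE_B64_DROP = re.compile(
    r'(?<!\S)(?!/)[A-Za-z0-9+/]{12,}={0,2}(?=\s|$).*>\s*(?P<path>/\S+)')
# HTTP 201 response served with a CSS content type.
RE_HTTP201_CSS = re.compile(r'\b201\b.*text/css')


def scan(lines):
    """Return a list of (indicator_name, offending_line) pairs, in log order."""
    hits = []
    dropped = set()  # files that received Base64-decoded content
    for line in lines:
        m = RE_REST.search(line)
        if m and m.group("user") == SUSPECT_USER and m.group("src") in LOCAL_HOSTS:
            hits.append(("f5hubblelcdadmin_local_rest", line))
        if RE_SELINUX.search(line):
            hits.append(("selinux_disabled", line))
        m = RE_B64_DROP.search(line)
        if m:
            dropped.add(m.group("path"))
            hits.append(("base64_written_to_file", line))
            continue  # the drop itself is not an execution of the file
        for path in dropped:
            # Path appears as a standalone token: treat as execution of the dropped file.
            if re.search(r'(?:^|\s)' + re.escape(path) + r'(?:\s|$)', line):
                hits.append(("dropped_file_executed", line))
                break
        if RE_HTTP201_CSS.search(line):
            hits.append(("http_201_css_masquerade", line))
    return hits


if __name__ == "__main__":
    for name, line in scan(SAMPLE_LINES):
        print(f"{name:30s} {line}")
```

Any single hit is worth a look, but the strongest signal is the sequence: localhost REST access by f5hubblelcdadmin, then SELinux disabled, then a Base64 drop followed by execution of `/run/bigstart.ltm`. Run the scan across the whole retention window rather than only recent logs, since the compromise may predate the patch.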
Mitigation: Organizations that applied the October 2025 updates are already protected, as the original patches also address the RCE vector, but systems still running vulnerable versions require immediate patching and a compromise assessment.

Organizations should not assume their systems are clean based solely on patching, because UCS backup files taken from compromised systems can contain copies of the malware. F5 recommends rebuilding configurations from scratch rather than restoring from backup if the compromise timeframe is uncertain.

The sys-eicheck utility can identify integrity failures in /usr/bin/umount and /usr/sbin/httpd, though attackers have tampered with the components this tool relies on, so a clean result is not by itself conclusive.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4152658/5-month-old-f5-big-ip-dos-bug-becomes-critical-rce-exploited-in-the-wild.html