Welcome to the Firmware and Hardware Cyber Risk newsletter. The last month has been brutal for cybersecurity teams tasked with protecting hardware and network edge devices in critical network infrastructure and supply chains. (BTW, we did a live session on network edge device risk with tons of audience interaction and Q&A. If network attacks are on your mind, it is worth a listen. You can grab the recording here.)
Here’s what’s on the docket for this edition:
Let’s Dive In!
F5 Breach Exposes Source Code and Future Risk To The Foundation of Enterprise Networks
F5 disclosed in October that nation-state actors maintained persistent access to their development systems, exfiltrating BIG-IP source code and details of undisclosed vulnerabilities before patches could be developed. The breach, discovered in August but likely active for over a year, prompted CISA to issue Emergency Directive 26-01 requiring federal agencies to inventory and patch all F5 hardware within one week. Shadowserver Foundation data reveals approximately 269,000 F5 devices remain exposed online globally, with 134,000 located in the United States alone.
This incident represents more than a typical vulnerability disclosure because attackers now possess the technical advantage to conduct static and dynamic analysis of F5’s source code, potentially discovering zero-day vulnerabilities faster than defenders can patch them. The breach follows an alarming pattern identified in the Verizon DBIR showing network device vulnerability exploitation increased 8x in the past year, with F5 joining Cisco, Palo Alto, and Ivanti as prime targets for sophisticated adversaries. Organizations running F5 infrastructure should treat their deployments as potentially compromised and implement compensating controls beyond standard patching, particularly for the 44 vulnerabilities F5 has already disclosed. In the first week of December, CISA and NSA released new analysis of the BRICKSTORM backdoor malware, thought to be associated with the F5 breach.
OWASP Top 10 2025 Elevates Software Supply Chain Failures to Critical Priority
The OWASP Top 10 2025 release candidate introduces Software Supply Chain Failures as its own dedicated category at position #3, expanding beyond the previous focus on vulnerable components to encompass the entire ecosystem of dependencies, build systems, and distribution infrastructure. Community surveys revealed this was the top concern for security professionals, with exactly 50% of respondents ranking supply chain risk as their primary worry. Despite minimal CVE coverage with only 11 associated vulnerabilities, supply chain failures showed the highest average incidence rate at 5.19% when tested across applications.
The expanded scope reflects how supply chain attacks have evolved from simple dependency vulnerabilities to sophisticated campaigns targeting developer workstations, CI/CD pipelines, and package registries. Real-world incidents like the Shai Hulud npm worm, the GlassWorm VS Code attack, and the $1.5 billion Bybit cryptocurrency theft demonstrate that attackers no longer need to compromise production systems directly when they can poison the software development and distribution process itself. OWASP now recommends treating build infrastructure with production-level security controls, implementing SBOMs for visibility, and securing the entire development lifecycle from IDE to deployment.
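SBOM "visibility" only pays off when you act on it: given a bill of materials and a list of package versions known to be trojanized (the Shai Hulud incident above is the kind of event that produces such a list), a defender wants to know not just whether a compromised version is present but which direct dependency pulled it in. The following is an added example, not OWASP's or Eclypsium's code: it parses a CycloneDX JSON SBOM, walks its dependency graph from the root component, and reports each match with the path that introduced it. The advisory list and the SBOM are constructed placeholders, not real indicators.

```python
"""Flag compromised package versions in a CycloneDX SBOM and attribute each
to the dependency chain that introduced it.  Added example, not code from
OWASP, Eclypsium or any SBOM tool.

Assumptions (not from the newsletter): CycloneDX JSON with
`metadata.component.bom-ref`, `components[]` carrying `bom-ref` and `purl`,
and a `dependencies[]` graph of `{ref, dependsOn}` entries.  Package URLs
use the purl convention of %40 for a scoped npm namespace."""
import json
import sys
from collections import deque

# Constructed placeholder advisories: normalized purl -> advisory id.
COMPROMISED = {
    "pkg:npm/example-colorizer@2.1.5": "PLACEHOLDER-ADV-001",
    "pkg:npm/%40example/ci-helper@0.9.3": "PLACEHOLDER-ADV-002",
    "pkg:npm/example-orphan@1.0.0": "PLACEHOLDER-ADV-003",
}


def normalize_purl(purl):
    """Strip qualifiers (?...) and subpath (#...) so matching is by type/name/version."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def reachability_paths(sbom):
    """BFS from the root component; returns {bom-ref: [root, ..., bom-ref]} for
    every component reachable through the dependencies[] graph."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, []):
            if nxt not in paths:            # first (shortest) path wins
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def find_compromised(sbom, advisories=COMPROMISED):
    """Return one finding per listed component: purl, advisory id, whether the
    dependency graph actually reaches it, and the chain below the root."""
    paths = reachability_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        key = normalize_purl(comp.get("purl", ""))
        if key in advisories:
            chain = paths.get(comp["bom-ref"])
            findings.append({"purl": key, "advisory": advisories[key],
                             "reachable": chain is not None,
                             "via": chain[1:] if chain else []})
    return sorted(findings, key=lambda f: f["purl"])


# Constructed sample SBOM: one trojanized transitive dependency, one direct
# dependency, and one listed component that the dependency graph never reaches.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "billing-service",
                             "bom-ref": "app:billing-service"}},
  "components": [
    {"type": "library", "name": "web-framework", "version": "4.0.0",
     "bom-ref": "pkg:npm/web-framework@4.0.0", "purl": "pkg:npm/web-framework@4.0.0"},
    {"type": "library", "name": "example-colorizer", "version": "2.1.5",
     "bom-ref": "pkg:npm/example-colorizer@2.1.5",
     "purl": "pkg:npm/example-colorizer@2.1.5?vcs_url=git%2Bhttps://example.invalid/colorizer"},
    {"type": "library", "name": "@example/ci-helper", "version": "0.9.3",
     "bom-ref": "pkg:npm/%40example/ci-helper@0.9.3", "purl": "pkg:npm/%40example/ci-helper@0.9.3"},
    {"type": "library", "name": "example-orphan", "version": "1.0.0",
     "bom-ref": "pkg:npm/example-orphan@1.0.0", "purl": "pkg:npm/example-orphan@1.0.0"}
  ],
  "dependencies": [
    {"ref": "app:billing-service",
     "dependsOn": ["pkg:npm/web-framework@4.0.0", "pkg:npm/%40example/ci-helper@0.9.3"]},
    {"ref": "pkg:npm/web-framework@4.0.0", "dependsOn": ["pkg:npm/example-colorizer@2.1.5"]},
    {"ref": "pkg:npm/%40example/ci-helper@0.9.3", "dependsOn": []}
  ]
}""")


if __name__ == "__main__":
    # Usage: python sbom_check.py [path-to-cyclonedx.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sbom = json.load(f)
    else:
        sbom = SAMPLE_SBOM
    for finding in find_compromised(sbom):
        print(finding["advisory"], finding["purl"],
              "via " + " -> ".join(finding["via"]) if finding["reachable"] else "NOT in dependency graph")
```

The "reachable" flag matters in practice: a component listed in `components[]` but absent from the dependency graph is either stale SBOM data or a build input that is not shipped, and a reviewer needs to know which before closing the finding. Matching is exact on type/name/version; advisories that name a version range need a purl-aware version comparator on top of this.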
BombShell Discovery: Framework Laptops Ship with Signed UEFI Backdoor
Eclypsium researchers discovered that approximately 200,000 Framework laptops and desktops contain signed UEFI shells with memory manipulation commands that effectively bypass Secure Boot protections. The shells, distributed by Framework for Linux users to update firmware, contain the “mm” (memory modify) command that provides direct read/write access to system memory before the operating system loads. Because these shells are signed with trusted certificates, they execute without triggering security warnings, allowing attackers to disable security controls at the firmware level.
The vulnerability demonstrates how legitimate diagnostic tools can become de facto backdoors when improperly secured, even when signed by trusted authorities. Attackers can leverage these shells to overwrite the gSecurity2 UEFI variable with NULL, completely disabling Secure Boot’s signature verification and allowing installation of persistent firmware implants that survive OS reinstalls. Framework is releasing BIOS updates and DBX revocations to blacklist vulnerable shells, but the incident highlights a broader problem where signed diagnostic tools across the industry contain dangerous functionality that undermines the entire trust model of Secure Boot.
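Framework's fix is a DBX revocation: the hashes of the affected shells are added to the UEFI forbidden-signatures database so firmware refuses to run them even though their signature is valid. A defender verifying that the revocation has actually landed on a fleet needs to read that database. The following is an added example, not Eclypsium's or Framework's code: it parses the efivarfs representation of `dbx` (a 4-byte attributes word followed by EFI_SIGNATURE_LIST structures) and checks whether a given SHA-256 is listed. The efivarfs path is the standard Linux location and an assumption about the host; the sample hashes are constructed, not the real BombShell revocation entries.

```python
"""Check whether a boot binary's SHA-256 appears in the UEFI DBX (forbidden
signatures database).  Added example, not code from Eclypsium or Framework.

Assumptions (not from the newsletter):
- Input is the efivarfs form of dbx: a 4-byte attributes word followed by
  one or more EFI_SIGNATURE_LIST structures.  On Linux that file is
  /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f .
- Only EFI_CERT_SHA256 lists are consulted; X.509 and other list types are
  parsed for structure but skipped."""
import struct
import sys
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = 28  # SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)
DBX_EFIVARS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(blob, has_attr_prefix=True):
    """Walk the EFI_SIGNATURE_LIST chain; returns [(SignatureType, [SignatureData, ...]), ...]."""
    off = 4 if has_attr_prefix else 0
    lists = []
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))  # EFI_GUID is mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body_start, body_end = off + SIGLIST_HDR + hdr_size, off + list_size
        if list_size < SIGLIST_HDR or body_end > len(blob) or body_start > body_end:
            raise ValueError("bad SignatureListSize/HeaderSize at offset %d" % off)
        # Each EFI_SIGNATURE_DATA is SignatureOwner GUID (16 bytes) + SignatureData.
        if sig_size < 16 or (body_end - body_start) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        entries = [bytes(blob[e + 16:e + sig_size]) for e in range(body_start, body_end, sig_size)]
        lists.append((sig_type, entries))
        off = body_end
    return lists


def revoked_sha256_hashes(blob, has_attr_prefix=True):
    """Set of lowercase hex SHA-256 values across all EFI_CERT_SHA256 lists."""
    return {d.hex() for t, entries in parse_signature_lists(blob, has_attr_prefix)
            if t == EFI_CERT_SHA256_GUID for d in entries}


def is_revoked(blob, sha256_hex, has_attr_prefix=True):
    """True if the given hash is forbidden by this DBX."""
    return sha256_hex.lower() in revoked_sha256_hashes(blob, has_attr_prefix)


def build_signature_list(sig_type, datas):
    """Serialize one EFI_SIGNATURE_LIST (all entries the same length).  Used
    here only to construct sample data; a real dbx is read from firmware."""
    owner = uuid.UUID(int=0).bytes_le          # placeholder SignatureOwner
    sig_size = 16 + len(datas[0])
    body = b"".join(owner + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size) + body


# Constructed sample DBX: attributes NV|BS|RT|TIME_BASED_AUTH (0x27), one
# SHA-256 list holding two made-up hashes, then a dummy X.509 list to skip.
SAMPLE_HASH_A = bytes(range(32))
SAMPLE_HASH_B = bytes(range(32, 64))
SAMPLE_DBX = (struct.pack("<I", 0x27)
              + build_signature_list(EFI_CERT_SHA256_GUID, [SAMPLE_HASH_A, SAMPLE_HASH_B])
              + build_signature_list(EFI_CERT_X509_GUID, [b"not-a-real-certificate"]))


if __name__ == "__main__":
    # Usage: python dbx_check.py <authenticode-sha256-hex> [path-to-dbx-efivar]
    path = sys.argv[2] if len(sys.argv) > 2 else DBX_EFIVARS_PATH
    with open(path, "rb") as f:
        dbx = f.read()
    verdict = "revoked" if is_revoked(dbx, sys.argv[1]) else "not listed"
    print(verdict, "(%d SHA-256 entries in dbx)" % len(revoked_sha256_hashes(dbx)))
```

Two caveats when using this against a real machine. The hash DBX stores for a PE image is the Authenticode hash (computed over the image with the checksum field and certificate table excluded), not `sha256sum` of the file, so compute it with a PE-aware tool before comparing. And a hash that is absent from DBX means the revocation update has not been applied on that host, not that the shell is harmless; the check is useful precisely for finding machines where the DBX update is still pending.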
Read more: https://eclypsium.com/blog/bombshell-the-signed-backdoor-hiding-in-plain-sight-on-framework-devices/
DoD Survey Reveals Critical Gaps Between Cyber Awareness and Actual Preparedness
A survey of over 100 government employees at AFCEA TechNet Indo-Pacific revealed concerning disconnects between threat awareness and defensive capabilities across federal agencies. While 35% of respondents correctly identified network infrastructure as the most vulnerable attack surface, 55% reported being only “somewhat confident” in their supply chain security programs against nation-state threats. Most alarming was the finding that 52% believe government shutdowns have a “major impact” on DoD cybersecurity posture, with another 40% citing “some impact” from skeleton crews and delayed patching during funding lapses.
The capability gaps extend deeper into technical readiness, with 34 respondents admitting they lack the ability to gather and analyze Software, Hardware, and Firmware Bills of Materials despite new DoD mandates requiring comprehensive supply chain visibility. Additionally, 45% reported only partial familiarity with Living off the Land techniques used by groups like Salt Typhoon and Volt Typhoon, the same adversaries currently targeting federal networks through compromised edge devices. The survey data aligns with Verizon DBIR findings showing 32-day median remediation times for network vulnerabilities, windows that extend even further during shutdowns when security teams cannot maintain normal operations or procure emergency patches.
Edge of Catastrophe: Practical Defense Strategies for Network Infrastructure Under Siege
Eclypsium’s “Edge of Catastrophe” webinar addresses the convergence of multiple network infrastructure attacks including F5’s source code leak, Cisco ASA compromises, and the RedNovember campaign that have made edge devices the most active battleground in cybersecurity. The session provides immediate, actionable strategies for organizations struggling to defend routers, VPNs, and firewalls that typically lack EDR agents and receive minimal monitoring from traditional security tools. Presenters detail specific firmware versions being targeted, the monitoring gaps attackers exploit to maintain hidden access, and detection rules organizations can implement immediately.
The webinar emphasizes that these attacks succeed because most organizations operate with fundamental visibility gaps at the firmware and hardware layers where attackers establish persistence. With network device exploitation increasing 8x according to recent data and median remediation times stretching to 32 days, the window for compromise has never been larger. The session delivers a prioritized checklist for finding active compromises, hardening exposed devices, and implementing compensating controls when patching isn’t immediately possible, recognizing that many organizations run end-of-life equipment that no longer receives vendor support.
Futuriom Research: AI, GPU Clouds, and Neoclouds in the Age of Inference
New research from Futuriom unravels the insane complexity of securing the booming AI data center industry. Learn how neoclouds like CoreWeave, Crusoe, and Nebius are scaling at breakneck speed—and why hyperscalers are diversifying their chips, energy sources, and security strategies to keep pace.
Read the research: https://eclypsium.com/futuriom-research-report/
That’s it for this issue! Make sure to follow Eclypsium, Inc. and subscribe to the Firmware & Hardware Cyber Threat Newsletter. (P.S. if this is your area of interest, check out our podcast, Below The Surface, a weekly deep dive into the latest firmware vulnerabilities, hardware hacking tidbits, and network edge threats featuring Paul Asadoorian and guests!)