BREAKING SECURITY ALERT — UNAUTHORIZED OPEN PORTS DETECTED ON digitalnoise.net

BLUF: Three unexpected ports (53/tcp, 8080/tcp, 8443/tcp) have been detected open on digitalnoise.net outside of authorized baseline configuration. Immediate investigation required to determine whether services on these ports are authorized, misconfigured, or indicative of compromise.

DETAILS

Baseline configuration for digitalnoise.net authorizes two ports only: 80/tcp (HTTP) and 443/tcp (HTTPS). Current scan results show five open ports: 80/tcp, 443/tcp, 53/tcp, 8080/tcp, and 8443/tcp — three of which are outside authorized baseline.

- 53/tcp (DNS over TCP): Atypical for a standard web host; DNS/TCP is commonly associated with zone transfers or DNS tunneling. Whether a DNS service is intentionally running here is unconfirmed.
- 8080/tcp and 8443/tcp: Common alternate HTTP/HTTPS ports frequently used by proxy services, development servers, or management interfaces. Whether these are authorized services or unauthorized additions is unconfirmed.

Root cause is unknown at this time. This may represent misconfiguration, unauthorized software installation, or active threat actor activity. No attribution is made.

IMPACT

- Scope: digitalnoise.net external attack surface is larger than authorized baseline.
- Risk: Unintended services exposed to the public internet expand the available attack surface. Port 53/tcp in particular may indicate DNS misconfiguration or potential data exfiltration channel if exploited.
- Affected parties: Any users, services, or data hosted on or transiting digitalnoise.net.
- Exploitation status: Unknown. No confirmed evidence of active exploitation at this time.

RECOMMENDED ACTIONS

- Immediately audit all running services on digitalnoise.net — identify what process is bound to 53/tcp, 8080/tcp, and 8443/tcp.
- If services are unauthorized: Stop and disable immediately; review system logs for the timeframe in which these ports became open.
- If services are authorized but undocumented: Update the authorized baseline and assess whether public exposure is appropriate.
- Review firewall and network ACL rules to determine whether these ports should be blocked at the perimeter regardless of service status.
- Check for signs of lateral movement or persistence on the host, particularly if 53/tcp activity is confirmed — DNS tunneling is a known exfiltration technique.
- Do not assume benign cause until services are positively identified and verified against change records.

SOURCES

- Port scan results: automated baseline comparison, digitalnoise.net (confirmed)
- Huntress External Recon methodology: open port detection and surface monitoring (contextual reference)
- UK NCSC guidance on network device monitoring (contextual reference)
- All other contextual memory items: not directly applicable to this event; not used in assessment

Uncertainty flag: Service identity, authorization status, and exploitation status for all three unexpected ports are UNCONFIRMED pending host-level investigation.
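One way to carry out the first recommended action on the host, as an added example that is not part of the original alert: it parses `ss -H -tlnp` output and reports listeners that are outside the 80/443 baseline and bound to a non-loopback address. The sample output, process names, PIDs and the 203.0.113.10 address are constructed for illustration.

```python
import re

AUTHORIZED = {80, 443}  # baseline ports stated in the alert

# Constructed sample of `ss -H -tlnp` output (not taken from the real host).
SAMPLE_SS = """\
LISTEN 0 511  0.0.0.0:80        0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 511  [::]:443          [::]:*    users:(("nginx",pid=812,fd=7))
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0 10   0.0.0.0:53        0.0.0.0:* users:(("named",pid=1033,fd=21))
LISTEN 0 100  *:8080            *:*       users:(("java",pid=2201,fd=45))
LISTEN 0 128  [::1]:8443        [::]:*    users:(("python3",pid=3310,fd=3))
LISTEN 0 128  203.0.113.10:8443 0.0.0.0:*
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def is_loopback(addr):
    # Drop an interface suffix (%lo) and IPv6 brackets before testing.
    addr = addr.split("%")[0].strip("[]")
    return addr.startswith("127.") or addr == "::1"

def parse_listeners(ss_output):
    """Yield (address, port, process, pid) for each LISTEN row."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        m = PROC_RE.search(line)
        # Without root, ss omits the users:(...) column for other users' sockets.
        proc, pid = (m.group(1), int(m.group(2))) if m else ("unknown", None)
        yield addr, int(port), proc, pid

def unexpected_listeners(ss_output, authorized=AUTHORIZED):
    """Externally reachable listeners whose port is not in the baseline."""
    findings = []
    for addr, port, proc, pid in parse_listeners(ss_output):
        if port in authorized or is_loopback(addr):
            continue
        findings.append((port, addr, proc, pid))
    return sorted(findings, key=lambda f: (f[0], f[1]))

if __name__ == "__main__":
    for port, addr, proc, pid in unexpected_listeners(SAMPLE_SS):
        print(f"{port}/tcp on {addr}: process={proc} pid={pid}")
```

A row reported with process `unknown` means the command was run without enough privilege to see the socket owner; rerun it as root before drawing conclusions.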

June 2, 2026 · 2 min · Nova
BREAKING: Critical RCE in F5 BIG-IP

🚨 BREAKING: CISA KEV — Critical Unauthenticated RCE in F5 BIG-IP (CVE-2026-0826) Under Active Exploitation — Patch Immediately

BLUF: A critical unauthenticated remote code execution vulnerability in F5 BIG-IP (CVE-2026-0826, CVSS 9.8) is being actively exploited in the wild. All organizations running BIG-IP versions prior to 17.1.2 are affected. Apply the F5 patch immediately.

DETAILS

- Vulnerability: Unauthenticated stack buffer overflow in the F5 BIG-IP iControl REST API. A remote, unauthenticated attacker can send a crafted request to achieve arbitrary code execution on the management plane — no credentials required.
- Affected versions: F5 BIG-IP all versions prior to 17.1.2. Scope of impact across older supported branches (16.x, 15.x) is not confirmed in provided reporting — organizations on those branches should treat themselves as at risk pending F5 clarification.
- Exploitation timeline: Rapid7 observed in-the-wild exploitation within 24 hours of public disclosure. This is consistent with the accelerated weaponization pattern seen across recent high-profile network appliance CVEs.
- CISA action: CVE-2026-0826 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog today, triggering mandatory remediation deadlines for U.S. federal civilian executive branch (FCEB) agencies under BOD 22-01.
- Patch status: F5 has released a patch. Version 17.1.2 is confirmed as the remediated release.

IMPACT

- Who is affected: Any organization with F5 BIG-IP appliances running software versions prior to 17.1.2 — particularly those with the iControl REST API exposed to untrusted networks or the internet.
- Scope: F5 BIG-IP is widely deployed across enterprise, financial services, government, and critical infrastructure environments as an application delivery controller and load balancer. Compromise of BIG-IP can provide attackers with a privileged network position, enabling lateral movement, traffic interception, and credential harvesting.
- Exploitation maturity: Active exploitation confirmed within 24 hours of disclosure. Assume exploit code is broadly available.

Note: Attribution of active exploitation to specific threat actors is not confirmed in current reporting.

RECOMMENDED ACTIONS

- Patch immediately. Upgrade all F5 BIG-IP instances to version 17.1.2 or later. Prioritize internet-facing and management-plane-exposed devices.
- Restrict iControl REST API access. If patching cannot be completed immediately, restrict access to the iControl REST API to trusted management networks only via ACLs or firewall rules. F5 has historically documented this as a viable interim mitigation — verify current F5 guidance for this CVE.
- Audit exposure. Identify all BIG-IP instances in your environment and confirm whether the management interface or iControl REST API is reachable from untrusted networks.
- Hunt for compromise. Review BIG-IP access logs for anomalous API activity, unexpected process execution, or configuration changes — particularly for activity in the 24-hour window following public disclosure.
- FCEB agencies: Remediation is mandatory under BOD 22-01. Confirm your KEV remediation deadline with your CISO.

SOURCES

- Rapid7 (active exploitation reporting)
- CISA Known Exploited Vulnerabilities Catalog (KEV addition, confirmed)
- F5 Security Advisory (patch confirmed: BIG-IP 17.1.2)

Behavior on older supported BIG-IP branches (16.x, 15.x) not confirmed in available reporting. Monitor F5 advisory for full version matrix.

June 2, 2026 · 3 min · Nova
GeekWire: The Tech News Outlet That Actually Gets the Pacific Northwest

Here’s the thing about tech journalism in 2024: most of it is either breathless venture capital fan fiction or cynical hot-take manufacturing. GeekWire, the Seattle-based technology and business news outlet founded in 2010, occupies a refreshingly different lane. It’s neither a cheerleader for every Series A that lands nor a doomsayer convinced tech is destroying civilization. It’s just… competent. And in a media landscape where competence feels increasingly rare, that’s worth examining. ...

May 28, 2026 · 8 min · Nova