Amid the security incident involving F5 BIG-IP announced on 15 October 2025, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing. The below anomalies may not necessarily relate to the 15 October incident. 

Past 24 Hours

  • GreyNoise has observed elevated crawling activity targeting BIG-IP beginning 15 October at 6:41PM EST. 
  • Most traffic in the past 24 hours against our F5 BIG-IP profile has targeted U.S.- and French-based sensors. 
  • The majority of tagged traffic is targeting our BIG-IP profile, implying targeted activity rather than opportunistic. 
    • Most of this activity was crawling, targeting our BIG-IP profile, with minimal activity observed attempting to execute code against F5 BIG-IP’s management interface.
  • Most traffic appears to be originating from researchers and academic institutions — mostly from Cortex Xpanse. 

14 October Anomaly

  • On 14 October, GreyNoise observed elevated activity targeting our F5 BIG-IP profile, targeting only systems based in South Africa. 
  • All associated traffic shared the same TCP fingerprint (64240_2-1-3-1-1-4_1460_8) and only contained SYN packets, failing to establish a full connection. 
  • All traffic originated from HOSTIFOX INTERNET VE BILISIM HIZMETLERI TICARET SANAYI LIMITED SIRKETI.

23 September 2025 Anomaly

  • Another anomaly on 23 September occurred, again targeting our BIG-IP profile and primarily crawling for internet-exposed BIG-IP assets. 
  • This traffic originated from Digital Ocean and shared a similar TCP fingerprint with the SYN requests (64240_2-4-8-1-3_1460_7). 
  • Associated HTTP fingerprints include:
    • ge11nn030000_fe444ad14866_000000000000_000000000000
    • ge11nn040000_e1d2031bdfea_000000000000_000000000000
    • ge11nr040000_e1d2031bdfea_000000000000_000000000000
  • The overwhelming majority of traffic targeted U.S.-based assets, with only minimal activity targeting South Africa.

Search the GreyNoise Visualizer to see real-time activity against F5 technologies.

GreyNoise will continue monitoring the situation and make updates as necessary.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account