Amit Pawar, SVP, Solutions Advisory & Customer Success, Xage Security
Over the past year, the Cybersecurity and Infrastructure Security Agency (CISA) has issued three emergency directives targeting VPN and gateway technologies: Ivanti, Cisco ASA/FTD, and now F5 BIG-IP. Each directive underscores the same critical flaw: legacy VPN architectures expose organizations to escalating cyber risks.
| Vendor | Date | Emergency Directive | Summary |
| --- | --- | --- | --- |
| Ivanti | Jan 2025 | Continued fallout from ED 24-01 (Jan 2024) | Chained exploits and authentication bypass led to rapid disconnection and rebuild orders for internet-facing portals. |
| Cisco ASA/FTD | Sep 25, 2025 | ED 25-03 | Required triage, patching, and in some cases disconnection, due to in-the-wild targeting of VPN/web interfaces, including signs of persistent compromise. |
| F5 BIG-IP | Oct 15, 2025 | ED 26-01 | Cited an “imminent threat” to BIG-IP customers following a corporate network breach, mandating rapid hardening and updates. |
The common thread is clear: internet-facing VPN portals and management planes remain high-value targets for attackers. Patching helps only temporarily; it cannot correct the architectural weaknesses that make these systems inherently unsafe.
Legacy VPNs are failures waiting to happen that critical infrastructure operators can no longer afford to ignore. A public portal serves as a single chokepoint—an always-on, internet-exposed authentication surface that attracts zero-day exploits and credential attacks. Once inside, attackers get open access to the internal network, enabling easy attack escalation and, often, effortless lateral movement. These risks are compounded by the VPN gateway being a centralized target: a compromised gateway may store secrets, API keys, and configuration data, magnifying the blast radius of any successful attack.
On top of this, emergency patching and reimaging cause unplanned downtime, a serious operational burden for industrial operators managing safety-critical systems. Together, these factors reveal how brittle and outdated the legacy VPN stack has become.
Remote Access Risk of the F5 Breach
The F5 breach, discovered on August 9, 2025, but disclosed only in mid-October, is the latest example of this systemic weakness. Although SEC rules generally require breach disclosure within four days, F5 received a delay exemption due to “substantial risk to national security or public safety.” The long exposure window and F5’s deep footprint in critical sectors—utilities, pipelines, manufacturing, and transportation—make this event especially concerning.
These sectors rely on stable, continuous operations and strict change control. Emergency head-end patching or device rebuilds can disrupt production, increase safety risks, and strain already limited technical staff, even when the issue originates in IT.
F5 confirmed that the incident was a nation-state intrusion involving long-term access to internal systems, theft of BIG-IP source code, and exposure of information about undisclosed vulnerabilities. CISA’s ED 26-01 now requires agencies to inventory affected F5 products, secure or remove exposed interfaces, and apply updates by tight deadlines (patch by October 22; scoping by October 29).
In scope: F5 updates for BIG-IP (TMOS), F5OS, BIG-IP Next (including BNK/CNF), BIG-IQ, and APM clients. Organizations using APM for remote access should treat this as an active incident, not a maintenance task. Source code access means adversaries now have insight into potential new zero-days.
How Xage Replaces Vulnerable VPN Systems
Xage Secure Remote Access (SRA) eliminates the public VPN portal entirely. Access is brokered per session and per asset, with connections terminated at multiple boundaries. This design ensures there’s no flat network after login and no single gateway to defend against constant attack.
To reduce exposure, organizations must combine Zero Trust and defense-in-depth. Together, these principles build layered protection, contain breaches before they spread, and speed recovery—even against state-backed adversaries.
Modern resilience depends on eliminating single points of failure. Centralized security architectures create risk: when one system falls, everything behind it is exposed. In contrast, mesh-style architectures distribute credentials, so it’s not possible to get the keys to the castle by compromising any one system.
Xage SRA embodies this model with identity-first, least-privilege control, governing who can access specific assets or applications, for how long, and under what conditions, with multi-factor authentication at every step for both IT and OT systems. Policies are enforced locally, maintaining secure access even during WAN outages, so there’s no central headend that can fail or be taken down for patching.
Built-in Privileged Access Management (PAM) and dynamic segmentation further strengthen defense with just-in-time access, credential rotation, session recording, and immutable audit logs. These controls limit credential abuse, reduce lateral movement, and simplify compliance.
By removing exposed portals, hardening identity, and maintaining operations even during outages, Xage helps enterprises align with CISA’s latest directives—protecting critical systems without relying on brittle VPN architectures. The F5 breach is more than another security headline; it’s a clear signal that legacy VPNs and jump servers can no longer meet the security and resilience demands of modern OT environments.
For a deeper look at why VPNs and jump servers fall short as an effective strategy for OT remote access—and why they urgently need to be replaced—explore our blog: Why VPNs and Jump Servers Fall Short for OT Remote Access.
Forward-looking companies like Pacific Canbriam are already leading the way. By replacing their VPN with Xage Zero Trust Access, they have built a future-ready OT security architecture designed for resilience and scale. You can read their full story here: Beyond VPNs: How Pacific Canbriam Built a Future-Ready OT Security Architecture.