
Wednesday, October 22, 2025

EPA Cyber Alerts: Mitigate Vulnerabilities in F5 Devices

The United States Environmental Protection Agency (EPA) is issuing this alert to inform water and wastewater systems about Emergency Directive (ED) 26-01 issued by the Cybersecurity and Infrastructure Security Agency (CISA). This directive highlights an ongoing exploitation campaign by a nation-state affiliated cyber threat actor that has compromised F5 systems. The actor has exfiltrated data, including portions of F5’s BIG-IP source code and vulnerability information, providing them with a technical advantage to exploit F5 devices and software. This poses a critical threat to water and wastewater systems using F5 products. F5 is a technology company that provides products and services to protect and enhance the speed, reliability, and security of applications and networks.

Mitigations

Although Emergency Directive 26-01 is directed at federal agencies, EPA strongly recommends that water and wastewater systems review the Emergency Directive and follow the mitigation steps. Systems that outsource technology support should consult with their service providers for assistance with these steps.

Important: Water and wastewater systems are not required to report their activities to CISA, including those outlined in mitigation steps 2.b, 6, and 8 in the Emergency Directive. This requirement applies only to federal agencies; however, systems may choose to report voluntarily and are encouraged to do so if a compromise is detected.

Conclusion

If you have questions about any of the information in this alert, including assistance with the mitigation steps included in the Emergency Directive, please submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector. Additionally, CISA has provided the following contact information specific to this Emergency Directive:

Monday, September 29, 2025

EPA Cyber Alerts: Cisco Products and SonicWall Cyber Incidents

The Colorado Department of Public Health and Environment (CDPHE) is posting the following cyber alerts in partnership with the Environmental Protection Agency (EPA). Please reach out to EPA at watercyberta@epa.gov with any questions about this or any additional cyber concerns.

Alert: Identify and Mitigate Potential Compromise of Cisco Devices

The United States Environmental Protection Agency (EPA) is issuing this alert to inform water and wastewater systems about Emergency Directive (ED) 25-03 issued by the Cybersecurity and Infrastructure Security Agency (CISA). This directive highlights an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to achieve unauthenticated remote code execution on Cisco ASAs. Additionally, it includes the manipulation of read-only memory (ROM), enabling threat actors to maintain access even through reboots and system upgrades.

Link to Emergency Directive 25-03

Mitigations

Although Emergency Directive 25-03 is directed at federal agencies, EPA strongly recommends that water and wastewater systems review the Emergency Directive and follow the mitigation steps. The Emergency Directive includes a detailed step-by-step guide along with resources to assist in implementing each mitigation. Systems that outsource technology support should consult with their service providers for assistance with these steps.

Important: Water and wastewater systems are not required to report their activities to CISA, including those outlined in mitigation steps 2, 3, and 6 in the Emergency Directive. This requirement applies only to federal agencies; however, systems may choose to report voluntarily and are encouraged to do so if a compromise is detected.

Conclusion

If you have questions about any of the information in this alert, including assistance with the mitigation steps included in the Emergency Directive, please submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector.

Additionally, CISA has provided the following contact information specific to this Emergency Directive:

Thursday, August 14, 2025

Cyber Alert EPA: Active Exploitation of Microsoft SharePoint Vulnerabilities

The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators about the active exploitation of security vulnerabilities in Microsoft SharePoint that allow attackers to mislead the system into thinking they are a trusted user, also known as network spoofing, and to remotely run malicious code, known as remote code execution (RCE). This exploit enables unauthorized access specifically to Microsoft SharePoint servers that are hosted and operated on-site. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a cybersecurity alert on this malicious activity, publicly reported as “ToolShell.”

Mitigations

All drinking water and wastewater systems with Microsoft SharePoint servers are strongly encouraged to implement the following mitigations immediately to enhance resilience against this compromise:

  • Apply the necessary security updates released by Microsoft.
  • Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers.
  • Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the Internet Information Services (IIS) web server.
  • Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet.
  • Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
  • Monitor for malicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
  • Update intrusion prevention system and web application firewall rules to block exploit patterns and anomalous behavior.
  • Implement comprehensive logging to identify exploitation activity.
  • Audit and minimize layout and admin privileges.

For additional information on detection, prevention, and advanced threat hunting measures, drinking water and wastewater system owners and operators are encouraged to visit Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities blog post and advisory, as well as CISA’s cybersecurity alert.
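As an added example that is not part of the EPA alert, the following Python script applies the two detection items above to a constructed sample of IIS W3C log lines: it flags POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and any request from the three listed IPs, noting whether the hit falls in the July 18-19, 2025 window. The field order (the default IIS W3C layout) and the sample traffic are assumptions for illustration.

```python
from datetime import date

# Constructed sample of IIS W3C log lines (not real traffic). Field order is the
# default IIS layout: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
SAMPLE_LOG = """\
2025-07-18 14:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 131
2025-07-18 14:05:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 192.168.1.20 Mozilla/5.0 - 200 0 0 44
2025-07-21 09:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 88
2025-07-19 22:41:09 10.0.0.5 GET /sites/ops/default.aspx - 443 - 96.9.125.147 Mozilla/5.0 - 200 0 0 60
"""

# Indicators taken from the alert above (defanged "[.]" written as "." for matching)
ALERT_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
ALERT_WINDOW = (date(2025, 7, 18), date(2025, 7, 19))
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"   # compared case-insensitively

def parse_line(line):
    """Split one W3C log line into the fields we need; skip comments/short lines."""
    f = line.split()
    if line.startswith("#") or len(f) < 15:
        return None
    return {"date": date.fromisoformat(f[0]), "method": f[3], "stem": f[4],
            "query": f[5], "client": f[8], "status": f[11]}

def findings(log_text):
    """Return (date, client_ip, uri_stem, reasons) for every line matching an indicator."""
    out = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        reasons = []
        if (r["method"] == "POST" and r["stem"].lower() == TOOLPANE_PATH
                and "displaymode=edit" in r["query"].lower()):
            reasons.append("POST to ToolPane.aspx?DisplayMode=Edit")
        if r["client"] in ALERT_IPS:
            in_window = ALERT_WINDOW[0] <= r["date"] <= ALERT_WINDOW[1]
            reasons.append("alert IP" + (" in Jul 18-19 window" if in_window else ""))
        if reasons:
            out.append((r["date"].isoformat(), r["client"], r["stem"], "; ".join(reasons)))
    return out

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(" | ".join(hit))
```

Point the script at a real log by reading the file contents into `findings()`; a non-empty result is a trigger for the follow-up steps the alert describes, not proof of compromise by itself.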

Conclusion

The U.S. EPA requests that the Water Sector Coordinating Council (WSCC)/Government Coordinating Council (GCC) review this advisory and pass it along to all water and wastewater entities that may be susceptible to this threat. Additionally, we encourage the EPA Regions to share the advisory with the state primacy agencies and direct implementation utilities.