Blog

Become a Vogue Business Member to receive unlimited access to Member-only reporting and insights, our Beauty and TikTok Trend Trackers, Member-only newsletters and exclusive event invitations.

It’s the end of an era at Hermès. The house’s artistic director of menswear Véronique Nichanian is stepping down after 37 years, Hermès confirmed on Thursday. She will present her last collection during Paris men’s week in January. It’s understood that her successor will be appointed in the coming days.

Nichanian began her career at Cerruti before being poached by Hermès’s chief executive Jean-Louis Dumas in 1988 to lead menswear. She became known for her inventive, wearable designs, grabbing attention with high-quality materials and a beautiful colour palette. Her Spring/Summer 2026 collection was “breathable clothing, just some lightness, softness, sensuality in the silk, in the prints,” she told editors after the show. She introduced a monkey print on tote bags. “Just for fun. It can’t do any harm in this world.”

Nichanian becomes the latest luxury designer to leave a creative vacancy at a major fashion house following the SS26’s big reset, which saw 15 designer debuts. But Nichanian is a particularly notable exit: she had the longest tenure of a serving creative director in fashion.

On her decision to step down, she told Le Figaro in an exclusive interview: “I still love this job. However, I believe that to practice it the way I like to, it now requires more and more time — and today, I want to devote that time to other things… Hermès has, above all, shown great elegance by allowing me to choose the moment that felt right to step down. I’ve been thinking about it and discussing it with Axel and Pierre-Alexis Dumas for a year or two now. It’s time to pass the baton.”

Hermès’s financial performance has continued to defy the ongoing luxury slowdown. The company posted 8 per cent growth in the first half of 2025, with ready-to-wear and accessories growing 5.5 per cent in the period.

Comments, questions or feedback? Email us at feedback@voguebusiness.com.

More from this author:

What’s Sephora’s secret recipe?

LVMH fashion sales down 2% in Q3

Maria Grazia Chiuri returns to Fendi as chief creative officer

Executive Summary

On Oct. 15, 2025, F5 — a U.S. technology company — disclosed that a nation-state threat actor conducted a significant long-term compromise of their corporate networks. In this incident, attackers stole source code from their BIG-IP suite of products and information about undisclosed vulnerabilities. F5’s BIG-IP suite is commonly used by large organizations, primarily in the U.S. but also globally, for availability, access control and security. Organizations including government agencies and Fortune 500 companies rely on BIG-IP.

Cortex Xpanse currently identifies over 600,000 F5 Big-IP instances exposed to the internet.

F5’s investigation revealed that the attackers maintained long-term access to the company’s product development environment and engineering knowledge management platform. This enabled attackers to access highly sensitive data.

F5 also released details of several vulnerabilities of varying severity. Some of the key vulnerabilities are:

• CVE-2025-53868: A BIG-IP SCP and SFTP vulnerability with a CVSS score of 8.7. This could allow for a significant impact on affected systems.
• CVE-2025-61955: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode. This could lead to major compromises of F5OS-A and F5OS-C systems.
• CVE-2025-57780: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode, representing another critical threat to F5OS systems.

Key Takeaways

• What Was Exfiltrated: The threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms. These files contained some BIG-IP source code and information about undisclosed vulnerabilities. F5 stated it currently has no knowledge of undisclosed critical or remote code vulnerabilities, and it has not observed active exploitation of any undisclosed F5 vulnerabilities.
• Customer Impact: There is no evidence of access to — or exfiltration of — data from F5’s CRM, financial, support case management or iHealth systems. However, some of the exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers.
• Supply Chain Integrity: There is no evidence of modification to F5’s software supply chain, including source code and build and release pipelines.
• Unaffected: There is no evidence that the threat actor accessed or modified the NGINX source code or product development environment. There was also no evidence that the threat actor accessed or modified the F5 Distributed Cloud Services or Silverline systems.

While details of what exactly was exfiltrated are not publicly available, the theft of source code and previously undisclosed vulnerabilities is significant and could potentially facilitate rapid exploitation of vulnerabilities.

Guidance

Unit 42 highly recommends following F5 public guidance in its public Security Notification and Quarterly Security Notification.

Palo Alto Networks customers receive protections from and mitigations for these CVEs in the following ways:

• The Unit 42 Incident Response team can be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
• Cortex Xpanse has existing attack surface rules that can be used to assist customers in identifying publicly accessible F5 devices.

Details of the Attack

According to F5, the compromise of their corporate networks was conducted by an unspecified sophisticated nation-state actor. Attacks in recent years have illustrated the allure of technology companies as not just a viable target, but a force multiplier in increasing the efficiency and timeline of espionage activity.

F5 also released details of several vulnerabilities of varying severity. Some of the key vulnerabilities are:

• CVE-2025-53868: A BIG-IP SCP and SFTP vulnerability with a CVSS score of 8.7. This could allow for a significant impact on affected systems.
• CVE-2025-61955: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode. This could lead to major compromises of F5OS-A and F5OS-C systems.
• CVE-2025-57780: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode, representing another critical threat to F5OS systems.

History of Targeted Attacks

There is a history of nation-state actors going after high value targets in the technology industry. Given the reach of F5’s BIG-IP suite, well-resourced, sophisticated actors have focused on it in the past.

In late 2023, a critical vulnerability (CVE-2023-46747) emerged within the BIG-IP Traffic Management User Interface (TMUI), allowing for an authentication bypass. UNC5174, a China-nexus threat actor, actively exploited this flaw. Mandiant’s investigation revealed that the group leveraged this vulnerability to create backdoor administrator accounts, ultimately gaining command execution on compromised devices.

For three years, a Chinese state-sponsored group reported as Velvet Ant used malicious software to exploit outdated F5 BIG-IP equipment. This allowed persistent access and exfiltration of data from a targeted organization’s network.

In July 2025, a critical vulnerability (CVE-2022-1388) became the gateway for another sophisticated attack. The China-nexus group known as Fire Ant — overlapping with UNC3886 — exploited an iControl REST authentication bypass flaw in F5 BIG-IP devices. This allowed them to deploy web shells, tunnel traffic between network segments and execute arbitrary system commands.

Current Scope of the Attack Against F5

The threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms. F5’s post as of Oct. 16 stated that the company has found no evidence of access to — or exfiltration of — data from its CRM, financial, support case management or iHealth systems. However, some of the exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers.

F5 stated that the stolen files contained some BIG-IP source code and information about undisclosed vulnerabilities. F5 stated it currently has no knowledge of undisclosed critical or remote code vulnerabilities. It also has not observed active exploitation of any undisclosed F5 vulnerabilities.

There has been no evidence of modification to F5’s software supply chain, including source code and build and release pipelines. There is also no evidence that the threat actor accessed or modified the NGINX source code or product development environment. Finally, there was no evidence that the threat actor accessed or modified the F5 Distributed Cloud Services or Silverline systems.

Generally, if an attacker steals source code it takes time to find exploitable issues. In this case, the threat actor also stole information on previously undisclosed vulnerabilities that F5 was actively working to patch. This could provide the ability for threat actors to exploit vulnerabilities that have no public patch, potentially increasing speed to exploit creation.

The disclosure of 45 vulnerabilities in this quarter versus just six last quarter suggests F5 is moving as fast as they can to actively patch as many flaws as possible before the threat actors can exploit them.

Interim Guidance

Unit 42 highly recommends following F5 public guidance in its public Security Notification and Quarterly Security Notification. This guidance includes:

• Updating BIG-IP software
• A threat hunting guide
• Hardening guidance
• Security information and event management (SIEM) integration recommendations

F5 strongly recommends updating BIG-IP software as soon as possible. F5 support is providing a threat hunting guide to strengthen detection and monitoring. It also published best practices for hardening F5 systems, adding automated hardening checks to the F5 iHealth Diagnostic Tool. This tool can help surface gaps, prioritize actions and provide links to remediation guidance.

Lastly, F5 recommends the following:

• Enabling BIG-IP event streaming to SIEM
• Following step-by-step instructions for syslog configuration (KB13080)
• Monitoring for login attempts (KB13426) to enhance visibility and alerting for:
  • Admin logins
  • Failed authentications
  • Privilege and configuration changes

Conclusion

The potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching. This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.

According to public information, the compromise was identified in early August 2025. While F5 stated they had not yet seen evidence of in-the-wild exploitation, the timing suggests that these vulnerabilities could have been exploited for upwards of two months. This highlights the need to immediately address mitigation guidance.

F5’s prompt disclosure and mitigation guidance are crucial first steps. The top priority for any organization using F5 BIG-IP is to implement mitigation and hardening guidance without delay and begin threat hunting activities immediately.

This underscores the need for a defense-in-depth strategy in the face of unknown, emerging and previously-identified vulnerabilities.

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 000 800 050 45107

Cortex Xpanse

Cortex Xpanse has existing attack surface rules that can be used to assist customers in identifying publicly accessible F5 devices.