SANS Stormcast Tuesday, March 31st, 2026: Honeypot Session Lifetime; Let’s Encrypt Tests Mass Revocation; F5 RCE Exploited

SANS Internet StormCast

Mar 31, 2026

Why It Matters

Understanding honeypot behavior helps defenders spot attacker tactics and improve deception strategies. The Let’s Encrypt revocation test highlights a gap in many ACME clients that could delay large‑scale certificate withdrawals, affecting internet trust. Finally, the upgraded F5 vulnerability now poses a critical RCE risk, urging organizations to confirm they’ve applied the latest patches to avoid exploitation.

Key Takeaways

  • Most honeypot sessions last only seconds; few extend to minutes.
  • Attackers' final command often reveals honeypot awareness.
  • Let's Encrypt tested mass revocation via ACME ARI feature.
  • Majority of ACME clients lack support for ARI feature.
  • F5 BIG‑IP APM CVE‑2025‑53521 now remote code execution, CVSS 9.8.

Pulse Analysis

The Stormcast episode highlights how honeypot sessions are typically fleeting, often ending within seconds, with only a handful persisting for minutes. Analysts note that the final command an attacker issues can betray their awareness of the decoy environment, prompting operators to tweak response signatures to prolong engagement and gather richer intelligence. This insight underscores the value of detailed command‑level telemetry for threat hunting and deception strategies.

A major focus of the discussion is Let’s Encrypt’s recent mass‑revocation drill using the ACME renewal information (ARI) extension. Conducted in the staging environment, the test validates the industry‑mandated requirement for certificate authorities to demonstrate scalable revocation capabilities. However, the hosts point out that most ACME client implementations still lack ARI support, meaning many users may miss critical revocation signals during real‑world incidents. This gap highlights the need for broader client updates and proactive monitoring of certificate lifecycle tooling.
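To make concrete what an ARI-aware client does (and what a client without ARI support never sees), here is an added example in Python; it is not code from the episode, from Let's Encrypt or from any ACME client. It builds the ARI certificate identifier from a certificate's Authority Key Identifier and serial number as RFC 9773 specifies, locates the renewalInfo endpoint in an ACME directory, and interprets a renewalInfo response. The identifier inputs are the worked example from RFC 9773; the directory and renewalInfo JSON documents are constructed for this example, not real CA output.

```python
"""ACME Renewal Information (ARI, RFC 9773) check, as an ARI-aware client does it.
Added example; not code from the episode, Let's Encrypt or any ACME client.
Identifier inputs are the worked example from RFC 9773; the ACME directory and
renewalInfo documents below are constructed, not real CA output."""
import base64
import json
from datetime import datetime, timezone

# Worked example values from RFC 9773 section 4.1 (AKI keyIdentifier, serial).
RFC_EXAMPLE_AKI = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
RFC_EXAMPLE_SERIAL = 0x87654321
# Constructed (hypothetical) ACME directory and renewalInfo documents.
SAMPLE_DIRECTORY = json.loads('{"newOrder": "https://acme.example/new-order", '
                              '"renewalInfo": "https://acme.example/renewal-info"}')
SAMPLE_RENEWAL_INFO = json.loads('{"suggestedWindow": {"start": "2026-03-30T00:00:00Z", '
                                 '"end": "2026-03-31T12:00:00Z"}, '
                                 '"explanationURL": "https://acme.example/ari-drill"}')

def _b64url(data):
    # ARI uses unpadded base64url (RFC 4648 section 5).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def der_integer_content(serial):
    # Content octets of a DER INTEGER: minimal big-endian two's complement,
    # with a leading 0x00 when the top bit is set; tag and length excluded.
    body = serial.to_bytes(max(1, (serial.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body

def ari_cert_id(aki_key_identifier, serial):
    # RFC 9773 section 4.1: base64url(keyIdentifier) "." base64url(serial DER)
    return _b64url(aki_key_identifier) + "." + _b64url(der_integer_content(serial))

def renewal_info_url(directory, cert_id):
    # A CA without ARI has no "renewalInfo" entry; a client that ignores the
    # entry falls back to a fixed schedule and never sees a shortened window.
    base = directory.get("renewalInfo")
    return None if base is None else base.rstrip("/") + "/" + cert_id

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)

def renewal_status(renewal_info, now_iso):
    # Returns ("not_yet" | "renew" | "overdue", explanationURL or None). A CA
    # pulls the window forward to signal pending revocation, so clients re-poll.
    window = renewal_info["suggestedWindow"]
    now, start, end = _utc(now_iso), _utc(window["start"]), _utc(window["end"])
    state = "not_yet" if now < start else "renew" if now <= end else "overdue"
    return state, renewal_info.get("explanationURL")
```

A real client would fetch `renewal_info_url(...)` over HTTPS and re-check on the server's Retry-After cadence; the response handling above is what decides whether the revocation signal is acted on.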

Finally, the episode revisits the F5 BIG‑IP APM vulnerability (CVE‑2025‑53521), which has been re‑classified from a denial‑of‑service flaw to a remote code execution issue with a CVSS score of 9.8. Organizations that deprioritized patches based on the original classification must reassess their remediation posture immediately. The discussion reinforces the importance of continuous vulnerability management, especially when threat actors act quickly on newly disclosed vulnerabilities, and advises security teams to verify that all F5 appliances are fully patched to mitigate the elevated risk.

Episode Description

Honeypot Session Lifetime

https://isc.sans.edu/diary/DShield%20%28Cowrie%29%20Honeypot%20Stats%20and%20When%20Sessions%20Disconnect/32840

https://community.letsencrypt.org/t/lets-encrypt-2026-mass-revocation-simulation/245960

https://www.certkit.io/blog/ari-solves-mass-certificate-revocation

https://www.certkit.io/blog/lets-encrypt-mass-revocation-simulation

https://my.f5.com/manage/s/article/K000156741
