Nation-State Hackers Breach F5: Steal BIG-IP Source Code and Zero-Day Info


In August 2025, F5, a major U.S. cybersecurity company, learned of a significant breach by a highly sophisticated nation-state actor. The threat actor maintained persistent access to F5’s systems and exfiltrated sensitive files, including portions of the BIG-IP source code and information on undisclosed vulnerabilities. Combining the stolen source code with the details of those undisclosed vulnerabilities could give the attacker the means to develop working exploits against F5 products.

Severity: Critical

Key Findings Of The Incident

  • Stolen Data: The threat actor exfiltrated files including:
    • BIG-IP product source code
    • Information about undisclosed security flaws that F5 was actively working on for BIG-IP
  • Scope of Impact:
    • The breach affected the BIG-IP product development environment and engineering knowledge management platforms.
    • Some exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers. F5 is reviewing these files and will communicate with affected customers directly.

Actions Taken By F5

  • Containment: F5 successfully contained the threat actor’s access, and no new unauthorized activities have been observed since.
  • Collaborations: F5 has partnered with cybersecurity firms such as CrowdStrike and Mandiant, along with law enforcement, to mitigate the threat.
  • Security Updates: F5 has released security patches for several of its products, including BIG-IP, F5OS, BIG-IQ, and BIG-IP Next for Kubernetes.

Security Review

F5 engaged third-party security firms for security assessment of its products:

  • IOActive was engaged to assess critical F5 software source code (including BIG-IP) and the development build pipeline. IOActive’s in-progress review found no evidence that the threat actor introduced any vulnerabilities into the assessed scope and did not identify any critical severity vulnerabilities in the reviewed source code.
  • NCC Group was also engaged for a security assessment of critical F5 software source code and a review of the software development build pipeline. NCC Group’s assessment involved 76 consultants over 551 person-days of effort. The objective was to identify critical and high-risk security issues. The assessment found no evidence of modification to the software supply chain (source code, build, or release pipelines).

Key Vulnerabilities Identified

The incident prompted F5’s October 2025 Quarterly Security Notification, which addressed the stolen undisclosed vulnerabilities. The updates apply to numerous products, including those covered by CISA’s directive: BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP NK/CNF.

These security updates address several high, medium, and low-risk vulnerabilities such as:

  • CVE-2025-53868 (BIG-IP SCP and SFTP Vulnerability)
  • CVE-2025-61955 (F5OS Vulnerability)
  • CVE-2025-60016 (BIG-IP SSL/TLS Vulnerability)
  • And multiple others in various BIG-IP/F5OS/BIG-IP Next modules affecting SSL/TLS, MPTCP, DNS Cache, HTTP/2, DTLS 1.2, and others.

CISA’s Directive

CISA issued Emergency Directive (ED 26-01) on October 15, 2025, directing federal agencies to take immediate action. Agencies must:

  • Inventory and update F5 BIG-IP and related products.
  • Harden public-facing devices and ensure network management interfaces are not exposed to the internet.
  • Apply updates by October 22, 2025, and decommission unsupported devices by October 31, 2025.

Recommendations

  1. Immediately install the latest vendor-provided updates for all affected F5 products, especially F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF. Before applying updates for BNK/CNF, validate the F5-published MD5 checksums for the software image files.
  2. F5 recommends enabling BIG-IP event streaming to your SIEM. Follow F5’s step-by-step instructions for syslog configuration (KB13080) and monitoring for login attempts (KB13426). This will enhance visibility and alerting for admin logins, failed authentications, and privilege and configuration changes.
  3. Follow best practices (https://my.f5.com/manage/s/article/K53108777) for hardening your F5 systems.
  4. Use F5’s iHealth Diagnostic Tool to automate hardening checks. This helps identify gaps, prioritize actions, and provides links to remediation guidance.
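The following Python script is an added illustration of recommendations 1 and 2 above; it is not F5 tooling and not part of the original advisory. It verifies a software image against a published MD5 manifest (assumed to be in `md5sum`-style `<hex>  <filename>` layout, with a placeholder filename) and then scans syslog-shaped lines for the event classes the advisory says to stream to a SIEM: failed authentications, logins, and privilege or configuration changes. The log lines and message texts are constructed for the example and are not real BIG-IP output; the regular expressions would need to be adjusted to the actual message formats once syslog forwarding is configured.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Recommendation 1: validate an image against a published MD5 manifest ----

def parse_md5_manifest(manifest_text):
    """Parse md5sum-style lines ('<32 hex>  <filename>') into {filename: hex}."""
    digests = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{32}", parts[0]):
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in md5sum output
    return digests

def verify_image_md5(image_bytes, manifest_text, filename):
    """True only if the image's MD5 equals the manifest entry for filename."""
    expected = parse_md5_manifest(manifest_text).get(filename)
    if expected is None:
        return False  # no published checksum: unverified, never treated as OK
    actual = hashlib.md5(image_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample image and manifest (placeholder filename, not a real F5 release).
SAMPLE_IMAGE = b"constructed image bytes, not a real BIG-IP image\n"
SAMPLE_MANIFEST = (
    "# constructed manifest for the example\n"
    f"{hashlib.md5(SAMPLE_IMAGE).hexdigest()}  BIGIP-example.iso\n"
)

# ---- Recommendation 2: classify and alert on forwarded syslog events ----

# Constructed BSD-syslog-shaped lines. Message texts are placeholders, NOT real BIG-IP formats.
SAMPLE_LOG = """\
Oct 16 09:00:01 bigip-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Oct 16 09:00:04 bigip-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Oct 16 09:00:09 bigip-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Oct 16 09:00:15 bigip-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Oct 16 09:00:21 bigip-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Oct 16 09:00:30 bigip-01 sshd[2102]: Accepted password for admin from 203.0.113.7 port 51127 ssh2
Oct 16 09:01:02 bigip-01 tmsh[2150]: admin executed: modify auth user svc-deploy role admin
Oct 16 09:01:40 bigip-01 tmsh[2150]: admin executed: save sys config
Oct 16 10:12:00 bigip-01 sshd[2300]: Accepted publickey for ops from 10.0.5.20 port 40112 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Event classes from the advisory, matched against the message part (constructed patterns).
EVENT_PATTERNS = {
    "failed_auth":   re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "login":         re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
    "priv_change":   re.compile(r"(?P<user>\S+) executed: modify auth user (?P<target>\S+)"),
    "config_change": re.compile(r"(?P<user>\S+) executed: save sys config"),
}

def parse_events(log_text, year=2025):
    """Turn syslog lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, pat in EVENT_PATTERNS.items():
            e = pat.search(m["msg"])
            if e:
                events.append({"time": ts, "host": m["host"], "kind": kind, **e.groupdict()})
                break
    return events

def alert_on_events(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on failed-login bursts per (host, user, source) inside a sliding window,
    and report every login and privilege/config change so a reviewer can vet it."""
    alerts = []
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] == "failed_auth":
            key = (ev["host"], ev["user"], ev["src"])
            recent = [t for t in failures[key] if ev["time"] - t <= window] + [ev["time"]]
            failures[key] = recent
            if len(recent) == threshold:  # fire once when the burst reaches the threshold
                alerts.append(f"{ev['host']}: {threshold} failed logins for {ev['user']} from {ev['src']} within {window}")
        elif ev["kind"] == "login":
            alerts.append(f"{ev['host']}: login for {ev['user']} from {ev['src']}")
        elif ev["kind"] == "priv_change":
            alerts.append(f"{ev['host']}: {ev['user']} changed privileges of {ev['target']}")
        elif ev["kind"] == "config_change":
            alerts.append(f"{ev['host']}: {ev['user']} saved the configuration")
    return alerts

if __name__ == "__main__":
    print("image verified:", verify_image_md5(SAMPLE_IMAGE, SAMPLE_MANIFEST, "BIGIP-example.iso"))
    for a in alert_on_events(parse_events(SAMPLE_LOG)):
        print("ALERT", a)
```

The checksum check deliberately returns `False` when the manifest has no entry for the file, so a missing checksum is never silently treated as a pass. The failed-login detector keys on host, user and source and fires once when the count inside the window reaches the threshold; in a SIEM this logic maps onto a correlation rule, while logins and privilege or configuration changes are surfaced individually because their volume is low and each one deserves a human look.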
