F5 Confirms Breach of Internal Systems—Source Code, Customer Data at Risk
On October 15, 2025, F5 disclosed a serious security incident, designated K000154696, confirming that a sophisticated nation-state threat actor maintained long-term, persistent access to its systems. This breach targeted F5’s intellectual property related to its flagship BIG-IP product line, creating an unprecedented level of risk for organizations reliant on this critical network infrastructure.
The scale of the theft, combining core source code with internal vulnerability data and customer configurations, has transformed a corporate intrusion into a matter of national security, prompting an immediate Emergency Directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
This blog explains the BIG-IP incident, outlining its timeline, potential implications for national and global security, F5’s response efforts, and actionable mitigations that every F5 customer should implement.
The Scope of the Compromise and Delayed Disclosure
F5 first became aware of unauthorized access on August 9, 2025. Due to the gravity of the incident, F5 requested and obtained authorization from the U.S. Department of Justice to delay public disclosure until mid-October, citing national security considerations under SEC regulations.
This delay was utilized by government partners to prepare defenses against the impending threat.
The Targeted Systems and Stolen Assets
The nation-state actor maintained long-term, persistent access to F5’s internal systems, specifically targeting the following production environments and exfiltrating three classes of critical data.
| Targeted Location | Stolen Asset Category | Imminent Risk Analysis |
|---|---|---|
| BIG-IP Product Development Environment | Portions of BIG-IP Source Code | Provides the ability for systematic analysis to uncover deep-seated, previously unknown (zero-day) vulnerabilities. |
| Engineering Knowledge Management Platforms | Undisclosed Vulnerability Data | Acts as a roadmap, eliminating research time and allowing actors to quickly weaponize flaws that have no public fix. |
| Engineering Knowledge Management Platforms | Small Percentage of Customer Configuration Data | Enables targeted, surgical attacks tailored to specific network topologies, security policies, and administrative settings of high-value targets. |
Integrity Assurance
Crucially, F5 reported, and independent reviews by NCC Group and IOActive validated, that the threat actor did not modify
- the software supply chain,
- source code, or
- build and release pipelines [1].
Furthermore, F5 found no evidence of access to
- customer relationship management (CRM),
- financial,
- support,
- iHealth,
- NGINX, or
- F5 Distributed Cloud services.
The Strategic Threat Calculus
Security experts are unanimous: the combination of proprietary source code and internal vulnerability details significantly accelerates the speed of exploit creation.
- Zero-Day Acceleration: The stolen source code eliminates the need for time-consuming reverse engineering, allowing the adversary to swiftly move from intellectual property theft to developing highly functional zero-day exploits.
- Targeted Exploitation: CISA warned that the threat actor's access provides a "technical advantage" to exploit F5 devices. The UK National Cyber Security Centre (NCSC) explicitly cautioned that successful exploitation could allow the threat actor to access embedded credentials and API keys, facilitate lateral movement, and establish persistent system access within a compromised network.
The fact that the U.S. Department of Justice authorized F5 to delay public disclosure until national security implications were addressed underscores the strategic value of the stolen data to the nation-state adversary.
F5’s Incident Response and Shift to Proactive Defense
F5, engaging industry-leading firms, has taken extensive actions and believes its containment efforts have been successful, with no evidence of new unauthorized activity observed since detection.
Key operational and strategic response measures implemented include:
- Infrastructure Hardening: Rotated credentials and strengthened access controls; deployed automated patch management and advanced monitoring tools; and hardened the product development environment.
- Proactive Patching: Coordinated the public disclosure with the release of the October 2025 Quarterly Security Notification [2]. These updates aim to proactively eliminate the adversary's intelligence advantage by patching the vulnerabilities F5 was already investigating.
- Strategic Visibility Partnership: F5 is partnering with CrowdStrike to extend Falcon Endpoint Detection and Response (EDR) sensors and Overwatch Threat Hunting directly onto BIG-IP devices. This move is a tacit acknowledgement that critical network devices require advanced, behavioral monitoring, and F5 is providing all supported customers with a free EDR subscription.
Actionable Intelligence: Recommendations for All F5 Customers
The threat is operational. Organizations using F5 products must adopt an aggressive, multi-layered defensive posture immediately:
Immediate Patching Mandate
Urgently apply all available updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Prioritize updates based on the October 2025 Quarterly Security Notification (K000156572) to mitigate the highest-severity flaws.
Deploy EDR and Enhance Monitoring
Deploy the free CrowdStrike Falcon EDR subscription to supported BIG-IP devices for superior control-plane visibility. Furthermore, ensure BIG-IP event streaming is enabled for your SIEM solution, configuring specific alerts for failed authentications, administrative logins, and privilege changes.
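To make the SIEM alerting above concrete, here is an added Python example (not code from F5, Picus, or the original post) that classifies log lines into the three alert classes the recommendation names, and then correlates an accepted administrative login with a preceding burst of failures from the same source. The sample lines are constructed to approximate BIG-IP sshd and tmsh AUDIT entries, and the three-failure threshold is an assumption; adjust both to the actual log format your devices stream.

```python
import re
from collections import Counter

# Constructed sample lines approximating BIG-IP /var/log/secure (sshd) and
# /var/log/audit (tmsh AUDIT) entries; real field layouts may differ (assumption).
SAMPLE_LOGS = """\
Oct 16 10:00:01 bigip1 sshd[2101]: Failed password for admin from 203.0.113.5 port 51234 ssh2
Oct 16 10:00:03 bigip1 sshd[2101]: Failed password for admin from 203.0.113.5 port 51236 ssh2
Oct 16 10:00:05 bigip1 sshd[2101]: Failed password for root from 203.0.113.5 port 51238 ssh2
Oct 16 10:00:09 bigip1 sshd[2101]: Accepted password for admin from 203.0.113.5 port 51240 ssh2
Oct 16 10:01:12 bigip1 notice tmsh[2210]: 01420002:5: AUDIT - pid=2210 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify auth user svc-backup role admin
Oct 16 10:02:00 bigip1 notice tmsh[2210]: 01420002:5: AUDIT - pid=2210 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
"""

FAILED_AUTH = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")
ADMIN_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
AUDIT_CMD = re.compile(r"AUDIT - .*?user=(?P<user>\S+) .*cmd_data=(?P<cmd>.*)$")
# A tmsh command that creates or modifies a user and assigns a role counts as a privilege change.
PRIV_CHANGE = re.compile(r"^(modify|create) auth user \S+ .*\brole ")


def classify(lines, failed_threshold=3):
    """Bucket log lines into the three alert classes the SIEM guidance names."""
    failures = Counter()  # failed logins seen per source address
    alerts = {"failed_auth_burst": [], "admin_login": [], "privilege_change": []}
    for line in lines:
        m = FAILED_AUTH.search(line)
        if m:
            failures[m["src"]] += 1
            if failures[m["src"]] == failed_threshold:  # fire once per source
                alerts["failed_auth_burst"].append(m["src"])
            continue
        m = ADMIN_LOGIN.search(line)
        if m:
            alerts["admin_login"].append((m["user"], m["src"]))
            continue
        m = AUDIT_CMD.search(line)
        if m and PRIV_CHANGE.match(m["cmd"]):
            alerts["privilege_change"].append((m["user"], m["cmd"].strip()))
    return alerts


def successful_after_burst(alerts):
    """Highest-priority finding: an accepted login from a source that just produced a failure burst."""
    burst_sources = set(alerts["failed_auth_burst"])
    return [(user, src) for user, src in alerts["admin_login"] if src in burst_sources]
```

Running `classify(SAMPLE_LOGS.splitlines())` on the constructed input yields one failed-authentication burst, one administrative login and one role change, and `successful_after_burst` links the login to the burst from the same address.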
Zero-Trust Hardening
Run automated hardening checks using the F5 iHealth Diagnostic Tool. Enforce strict Zero-Trust principles for management access (Configuration utility, SSH), ensuring access is heavily segmented and limited only to explicitly trusted networks.
Credential Rotation
If your organization is among the "small percentage" F5 directly notifies, immediately rotate any associated embedded credentials, API keys, and privileged account configurations.
How Does Picus Simulate F5 Web Attack Campaigns Observed in the Wild?
We strongly recommend simulating the exploited vulnerabilities targeting F5 products and safely emulating the adversarial behaviors seen in recent F5 web attack campaigns to assess how effectively your controls withstand sophisticated cyber attacks.
With the Picus Security Validation Platform, you can also test your defenses against other high-profile vulnerabilities, such as regreSSHion, Citrix Bleed, and Follina, within minutes through a 14-day free trial.
Picus Threat Library includes the following threats for F5 attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 97569 | F5 Web Attack Campaign | Web Application |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address F5 vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs has validated the following signatures.
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGX | asm_dynamic_prop_CVE_2022_41800 | F5 Big-IP Command Injection (CVE-2022-41800) |
| Check Point NGX | asm_dynamic_prop_LINUX_SENS_FILES | Linux System Files Information Disclosure |
| Check Point NGX | asm_dynamic_prop_CVE_2024_26026 | F5 BIG-IP Next Central Manager SQL Injection |
| Check Point NGX | asm_dynamic_prop_CVE_2021_22986 | F5 BIG-IP Remote Code Execution (CVE-2021-22986) |
| Check Point NGX | asm_dynamic_prop_DIR_TRAV_URL | Web Servers Malicious URL Directory Traversal |
| Check Point NGX | asm_dynamic_prop_CVE_2020_5902 | F5 BIG-IP Remote Code Execution (CVE-2020-5902) |
| Citrix Netscaler VPX | 999945 | web-misc wazuh prior to 4.9.1 - deserialization of untrusted data vulnerability (cve-2025-24016) |
| Citrix Netscaler VPX | 998450 | web-misc apache ofbiz prior to 18.12.14 - path traversal vulnerability (cve-2024-32113) |
| F5 BIG-IP | 200101536 | Shell command processor (ash/bash) access (Parameter) |
| F5 BIG-IP | 200010175 | "/etc/passwd" access (2) (Parameter) |
| F5 BIG-IP | 200007041 | Tomcat Directory Traversal attempt |
| ForcePoint NGFW | HTTP_CRL-F5-Big-IP-And-Big-IQ-iControl-iControlportal.cgi-Format-String-Vulnerability | |
| ForcePoint NGFW | HTTP_CSU-Suspected-System-File-Disclosure | |
| ForcePoint NGFW | HTTP_CRL-F5-iControl-Rest-Unauthenticated-RCE-CVE-2022-1388 | |
| ForcePoint NGFW | HTTP_CSH-Apache-HTTP-Server-Mod_rpaf-X-Forwarded-For-Denial-Of-Service | |
| Fortinet Fortigate IPS | 52609 | F5.BIG-IP.iControl.SOAP.CGI.Process.Format.String |
| Fortinet Fortigate IPS | 52319 | F5.BIG-IP.iControl.SOAP.API.CVE-2022-41622.CSRF |
| Fortinet Fortigate IPS | 51543 | F5.BIG-IP.iControl.REST.Authentication.Bypass |
| Fortinet Fortigate WAF | 50070002 | Generic Attacks |
| Fortinet Fortiweb | 060070002 | Generic Attacks(Extended) |
| Fortinet Fortiweb | 090501141 | Known Exploits |
| Imperva SecureSphere | HTTP Request Smuggling using Transfer-Encoding with non-RFC value | |
| Imperva SecureSphere | WEB-MISC /etc/passwd | |
| Imperva SecureSphere | CVE-2021-22986: F5 BIG-IP iControl RCE - 1 | |
| Trellix | 0x452c5700 | HTTP: F5 BIG-IP And BIG-IQ IControlPortal.cgi Format String Vulnerability |
| Trellix | 0x452be200 | HTTP: F5 BIG-IP Authenticated Remote Code Execution Vulnerability |
| Trellix | 0x4020af00 | HTTP: Attempt to Read Password File |
| modsecurity | 930110 | Path Traversal Attack (/../) |
| modsecurity | 932160 | Remote Command Execution: Unix Shell Code Found |
| paloalto NG Firewall | 93475 | F5 BIG-IP iControl API Format String Vulnerability |
| paloalto NG Firewall | 58623 | F5 Traffic Management User Interface Remote Code Execution Vulnerability |
| Snort CentOS Platform | 1.2049400.1 | ET WEB_SERVER /etc/passwd Detected in URI |
| Snort CentOS Platform | 1.61358.2 | SERVER-OTHER F5 iControl SOAP format string attempt |
| Snort CentOS Platform | 1.59735.2 | SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt |
| Snort CentOS Platform | 1.57336.3 | POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt |
| Snort CentOS Platform | 1.15990.10 | SERVER-WEBAPP Multiple Vendor server file disclosure attempt |
| Cisco FirePower | 1.54462.3 | SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt |
| Cisco FirePower | 1.15990.10 | SERVER-WEBAPP Multiple Vendor server file disclosure attempt |
| TrendMicro | 42081 | HTTP: F5 BIG-IP iControl rpm-spec-creator Creation Attempt |
| TrendMicro | 361 | HTTP: Protected File Access (/etc/passwd) |
| TrendMicro | 42452 | HTTP: F5 BIG-IP and BIG-IQ iControl iControlPortal.cgi Format String Vulnerability |
| TrendMicro | 12639 | HTTP: Apache HTTP Server X-Forwarded-For Denial-of-Service |
| TrendMicro | 4560 | HTTP: HTTP Request Smuggling |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] Dark Reading. Available: https://www.darkreading.com/cyberattacks-data-breaches/f5-big-ip-environment-breached-nation-state-actor
[2] myF5, K000156572. Available: https://my.f5.com/manage/s/article/K000156572. [Accessed: Oct. 16, 2025]