F5 Issues Critical Patches for Stolen BIG-IP Vulnerabilities

Summary
– F5 disclosed that state hackers breached its systems on August 9, 2025, stealing source code and information on undisclosed BIG-IP security vulnerabilities.
– The company has released security updates addressing 44 vulnerabilities, including those stolen, and strongly advises customers to update their systems immediately.
– F5 confirmed there is no evidence of the stolen vulnerabilities being exploited or disclosed, and no modification to its software supply chain has been detected.
– CISA issued an emergency directive requiring federal agencies to apply F5 patches by specific deadlines and decommission unsupported public-facing F5 devices.
– Exploiting BIG-IP vulnerabilities can allow attackers to steal credentials, move laterally in networks, and establish persistence, making them high-value targets for threat groups.
F5 Networks has rolled out critical security patches for its BIG-IP product line following a confirmed breach in which attackers obtained proprietary source code and details about previously unknown vulnerabilities. The intrusion, discovered on August 9, 2025, involved state-sponsored hackers accessing F5 systems, though the company states there is no indication these flaws have been exploited or publicly disclosed. In response, F5 has issued updates addressing a total of 44 vulnerabilities, including those compromised during the incident, and is urging all customers to install the fixes immediately.
According to F5, the latest security updates mitigate risks stemming from the breach. Available patches cover BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. While F5 emphasized it has not identified any undisclosed critical or remote code execution vulnerabilities, the firm strongly recommends applying updates without delay. The company also confirmed that its software supply chain, including source code and build pipelines, remains unaltered, and no active exploitation of the stolen vulnerability information has been observed.
To bolster defenses, F5 has published guidance for securing F5 environments. Administrators are advised to enable BIG-IP event streaming to their SIEM systems, set up remote syslog servers, and actively monitor for login attempts, failed authentications, and configuration or privilege changes. These measures enhance visibility and alerting capabilities, helping organizations detect potential threats early.
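The monitoring guidance above (failed authentications, logins, and privilege or configuration changes forwarded to a remote syslog server or SIEM) as an added example that is not from F5 or the article: a small Python detector run over constructed syslog lines. The message bodies, the `detect` threshold and the window are assumptions, not F5's documented log format or any vendor-recommended values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic RFC 3164 syslog shape (assumption:
# these are NOT F5's documented log formats, only plausible stand-ins).
SAMPLE_LOGS = """\
Oct 15 10:00:01 bigip1 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Oct 15 10:00:04 bigip1 sshd[2101]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Oct 15 10:00:09 bigip1 sshd[2101]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Oct 15 10:00:12 bigip1 sshd[2101]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Oct 15 10:01:30 bigip1 tmsh[2222]: AUDIT user=admin@(bigip1) cmd="modify auth user svc role admin"
Oct 15 10:02:00 bigip1 sshd[2300]: Accepted publickey for ops from 198.51.100.5 port 40010 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
# Hypothetical audit-message pattern for privilege/config changes.
CHANGE_RE = re.compile(r"\b(modify|create|delete)\b.*\b(auth user|role|partition)\b")

def parse(line, year=2025):
    """Split one syslog line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}

def detect(text, threshold=3, window=timedelta(minutes=5)):
    """Return alerts as tuples: repeated auth failures per (user, source),
    a success following such failures, and privilege or config changes."""
    alerts, failures = [], defaultdict(list)
    for raw in text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        if m := FAIL_RE.search(ev["msg"]):
            key = (m["user"], m["src"])
            # Keep only failures inside the sliding window, then add this one.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[key]) == threshold:
                alerts.append(("auth_bruteforce", key[0], key[1]))
        elif m := OK_RE.search(ev["msg"]):
            key = (m["user"], m["src"])
            if len(failures.get(key, [])) >= threshold:
                alerts.append(("success_after_failures", key[0], key[1]))
        elif CHANGE_RE.search(ev["msg"]):
            alerts.append(("privilege_or_config_change", ev["proc"], ev["msg"]))
    return alerts
```

On the constructed sample this yields three alerts in order: the third failed login from 203.0.113.7, the successful login that follows it, and the tmsh role change.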
In a related development, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 26-01, mandating that all Federal Civilian Executive Branch agencies secure affected F5 products, including F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF, by October 22. A slightly extended deadline of October 31 applies to other F5 hardware and software appliances on agency networks. CISA also instructed federal entities to disconnect and decommission any public-facing F5 devices that are no longer supported.
Exploiting BIG-IP vulnerabilities can provide attackers with access to credentials and API keys, enable lateral movement across networks, facilitate data theft, and establish long-term persistence on compromised systems. These security flaws are highly sought after by both nation-state actors and cybercriminal groups, who have historically used them to map internal infrastructure, exfiltrate data undetected, deploy wipers, and gain unauthorized access to corporate networks.
As a Fortune 500 technology leader, F5 delivers cybersecurity, cloud management, and application delivery services to more than 23,000 customers globally, including 48 of the Fortune 50 companies. The prompt release of these patches underscores the serious nature of the incident and the importance of maintaining up-to-date security postures across all deployments.
(Source: Bleeping Computer)