Vulnerability Management, Critical Infrastructure Security, Governance, Risk and Compliance, Patch/Configuration Management, Breach, Threat Intelligence, Government Regulations, Exposure management

CISA issues emergency directive after F5 discloses nation-state breach

(Adobe Stock)

F5 revealed Oct. 15 that its systems were breached by a nation-state threat actor, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive regarding certain F5 products.

The company said Wednesday that files from its BIG-IP product development environment and engineering knowledge management platforms were stolen in the breach, which was first discovered in August 2025. These files included BIG-IP source code and information about undisclosed vulnerabilities.

F5 released information about 45 vulnerabilities in a quarterly security notification following the breach, including 27 high-severity flaws, 16 medium-severity flaws, one low-severity bug and one “security exposure” not assigned a CVE. The Wednesday security notification provided details such as affected and fixed product versions.

CISA’s emergency directive warned that the nation-state threat actors, who maintained long-term, persistent access to F5’s systems, could use the stolen information to develop exploits for the known vulnerabilities, as well as attempt to discover new zero-day vulnerabilities in BIG-IP products.

Under the directive, federal civilian executive branch (FCEB) agencies are required to inventory all F5 BIG-IP products, identify and secure all networked management interfaces that are publicly accessible via the internet and apply all product fixes provided by F5 by Oct. 22, 2025.

The directive specifies that the patching requirement applies to products from the BIG-IP F5OS, BIG-IP TMOS, BIG-IQ and BIG-IP Next for Kubernetes/Cloud-Native Network Functions (BNK/CNF) series, while other F5 products not included in this list should be updated to the latest release by Oct. 31, 2025. Any subsequent updates from F5’s download portal should be applied within one week of their release, CISA added.

Public-facing F5 devices that have reached end of support are ordered to be disconnected and decommissioned if possible; agencies that cannot immediately remove these devices are required to report their reasons to CISA as well as provide plans for eventual decommissioning.

A summary of BIG-IP F5OS, BIG-IP TMOS, Virtual Edition (VE), BIG-IP Next, BIG-IQ, BIG-IP BNK/CNF, BIG-IP iSeries, rSeries and any end-of-support F5 devices on agency networks is due in a report to CISA by Oct. 29, 2025 and a detailed inventory of all instances of such products is due on Dec. 3, 2025.

F5 said it has no evidence that data from its customer relations management (CRM), financial, support case management or iHealth systems was accessed by the attackers, nor did it find evidence of modification to its software supply chain. It also said it has no knowledge of undisclosed critical or remote code vulnerabilities being affected and that it is not aware of any exploitation of undisclosed vulnerabilities stemming from the attack.

However, the company noted that some files stolen from its knowledge management platform contained configuration and implementation information related to a small percentage of its customers, and that it plans to reach out to affected customers as appropriate after reviewing these files.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds