F5 Breach Exposes BIG-IP Source Code — Nation-State Hackers Behind Massive Intrusion

U.S. cybersecurity firm F5 on Wednesday disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product.

It attributed the activity to a "highly sophisticated nation-state threat actor," adding that the adversary maintained long-term, persistent access to its network. The company said it learned of the breach on August 9, 2025, per a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC). F5 said it delayed the public disclosure at the request of the U.S. Department of Justice (DoJ).

"We have taken extensive actions to contain the threat actor," it noted. "Since beginning these actions, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful."

F5 did not say for how long the threat actors had access to its BIG-IP product development environment, but emphasized that it has not observed any indication that the vulnerabilities have been exploited in a malicious context. It also said that the attackers did not access its CRM, financial, support case management, or iHealth systems.

That said, the company acknowledged that some of the exfiltrated files from its knowledge management platform contained configuration or implementation information for a small percentage of customers. Impacted customers are expected to be directly notified following a review of the files.

Following the discovery of the incident, F5 has engaged the services of Google Mandiant and CrowdStrike, as well as rotated credentials and signing certificates and keys, strengthened access controls, deployed tooling to better monitor threats, bolstered its product development environment with additional security controls, and implemented improvements to its network security architecture.

Users are advised to apply the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients as soon as possible for optimal protection.

CISA Issues Emergency Directive

In response to F5's disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (ED 26-01) that requires Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, check whether the networked management interfaces are accessible from the public internet, and apply the newly released updates from F5 by October 22, 2025.

"A nation-state affiliated cyber threat actor has compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information, which provides the actor with a technical advantage to exploit F5 devices and software," the agency said. "This poses an imminent threat to federal networks using F5 devices and software."

"The threat actor's access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities, as well as the ability to develop targeted exploits."

CISA is also urging organizations to harden public-facing devices, disconnect those that have reached their end-of-life support date, and mitigate against a BIG-IP cookie leakage vulnerability. All agencies are further required to submit a complete inventory of F5 products and the actions taken to CISA no later than October 29, 2025, 11:59 p.m. EDT.
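The inventory and exposure review the directive asks agencies to perform, as an added example that is not part of the original article and is not F5's or CISA's tooling: it parses a constructed CSV inventory of F5 devices, flags any device whose management interface sits outside the organisation's known internal management networks (assumed here to be 10.0.0.0/8 and 192.168.0.0/16), flags devices past their end-of-life date, and assigns the action the directive calls for (disconnect, restrict management access and patch, or patch) against the October 22, 2025 deadline. Hostnames, addresses, versions and end-of-life dates in the sample are made up; the CSV columns are an assumption.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample inventory; hostnames, addresses, versions and dates are made up.
SAMPLE_INVENTORY_CSV = """hostname,product,version,mgmt_ip,eol_date
lb-edge-01,BIG-IP,17.1.1,203.0.113.10,
lb-core-02,BIG-IP,16.1.4,10.20.0.5,
lb-legacy-03,BIG-IP,13.1.5,198.51.100.7,2024-12-31
bigiq-01,BIG-IQ,8.3.0,192.168.5.20,
"""

# Assumed: the organisation's own management networks. A management address outside
# them is treated as potentially reachable from the public internet until verified.
INTERNAL_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Deadlines as reported for ED 26-01.
PATCH_DEADLINE = date(2025, 10, 22)
REPORT_DEADLINE = date(2025, 10, 29)

EOL_ISSUE = "end-of-life support date reached"
EXPOSURE_ISSUE = "management interface outside internal management networks"


def load_inventory(csv_text):
    """Parse the CSV inventory into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eol = row["eol_date"].strip()
        rows.append({
            "hostname": row["hostname"].strip(),
            "product": row["product"].strip(),
            "version": row["version"].strip(),
            "mgmt_ip": ipaddress.ip_address(row["mgmt_ip"].strip()),
            "eol_date": date.fromisoformat(eol) if eol else None,
        })
    return rows


def mgmt_is_internal(ip, internal_nets=INTERNAL_MGMT_NETS):
    """True when the management address lies inside a known internal management network."""
    return any(ip in net for net in internal_nets)


def assess(rows, today_iso, internal_nets=INTERNAL_MGMT_NETS):
    """Classify each device and decide the action the directive calls for.

    today_iso is the assessment date as an ISO string so the result is reproducible.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rows:
        issues = []
        if r["eol_date"] is not None and r["eol_date"] <= today:
            issues.append(EOL_ISSUE)
        if not mgmt_is_internal(r["mgmt_ip"], internal_nets):
            issues.append(EXPOSURE_ISSUE)

        # End-of-life devices are disconnected rather than patched; exposed management
        # interfaces are restricted first, then patched; everything else is patched.
        if EOL_ISSUE in issues:
            action = "disconnect"
        elif issues:
            action = "restrict management access, then patch"
        else:
            action = "patch"

        findings.append({
            "hostname": r["hostname"],
            "product": r["product"],
            "version": r["version"],
            "issues": issues,
            "action": action,
            "days_to_patch_deadline": (PATCH_DEADLINE - today).days,
            "days_to_report_deadline": (REPORT_DEADLINE - today).days,
        })
    return findings


def render_report(findings):
    """Plain-text table suitable for the inventory-and-actions submission."""
    lines = [f"{'host':<14}{'product':<8}{'version':<8}action / issues"]
    for f in findings:
        detail = f["action"] + (": " + "; ".join(f["issues"]) if f["issues"] else "")
        lines.append(f"{f['hostname']:<14}{f['product']:<8}{f['version']:<8}{detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY_CSV)
    print(render_report(assess(inventory, date.today().isoformat())))
```

The allowlist test stands in for the "accessible from the public internet" check: it catches management interfaces that were never meant to be on an external address, but it does not replace confirming reachability from outside (a perimeter rule can expose an internal address, and an external scan result can be fed into the same `issues` list). The sample deliberately uses documentation addresses (203.0.113.0/24, 198.51.100.0/24) for the "external" devices, so do not rely on `ipaddress`'s `is_global` for them; the Python standard library treats those ranges as non-global.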

In a report published Thursday, Bloomberg revealed that the attackers had been inside the company's network for at least 12 months, and that the intrusion involved the use of a malware family dubbed BRICKSTORM, which is attributed to a China-nexus cyber espionage group tracked as UNC5221.

Last month, Mandiant and Google Threat Intelligence Group (GTIG) disclosed that companies in the legal services, software-as-a-service (SaaS) provider, Business Process Outsourcer (BPO), and technology sectors in the U.S. have been targeted by the suspected Chinese hacking group (and other related clusters) to deliver the BRICKSTORM backdoor.

When reached for comment, GTIG/Mandiant told The Hacker News that it does not have anything to share at this stage.

"Typically, if an attacker steals source code, it takes time to find exploitable issues," Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, said in a statement. "In this case, they also stole information on undisclosed vulnerabilities that F5 was actively working to patch."

"This provides the ability for threat actors to exploit vulnerabilities that have no public patch, potentially increasing the speed of exploit creation. The disclosure of 45 vulnerabilities this quarter vs. just 6 last quarter suggests F5 is moving as fast as they can to actively patch these stolen flaws before the threat actors can exploit them."

(The story was updated after publication with details of the emergency directive issued by CISA.)
