"Imminent" nation-state threat to F5 devices, CISA urges deployment of critical updates


The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal agencies on Wednesday to immediately update F5 software and devices after nation-state threat actors were found infiltrating the application security company.

The CISA directive comes as F5 disclosed the security incident to customers, directly and on its website, as well as in a breach notification filing with the US Securities and Exchange Commission (SEC), also on Wednesday.

Calling it an imminent risk to federal agencies, the cybersecurity watchdog said the threat actors could exploit vulnerabilities in certain F5 products and gain “unauthorized access to embedded credentials and Application Programming Interface (API) keys.”

This could allow hackers to move laterally within a network, gain access to sensitive data, and also establish persistent access, potentially leading to a full-blown compromise of the targeted system, the agency said.

What's more, new information on Thursday revealed the hackers, believed to be China-linked, may have been inside F5 networks for at least a year, according to a report by Bloomberg.

“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” said CISA Acting Director Madhu Gottumukkala.

In the directive, CISA urges all entities, not only federal agencies, to implement the actions it outlines without delay. The UK Cyber Security Centre released its own guidance on the F5 breach.

F5 has released critical updates for all at-risk F5 virtual and physical devices and downloaded software, including the following products:

  • BIG-IP
  • F5OS
  • BIG-IP Next for Kubernetes
  • BIG-IQ
  • APM clients

“These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems,” Gottumukkala said.

F5 says hackers maintained long-term access

In its security notice, F5 revealed that an unnamed "highly sophisticated" nation-state threat actor was found inside the company's networks in August and had "downloaded files from certain F5 systems."

The accessed systems were said to include F5’s BIG-IP product development environment and engineering knowledge management platforms, which also contain BIG-IP source code and details on undisclosed vulnerabilities in the application delivery controller that the company had not yet patched.


F5 reportedly told some affected customers that the Beijing-backed intruders had been in F5's systems for at least 12 months, maybe more, said Bloomberg, while security researchers at Mandiant told the media outlet the attackers were most likely connected to a known malware family called BRICKSTORM.

The stealthy espionage group, identified as UNC5221, has been tracked by Mandiant since 2023, targeting "a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and other technology organizations."

Still, "While UNC5221 has been used synonymously with the actor publicly reported as Silk Typhoon," the Google Threat Intelligence Group (GTIG) said it does not believe "the two clusters are the same."

F5 stressed that since the discovery it has not seen any undisclosed critical or remote code execution vulnerabilities, nor any active exploitation of undisclosed F5 vulnerabilities.

[Figure: BRICKSTORM espionage malware campaign target sectors. Image by Google Mandiant.]

Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite, says the compromise of F5, a critical infrastructure technology provider, is “a big one.”

“Given that F5 products are deeply embedded in corporate and government networks worldwide, the downstream risk is immense,” Dikbiyik explained. Besides government agencies, many Fortune 500 companies are known to use F5 application services.

“Successful exploitation could lead to lateral movement, data exfiltration, and persistent access within victim networks. We are likely just seeing the beginning of this incident's impact,” he said.

Dikbiyik also reminds IT teams “this isn't just about your own F5 instances.”

Companies must urgently assess their third-party supply chain for exposure to these vulnerabilities, the threat intelligence expert points out. “Everyone, and I mean everyone, who might be even remotely exposed to this risk needs to take immediate action," Dikbiyik said.


F5 provides guidance

F5 says there is no evidence the hackers accessed or exfiltrated any data from its customer relationship management (CRM) platforms, or from its financial, support case management, or iHealth systems.

However, the company did say some files from its knowledge management platform containing “configuration or implementation information for a small percentage of customers” have been stolen by the threat actor, and any affected companies will be notified directly as necessary.

Additionally, independent reviews found no evidence of modification to the F5 software supply chain, “including our source code and our build and release pipelines.” Also said to be untouched were F5’s NGINX source code and product development environment, the F5 Distributed Cloud Services, and the Silverline systems.

The Silicon Valley-based tech company said it has enlisted the help of CrowdStrike, Mandiant, and other outside security experts to help “strengthen the security posture of our enterprise and product environments” and ensure customer protection.

In addition to updating devices and software, F5 provided further tools to help organizations harden their systems, including a threat hunting guide geared towards BRICKSTORM malware, automated hardening checks in the F5 iHealth Diagnostic Tool, and step-by-step instructions for SIEM integration and monitoring.

F5 says that since becoming aware of the breach, it has not seen any new unauthorized activity.

A spokesperson for the Chinese Embassy in Washington said in a statement they were not familiar with the situation, but that "China consistently opposes and combats hacking activities in accordance with the law, and we are even more opposed to the dissemination of false information for political purposes."