2025-10-17

Internet scanning services warn that hundreds of thousands of F5 systems are exposed online and may be vulnerable to compromise. F5 itself suffered a major breach in which attackers stole source code, details of undisclosed severe vulnerabilities, and other data.

F5 detected a long-term intrusion by a highly sophisticated nation-state threat actor and disclosed the data theft on October 15th, 2025. F5 is a leading maker of network and security appliances that power the modern internet, widely used by major cloud providers, internet service operators, and other critical organizations.

Two different network scanning services released advisories warning that over two hundred thousand exposed F5 systems are in the US alone, many of which are likely still unpatched.

Censys, a cybersecurity platform that continuously scans the internet for exposed, vulnerable assets, has detected 262,500 exposed F5 systems in the US. That’s 38.5% of the global total.

The next largest concentrations of exposed systems have been detected in Germany (47,600), France (46,700), Japan (29,100), and China (24,400), followed by thousands in the UK, Netherlands, Australia, Brazil, and other countries.

“Over 90% of the observed systems appear to be running BIG-IP Local Traffic Manager (LTM) or Access Policy Manager (APM). A smaller portion includes Application Security Manager (ASM), Advanced WAF, and the BIG-IP Configuration Utility,” Censys said.

Similarly, the Shadowserver Foundation, a nonprofit that helps network defenders by monitoring the internet for security threats and exposed systems, released a warning about 269,000 IP addresses with F5 exposures. Nearly half of these are in the US (132,700), followed by Japan, China, Germany, the UK, Australia, and other countries.

The reports do not indicate how many of these systems have been patched to the latest versions.

Hundreds of thousands of F5’s BIG-IP systems direct network traffic around the globe, and the threat actor behind the attack on the company has extensive knowledge of them.

“We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP,” F5 said in the security advisory.

“We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the advisory added.

F5 has released updates for its systems: BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. The updates patch severe vulnerabilities that are known to attackers.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive obliging federal agencies to address the flaws by October 22nd.

“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” Madhu Gottumukkala, CISA Acting Director, said previously.

“These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems. We emphatically urge all entities to implement the actions outlined in this Emergency Directive without delay.”

F5 stated that it currently has no knowledge of other undisclosed critical or remote code vulnerabilities. The firm assures it has taken “extensive actions to contain the threat actor,” and has not observed any new unauthorized activity since. NGINX, Distributed Cloud, and Silverline are not affected by the breach.

However, the major supply-chain breach poses a huge threat to unpatched systems. Censys warns that exposed source code and internal flow data can lead to potential future zero-day exploitation.

Censys also reminds users of best practices: inventory all F5 / BIG-IP assets (hardware, virtual, and cloud) and restrict management interfaces (TMUI, iControl REST, APM, API) from untrusted networks.
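The two best practices above are easiest to act on when they are turned into a repeatable check. The following Python script is an added example (not code from Censys, F5, or the original article): it audits a constructed BIG-IP inventory and flags any device whose management interfaces (TMUI and iControl REST via the httpd allow list, SSH via the sshd allow list, or the data-plane self IPs via port lockdown) admit traffic from outside an assumed trusted management space. The inventory records, the `BigIpAsset` structure, and the trusted networks are assumptions chosen for illustration; a real deployment would populate them from its own asset database or device configuration exports.

```python
"""Audit a BIG-IP asset inventory for management interfaces reachable from
untrusted networks.  Added example with a constructed inventory; the record
layout and the trusted-network list are assumptions, not F5 output."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: RFC 1918 space is the organisation's trusted management space.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services that must never be open on a data-plane self IP.
MGMT_SERVICES = {"tcp:443", "tcp:22", "tcp:8443"}


@dataclass
class BigIpAsset:
    hostname: str
    platform: str                 # "hardware", "virtual" or "cloud"
    mgmt_ip: str
    httpd_allow: List[str]        # sources allowed to reach TMUI / iControl REST
    sshd_allow: List[str]         # sources allowed to reach SSH
    # self IP -> port-lockdown entries: ["none"], ["default"] or explicit "tcp:port"
    self_ip_lockdown: Dict[str, List[str]] = field(default_factory=dict)


def is_untrusted_source(entry: str) -> bool:
    """True if an allow-list entry (network, host, or 'all') admits traffic
    from outside TRUSTED_NETS."""
    if entry.lower() in ("all", "any"):
        return True
    net = ipaddress.ip_network(entry, strict=False)   # bare host -> /32
    return not any(t.version == net.version and net.subnet_of(t)
                   for t in TRUSTED_NETS)


def audit_asset(asset: BigIpAsset) -> List[str]:
    """Return a list of exposure findings for one device (empty = clean)."""
    findings: List[str] = []
    if is_untrusted_source(asset.mgmt_ip):
        findings.append(f"management IP {asset.mgmt_ip} is outside trusted space")
    for name, allow in (("TMUI/iControl REST", asset.httpd_allow),
                        ("SSH", asset.sshd_allow)):
        for entry in allow:
            if is_untrusted_source(entry):
                findings.append(f"{name} reachable from untrusted source '{entry}'")
    for self_ip, lockdown in asset.self_ip_lockdown.items():
        if "default" in lockdown:
            findings.append(f"self IP {self_ip} uses 'default' port lockdown")
        elif MGMT_SERVICES & set(lockdown):
            findings.append(f"self IP {self_ip} exposes management services "
                            f"{sorted(MGMT_SERVICES & set(lockdown))}")
    return findings


def audit(assets: List[BigIpAsset]) -> Dict[str, List[str]]:
    """Map every hostname in the inventory to its findings."""
    return {a.hostname: audit_asset(a) for a in assets}


def exposed_hosts(assets: List[BigIpAsset]) -> List[str]:
    """Hostnames that need attention, sorted for a ticket or report."""
    return sorted(h for h, f in audit(assets).items() if f)


# Constructed inventory (documentation-range addresses, not real devices).
SAMPLE_INVENTORY = [
    BigIpAsset("ltm-dc1-01", "hardware", "10.20.0.11",
               ["10.0.0.0/8"], ["10.20.0.0/24"], {"10.20.1.11": ["none"]}),
    BigIpAsset("apm-dc2-01", "virtual", "192.168.50.5",
               ["all"], ["192.168.50.0/24"], {"192.168.51.5": ["default"]}),
    BigIpAsset("ltm-cloud-01", "cloud", "203.0.113.17",
               ["203.0.113.0/24"], ["all"], {"198.51.100.4": ["tcp:443"]}),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "EXPOSED"
        print(f"{host}: {status}")
        for item in findings:
            print(f"  - {item}")
```

Run as-is, the script reports the hardware unit as clean, the virtual APM as exposed on TMUI and its self IP, and the cloud instance as exposed on all four checks. The `"all"` entries and the `default` port-lockdown setting are the cases that most often leave TMUI or iControl REST reachable from the internet, which is exactly what the scanners above are counting.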

