Executive Summary
On October 15, 2025, F5, a U.S. technology company, disclosed a significant breach by a nation-state threat actor. The attackers exfiltrated portions of BIG-IP source code along with information about vulnerabilities that F5 had identified but not yet disclosed or fixed. Because BIG-IP is widely deployed in front of applications at large enterprises and government agencies, the exposure extends well beyond F5 itself. Cortex Xpanse has identified over 600,000 BIG-IP instances exposed on the internet.
F5's investigation found that the attackers maintained long-term, persistent access to its BIG-IP product development environment and engineering knowledge management platforms. Alongside the disclosure, F5 published its quarterly security notification covering a number of vulnerabilities, including:
- CVE-2025-53868: a BIG-IP SCP and SFTP vulnerability, CVSS 8.7.
- CVE-2025-61955 and CVE-2025-57780: F5OS vulnerabilities, each scoring up to CVSS 8.8.
Important Findings:
- The stolen files included BIG-IP source code and details of undisclosed vulnerabilities F5 was tracking. F5 has stated that none of these were critical or remote code execution vulnerabilities and that it is not aware of any active exploitation of them. Even so, source code combined with knowledge of unfixed bugs shortens the time an attacker needs to develop working exploits, which is why the disclosure warrants urgent patching.
- F5 found no evidence that the attackers accessed its CRM, financial, support case management, or iHealth systems. However, some of the files exfiltrated from its knowledge management platform contained configuration or implementation details for a small percentage of customers; F5 is notifying those customers directly.
- F5 reports no evidence that the attackers modified its source code, build pipeline, or release pipeline, and no evidence of access to its NGINX, F5 Distributed Cloud Services, or Silverline environments. F5 engaged NCC Group and IOActive to independently review the source code and build pipeline in support of these findings.
Recommendations:
F5 and Palo Alto Networks advise following their security notices and updating BIG-IP, F5OS, and related F5 products to the fixed versions listed in F5's October 2025 quarterly security notification as soon as possible. F5 has published threat hunting guidance, and both vendors have provided monitoring and hunting tooling. Because the stolen material concerns BIG-IP internals, also verify that management interfaces (TMUI, SSH, iControl REST) are not reachable from the internet and are restricted to a dedicated management network, as F5 has long recommended.
Conclusion
The breach demands immediate action from organizations running BIG-IP: the attackers hold source code and knowledge of vulnerabilities that were unpatched at the time of the theft, which could accelerate the development of exploits for them. Organizations should apply F5's fixes, follow its threat hunting guidance, and limit management-plane exposure to reduce the attack surface available to follow-on attacks.