F5 Devices Targeted by Nation-State Actors; CISA Issues Emergency Directive
Summary
A nation-state threat actor is exploiting vulnerabilities in F5 devices and software to gain unauthorized access to federal networks. The actor can exfiltrate sensitive data and establish persistent access. CISA has issued Emergency Directive 26-01 to mitigate the risk, requiring immediate updates to F5 products. The directive affects all Federal Civilian Executive Branch (FCEB) agencies. The directive follows F5's disclosure of a breach in their development environment, where the actor had long-term access and exfiltrated files. The vulnerability poses a significant risk to any organization using F5 technology.
Timeline
- 15.10.2025 15:00
  CISA Issues Emergency Directive 26-01 for F5 Device Vulnerabilities
  CISA has issued Emergency Directive 26-01 in response to a nation-state threat actor exploiting vulnerabilities in F5 devices and software. The directive requires all FCEB agencies to apply the latest vendor-provided updates to F5 products by October 22, 2025. The directive follows F5's disclosure of a breach in their development environment, where the actor had long-term access and exfiltrated files.
  Source: CISA Issues Emergency Directive to Address Critical Vulnerabilities in F5 Devices — www.cisa.gov — 15.10.2025 15:00
Information Snippets
- The nation-state threat actor can exploit F5 vulnerabilities to gain unauthorized access to embedded credentials and API keys.
  First reported: 15.10.2025 15:00 (1 source, 1 article)
  Source: CISA Issues Emergency Directive to Address Critical Vulnerabilities in F5 Devices — www.cisa.gov — 15.10.2025 15:00
- The actor can move laterally within an organization’s network, exfiltrate sensitive data, and establish persistent system access.
  First reported: 15.10.2025 15:00 (1 source, 1 article)
  Source: CISA Issues Emergency Directive to Address Critical Vulnerabilities in F5 Devices — www.cisa.gov — 15.10.2025 15:00
- CISA has issued Emergency Directive 26-01, requiring all FCEB agencies to apply the latest vendor-provided updates to F5 devices and software by October 22, 2025.
  First reported: 15.10.2025 15:00 (1 source, 1 article)
  Source: CISA Issues Emergency Directive to Address Critical Vulnerabilities in F5 Devices — www.cisa.gov — 15.10.2025 15:00
- The directive follows F5's disclosure of a breach in their development environment, where the actor had long-term access and exfiltrated files.
  First reported: 15.10.2025 15:00 (1 source, 1 article)
  Source: CISA Issues Emergency Directive to Address Critical Vulnerabilities in F5 Devices — www.cisa.gov — 15.10.2025 15:00
Similar Happenings
F5 BIG-IP Source Code and Vulnerability Information Stolen in Cyberattack
F5 has released security updates to address 44 vulnerabilities, including those stolen in a breach detected on August 9, 2025. The company has not found evidence that the stolen information has been used in actual attacks or disclosed publicly. The breach was attributed to a highly sophisticated nation-state threat actor, and F5 has taken extensive actions to contain the threat. F5's BIG-IP is a critical product used in application delivery networking and traffic management by many large enterprises. The company has 23,000 customers in 170 countries, including 48 of the Fortune 50 entities.

The breach did not compromise F5's software supply chain or result in suspicious code modifications. The company has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms and has advised users to apply the latest updates for BIG-IP and related products. The breach involved a nation-state threat actor gaining persistent, long-term access to F5's product development environment and engineering knowledge management platforms. F5 disclosed the breach on October 15, 2025, confirming that the attack was detected in August 2025. The threat actor exfiltrated files containing BIG-IP source code and information regarding undisclosed vulnerabilities. F5 has not found evidence of access to or exfiltration of data tied to its CRM, financial, support case management, or iHealth systems, nor the NGINX source code or product development environment. F5 has identified no evidence of modification to its software supply chain, including source code, build pipeline, and release pipeline. F5 has worked with multiple incident response firms and law enforcement to mitigate the event and believes it has contained the threat.

F5 has rotated credentials, strengthened access controls, deployed improved inventory and patch management automation, integrated better monitoring and detection tools, and implemented enhancements to network security infrastructure. F5 advises customers to apply the latest BIG-IP updates and has shared guidance for hardening customers' systems.

On October 15, 2025, CISA directed federal civilian executive branch (FCEB) agencies to inventory F5 BIG-IP products and apply updates where necessary. The US government has urged federal agencies to take immediate action after F5 revealed it had been breached by a nation-state actor. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive demanding that federal agencies evaluate if the networked management interfaces are accessible from the public internet and apply updates from F5. CISA warned that the threat actor's access to the F5 development environment could enable it to conduct static and dynamic analysis to discover logical flaws, zero-day vulnerabilities, and targeted exploits. The Justice Department ordered a delay in public disclosure of the breach on September 12, 2025.

F5 has improved internal security including access controls, inventory and patch management, network security, and monitoring of all software development platforms. Tom Kellermann, VP of cyber risk at Hitrust, argued that the F5 breach is likely to be the first stage in a supply chain campaign. Ilia Kolochenko, CEO of ImmuniWeb, agreed that the stolen IP could be used to craft zero-day exploits for subsequent APT campaigns.