Emergency Security Bulletin: F5 Networks Source Code and Vulnerability Data Breach


By: RedLegg's Cyber Threat Intelligence Team

About:

The F5 Networks incident involves unauthorized access to internal development systems, resulting in the theft of source code and vulnerability data, potentially enabling faster exploit development against F5 BIG-IP, BIG-IQ, and F5OS devices.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.


VULNERABILITIES

F5 Networks Source Code and Vulnerability Data Breach

The threat actor reportedly gained access to F5’s internal development and engineering environments and exfiltrated portions of product source code, knowledge base materials, and vulnerability data. The exposure of this data could accelerate exploit development for previously unknown vulnerabilities affecting F5 products. Cybersecurity agencies have observed increased scanning activity targeting F5 BIG-IP and BIG-IQ devices since the disclosure.

Update:

F5 disclosed the incident publicly on October 15, 2025, after detecting unauthorized access dating back to early August 2025.
F5 has published an official advisory under article K000156572, "F5 Quarterly Security Notification (October 2025)", detailing the fixed versions and patches addressing vulnerabilities across its product lines. This advisory can be found at: https://my.f5.com/manage/s/article/K000156572
The company also released an earlier incident overview under article K000154696:


Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED-26-01, requiring federal agencies to patch or isolate all affected F5 devices.

Description:

A sophisticated threat actor compromised F5 Networks' internal systems and exfiltrated sensitive data including proprietary source code and internal vulnerability documentation. The breach affected development environments linked to products such as BIG-IP, BIG-IQ, and F5OS. These products are widely deployed for load balancing, application delivery, and security enforcement across enterprise and government networks.

Mitigation Recommendation:

  • Inventory all F5 assets, including BIG-IP, BIG-IQ, F5OS, and Advanced WAF systems. Identify firmware and software versions, and note any devices accessible from the internet.

  • Apply the latest patches and updates listed in the F5 advisory K000156572: https://my.f5.com/manage/s/article/K000156572

  • Ensure management interfaces for all F5 devices are not exposed publicly. Restrict administrative access to internal or segmented management networks only.

  • Rotate credentials, API keys, and SSL/TLS certificates associated with F5 devices and management platforms, in case any sensitive data was compromised.

  • Enable detailed logging and forward system logs to a central SIEM. Monitor for unusual login attempts, configuration changes, or unauthorized traffic from F5 devices.

  • Implement compensating controls if patching cannot be completed immediately. These include disabling unused services, applying access controls, and using web application firewall (WAF) rules to detect and block exploit attempts.
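A small triage helper for two of the items above (management-interface exposure and monitoring for unusual login attempts), added here as an example rather than RedLegg's or F5's own code. The device inventory, the approved management networks and the log lines are constructed, and the syslog format is an assumption to be matched against the logs a real device actually emits:

```python
# Added example: triage helpers for the F5 mitigation checklist.
# Inventory fields, management networks and log lines are constructed.
import ipaddress
import re
from collections import Counter

# Constructed inventory: one record per F5 device (field names assumed).
INVENTORY = [
    {"host": "bigip-edge-01", "product": "BIG-IP", "mgmt_ip": "203.0.113.10"},
    {"host": "bigip-core-02", "product": "BIG-IP", "mgmt_ip": "10.20.0.12"},
    {"host": "bigiq-mgr-01", "product": "BIG-IQ", "mgmt_ip": "192.168.5.4"},
    {"host": "f5os-chassis-1", "product": "F5OS", "mgmt_ip": "198.51.100.7"},
]

# Constructed list of the organisation's segmented management networks.
MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.5.0/24")]

def unsegmented_management_interfaces(inventory, mgmt_networks=MGMT_NETWORKS):
    """Return hosts whose management IP lies outside the approved management
    networks; these are the candidates to review for public exposure."""
    flagged = []
    for dev in inventory:
        addr = ipaddress.ip_address(dev["mgmt_ip"])
        if not any(addr in net for net in mgmt_networks):
            flagged.append(dev["host"])
    return flagged

# Constructed syslog-style lines; the real format on a device may differ.
LOG_LINES = [
    "Oct 16 02:11:01 bigip-edge-01 sshd[1201]: Failed password for admin from 198.51.100.23",
    "Oct 16 02:11:03 bigip-edge-01 sshd[1201]: Failed password for admin from 198.51.100.23",
    "Oct 16 02:11:05 bigip-edge-01 sshd[1201]: Failed password for root from 198.51.100.23",
    "Oct 16 02:11:09 bigip-edge-01 sshd[1201]: Accepted password for admin from 198.51.100.23",
    "Oct 16 03:40:00 bigip-core-02 sshd[880]: Accepted publickey for ops from 10.20.0.50",
]

FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")

def suspicious_logins(lines, threshold=3):
    """Flag source IPs with at least `threshold` failed logins followed by a
    successful login from the same IP (a pattern worth an analyst's review)."""
    failures = Counter()
    hits = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits
```

Point the two functions at your real asset export and forwarded SIEM logs; the thresholds and regexes are a starting point, not tuned detections.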