F5 breach — BIG-IP source code and vuln info stolen

F5 disclosed a breach in which a nation-state actor stole portions of BIG-IP source code and data about undisclosed vulnerabilities. F5 says access persisted long-term; disclosure was delayed at the DoJ’s request. Customer config data for a small subset may have been exposed; impacted customers will be notified. CISA issued an Emergency Directive (ED 26-01) requiring U.S. federal agencies to inventory affected products and apply updates by 22 Oct 2025. Bloomberg later linked the intrusion to UNC5221 using BRICKSTORM malware.

F5 confirms breach; BIG-IP source code taken.

Security vendor F5 says a sophisticated nation-state actor maintained long-term, persistent access to its network and exfiltrated files from its BIG-IP product-development environment and engineering knowledge-management platform, including portions of BIG-IP source code and information about undisclosed vulnerabilities it was still working on. The firm learned of the breach on 9 August 2025, held back public disclosure at the DoJ’s request, and has since brought in Mandiant and CrowdStrike, rotated credentials, keys and certificates, and bulked up monitoring. It has seen no further unauthorised activity since containment.

F5 adds that it is not aware of any undisclosed critical or remote-code-execution vulnerabilities in the stolen data, has no indication (so far) that the information has been exploited in the wild, and found no evidence that its source code or its build and release pipeline was tampered with (independent reviews by NCC Group and IOActive backed this up). CRM, financial, support-case and iHealth systems weren’t accessed. Some of the exfiltrated knowledge-management files did contain configuration or implementation details for a small percentage of customers; those customers will be contacted directly.

The U.S. CISA isn’t taking chances. Its Emergency Directive 26-01 orders federal civilian agencies to inventory all F5 BIG-IP and related products, check whether any management interface is reachable from the public internet and take it offline if so, and apply the latest F5 updates by 22 October 2025, then report back by 29 October. End-of-support devices are to be disconnected rather than patched. A Bloomberg follow-up links the activity to UNC5221 and the BRICKSTORM backdoor, a China-nexus espionage cluster. In short: expect a busy quarter of accelerated patch releases as F5 races to fix the stolen bugs before the adversary does.

What customers should do now
• Apply the October 2025 F5 updates to BIG-IP, F5OS, BIG-IP Next, BIG-IQ and the APM clients now; the directive’s 22 October deadline is a sensible target for everyone, not just federal agencies.
• Keep management interfaces off the public internet; restrict admin access to known management subnets by source IP; enforce MFA for administrative logins.
• Monitor for abnormal authentication (logins from unexpected sources, bursts of failures followed by a success), configuration changes (new accounts, bash shell access, certificate or key changes) and outbound traffic from the devices to unusual destinations.
• Inventory every F5 device, including the ones nobody remembers owning, and decommission end-of-life/end-of-support units rather than trying to patch them.
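The “monitor” and “restrict by IP” items above are the ones most teams have no tooling for, so here is an added example of a first-pass triage over BIG-IP logs. It is not F5’s code or anything from ED 26-01; the log lines are constructed to mimic the format of a BIG-IP’s /var/log/secure (sshd) and /var/log/audit (tmsh AUDIT records), the 10.20.30.0/24 admin subnet and the three-failure threshold are assumptions, and the list of “high-risk” command markers is a starting point to tune, not an official one. It flags logins from outside the admin allowlist, a burst of failed logins followed by a success, and successful tmsh commands that change the device, escalating those that create accounts, grant bash access or touch key material. Outbound-traffic monitoring needs flow or firewall data and is not covered.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on a BIG-IP's /var/log/secure (sshd) and
# /var/log/audit (tmsh "AUDIT" records). Hostnames, users, PIDs and IPs are
# made up; 10.20.30.0/24 plays the role of the operator's admin subnet.
SAMPLE_LOG = """\
Oct 16 09:12:01 bigip1 sshd[2211]: Accepted password for admin from 10.20.30.5 port 50122 ssh2
Oct 16 09:12:40 bigip1 notice tmsh[2290]: 01420002:5: AUDIT - pid=2290 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys version
Oct 16 11:03:17 bigip1 sshd[3102]: Failed password for admin from 198.51.100.23 port 41222 ssh2
Oct 16 11:03:19 bigip1 sshd[3102]: Failed password for admin from 198.51.100.23 port 41222 ssh2
Oct 16 11:03:24 bigip1 sshd[3102]: Failed password for admin from 198.51.100.23 port 41222 ssh2
Oct 16 11:03:31 bigip1 sshd[3102]: Accepted password for admin from 198.51.100.23 port 41222 ssh2
Oct 16 11:04:02 bigip1 notice tmsh[3150]: 01420002:5: AUDIT - pid=3150 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc-backup shell bash role admin partition-access all-partitions
Oct 16 11:04:40 bigip1 notice tmsh[3150]: 01420002:5: AUDIT - pid=3150 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys config
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)
AUDIT_RE = re.compile(r"AUDIT - pid=\d+ user=(\S+) .*?status=\[(.*?)\] cmd_data=(.*)$")

# tmsh verbs that alter the device; anything else (list, show, ...) is read-only.
CHANGE_VERBS = {"create", "modify", "delete", "save", "load", "install"}
# Sub-strings that turn an ordinary change into one worth paging on (assumed list):
# account changes, bash access, the admin role, key or certificate material.
HIGH_RISK = ("auth user", "shell bash", "role admin", "sys crypto")


def triage(log_text, admin_networks, fail_threshold=3):
    """Return a list of (kind, severity, subject, detail) findings."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    failures = Counter()  # failed SSH logins per source IP
    findings = []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, user, src = m.groups()
            allowed = any(ipaddress.ip_address(src) in n for n in nets)
            if outcome == "Failed":
                failures[src] += 1
                if failures[src] == fail_threshold:  # fire once per source
                    findings.append(("brute_force", "medium", src,
                                     f"{fail_threshold} failed logins as {user}"))
            else:
                if not allowed:
                    findings.append(("login_outside_allowlist", "high", src,
                                     f"successful login as {user}"))
                if failures[src] >= fail_threshold:
                    findings.append(("success_after_failures", "high", src,
                                     f"login as {user} after {failures[src]} failures"))
            continue
        m = AUDIT_RE.search(line)
        if m:
            user, status, cmd = m.groups()
            verb = cmd.split(" ", 1)[0]
            # Only commands that actually succeeded changed anything.
            if verb in CHANGE_VERBS and status == "Command OK":
                sev = "high" if any(k in cmd for k in HIGH_RISK) else "medium"
                findings.append(("config_change", sev, user, cmd))
    return findings


def summarize(findings):
    """Count findings by kind; handy for a dashboard or a quick sanity check."""
    return Counter(kind for kind, _, _, _ in findings)


if __name__ == "__main__":
    for kind, sev, subject, detail in triage(SAMPLE_LOG, ["10.20.30.0/24"]):
        print(f"[{sev:6}] {kind:24} {subject:16} {detail}")
```

Run it against a real /var/log/secure and /var/log/audit concatenated together (or ship both to your SIEM and port the two regexes), and treat anything tagged high as a page, not a ticket: a successful login from outside the allowlist right after a failure burst, followed by a new admin account with a bash shell, is exactly the sequence that should never look normal on a BIG-IP.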

When attackers get source code and bug notes, they get a cheat-sheet. Respond like they’ve already studied it.