
F5 BIG-IP Breach: Nation-State Hackers Expose Source Code and Undisclosed Flaws

Red | Attack Report

F5 Networks Breach: Nation-State Attack on Product Development Systems

Summary

In August 2025, F5 Networks discovered that a sophisticated nation-state actor had compromised its internal engineering and product development infrastructure, with the BIG-IP, BIG-IQ, and F5OS product lines in scope.
The attacker exfiltrated portions of BIG-IP source code together with internal bug-tracking data describing vulnerabilities that F5 had not yet disclosed or fixed. Knowledge of unpatched flaws and of the code paths behind them lowers the cost of building targeted exploits against the enterprise and government networks that front their applications with these appliances.
F5 stated that it was not aware of any of the undisclosed vulnerabilities being exploited in the wild at the time of discovery, but the stolen material materially raises the exposure of every organization running F5 technology. Public reporting links the operation, with low confidence, to the China-nexus espionage group UNC5221, which is associated with the BRICKSTORM malware family.

Timeline Highlights:

  • August 2025: F5 discovers the intrusion; the investigation later establishes that the actor held persistent access for up to 12 months.
  • September 12, 2025: F5 initiates containment and a formal investigation.
  • October 15, 2025: F5 publicly discloses the breach and releases its October 2025 security update fixing 44 vulnerabilities; CISA issues Emergency Directive 26-01 the same day.
  • October 22 and October 31, 2025: CISA ED 26-01 remediation deadlines for F5 devices (see Recommendations).

Attack Details

According to F5, the intrusion was confined to its product development environment and engineering knowledge management platform; F5 reported no evidence that its CRM, financial, support-case management, or iHealth systems were accessed.
Compromised assets included the engineering knowledge management systems, BIG-IP source repositories, and files from the knowledge management platform that contained configuration or implementation details for a small percentage of customers. Those customers are being notified directly by F5.

F5 engaged IOActive and NCC Group to support the investigation and containment and to independently review the affected source code and build pipeline.
Following containment, F5 shipped fixes for 44 vulnerabilities across BIG-IP, BIG-IQ, and F5OS in its October 15, 2025 security update, including:

  • CVE-2025-53868 – Appliance-mode bypass
  • CVE-2025-58424 – TMM-level connection manipulation
  • CVE-2025-59483 – Arbitrary file upload
  • CVE-2025-61960 – APM portal denial-of-service

These flaws span privilege escalation, input-validation failures, and denial-of-service conditions; most are reachable through the management plane or through traffic handled by the Traffic Management Microkernel (TMM), which is why exposed management interfaces are the first thing to check.
The U.S. CISA issued Emergency Directive 26-01, requiring federal civilian agencies to inventory their F5 devices, determine whether any management interface is reachable from the public Internet, and apply the updates by the directive's deadlines, reflecting how seriously CISA treats a compromise of a vendor's development environment.

This attack underscores the growing threat of vendor infrastructure compromises, particularly against security and networking vendors: stolen source code and bug-tracker data do not expire when the vendor contains the intrusion, and the downstream impact lands on every enterprise and government environment that runs the affected products.


Recommendations

  1. Immediate Patching: Apply the October 15, 2025 security updates to all BIG-IP (including the APM module), BIG-IQ, and F5OS deployments to remediate the 44 vulnerabilities fixed in that release.
  2. Access Hardening: Restrict the management interface (Configuration utility and SSH) to trusted administrative networks, never expose it to the Internet, disable management interfaces that are not needed, and enforce MFA on all administrative accounts.
  3. Enhanced Threat Monitoring: Deploy EDR and network monitoring around F5 devices to detect data exfiltration and abnormal administrative logins, for example successful logins to the management plane from addresses outside the administrative allow-list.
  4. Decommission Legacy Devices: Remove or isolate unsupported F5 hardware and end-of-life software branches that will receive no fixed release, since these remain permanently exposed to the stolen vulnerability data.
  5. Compliance: Federal agencies must meet the CISA ED 26-01 deadlines of October 22, 2025 (Tier 1) and October 31, 2025 (Tier 2); other organizations should treat those dates as the benchmark for their own remediation.
  6. Supply Chain Review: Conduct third-party audits of development pipelines, source repositories, and build systems to strengthen software supply chain security.
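The patch-status triage that recommendations 1, 4, and 5 call for, as an added example; this is not HivePro's or F5's code. The advisory does not list fixed version numbers, so the FIXED_VERSIONS table below is a constructed placeholder that must be populated from F5's October 2025 security notification before use, and the inventory is constructed sample data. Version strings are expected in the form reported by the BIG-IP `tmsh show sys version` command. Devices that are unpatched and whose management interface is reachable from the Internet sort first, and release branches with no fixed version are flagged for isolation or decommissioning.

```python
"""Triage an F5 device inventory against post-breach fixed versions.

Added example, not F5's or HivePro's code. FIXED_VERSIONS and the sample
inventory are constructed placeholders; replace the version strings with
the fixed versions from F5's October 2025 security notification.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Placeholder: product -> {release branch: minimum fixed version}.
# The numbers below are illustrative assumptions, NOT F5's published values.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "BIG-IP": {"17.1": "17.1.2.2", "16.1": "16.1.6.1"},
    "BIG-IQ": {"8.3": "8.3.0.1"},
    "F5OS":   {"1.8": "1.8.3"},
}


@dataclass
class Device:
    hostname: str
    product: str                 # "BIG-IP", "BIG-IQ" or "F5OS"
    version: str                 # e.g. the Version field of `tmsh show sys version`
    mgmt_internet_exposed: bool  # management GUI/SSH reachable from the Internet


def parse_version(version: str) -> Tuple[int, ...]:
    """'17.1.1.3' -> (17, 1, 1, 3). Int tuples compare correctly even when
    the two versions have a different number of components."""
    return tuple(int(part) for part in version.strip().split("."))


def branch_of(version: str) -> str:
    """Release branch is the first two components: '17.1.1.3' -> '17.1'."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def patch_status(dev: Device, fixed: Dict[str, Dict[str, str]] = FIXED_VERSIONS) -> str:
    """Return 'patched', 'unpatched' or 'no-fix-on-branch'.

    A branch absent from the table has no fixed release (end-of-life or
    unsupported), which maps to recommendation 4: isolate or decommission.
    """
    minimum = fixed.get(dev.product, {}).get(branch_of(dev.version))
    if minimum is None:
        return "no-fix-on-branch"
    return "patched" if parse_version(dev.version) >= parse_version(minimum) else "unpatched"


def triage(inventory: List[Device], fixed=FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (hostname, status, action) rows, most urgent first.

    Ranking: unpatched with Internet-exposed management (0), no-fix branch
    with exposed management (1), any other unremediated device (2), patched (3).
    """
    rows = []
    for dev in inventory:
        status = patch_status(dev, fixed)
        exposed = dev.mgmt_internet_exposed
        if status == "patched":
            rank, action = 3, "ok"
        elif status == "no-fix-on-branch":
            rank = 1 if exposed else 2
            action = "isolate or decommission: no fixed release on this branch"
        else:
            rank = 0 if exposed else 2
            action = "apply the October 15, 2025 security update"
        if exposed and status != "patched":
            action += "; remove the management interface from the Internet now"
        rows.append((rank, dev.hostname, status, action))
    rows.sort()
    return [(host, status, action) for _, host, status, action in rows]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("lb-edge-01",   "BIG-IP", "17.1.1.3", mgmt_internet_exposed=True),
    Device("lb-core-02",   "BIG-IP", "17.1.2.2", mgmt_internet_exposed=False),
    Device("lb-legacy-03", "BIG-IP", "13.1.5",   mgmt_internet_exposed=False),
    Device("iq-mgmt-01",   "BIG-IQ", "8.3.0",    mgmt_internet_exposed=True),
    Device("f5os-app-01",  "F5OS",   "1.8.3",    mgmt_internet_exposed=False),
]

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:<14} {status:<18} {action}")
```

Versions are compared as integer tuples rather than strings so that 17.1.2.2 sorts above 17.1.1.3 and a three-component version such as 8.3.0 is correctly treated as older than 8.3.0.1. The exposure flag should come from an external check of the management address, not from the device's own configuration.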

MITRE ATT&CK TTPs

Tactic                                                          Technique ID          Technique Description
Initial Access                                                  T1190                 Exploit Public-Facing Application
Initial Access / Persistence / Privilege Escalation / Defense Evasion   T1078, T1078.003      Valid Accounts; Local Accounts
Privilege Escalation / Defense Evasion                          T1548, T1548.002      Abuse Elevation Control Mechanism; Bypass User Account Control
Privilege Escalation                                            T1068                 Exploitation for Privilege Escalation
Defense Evasion                                                 T1070                 Indicator Removal
Credential Access                                               T1003, T1212          OS Credential Dumping; Exploitation for Credential Access
Discovery                                                       T1083                 File and Directory Discovery
Collection                                                      T1005                 Data from Local System
Exfiltration                                                    T1041                 Exfiltration Over C2 Channel
Impact                                                          T1498, T1499          Network Denial of Service; Endpoint Denial of Service
