Executive Summary
In late 2023, F5 Networks experienced a prolonged attack attributed to a nation-state threat actor who gained persistent access to internal systems, stealing segments of BIG-IP source code, undisclosed vulnerabilities, and customer configuration data. The company became aware of the intrusion on August 9, with public disclosure on October 15 following a rare emergency directive from federal authorities. F5 coordinated with security firms and mobilized rapid emergency software and hardware updates across thousands of customer deployments while investigating the breach’s full scope. The identified impact included widespread emergency patching and a limited set of customers affected by stolen configuration data, though F5 reported that most exfiltrated information was not sensitive.
This incident underscores ongoing targeting of technology and security vendors by advanced persistent threat actors. With the steady increase in supply chain attacks, the F5 breach highlights the need for stronger product code security, rapid response to vulnerability disclosure, and cross-industry collaboration against sophisticated intrusions.
Why This Matters Now
The F5 breach highlights both the increasing sophistication of nation-state targeting of security infrastructure and the urgency for organizations to rapidly remediate exposed vulnerabilities across distributed environments. As attackers shift to supply chain and platform-level exploitation, swift coordinated response and improved third-party code assurance are critical to prevent cascading risks.
Attack Path Analysis
The attackers initially gained access to F5's internal systems, likely exploiting vulnerabilities or misconfigurations. They escalated their privileges to access sensitive systems and configuration data. Once inside, lateral movement enabled access across multiple environments, including development and potentially adjacent customer data systems. Command and control was maintained over a prolonged period, enabling covert data staging and management of the intrusion. The adversary exfiltrated segments of BIG-IP source code, configuration data, and vulnerability details. The overall impact was mitigated through rapid patching, but some customer data exposure and disclosure of internal vulnerabilities occurred.
Kill Chain Progression
Initial Compromise
Description
Nation-state threat actors gained initial access to F5's internal environment, likely via exploitation of unpatched vulnerabilities or misconfiguration in externally exposed services.
Related CVEs
CVE-2025-20029
CVSS 8.7 – An authenticated attacker can execute arbitrary system commands via the iControl REST interface and tmsh components in F5 BIG-IP systems.
Affected Products: F5 Networks BIG-IP – 17.1.0 - 17.1.2, 16.1.0 - 16.1.5, 15.1.0 - 15.1.10
Exploit Status: proof of concept

CVE-2025-53868
CVSS 8.5 – A highly privileged authenticated attacker can bypass Appliance mode restrictions using undisclosed commands via SCP and SFTP in F5 BIG-IP systems.
Affected Products: F5 Networks BIG-IP – All versions
Exploit Status: no public exploit

CVE-2025-58071
CVSS 7.5 – Undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when IPsec is configured in F5 BIG-IP systems.
Affected Products: F5 Networks BIG-IP – 15.1.0 - 15.1.10.8, 16.1.0 - 16.1.6.1, 17.1.0 - 17.1.3, 17.5.0 - 17.5.1
Exploit Status: no public exploit

CVE-2025-54755
CVSS 4.9 – An authenticated attacker can access files beyond intended restrictions due to a directory traversal vulnerability in the TMUI component of F5 BIG-IP systems.
Affected Products: F5 Networks BIG-IP – 15.1.0 - 15.1.10.8, 16.1.0 - 16.1.6.1, 17.1.0 - 17.1.3, 17.5.0 - 17.5.1
Exploit Status: no public exploit

CVE-2025-61990
CVSS 7.5 – Undisclosed traffic patterns can cause the Traffic Management Microkernel (TMM) to terminate in multi-blade configurations of F5 BIG-IP systems.
Affected Products: F5 Networks BIG-IP – 15.1.x, 16.1.x, 17.1.x
Exploit Status: no public exploit

CVE-2025-48008
CVSS 7.5 – Undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when a TCP profile with Multipath TCP (MPTCP) is enabled on a virtual server in F5 BIG-IP systems.
Affected Products: F5 Networks BIG-IP – 15.1.0 - 15.1.10.8, 16.1.0 - 16.1.6, 17.1.0 - 17.1.2.2
Exploit Status: no public exploit

CVE-2025-24326
CVSS 7.5 – Undisclosed traffic can cause an increase in memory resource utilization when the BADoS TLS Signatures feature is configured in F5 BIG-IP systems.
Affected Products: F5 Networks BIG-IP – 17.1.0 - 17.1.1, 16.1.0 - 16.1.5, 15.1.0 - 15.1.10
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Valid Accounts
Supply Chain Compromise
Data from Local System
Automated Exfiltration
System Information Discovery
Unsecured Credentials
Impair Defenses
Resource Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Tamper Detection Mechanisms
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Continuous Identity Verification
Control ID: Identity Pillar—Maturity Stage: Advanced
NIS2 Directive – Incident Detection and Response
Control ID: Article 21(2)
ISO/IEC 27001:2022 – Reporting Information Security Events
Control ID: A.16.1.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical F5 BIG-IP infrastructure compromised by nation-state attack exposes payment processing, requiring emergency updates and enhanced Zero Trust segmentation compliance.
Health Care / Life Sciences
Patient data networks using F5 systems face HIPAA compliance risks from stolen configuration data, demanding immediate security updates and traffic encryption.
Telecommunications
Network infrastructure providers that rely heavily on F5 perimeter security face service disruption risks from the nation-state attack, requiring comprehensive system hardening.
Government Administration
Critical infrastructure agencies using F5 BIG-IP systems targeted by nation-state actors must comply with the emergency directive and implement enhanced threat detection capabilities.
Sources
- F5 asserts limited impact from prolonged nation-state attack on its systems – https://cyberscoop.com/f5-attack-limited-impact-earnings-call/ (Verified)
- March 5 Advisory: BIG-IP iControl REST and tmsh Vulnerability [CVE-2025-20029] – https://www.censys.com/advisory/cve-2025-20029 (Verified)
- Security Advisory 2025-037: Multiple Vulnerabilities in F5 Products – https://cert.europa.eu/publications/security-advisories/2025-037/ (Verified)
- CVE-2025-58071 Impact, Exploitability, and Mitigation Steps – https://www.wiz.io/vulnerability-database/cve/cve-2025-58071 (Verified)
- Mitigate Risk of Compromise on F5 Devices – https://www.lockheedmartin.com/en-us/suppliers/news/features/2025/cybersecurity-f5.html (Verified)
- F5 Networks Quarterly Security Updates – https://assets.adgm.com/download/assets/20250206%20-%20F5%20Networks%20Quarterly%20Security%20Updates%20-%20Alert%20114.pdf/c84d8842e51111ef887f46bbe3e71b28 (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust Network Segmentation, East-West Traffic Security, rigorous egress controls, and real-time visibility would have constrained attacker movement, limited data loss, and enabled earlier detection. Microsegmentation, encrypted workload flows, and distributed inline enforcement could have stopped lateral movement and exfiltration even after an initial foothold.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized inbound traffic exploiting external services.
Control: Zero Trust Segmentation
Mitigation: Limited attacker ability to move beyond the initially compromised account.
Control: East-West Traffic Security
Mitigation: Detected and blocked unauthorized workload-to-workload traffic.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous C2 and remote access activity rapidly detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized outbound flows to attacker-controlled locations.
Enabled fast enterprise-wide incident containment and impact analysis.
Impact at a Glance
Affected Business Functions
- Network Traffic Management
- Application Delivery
- Security Operations
Estimated downtime: 7 days
Estimated loss: $5,000,000
The breach led to the exfiltration of BIG-IP source code and customer configuration data, potentially exposing sensitive information and increasing the risk of targeted attacks.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Cloud Firewall and egress enforcement to restrict and monitor all inbound and outbound communications.
- Implement Zero Trust Segmentation and East-West Traffic Security to confine applications, workloads, and users to least privilege access.
- Enhance threat detection and anomaly response for early identification of covert lateral movement and C2 activity.
- Ensure all sensitive data in transit is encrypted with high-performance protocols across hybrid and multicloud environments.
- Centralize multicloud visibility and control to accelerate incident response, impact assessment, and compliance reporting.