CISA is directing Federal Civilian Executive Branch (FCEB) agencies to inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply updates from F5.
A nation-state affiliated cyber threat actor has compromised F5’s systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information. The threat actor’s access to F5’s proprietary source code could give it a technical advantage in exploiting F5 devices and software: the source enables static and dynamic analysis to identify logical flaws and zero-day vulnerabilities, as well as the development of targeted exploits.[1]
This cyber threat actor presents an imminent threat to federal networks using F5 devices and software. Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.
CISA has assessed these conditions pose an unacceptable risk to agencies and necessitate immediate emergency action involving the following F5 products:
- Hardware: BIG-IP iSeries, rSeries, or any other F5 device that has reached end of support
- Software: All devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK)/Cloud-Native Network Functions (CNF)
The requirements in this Directive address immediate risk and best position agencies to respond to anticipated targeting of these devices by the threat actor.
Scope - The required actions in this Directive apply to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP-authorized or otherwise), for obtaining status updates pertaining to this Directive, and for ensuring compliance with it. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP-authorized cloud service providers and work directly with service providers that are not FedRAMP-authorized.
All other provisions specified in this Directive remain applicable.
Required Actions
This Emergency Directive requires agencies to take the following actions:
Inventory -
Immediately identify:
- All BIG-IP hardware devices.
- All instances of BIG-IP F5OS, BIG-IP TMOS, Virtual Edition (VE), BIG-IP Next, BIG-IQ software, and BNK/CNF.
Harden Public-Facing F5 BIG-IP Devices -
For all public-facing BIG-IP physical or virtual devices, identify whether the networked management interface is accessible directly from the public internet. For all devices with confirmed exposure:
- Follow the requirements in CISA’s Binding Operational Directive (BOD) 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces.
- Report to CISA and follow further CISA instructions.
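A first-pass triage of the exposure question in the steps above, as an added example that is not part of the Directive and not CISA’s or F5’s tooling. It parses text in the shape of the output of `tmsh list sys management-ip`, `tmsh list sys httpd allow` and `tmsh list sys sshd allow` (those command names and output formats are assumed here and should be checked against a real device), flags management addresses outside RFC 1918, loopback and link-local ranges, and flags GUI/REST (`httpd`) or SSH (`sshd`) allow lists that admit any source. The sample output is constructed. A private management address does not prove the interface is unreachable from the internet (NAT, port-forwards, or an upstream proxy can still expose it), so confirm from an external vantage point before reporting a device as not exposed.

```python
"""Triage whether a BIG-IP management plane looks internet-exposed.

Added example, not code from CISA or F5. The tmsh output formats below are
assumed; compare them with output from your own device before relying on this.
"""
import ipaddress
import re

# Constructed sample output (placeholder addresses, not a real device).
SAMPLE_MGMT_IP = """sys management-ip 203.0.113.10/24 {
    description configured-statically
}
"""
SAMPLE_MGMT_IP_INTERNAL = SAMPLE_MGMT_IP.replace("203.0.113.10", "10.20.30.40")
SAMPLE_HTTPD = """sys httpd {
    allow { all }
}
"""
SAMPLE_HTTPD_RESTRICTED = """sys httpd {
    allow { 10.0.0.0/8 }
}
"""
SAMPLE_SSHD = """sys sshd {
    allow { 10.0.0.0/8 192.168.50.0/24 }
}
"""

# Ranges treated as "internal" for triage; anything else is assumed routable
# from the internet. This is deliberately narrower than ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(net):
    """True if every address in `net` lies inside one internal range."""
    return any(net.subnet_of(i) for i in INTERNAL_NETS if i.version == net.version)


def parse_management_ips(tmsh_text):
    """Management addresses from `tmsh list sys management-ip` style output."""
    return [ipaddress.ip_interface(a)
            for a in re.findall(r"^sys management-ip (\S+)", tmsh_text, re.M)]


def parse_allow_list(tmsh_text):
    """Entries of the `allow { ... }` block, or None if no block is present."""
    m = re.search(r"allow \{([^}]*)\}", tmsh_text)
    return m.group(1).split() if m else None


def assess(mgmt_text, httpd_text, sshd_text):
    """Return a list of (severity, message) findings; empty means nothing flagged."""
    findings = []
    for iface in parse_management_ips(mgmt_text):
        if not is_internal(ipaddress.ip_network(str(iface.ip))):
            findings.append(("HIGH", f"management IP {iface.ip} is not in an internal range"))
    for svc, text in (("httpd", httpd_text), ("sshd", sshd_text)):
        allow = parse_allow_list(text)
        if allow is None:
            findings.append(("INFO", f"{svc}: no allow block found, check manually"))
            continue
        if "all" in allow:  # no source restriction at all on the service
            findings.append(("HIGH", f"{svc}: allow list is 'all' (no source restriction)"))
            continue
        for entry in allow:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(("INFO", f"{svc}: unparsed allow entry '{entry}'"))
                continue
            if not is_internal(net):
                findings.append(("MEDIUM", f"{svc}: allow entry {entry} admits non-internal sources"))
    return findings


if __name__ == "__main__":
    for sev, msg in assess(SAMPLE_MGMT_IP, SAMPLE_HTTPD, SAMPLE_SSHD):
        print(f"[{sev}] {msg}")
```

Feed it the real command output captured from each device in the inventory; any HIGH finding on a public-facing device is a candidate for the BOD 23-02 steps above, and an empty result still needs external confirmation.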
Update Instances of BIG-IP Hardware and Software Appliances -
By October 22, 2025, apply the latest vendor-provided update for each of the following products:
- F5OS
- BIG-IP TMOS
- BIG-IQ
- BNK/CNF
Before applying an update, validate the F5-published MD5 checksums for its software image files and any other software downloaded from F5.
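The checksum step above, as an added example that is not code from CISA or F5: a Python script that streams a downloaded image through MD5, parses the published `.md5` file, and refuses the image on a digest or filename mismatch. It assumes the `.md5` file uses the md5sum layout (`<hex digest>  <filename>`, or `<hex digest> *<filename>` in binary mode); confirm that against the file you actually download from F5. The image bytes and file names in the demo are constructed placeholders. A matching MD5 proves only that the bytes equal what the vendor published, so fetch the `.md5` file over HTTPS from F5’s own portal rather than from wherever the image came from, and verify any stronger digest or signature F5 provides as well.

```python
"""Verify a downloaded F5 image against its published .md5 file.

Added example, not CISA's or F5's code. The .md5 layout is assumed to follow
md5sum ("<digest>  <name>" or "<digest> *<name>"); check that assumption.
"""
import hashlib
import hmac
import os
import tempfile
from collections import namedtuple

# ok is True only when the digest matches AND the published filename (if any)
# matches the file being checked, so a checksum for a different release is
# never silently accepted.
Verdict = namedtuple("Verdict", "ok expected actual name_matches")


def md5_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through MD5 so multi-gigabyte ISOs need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_published_md5(text):
    """Return (digest, filename_or_None) from the first non-empty line of a .md5 file."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        digest = parts[0].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest in checksum file: {parts[0]!r}")
        name = parts[1].lstrip("*") if len(parts) > 1 else None
        return digest, name
    raise ValueError("checksum file is empty")


def verify_image(image_path, md5_path):
    """Compare the image's MD5 and name with the published .md5 file."""
    with open(md5_path, "r", encoding="ascii") as f:
        expected, published_name = parse_published_md5(f.read())
    actual = md5_of_file(image_path)
    digest_ok = hmac.compare_digest(expected, actual)
    name_matches = published_name is None or published_name == os.path.basename(image_path)
    return Verdict(digest_ok and name_matches, expected, actual, name_matches)


# Constructed demo data: MD5("abc") is the well-known value below; the file
# names are placeholders, not real F5 release names.
SAMPLE_IMAGE_BYTES = b"abc"
SAMPLE_MD5_TEXT = "900150983cd24fb0d6963f7d28e17f72  BIGIP-sample.iso\n"


def demo():
    """Write an intact image, a tampered copy with the same name, and the .md5; verify both."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "BIGIP-sample.iso")
        os.mkdir(os.path.join(d, "tampered"))
        tampered = os.path.join(d, "tampered", "BIGIP-sample.iso")
        md5file = os.path.join(d, "BIGIP-sample.iso.md5")
        with open(image, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES)
        with open(tampered, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES + b"\x00")  # a single appended byte changes the digest
        with open(md5file, "w") as f:
            f.write(SAMPLE_MD5_TEXT)
        return verify_image(image, md5file), verify_image(tampered, md5file)


if __name__ == "__main__":
    for label, v in zip(("intact", "tampered"), demo()):
        status = "OK" if v.ok else "REJECT"
        print(f"{label}: {status} expected={v.expected} actual={v.actual} name_matches={v.name_matches}")
```

Wire `verify_image` into whatever stages images onto the device, and make a non-`ok` verdict abort the install rather than merely log.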
Note: Agencies that, prior to the issuance of this Directive, have configured the management interface for a device so that it is exclusively reachable from a management network and only accessible via a jump box, may note this best practice in their reporting and follow the agency’s regular update schedule for this device, overriding the timeline above.
For all F5 virtual and physical devices not covered in required action 3:
- Update with the latest software release patch by October 31, 2025, and apply the latest F5-provided asset hardening guidance.
- Apply all subsequent updates via F5’s download portal within one (1) week of vendor release.
Disconnect End of Support Devices - For all public-facing F5 devices that have reached end of support, disconnect and decommission them. Agencies that cannot disconnect F5 devices that have reached their end of support date shall report to CISA:
- Any mission critical need(s) preventing such action; and
- Plans for eventual decommissioning of the device.
Mitigate Against Cookie Leakage - If CISA notifies an agency of a BIG-IP cookie leakage vulnerability, the agency shall follow CISA’s accompanying mitigation instructions.
Report - All agencies, regardless of the results of required action 1, must:
- By 11:59 PM ET on October 29, 2025, report to CISA (using the provided template) a summary of products within scope on agency networks.
- By 11:59 PM ET on December 3, 2025, report to CISA (using the provided template) a detailed inventory of all instances of products within scope on agency networks.
Note: A Networked Management Interface is a dedicated device interface that is accessible over network protocols and is meant exclusively for authorized users to perform administrative activities on a device, a group of devices, or the network itself, as defined in CISA’s Binding Operational Directive 23-02.
CISA Actions:
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- By March 1, 2026, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, the Federal Chief Information Officer, and the Federal Chief Information Security Officer identifying the implementation of this Directive, including cross-agency status and outstanding issues.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
Reporting indications of compromise – contact@cisa.dhs.gov
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices