Breaking News

F5 Compromise Requires Urgent Action, CISA Says

Written by Teri Robinson | Oct 17, 2025 5:24:25 PM

BREAKING DEVELOPMENT... The compromise of F5’s systems and the exfiltration of files, including some of its BIG-IP source code and vulnerability information, set off alarm bells throughout the federal government ecosystem and beyond, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning and a directive for agencies to take prompt action to mitigate the risk.

CISA is rightfully concerned that the nation-state-affiliated cyber threat actor responsible could use the proprietary source code to exploit the F5 devices and software used throughout the federal government and other organizations.

“The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits,” CISA said in the October 15 directive.  

Calling the cyber threat actor behind the attack “an imminent threat” that “could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access,” CISA warned “this could potentially lead to a full compromise of target information systems.”

The incident shows “how vulnerabilities at the infrastructure and supply chain levels can have a domino effect on national security,” said Noelle Murata, senior security engineer at Xcape, Inc., who noted that earlier filings indicated a connection between the threat actor and China's Ministry of State Security. “The possibility of highly customized zero-day exploits is increased by the fact that a nation-state actor has sustained access to F5's source code.”

The compromise seems familiar to security experts. Based on the description of the vulnerability, “it appears quite similar to CVE-2022-1388,” which was “discovered in F5 Network’s BIG-IP and allows unauthenticated actors to gain control of the system through the management port or self-IP addresses,” said Lydia Zhang, president & co-founder of Ridge Security Technology, Inc. That vulnerability was exploited in 2022.

“CVE-2022-1388 leverages two techniques: the ‘admin:’ empty token authentication bypass, and the abuse of the HTTP hop-by-hop request header, which manipulates the header to enable a remote code execution (RCE) attack,” Zhang said.

The Justice Department, which had instructed F5 to delay disclosure of the compromise for a month amid an ongoing investigation, gave the go-ahead for the company to finally sound the alarm this week, which it did in multiple filings with the SEC, prompting CISA’s directive.

The directive applies “to agency assets in any federal information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information,” whether FedRAMP-authorized or not. It lays out clear steps that agencies must take to address the compromise, including:

Take an Inventory of F5 Assets. Agencies should immediately identify all BIG-IP hardware devices as well as all instances of BIG-IP F5OS, BIG-IP TMOS, Virtual Edition (VE), BIG-IP Next, BIG-IQ software, and BNK/CNF.

Harden Public-Facing F5 BIG-IP Devices. For all public-facing BIG-IP physical or virtual devices, identify if the networked management interface is accessible directly from the public internet. For all devices with confirmed exposure, agencies should follow the requirements in CISA’s Binding Operational Directive (BOD) 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces. They should also report those findings to CISA and follow further CISA instructions.    

Update Instances of BIG-IP Hardware and Software Appliances. By October 22, 2025, apply the latest vendor-provided update for F5OS, BIG-IP TMOS, BIG-IQ and BNK/CNF. For the latter, prior to applying the update, agencies must validate the F5-published MD5 checksums for its software image files and other F5-downloaded software. Agencies that have already configured a device’s management interface, as part of their best practices, so that it is exposed only to a management network and reachable only via a jump box should note that in their reporting and follow the agency’s regular update schedule for this device.

For all F5 virtual and physical devices not covered in this action, agencies must update with the latest software release patch by October 31, 2025, and apply the latest F5-provided asset hardening guidance.

All subsequent updates must be applied via F5’s download portal within one week of vendor release.   

Disconnect End of Support Devices. Agencies are required to disconnect and decommission all public-facing F5 devices that have reached end of support. Those that cannot disconnect F5 devices that have reached their end of support date shall report to CISA any mission critical needs preventing such action, and the plans for eventual decommissioning of the device.

Mitigate Against Cookie Leakage. If CISA notifies an agency of a BIG-IP cookie leakage vulnerability, the agency shall follow CISA’s accompanying mitigation instructions.     

Report. All agencies must report their findings and actions by October 29 in a summary of products within scope on agency networks. They must also provide a detailed inventory of all instances of products within scope on agency networks to CISA by December 3.
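To make the directive's steps concrete, here is an added triage helper (example code written for this article, not a CISA or F5 tool) that applies the rules summarized above to a constructed asset inventory and shows the MD5 image check required before the priority updates. The inventory, host names, the `Asset` fields and the "hex  filename" checksum-line format are assumptions.

```python
"""Triage helper for CISA's F5 directive (added example, not from CISA or F5)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Products the directive names for the October 22, 2025 update deadline.
PRIORITY_PRODUCTS = {"F5OS", "BIG-IP TMOS", "BIG-IQ", "BNK/CNF"}


@dataclass
class Asset:  # constructed schema; a real inventory would carry more fields
    name: str
    product: str
    public_facing: bool
    mgmt_exposed: bool    # management interface reachable from the public internet
    end_of_support: bool
    jump_box_only: bool   # mgmt on an isolated network, reachable only via jump box


def triage(asset: Asset) -> List[str]:
    """Return the directive actions that apply to one asset, in the article's order."""
    if asset.public_facing and asset.end_of_support:
        # Disconnect and decommission; report mission-critical blockers to CISA.
        return ["disconnect-and-decommission-or-report"]
    actions = []
    if asset.public_facing and asset.mgmt_exposed:
        actions.append("harden-per-BOD-23-02-and-report")   # exposed mgmt interface
    if asset.product in PRIORITY_PRODUCTS:
        # Jump-box-only devices note that in reporting and follow the regular schedule.
        actions.append("note-in-report-regular-schedule" if asset.jump_box_only
                       else "validate-md5-then-update-by-2025-10-22")
    else:
        actions.append("update-and-harden-by-2025-10-31")   # all other F5 devices
    return actions


def summarize(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Group assets by required action: the shape of the October 29 summary report."""
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        for action in triage(asset):
            report.setdefault(action, []).append(asset.name)
    return report


def image_matches_published_md5(image_bytes: bytes, published_md5_line: str) -> bool:
    """Check a downloaded image against a published checksum line ("<hex>  <file>", assumed).
    Returns False on any mismatch or malformed line; never apply an image that fails."""
    parts = published_md5_line.split()
    if not parts or len(parts[0]) != 32:
        return False
    return hashlib.md5(image_bytes).hexdigest() == parts[0].lower()


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Asset("edge-ltm-1", "BIG-IP TMOS", True, True, False, False),
    Asset("edge-ltm-2", "BIG-IP TMOS", True, False, False, True),
    Asset("legacy-waf", "BIG-IP TMOS", True, False, True, False),
    Asset("internal-next", "BIG-IP Next", False, False, False, False),
]

if __name__ == "__main__":
    for action, names in summarize(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(names)}")
```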

In a press call, CISA Acting Director Madhu Gottumukkala said organizations outside of the federal government must update their F5 systems to avoid “catastrophic compromise of critical information systems.”