Full Report
Partnering with an EDR vendor after a nation-state has already stolen your source code isn’t innovation — it’s a gamble. You don’t build a fire extinguisher while the house is burning. You find every spark before it becomes the next inferno.

Key takeaways:

- F5’s BIG-IP is used to secure everything from government agencies to critical infrastructure.
- The theft of BIG-IP source code and undisclosed vulnerabilities by a nation-state actor is a five-alarm fire for national security and puts all organizations at risk.
- We provide detailed steps Tenable customers can take immediately, as well as general guidance on how organizations can protect themselves now and in the long term.

The breach of F5’s BIG-IP product development environment is a five-alarm fire for national security and once again raises doubts about the safety of the software supply chain.

Among the data stolen in the nation-state attack: source code for BIG-IP networking solutions as well as undisclosed security vulnerabilities that were under investigation. According to F5’s October 15 8-K filing with the U.S. Securities and Exchange Commission (SEC), some of the exfiltrated files from its knowledge management platform contained configuration or implementation information for a small percentage of customers. The company also rotated its signing certificates and keys on October 13.

F5’s BIG-IP isn't just another piece of software. It is a foundational element in the technology stack used to secure everything from government agencies to critical infrastructure. In the hands of a hostile actor, this stolen data is a master key that could be used to launch devastating attacks, similar to the campaigns waged by Salt Typhoon and Volt Typhoon. We haven’t seen a software supply chain compromise of this scale since SolarWinds.

The implications are far-reaching. BIG-IP is used by approximately 57,000 companies; while the majority are in the $1 million – $10 million revenue range, F5 says its products are used by 85% of the Fortune 500. Affected products include BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF). For a full list of CVEs associated with this incident, see Frequently Asked Questions About The August 2025 F5 Security Incident.

While F5 has not observed evidence of modified source code or a supply-chain attack, the stolen data could potentially be used to develop new exploits for unpatched vulnerabilities. In response, F5 released security patches on October 15.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring that all organizations with F5 products apply these updates immediately. “The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” said CISA Acting Director Madhu Gottumukkala in a follow-up statement. “These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems. We emphatically urge all entities to implement the actions outlined in this Emergency Directive without delay.” The U.K.’s National Cyber Security Center (NCSC) also issued an alert about the incident.

This incident does not affect Tenable products but we have released new plugins and additional guidance to help organizations secure their environments.

Organizations using F5 BIG-IP are advised to update the software as soon as possible, harden any public-facing BIG-IP devices, and remove any unsupported devices from their networks. The company said it is “partnering with CrowdStrike to extend Falcon EDR sensors and Overwatch Threat Hunting to BIG-IP for additional visibility and to strengthen defenses. An early access version will be available to BIG-IP customers and F5 will provide all supported customers with a free Falcon EDR subscription.”

While we applaud F5’s transparency and efforts to help organizations respond to the incident, this is not the time for experimentation. You don’t build a fire extinguisher while your house is burning. Likewise, waiting for an EDR vendor to build a solution after a threat actor has already accessed your most sensitive environment is ill-advised. The nation-state actor has been embedded in F5’s environment for some time, with access to highly sensitive data. They can act on what they’ve accessed at any time. Moreover, threat actors have repeatedly demonstrated their ability to disable EDR tools, thereby evading endpoint-based detection methods and rendering them largely useless.

The following key actions required by CISA in its emergency directive extend well beyond the capabilities of EDR:

- Inventory: Identify all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF.
- Harden public-facing hardware and software appliances: Identify if physical or virtual BIG-IP devices exposed to the public internet provide public access to the networked management interface.
- Update instances of BIG-IP hardware and software applications: Apply the latest vendor updates by Oct. 22, 2025, for the following products: F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF — validate the F5 published MD5 checksums for its software image files and other F5 downloaded software. For other devices, update with the latest software release by Oct. 31, 2025, and apply the latest F5-provided asset hardening guidance.
- Disconnect end-of-support devices: Disconnect all public-facing F5 devices that have reached their end-of-support date. Report mission-critical exceptions to CISA.
- Mitigate against cookie leakage: If CISA notifies an agency of a BIG-IP cookie leakage vulnerability, the agency shall follow CISA’s accompanying mitigation instructions.
- Report: Submit a complete inventory of F5 products and actions taken to CISA by 11:59 p.m. EDT, Oct. 29, 2025.

We cannot stress enough the importance of finding and fixing the 44 CVEs associated with this incident immediately. Doing so requires visibility into areas of your infrastructure that can’t be reached by the “good enough” vulnerability scanning tools available from endpoint vendors. The immediate need is for effective triage.

Below, we provide detailed guidance on steps Tenable customers can take immediately. (Non-Tenable customers can start a free trial of Tenable Vulnerability Management today to see where they’re impacted so they can swiftly take action.)

Longer term, organizations need to prepare for the likelihood of nation-state actors leveraging additional F5 vulnerabilities for initial access, after which they will pivot to Living off the Land techniques to stealthily execute commands, establish persistence, move laterally, and escalate privileges. We’ve seen examples of such activity with Salt Typhoon and Volt Typhoon. Once it occurs, it becomes very difficult to detect and eradicate the actor. More guidance on preventive measures can be found below in the section “How do I protect my organization from the long-term impact of the F5 BIG-IP breach?”

## I’m a Tenable Vulnerability Management customer. What should I do today?

Here are two examples of how to use Tenable Vulnerability Management to quickly find F5 BIG-IP in your environment and identify the related CVEs. A full list of CVEs associated with this incident can be found here.

The screenshot below shows how you can quickly filter for the F5 BIG-IP version using plugin ID 76940. This allows you to quickly see the version and the installed modules of your F5 device.

[Screenshot: filtering for the F5 BIG-IP version with plugin ID 76940. Source: Tenable, October 2025]

The screenshot below shows how you can see all known vulnerabilities for your F5 device. You can filter for CVEs and export the data to engage the various teams for remediation.

[Screenshot: known vulnerabilities for an F5 device, filtered by CVE. Source: Tenable, 2025]

## How do I protect my organization from the long-term impact of the F5 BIG-IP breach?

In addition to applying the urgent mitigations above, organizations need to be on alert for any infiltration attempts. Organizations are urged to take the following actions:

- Inventory all F5 assets in your environments. Tenable Vulnerability Management can provide a detailed and comprehensive inventory of your F5 assets as part of its network-wide scanning. It identifies F5 devices through methods like active scanning, passive monitoring, and credentialed scans, collecting detailed information about the asset, including its configuration and vulnerabilities. This granular level of discovery goes beyond simple asset lists to give you a clear, actionable view of every F5 device on your network.
- Continuously monitor assets in cloud, IT and OT environments. Tenable Vulnerability Management offers continuous monitoring across diverse environments, including IT, cloud, and OT. By deploying Tenable agents on transient devices, performing active scans on traditional IT assets, and using passive monitoring for sensitive OT systems, Tenable Vulnerability Management ensures you have an always-on, real-time assessment of your security posture, regardless of where the assets reside.
- Correlate data from asset inventories, vulnerability assessments, and security operations for a unified view of risk. Tenable Vulnerability Management is designed to be a central hub for vulnerability data. It correlates data from its own asset discovery and vulnerability assessments to provide a unified view of risk. It can also integrate with other security tools and CMDBs to enrich asset data and streamline remediation workflows.
- Incorporate threat intelligence feeds to understand which threats are most likely to be exploited and what risks they pose to your unique environment. Tenable utilizes a risk-based prioritization approach to help you focus on the most dangerous threats. It combines its Vulnerability Priority Rating (VPR) with your unique environmental context to provide a single, dynamic score that reflects the true risk of a vulnerability. This allows you to move beyond static, generic scores like CVSS and focus remediation efforts on the issues that are most likely to be exploited in the wild, enabling you to reduce your organization's overall cyber risk more effectively.

## Learn more

Start a free trial of Tenable Vulnerability Management today.
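The CISA emergency directive steps quoted in the post (inventory, harden exposed management interfaces, update by the Oct. 22 and Oct. 31 deadlines, disconnect public-facing end-of-support devices, validate the F5-published MD5 checksums of downloaded images) are a triage checklist that can be applied mechanically once an inventory exists. The script below is an added example written for this page; it is not Tenable's or CISA's tooling, and every hostname, running version, "fixed" version and exposure flag in the sample inventory is a constructed placeholder (real fixed versions come from F5's advisory). It classifies each asset against the directive and shows how to verify an image checksum by streaming the file.

```python
"""Triage an F5 inventory against the CISA emergency directive actions quoted
in the post. Added example, not Tenable or CISA tooling. All asset records
and 'fixed' versions are constructed placeholders."""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from datetime import date

# Products the directive names for the Oct. 22, 2025 deadline; the remaining
# products fall under the Oct. 31, 2025 deadline.
TIER1_PRODUCTS = {"F5OS", "BIG-IP TMOS", "BIG-IQ", "BNK", "CNF"}
TIER1_DEADLINE = date(2025, 10, 22)
OTHER_DEADLINE = date(2025, 10, 31)


@dataclass
class F5Asset:
    hostname: str
    product: str
    version: str            # running version (constructed)
    fixed_version: str      # first fixed version; placeholder, take real values from F5's advisory
    internet_exposed: bool  # the device itself is reachable from the public internet
    mgmt_public: bool       # the management interface is reachable from the public internet
    end_of_support: bool


def version_tuple(v: str) -> tuple:
    """'17.1.1.3' -> (17, 1, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def triage(asset: F5Asset, today: date = date(2025, 10, 16)) -> list:
    """Return the directive actions that apply to one asset, most urgent first."""
    actions = []
    if asset.end_of_support and asset.internet_exposed:
        actions.append("DISCONNECT: public-facing device past end of support "
                       "(report mission-critical exceptions to CISA)")
    if asset.mgmt_public:
        actions.append("HARDEN: management interface reachable from the public internet")
    if version_tuple(asset.version) < version_tuple(asset.fixed_version):
        deadline = TIER1_DEADLINE if asset.product in TIER1_PRODUCTS else OTHER_DEADLINE
        status = "OVERDUE" if today > deadline else "due"
        actions.append(f"UPDATE: {asset.version} -> {asset.fixed_version} "
                       f"({status} {deadline.isoformat()}); verify the F5-published MD5 first")
    if not actions:
        actions.append("OK: no outstanding action; include in the inventory report")
    return actions


def triage_inventory(assets, today: date = date(2025, 10, 16)) -> dict:
    """Hostname -> list of actions, the shape a CISA inventory report needs."""
    return {a.hostname: triage(a, today) for a in assets}


def verify_image_md5(image_path: str, published_md5: str) -> bool:
    """Stream the image through MD5 and compare to the checksum F5 publishes for it."""
    digest = hashlib.md5()
    with open(image_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest().lower(), published_md5.strip().lower())


def demo_checksum() -> tuple:
    """Write a constructed stand-in for an image file and check it against a
    matching and a wrong checksum; returns (True, False) when verification works."""
    payload = b"constructed stand-in for a BIG-IP image, not a real file\n"
    expected = hashlib.md5(payload).hexdigest()
    fd, path = tempfile.mkstemp(suffix=".iso")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        good = verify_image_md5(path, expected)
        bad = verify_image_md5(path, "0" * 32)
    finally:
        os.unlink(path)
    return good, bad


# Constructed sample inventory: hostnames, versions and exposure are made up.
SAMPLE_INVENTORY = [
    F5Asset("lb-edge-01", "BIG-IP TMOS", "17.1.1", "17.1.2", True, True, False),
    F5Asset("lb-legacy-02", "BIG-IP TMOS", "13.1.5", "13.1.5", True, False, True),
    F5Asset("biq-mgmt-03", "BIG-IQ", "8.3.0", "8.3.0", False, False, False),
    F5Asset("next-04", "BIG-IP Next", "20.2.0", "20.3.0", True, False, False),
]

if __name__ == "__main__":
    for host, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(host)
        for action in actions:
            print("  -", action)
    print("checksum demo (good, wrong):", demo_checksum())
```

Two design points: versions are compared as integer tuples, because a string comparison would rank "9.x" above "17.x"; and the MD5 check only means anything when the published checksum itself is obtained from F5 over a trusted channel, since MD5 here is an integrity tag against download corruption or substitution, not a signature.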
Analysis Summary
The provided article is a promotional piece from Tenable discussing their exposure management platform in the context of significant vulnerabilities, specifically referencing the numerous critical CVEs discovered in F5 BIG-IP devices. **It does not detail a specific, singular security incident, timeline, or response effort.** Instead, it focuses on the *potential* risk posed by unpatched F5 vulnerabilities and how Tenable's tools can help manage that risk.
Therefore, the incident timeline and response sections will be structured based on the *implied* incident scenario (exploitation of F5 BIG-IP vulnerabilities) and Tenable's *recommended* response actions (patching and risk management).
# Incident Report: Managing F5 BIG-IP Critical Vulnerability Risk
## Executive Summary
This report addresses the critical risk exposure associated with numerous severe Common Vulnerabilities and Exposures (CVEs) affecting F5 BIG-IP devices, as highlighted by Tenable. While no specific, dated incident is detailed, the context implies organizations are at high risk of compromise via platform vulnerabilities, potentially leading to unauthorized access, data exfiltration, and severe operational disruption if timely patching is not prioritized. The recommended response centers on integrated asset discovery, risk-based prioritization using threat intelligence, and rapid patching.
## Incident Details
- **Discovery Date:** Due to the nature of the source material (a vendor advisory/blog), specific discovery dates for an *actual* single incident are **Not Disclosed**. The report focuses on the discovery of 44 relevant CVEs.
- **Incident Date:** N/A (Focus is on ongoing vulnerability risk, not a specific historical event).
- **Affected Organization:** Generic/Multiple organizations utilizing vulnerable F5 BIG-IP infrastructure.
- **Sector:** Across all sectors utilizing F5 infrastructure (e.g., financial, technology, critical infrastructure).
- **Geography:** Not specified.
## Timeline of Events
*As this is a vulnerability advisory summary, the timeline reflects the potential attack progression if an F5 BIG-IP device is exploited, followed by recommended actions.*
### Initial Access
- **Date/Time:** Ongoing (upon exposure of vulnerable F5 devices).
- **Vector:** Exploitation of one or more of the 44 publicized F5 BIG-IP CVEs.
- **Details:** Attackers leverage known flaws in the BIG-IP management interfaces or system components.
### Lateral Movement
- **Details:** Once initial access is achieved (likely remote code execution or shell access depending on the specific CVE exploited), attackers would likely proceed to pivot into the internal network, leveraging the BIG-IP as a hardened foothold.
### Data Exfiltration/Impact
- **Details:** Potential for large-scale data theft, configuration manipulation, denial of service, or establishment of persistent backdoor access across the network perimeter.
### Detection & Response
- **How it was discovered:** Proactive vulnerability scanning (e.g., using Tenable scanning tools) against perimeter assets, or detection via intrusion detection systems observing unusual traffic to the BIG-IP environment.
- **Response actions taken:** Urgent asset inventory, VPR-based prioritization, and emergency patching of all affected BIG-IP systems.
## Attack Methodology
*This section details the potential MITRE ATT&CK techniques associated with exploiting F5 infrastructure vulnerabilities:*
- **Initial Access:** Exploitation of Public-Facing Application (T1190) via unpatched F5 BIG-IP CVEs.
- **Persistence:** Not detailed in the source; typically device-level persistence or web shell deployment on the appliance.
- **Privilege Escalation:** Highly dependent on the specific CVE exploited (e.g., gaining root or system-level access on the appliance).
- **Defense Evasion:** Exploitation of the appliance itself bypasses many standard network-level defenses.
- **Credential Access:** Potential access to configuration files containing credentials or session tokens.
- **Discovery:** Network mapping and internal reconnaissance following breach of the perimeter device.
- **Lateral Movement:** Using the F5 device as a proxy or pivot point to reach internal segments.
- **Collection:** Targeting sensitive data accessible through the compromised perimeter network path.
- **Exfiltration:** Sending collected data out via established tunnels or decrypted channels.
- **Impact:** Service unavailability (DoS) or data compromise.
## Impact Assessment
- **Financial:** Potential costs associated with emergency remediation, regulatory fines, and potential business downtime.
- **Data Breach:** High risk of sensitive PII, customer data, or intellectual property exposure due to the perimeter location of the F5 device.
- **Operational:** Significant operational disruption risk due to the critical nature of F5 devices (load balancing, WAF, access control).
- **Reputational:** High if an exploit leads to a high-profile public breach.
## Indicators of Compromise
*As this is a general advisory, specific IOCs are only available upon patch release; however, general behavioral IOCs are noted:*
- **Network indicators:** Unusual outbound connections originating from the F5 management or self-IP interfaces to external, non-standard destinations. (IPs/URLs defanged: N/A)
- **File indicators:** Creation of unexpected web shells or configuration file modifications on the BIG-IP appliance.
- **Behavioral indicators:** Sudden spikes in administrative login attempts or unexpected changes in load balancing rules or traffic redirection.
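Two of the behavioral indicators above, a burst of administrative login failures against the appliance and outbound connections from a management or self-IP address to destinations outside the expected set, are easy to turn into detection logic. The script below is an added example for this page, not Tenable's or F5's code: the auth lines and connection records are constructed, generic syslog and CSV approximations rather than F5's real log formats, and the device addresses and allowed destination networks are assumptions you would replace with your own.

```python
"""Detection checks for two behavioral indicators: a burst of failed admin
logins, and outbound connections from a BIG-IP management/self-IP address to
an unexpected destination. Added example; log formats, addresses and
allowlists are constructed assumptions, not F5's formats or real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed environment facts (constructed): the appliance's management/self-IP
# addresses and the networks those interfaces are expected to reach.
DEVICE_IPS = {"10.0.0.5", "10.0.0.6"}
ALLOWED_DEST_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed auth events: six failures in six seconds from one external source,
# two scattered failures from an internal host, one successful login.
AUTH_LOG = """\
2025-10-16T09:00:01 lb-edge-01 sshd[1201]: Failed password for admin from 203.0.113.10 port 51122 ssh2
2025-10-16T09:00:02 lb-edge-01 sshd[1201]: Failed password for admin from 203.0.113.10 port 51123 ssh2
2025-10-16T09:00:03 lb-edge-01 sshd[1201]: Failed password for root from 203.0.113.10 port 51124 ssh2
2025-10-16T09:00:04 lb-edge-01 sshd[1201]: Failed password for admin from 203.0.113.10 port 51125 ssh2
2025-10-16T09:00:05 lb-edge-01 sshd[1201]: Failed password for admin from 203.0.113.10 port 51126 ssh2
2025-10-16T09:00:06 lb-edge-01 sshd[1201]: Failed password for admin from 203.0.113.10 port 51127 ssh2
2025-10-16T09:03:00 lb-edge-01 sshd[1210]: Failed password for admin from 10.0.0.21 port 40001 ssh2
2025-10-16T09:20:00 lb-edge-01 sshd[1222]: Failed password for admin from 10.0.0.21 port 40002 ssh2
2025-10-16T09:21:00 lb-edge-01 sshd[1223]: Accepted password for admin from 10.0.0.20 port 50012 ssh2
"""

# Constructed connection records (timestamp,src,dst,dport) as a flow collector
# might export them; the self-IP 10.0.0.5 reaches one external host.
CONN_LOG = """\
2025-10-16T09:10:00,10.0.0.5,10.0.3.7,443
2025-10-16T09:10:05,10.0.0.5,198.51.100.44,8443
2025-10-16T09:11:00,10.0.0.6,192.168.5.5,53
2025-10-16T09:12:00,10.0.9.9,198.51.100.44,443
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for \S+ from (?P<src>\S+) port")


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each source IP to its largest count of failures inside any `window`;
    only sources reaching `threshold` are returned."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            per_src[m["src"]].append(datetime.fromisoformat(m["ts"]))
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def unexpected_outbound(conn_text):
    """Connections sourced from a device IP whose destination lies outside every
    allowed network; traffic from other hosts is ignored."""
    flagged = []
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split(",")
        if src in DEVICE_IPS and not any(ip_address(dst) in net for net in ALLOWED_DEST_NETS):
            flagged.append((src, dst, int(dport)))
    return flagged


if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(AUTH_LOG))
    print("unexpected outbound:", unexpected_outbound(CONN_LOG))
```

The burst check uses a sliding window rather than a fixed per-minute bucket so that failures straddling a minute boundary are still counted together; the outbound check deliberately ignores hosts that are not device addresses, so the allowlist only has to describe what the appliance itself should talk to.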
## Response Actions
*Based on Tenable's recommendations for managing this class of risk:*
- **Containment measures:** Immediate implementation of compensating controls (e.g., blocking external management access/limiting exposure) if patching is not immediately feasible; isolating affected appliances.
- **Eradication steps:** Thorough forensic analysis of the appliance filesystem to locate and remove persistence mechanisms.
- **Recovery actions:** Applying all necessary vendor patches for the 44+ identified F5 CVEs, followed by a full security audit of the system configuration.
## Lessons Learned
- **Key takeaways:** Perimeter devices like F5 BIG-IP, which often sit exposed to the internet, represent a disproportionately high risk when critical vulnerabilities are disclosed. Ignoring vendor advisories for high-profile appliances is extremely dangerous.
- **What could have been done better:** Proactive scanning and vulnerability assessment schedules must prioritize critical infrastructure, and a robust patch management program must be in place to handle zero-day or high-profile disclosures within hours, not days.
## Recommendations
- Immediately inventory *all* F5 BIG-IP devices across the enterprise.
- Prioritize remediation based on external exposure and the potential exploitability of the specific CVEs present (using risk-based exposure management, like VPR).
- Patch or deploy compensating controls for *all* 44 referenced CVEs without delay.
- Incorporate threat intelligence feeds to understand which threats are most likely to be exploited in the current landscape.