Data theft at network provider F5: Attackers steal code and security gaps
The network equipment supplier suspects state-sponsored attackers and has released dozens of security patches. Authorities warn of further attacks.
Network provider F5 is facing a data leak that apparently persisted for a long time and involved the theft of source code and previously unpublished security vulnerabilities. Administrators must now urgently apply dozens of patches for its BIG-IP appliance and other products; otherwise, further breaches are to be expected. This has also prompted the US cybersecurity agency CISA and its British counterpart to issue an urgent warning.
The manufacturer leaves it unclear how the attackers penetrated the F5 network, but the investigations have confirmed a data exfiltration. The source code for BIG-IP, along with information about known security vulnerabilities of low, medium, and high severity that were not yet fixed at the time of the attack, fell into unauthorized hands. These are a godsend for exploit developers -- they likely got to work immediately and tailored malware to the vulnerabilities. Equally serious: for some F5 customers, specific configuration and implementation notes were stored on the compromised systems, and these can be misused for targeted attacks.
F5 emphasizes that neither critical-severity vulnerabilities nor any with code execution capabilities (RCE) fell into the hands of the attackers. Small comfort, because with the stolen source code they can now search specifically for such vulnerabilities. On the positive side, the attacker(s) apparently had no access to the development infrastructure for the NGINX web server, which has belonged to F5 for six years. And according to the manufacturer's findings, customer, financial, and support databases were also spared.
Private keys stolen, but build process intact?
The software supply chain and build process, on the other hand, were not affected, according to an investigation conducted with security specialists from NCC Group and IOActive. However, this statement does not quite fit with another piece of loot. Apparently, the keys used for software and image signing also fell into the hands of the attackers, since the manufacturer has replaced its private keys and certificates.
As F5 explains in a support article, older software versions will no longer be able to verify images signed with the new keys, which can affect installations, updates, and the deployment of virtual machines.
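The signing-key rotation described above has two consequences that a model of the verification step makes concrete: a device whose trust store still holds only the old key rejects images signed with the new key (the compatibility problem F5 warns about), and a device whose trust store has been rotated rejects anything signed with the old, possibly leaked key (the reason the rotation is done at all). The following Go program is an added example and not F5's code; it assumes Ed25519 signatures over a SHA-256 digest and a key-ID field that names the signing key, neither of which the article specifies for F5's real image format, and all keys and image bytes are constructed from fixed seeds so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// TrustStore is the set of signing keys a device accepts for software images,
// keyed by a key identifier that ships with each signed image (assumed scheme).
type TrustStore map[string]ed25519.PublicKey

// SignedImage is a software image plus a detached Ed25519 signature over its SHA-256 digest.
type SignedImage struct {
	Name  string
	Image []byte
	KeyID string
	Sig   []byte
}

// keyFromSeed derives a deterministic key pair from a fixed, constructed seed so the
// example runs offline. Real signing keys are generated randomly and kept in an HSM.
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed)) // 32 bytes, the Ed25519 seed size
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage produces the detached signature a vendor would ship with an image.
func SignImage(name string, image []byte, keyID string, priv ed25519.PrivateKey) SignedImage {
	d := sha256.Sum256(image)
	return SignedImage{Name: name, Image: image, KeyID: keyID, Sig: ed25519.Sign(priv, d[:])}
}

// Verify is the check a device runs before installing an image: the key ID must be
// in the trust store and the signature must match. Unknown key IDs are rejected,
// which is why a device with a stale trust store fails on newly signed images.
func (ts TrustStore) Verify(img SignedImage) error {
	pub, ok := ts[img.KeyID]
	if !ok {
		return fmt.Errorf("%s: signing key %q is not trusted by this device", img.Name, img.KeyID)
	}
	d := sha256.Sum256(img.Image)
	if !ed25519.Verify(pub, d[:], img.Sig) {
		return fmt.Errorf("%s: signature does not verify under key %q", img.Name, img.KeyID)
	}
	return nil
}

// RotationOutcome records, for one trust-store state, whether an image signed with the
// new key and an image signed with the old (assumed leaked) key are accepted.
type RotationOutcome struct {
	AcceptsNewKeyImage bool
	AcceptsOldKeyImage bool
}

// RotationDemo builds two key generations and the two trust-store states a device can be
// in (before and after it has itself been updated) and reports what each accepts.
func RotationDemo() (before, after RotationOutcome) {
	oldPub, oldPriv := keyFromSeed("constructed-old-signing-key")
	newPub, newPriv := keyFromSeed("constructed-new-signing-key")
	image := []byte("constructed image bytes for demonstration only")

	signedWithNew := SignImage("hotfix-new", image, "vendor-key-2", newPriv)
	signedWithOld := SignImage("hotfix-old", image, "vendor-key-1", oldPriv) // what a holder of the old key could produce

	beforeStore := TrustStore{"vendor-key-1": oldPub} // device not yet updated
	afterStore := TrustStore{"vendor-key-2": newPub}  // rotated: old key removed, not merely supplemented

	before = RotationOutcome{
		AcceptsNewKeyImage: beforeStore.Verify(signedWithNew) == nil,
		AcceptsOldKeyImage: beforeStore.Verify(signedWithOld) == nil,
	}
	after = RotationOutcome{
		AcceptsNewKeyImage: afterStore.Verify(signedWithNew) == nil,
		AcceptsOldKeyImage: afterStore.Verify(signedWithOld) == nil,
	}
	return before, after
}

func main() {
	before, after := RotationDemo()
	fmt.Printf("stale trust store:   new-key image ok=%v, old-key image ok=%v\n", before.AcceptsNewKeyImage, before.AcceptsOldKeyImage)
	fmt.Printf("rotated trust store: new-key image ok=%v, old-key image ok=%v\n", after.AcceptsNewKeyImage, after.AcceptsOldKeyImage)
}
```

The point for operators is the second line of output: rotation only helps if the old key is removed from the trust store rather than kept alongside the new one, and that is precisely the step that breaks older software versions, so the device-side update has to be sequenced before the newly signed images are rolled out.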
F5 Patches: A Dozen for Free
Among the apparently leaked security vulnerabilities is one with a **high** severity (CVE-2025-53868, CVSS 8.7/10), which allows attackers with valid credentials to bypass security measures. However, the device must be running in Appliance Mode, and the attacker must already have access to the SCP or SFTP protocol (Secure Copy / Secure File Transfer Protocol).
There are also numerous vulnerabilities in F5OS and various submodules of BIG-IP, which F5 is now fixing. These include:
- 27 high-severity vulnerabilities, or 29 if the BIG-IP device is running in “Appliance Mode,”
- 16 medium-severity vulnerabilities, and
- 1 low-severity vulnerability.
Administrators should update quickly and be aware of the danger posed by the stolen data. The fact that the patches also involve a reissuance of code signing certificates is likely to cause additional sweat on sysadmins' brows.
CISA and NCSC on High Alert
The intrusion and the stolen security vulnerabilities prompted the US cybersecurity agency CISA to issue an urgent directive (“Emergency Directive”) to all federal agencies. By the middle of next week, or by the end of the month at the latest, their administrators must either patch affected devices or take them offline. They must also report which affected devices were found in their networks. However, due to the budget shutdown in the US, there may be delays if IT personnel have been laid off or sent on unpaid leave.
The British NCSC also joined the warnings. The German CERT-Bund initially only issued a security advisory, which, however, left out the network intrusion at F5.
(cku)