Triskele Labs Blog

F5 Security Incident and Patch Advisory

Written by Adam Skupien, Vulnerability Security Analyst | Oct 16, 2025 11:25:56 PM

Published: Friday 17 October 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

This alert highlights multiple high-severity vulnerabilities disclosed by F5 in its October 2025 Quarterly Security Notification (QSN) and a related cybersecurity incident impacting F5’s internal systems.

The vulnerabilities affect BIG-IP, BIG-IQ, F5OS, and BIG-IP Next. F5 confirmed that a nation-state actor accessed internal development systems but found no evidence of exploitation or customer compromise. However, a limited number of exfiltrated files from F5’s knowledge management platform contained configuration or implementation information for a small percentage of customers, whom F5 is contacting directly. Independent reviews verified that the integrity of F5’s software supply chain and release pipelines was not compromised or modified.

While no exploitation has been observed, the vulnerabilities could allow privilege escalation, information disclosure, or service disruption. The Australian Cyber Security Centre (ACSC) has issued an advisory highlighting these vulnerabilities and the associated F5 incident, urging Australian organisations to apply the latest updates and follow vendor mitigation advice. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released Emergency Directive ED-26-01 on 15 October 2025, outlining mandatory actions for federal agencies including patching, restricting management interfaces, and removing unsupported devices.

Vulnerability details

On 15 October 2025, F5 disclosed multiple high-severity vulnerabilities through its October 2025 QSN, alongside a statement regarding a cybersecurity incident affecting internal systems. The incident involved exfiltration of BIG-IP source code and vulnerability research data. However:

  • Independent investigations by NCC Group and IOActive confirmed that the F5 software supply chain and build and release pipelines were not modified.

  • No evidence of compromise to customer systems has been detected. However, a small subset of files exfiltrated from F5’s internal knowledge management platform contained limited configuration or implementation information for a small number of customers. F5 is reviewing these files and contacting affected customers directly.

  • No exploitation of the disclosed vulnerabilities has been observed to date.

That same day, CISA issued Emergency Directive ED-26-01, requiring agencies to apply F5 patches, remove unsupported systems, and restrict management interfaces.

Timeline of Key Events:

(All dates shown in Australian Eastern Daylight Time – AEDT)

  • August 2025: F5 detected persistent unauthorised access within internal BIG-IP development and engineering systems.
  • September 2025: Third-party forensic and containment activities initiated with assistance from CrowdStrike, Mandiant, NCC Group, and IOActive.
  • 16 October 2025: F5 released the Security Incident Advisory (K000154696) and the October 2025 Quarterly Security Notification (K000156572), including patched software versions and hotfixes for supported products.
  • 16 October 2025: The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED-26-01, requiring U.S. federal agencies to implement immediate mitigations.
  • 16 October 2025: The Australian Cyber Security Centre (ACSC) published its advisory recommending that affected Australian organisations apply patches and follow the vendor’s guidance.

Affected Products:

The vulnerabilities disclosed in the October 2025 Quarterly Security Notification (K000156572) affect the following F5 products and components:

  • BIG-IP (All Modules)

  • BIG-IP Next (SPK / CNF)

  • BIG-IQ

  • F5OS-A / F5OS-C

  • BIG-IP Advanced WAF / ASM

  • NGINX App Protect

F5 Silverline and Distributed Cloud Services are not impacted.

A total of 44 vulnerabilities were disclosed in the October 2025 Quarterly Security Notification (K000156572). All vulnerabilities were rated Medium to High severity (CVSS v3.1 up to 8.7, CVSS v4.0 up to 8.8), with no confirmed remote code execution vulnerabilities. Additionally, F5 identified one Security Exposure in BIG-IP AFM, where a specific configuration scenario could reduce the effectiveness of certain denial-of-service protections.

Organisations should review F5 Article K000156572 to confirm whether their systems are affected and apply the appropriate patches or hotfixes for their product versions.

Some vulnerabilities listed in the October 2025 QSN currently have no fixed software version available for certain BIG-IP Next (SPK and CNF) builds. Organisations running affected versions should follow F5’s mitigation advice in Article K000156572 and plan to upgrade once a fix becomes available.

Impact

Exploitation of these vulnerabilities could allow attackers to gain elevated privileges, access sensitive information, or disrupt F5 application delivery services.

While no exploitation has been confirmed, the theft of source code and vulnerability data increases the risk of future targeted attacks.

Organisations should prioritise patching and mitigation efforts, and closely monitor future F5 advisories and updates to stay protected against emerging threats.

Mitigation actions

F5 has released patched versions addressing most of the disclosed vulnerabilities across supported products. Some issues, particularly within certain BIG-IP Next components, are pending fixes. Organisations using affected F5 platforms should act promptly to reduce risk and maintain compliance with vendor and government guidance.

Recommended Actions:

  • Apply updates to the latest fixed versions listed in the October 2025 QSN or newer hotfixes.
  • Restrict management and control-plane access to trusted internal networks or jump hosts using firewall rules, network segmentation, or VPN controls to prevent unauthorised access.
  • Replace or upgrade unsupported and end-of-life systems to ensure ongoing security patching and vendor support.
  • Ensure BIG-IP systems are configured to forward syslog data to a SIEM or central log collection platform for continuous monitoring of administrative logins, configuration changes, and authentication activity.
  • Subscribe to F5 security advisories for ongoing updates.

Following ACSC and CISA guidance will significantly reduce the likelihood of compromise. Regular patching and continuous monitoring remain essential.

Detection capabilities

Detection and response platforms can monitor for activity associated with exploitation of F5 vulnerabilities. Because BIG-IP devices are appliances, they cannot host EDR or SIEM agents, which reduces direct host-level visibility; forwarded logs are therefore the primary source of telemetry from these devices.

F5 recommends forwarding all relevant logs to a remote SIEM or syslog server to ensure visibility into administrative and authentication events.

Detection Practices

  • Configure remote syslog forwarding for BIG-IP to send logs to a SIEM or central log collection platform for continuous monitoring.
  • Review logs under /var/log/ for failed or unusual administrative logins and authentication attempts.
  • Monitor for unexpected configuration changes or privilege escalations that may indicate compromise.
  • Use F5’s Threat Hunting Guide (available via customer support) for detailed search criteria.
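One way to turn the detection practices above into a concrete check, as an added example that is not from the original advisory or from F5: a small Python analyser that reads BIG-IP-style syslog lines (constructed samples embedded in the block, modelled on the /var/log/secure login audit and /var/log/audit tmsh command audit formats, which vary by version and are assumed here), flags bursts of failed administrative logins that are followed by a success, and lists account, management allow-list and logging changes from the command audit.

```python
import re
from datetime import datetime
# Constructed sample lines in the style of BIG-IP /var/log/secure (httpd login audit) and
# /var/log/audit (tmsh command audit). Assumption: illustrative only; formats vary by version.
SAMPLE_LOGS = """\
Oct 16 08:01:11 bigip1 err httpd[2231]: 01070417:3: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) host=203.0.113.9 attempts=1 - failed
Oct 16 08:01:15 bigip1 err httpd[2231]: 01070417:3: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) host=203.0.113.9 attempts=2 - failed
Oct 16 08:01:19 bigip1 err httpd[2231]: 01070417:3: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) host=203.0.113.9 attempts=3 - failed
Oct 16 08:01:25 bigip1 notice httpd[2231]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) host=203.0.113.9 attempts=4 - ok
Oct 16 08:02:02 bigip1 notice tmsh[2410]: 01420002:5: AUDIT - pid=2410 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc-backup role admin shell bash
Oct 16 08:02:30 bigip1 notice tmsh[2410]: 01420002:5: AUDIT - pid=2410 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys httpd allow replace-all-with { all }
Oct 16 09:11:00 bigip1 notice tmsh[2602]: 01420002:5: AUDIT - pid=2602 user=ops folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
"""
AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ \w+ httpd\[\d+\]: \S+ AUDIT - user (\S+)"
                     r" - RAW: .*?host=(\S+) .*? - (failed|ok)$")
CMD_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ \w+ tmsh\[\d+\]: \S+ AUDIT - .*?user=(\S+) .*?cmd_data=(.*)$")
# Changes worth an analyst's eye: new/altered accounts or shells, loosened management allow lists, logging changes.
RISKY_CMD_RE = re.compile(r"^(create|modify) (auth user|sys (httpd|sshd) allow|sys syslog)\b")

def _ts(stamp, year):  # syslog timestamps carry no year, so one is assumed by the caller
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_line(line, year=2025):
    """Return an event dict for a recognised login or command audit line, else None."""
    if m := AUTH_RE.match(line):
        return {"kind": "auth", "ts": _ts(m[1], year), "user": m[2], "host": m[3], "ok": m[4] == "ok"}
    if m := CMD_RE.match(line):
        return {"kind": "cmd", "ts": _ts(m[1], year), "user": m[2], "cmd": m[3]}
    return None

def failed_login_bursts(events, threshold=3, window_s=60):
    """Flag (user, host) pairs with >= threshold failures inside window_s; note whether a success followed."""
    alerts, by_pair = [], {}
    for e in (e for e in events if e["kind"] == "auth"):
        by_pair.setdefault((e["user"], e["host"]), []).append(e)
    for (user, host), evs in by_pair.items():
        fails = [e["ts"] for e in evs if not e["ok"]]  # events are assumed to be in time order
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                after = any(e["ok"] and e["ts"] > fails[i + threshold - 1] for e in evs)
                alerts.append({"user": user, "host": host, "failures": len(fails), "success_after": after})
                break  # one alert per (user, host) pair is enough for triage
    return alerts

def risky_changes(events):
    return [(e["user"], e["cmd"]) for e in events if e["kind"] == "cmd" and RISKY_CMD_RE.match(e["cmd"])]

def analyse(text):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return {"login_bursts": failed_login_bursts(events), "risky_changes": risky_changes(events)}
```

Running analyse(SAMPLE_LOGS) reports one burst (three failed admin logins from 203.0.113.9 within eight seconds, then a success) and two risky commands, while the benign list command is ignored.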

Triskele Labs customers with the Vulnerability Scanning service are being scanned for exposure, while customers under the Managed Detection and Response (MDR) service are continuously monitored for related indicators of compromise.
