The Cybersecurity and Infrastructure Security Agency is warning the public of active cyberthreats targeting vulnerabilities found in devices and software made by the cybersecurity company F5.
In an emergency directive issued Wednesday, the agency said attackers can exploit flaws in F5 products and gain unauthorized access to embedded credentials and application programming interface keys.
Leaders from CISA and the Department of Homeland Security will be present at the Potomac Officers Club’s 2025 Homeland Security Summit on Nov. 12. Learn more about the present and emerging threats to the nation and network with prominent industry figures at the in-person event. Secure your tickets now.
Details of F5 Breach
The directive follows F5’s disclosure that an unidentified nation-state cyber threat actor has long-term, persistent access to and has extracted data from the company’s BIG-IP product development environment and engineering knowledge management platforms.
F5 has applied measures to contain the threat and has since not observed malicious behaviors in its systems. The company said it is also taking further steps to protect customers and has rolled out updates to affected products, including BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM.
What Affected Organizations Must Do
The emergency directive instructs federal civilian executive branch agencies and other organizations from the public and private sectors to identify and update at-risk F5 virtual and physical devices and software.
“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” stated CISA Acting Director Madhu Gottumukkala. “These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems. We emphatically urge all entities to implement the actions outlined in this Emergency Directive without delay.”
In line with the directive, the Federal Risk and Authorization Management Program also published a notice to inform cloud service providers, or CSPs, about the threat. CSPs that use affected F5 devices within their respective FedRAMP authorization boundaries are tasked to complete vulnerability response actions, such as applying vendor-supplied patches and removing access of affected devices to the public internet, by Oct. 22.
