Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities

F5 disclosed a long-term nation-state compromise of its corporate networks that resulted in the exfiltration of BIG-IP source code and information about previously undisclosed vulnerabilities, prompting the release of multiple high-severity CVEs and urgent mitigation guidance. The incident affects a large internet-exposed install base of BIG-IP devices and has led vendors such as Palo Alto Networks to publish protections, recommendations, and incident response options. #BIG-IP #CVE-2025-53868

Keypoints

  • A nation-state actor conducted a long-term compromise of F5 corporate networks, accessing the product development environment and engineering knowledge management platforms.
  • The attackers exfiltrated some BIG-IP source code and information about previously undisclosed vulnerabilities; F5 has not observed active exploitation of those undisclosed flaws.
  • F5 disclosed multiple high-severity vulnerabilities including CVE-2025-53868 (BIG-IP SCP/SFTP), CVE-2025-61955 (F5OS appliance mode), and CVE-2025-57780 (F5OS appliance mode).
  • Cortex Xpanse identifies over 600,000 internet-exposed F5 BIG-IP instances, increasing potential risk if exploits are developed.
  • F5 found no evidence of compromise to CRM, financial, support case management, iHealth, NGINX source, Distributed Cloud Services, Silverline, or software supply chain integrity.
  • Palo Alto Networks and Unit 42 recommend immediate application of F5 guidance, threat hunting, product protections, and use of Cortex Xpanse attack surface rules to identify exposed devices.
  • Immediate mitigation and a defense-in-depth posture are emphasized due to the theft of undisclosed vulnerability data that could accelerate exploit development.

MITRE Techniques

  • [T1078] Valid Accounts – Threat actor maintained long-term access to corporate product development and engineering knowledge management platforms, enabling exfiltration of source code and vulnerability information (“the attackers maintained long-term access to the company’s product development environment and engineering knowledge management platform”).
  • [T1041] Exfiltration Over C2 Channel – Attackers exfiltrated files containing BIG-IP source code and undisclosed vulnerability information from F5 environments (“the threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms”).
  • [T1608] Stage Capabilities – Theft of source code and undisclosed vulnerability information could enable rapid development of exploits and additional capabilities (“theft of source code and previously undisclosed vulnerabilities is significant and could potentially facilitate rapid exploitation of vulnerabilities”).
  • [T1592] Gather Victim Network Information – Exfiltrated knowledge management files contained configuration/implementation information for a small percentage of customers, revealing target-specific details (“some of the exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers”).

Indicators of Compromise

  • [Exposed Assets] Internet-exposed F5 BIG-IP instances – Cortex Xpanse identifies over 600,000 exposed BIG-IP instances.
  • [Vulnerabilities] CVEs disclosed in connection with the incident – CVE-2025-53868 (BIG-IP SCP/SFTP), CVE-2025-61955 (F5OS appliance mode), CVE-2025-57780 (F5OS appliance mode).
  • [Configurations] Customer configuration/implementation files – some exfiltrated knowledge management files contained configuration or implementation information for a subset of customers (examples not published).


Read more: https://unit42.paloaltonetworks.com/nation-state-threat-actor-steals-f5-source-code/