Monday November 03, 2025

Advisory ID: ngCERT-2025-100010

SUMMARY

ngCERT is issuing this alert on the exploitation of vulnerabilities in F5 devices and networks by threat actors. Notably, the threat actors compromised F5’s systems and exfiltrated files, including a portion of its BIG-IP source code and vulnerability information, enabling targeted exploits for credential access and network infiltration. The attack has implications for data exfiltration, financial losses and reputational damage. Reportedly, these vulnerabilities pose an imminent threat to government networks and organisations using F5 products, although no specific CVEs have been disclosed. F5 rotated its signing certificates and keys in October 2025 to address risks from the breach. ngCERT therefore urges all government agencies and organisations using F5 products to act promptly to prevent compromise of their systems and networks.

Damage: Critical

Probability: High

Platform(s): F5’s BIG-IP development and engineering platforms

DESCRIPTION

The breach was carried out through vulnerable internet-exposed software, a result of non-compliance with F5's own security guidelines, and gave the threat actors long-term access to development and engineering platforms. The exfiltrated data includes BIG-IP source code and vulnerability information, which facilitates static and dynamic analysis for flaws, exploit development, and access to embedded credentials and API keys. No specific CVEs have been disclosed yet, but the incident is related to F5's October 2025 Quarterly Security Notification and certificate/key rotation. Affected products include F5 BIG-IP hardware devices, F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IQ software, and BNK/CNF, with risks amplified for end-of-support devices. Exploitation requires no user interaction and can be remote if devices are internet-exposed. No public PoC exists, but the actor's knowledge increases the likelihood of exploitation.

CONSEQUENCES

Successful exploitation of F5 vulnerabilities could result in:

SOLUTION/MITIGATION

ngCERT recommends the following:

    1. Inventory and Assessment: Identify all F5 products (hardware, software, virtualised); conduct compromise assessments on internet-exposed management interfaces.
    2. Apply Updates and Patches: Install the latest F5 security updates from the October 2025 Quarterly Notification, validating MD5 checksums; prioritize for key products by October 22, 2025, and others by October 31, 2025.
    3. Certificate and Key Rotation: Rotate F5-associated digital certificates and keys per guidance; update BIG-IP image verification processes to recognise new signing keys.
    4. Harden Systems: Restrict management access, follow F5 hardening best practices such as K53108777 and disconnect or replace end-of-support devices.
    5. Monitoring and Reporting: Perform continuous threat hunting and report suspected compromises to ngCERT.
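
The following added example (not ngCERT or F5 code) shows one way to triage an inventory for steps 1 and 4: it flags management interfaces whose addresses fall outside internal ranges and ranks exposed end-of-support devices first. The CSV columns, hostnames and addresses are constructed, and treating a non-internal address as internet-exposed is an assumption to confirm against firewall and NAT rules.

```python
import csv
import io
import ipaddress

# Assumption: management addresses outside these ranges are treated as
# potentially internet-reachable; confirm real reachability at the firewall.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Constructed inventory: hypothetical hostnames, RFC 5737 documentation addresses.
SAMPLE_INVENTORY = """\
hostname,product,mgmt_ip,end_of_support
lb-edge-01,BIG-IP TMOS,203.0.113.10,no
lb-core-02,BIG-IP Virtual Edition,10.20.0.5,no
lb-legacy-03,BIG-IP hardware,198.51.100.7,yes
lb-lab-04,BIG-IQ,192.168.50.9,yes
lb-typo-05,F5OS,10.20.0.300,no
"""

def classify(mgmt_ip, end_of_support):
    """Return (priority, action) for one device; lower priority means act first."""
    try:
        addr = ipaddress.ip_address(mgmt_ip.strip())
    except ValueError:
        return 2, "fix inventory record, then reassess"
    exposed = not any(addr in net for net in INTERNAL_NETS)
    if exposed and end_of_support:
        return 1, "disconnect or replace; run compromise assessment"
    if exposed:
        return 2, "restrict management access; run compromise assessment"
    if end_of_support:
        return 3, "plan disconnect or replacement"
    return 4, "apply latest F5 security updates"

def triage(inventory_csv):
    """Parse the inventory CSV and return rows sorted by priority, then hostname."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        eos = rec["end_of_support"].strip().lower() == "yes"
        prio, action = classify(rec["mgmt_ip"], eos)
        rows.append((prio, rec["hostname"], rec["product"], action))
    return sorted(rows)

if __name__ == "__main__":
    for prio, host, product, action in triage(SAMPLE_INVENTORY):
        print(f"P{prio}  {host:<14} {product:<24} {action}")
```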
