US tech company F5 confirmed a data breach in which nation-state attackers stole the source code and vulnerability information related to its BIG-IP family of networking and security products. BIG-IP is a critical infrastructure component used by enterprises for traffic management, load balancing, and security, making this breach particularly severe. The stolen data could enable adversaries to identify and exploit undiscovered flaws in BIG-IP systems, potentially leading to supply-chain attacks, unauthorized network access, or large-scale disruptions in organizations relying on F5’s solutions. The breach underscores the escalating risks of state-sponsored cyber espionage targeting foundational IT infrastructure, with implications for global cybersecurity resilience. F5 has not disclosed whether customer data was compromised, but the theft of proprietary code and vulnerability details poses a long-term threat to its product ecosystem and the broader digital supply chain.
TPRM report: https://www.rankiteo.com/company/f5
"id": "f50032500101925",
"linkid": "f5",
"type": "Breach",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': 'Enterprise Software',
'location': 'USA',
'name': 'Oracle',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'Global (Windows/Teams Users)',
'industry': 'Technology',
'location': 'USA',
'name': 'Microsoft',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'BIG-IP Customers',
'industry': 'Networking/Security',
'location': 'USA',
'name': 'F5',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'Experience Manager Users',
'industry': 'Software',
'location': 'USA',
'name': 'Adobe',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'Vanilla Tempest Targets',
'industry': 'Cross-Sector',
'location': 'Global',
'name': 'Multiple Organizations',
'size': 'Varies',
'type': 'Corporations/Institutions'},
{'customers_affected': 'IOS/IOS XE Users',
'industry': 'Networking',
'location': 'Global',
'name': 'Cisco Customers',
'size': 'Varies',
'type': 'Corporations/Governments'},
{'customers_affected': '$15B in Bitcoin Seized',
'industry': 'Finance',
'location': 'Global',
'name': 'Unnamed Crypto Scam Victims',
'type': 'Individuals/Institutions'},
{'customers_affected': 'G1 Robot Owners',
'industry': 'Robotics',
'location': 'China',
'name': 'Unitree Robotics',
'size': 'Medium',
'type': 'Corporation'},
{'customers_affected': 'Patients (72% Disrupted)',
'industry': 'Healthcare',
'location': 'USA',
'name': 'U.S. Healthcare Organizations',
'size': 'Varies (93% of orgs)',
'type': 'Hospitals/Clinics'}],
'attack_vector': ['Remote Exploitation',
['CVE-2025-24990 (Unknown)',
'CVE-2025-59230 (Unknown)',
'CVE-2025-47827 (Unknown)'],
'Nation-State Cyber Espionage',
'Misconfiguration Exploitation',
'Malicious Software Signing Certificates',
'CVE-2025-20352 (IOS/IOS XE)',
'Cryptocurrency Scam (Forced Labor)',
'Bluetooth Exploitation',
['Cloud Account Compromise',
'Ransomware',
'Supply Chain Intrusions',
'Business Email Compromise']],
'customer_advisories': ["Oracle: 'Apply CVE-2025-61884 patch within 48 "
"hours.'",
"Microsoft: 'October 2025 updates include critical "
"zero-day fixes.'",
"F5: 'No evidence of customer data exposure, but "
"monitor systems.'",
"Adobe: 'Audit AEM Forms configurations for "
"CVE-2025-54253.'",
"Microsoft: 'Verify Teams installer signatures.'",
"Cisco: 'Update IOS/IOS XE devices to mitigate "
"rootkit risk.'",
"Unitree: 'Avoid public Wi-Fi; update robot "
"firmware.'",
"CDC: 'Healthcare orgs must treat cybersecurity as "
"patient safety issue.'"],
'data_breach': {'data_encryption': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'data_exfiltration': [None,
None,
'Yes (Source Code)',
None,
None,
None,
None,
'Yes (China-Linked)',
'Likely (Ransomware)'],
'file_types_exposed': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'number_of_records_exposed': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'personally_identifiable_information': [None,
None,
None,
None,
None,
None,
None,
None,
'Yes (Patient Data)'],
'sensitivity_of_data': [None,
None,
'High (Proprietary Code)',
None,
None,
None,
None,
'High (Espionage Risk)',
'High (PHI/PII)'],
'type_of_data_compromised': [None,
None,
'Source Code & Vulnerability '
'Details',
None,
None,
None,
None,
'Robot Sensor Data',
['Patient Records',
'Cloud Credentials',
'PII']]},
'date_detected': ['2025-10-01 (Patch Tuesday)'],
'date_publicly_disclosed': ['2025-10-01 (Patch Tuesday)'],
'date_resolved': ['2025-10-01 (Patches Released)',
'2025-10-01 (Certificates Revoked)',
'2025-10-01 (Seizure)'],
'description': ['Oracle disclosed a remotely exploitable vulnerability '
'(CVE-2025-61884) in its E-Business Suite, requiring '
'immediate attention.',
"Microsoft's October 2025 Patch Tuesday addressed 175+ "
'vulnerabilities, including three zero-days (CVE-2025-24990, '
'CVE-2025-59230, CVE-2025-47827) actively exploited by '
'attackers.',
'F5 confirmed a breach where nation-state attackers stole '
'source code and vulnerability details for its BIG-IP '
'networking/security products.',
'CISA added CVE-2025-54253 (Adobe Experience Manager '
'misconfiguration) to its Known Exploited Vulnerabilities '
'catalog due to in-the-wild exploitation.',
'Microsoft revoked 200 software-signing certificates used by '
'Vanilla Tempest ransomware group to distribute malicious '
'Microsoft Teams installers.',
'Threat actors exploited CVE-2025-20352 (Cisco IOS/IOS XE) to '
'deploy Linux rootkits on vulnerable network switches.',
'The U.S. government seized $15 billion in Bitcoin tied to a '
'forced-labor crypto scam and human trafficking operation.',
'Alias Robotics revealed vulnerabilities in Unitree G1 '
'humanoid robots, enabling Bluetooth hacks and data leaks to '
'China.',
'Proofpoint reported 93% of U.S. healthcare organizations '
'faced cyberattacks (avg. 43 incidents/organization), with '
'72% disrupting patient care.'],
'impact': {'brand_reputation_impact': [None,
None,
'High (F5)',
None,
'High (Microsoft)',
'High (Cisco)',
'Severe (Crypto Scam)',
'High (Unitree/Alias Robotics)',
'Severe (Healthcare Sector)'],
'conversion_rate_impact': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'customer_complaints': [None,
None,
None,
None,
None,
None,
None,
None,
'High (Healthcare)'],
'data_compromised': [None,
None,
'BIG-IP Source Code & Vulnerability Info',
None,
None,
None,
None,
'Robot Sensor/Data Leaks',
['Patient Data',
'Cloud Account Credentials',
'Operational Data']],
'downtime': [None,
None,
None,
None,
None,
None,
None,
None,
'Patient Care Disruptions (72% of Incidents)'],
'financial_loss': [None,
None,
None,
None,
None,
None,
'$15 billion (Seized)',
None,
None],
'identity_theft_risk': [None,
None,
None,
None,
None,
None,
None,
None,
'High (Patient Data)'],
'legal_liabilities': [None,
None,
None,
None,
None,
None,
'Criminal Charges (Forced Labor)',
None,
'HIPAA/Regulatory Violations'],
'operational_impact': [None,
None,
'Source Code Integrity Risk',
None,
'Malware Distribution Infrastructure',
'Network Compromise (Rootkits)',
'Fraud Operation Shutdown',
'Espionage Risk (China-Linked)',
['Patient Care Delays',
'Clinical Workflow Disruptions',
'Supply Chain Compromises']],
'payment_information_risk': [None,
None,
None,
None,
None,
None,
'High',
None,
None],
'revenue_loss': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'systems_affected': ['Oracle E-Business Suite',
'Microsoft Products (Multiple)',
'F5 BIG-IP Networking/Security Products',
'Adobe Experience Manager (JEE)',
'Microsoft Teams (Malicious Installers)',
'Cisco Network Switches (IOS/IOS XE)',
'Cryptocurrency Wallets/Exchanges',
'Unitree G1 Humanoid Robots',
['Healthcare IT Systems',
'Cloud Accounts',
'Medical Devices']]},
'initial_access_broker': {'backdoors_established': [None,
None,
None,
None,
None,
'Linux Rootkits',
None,
None,
'Likely (Ransomware)'],
'data_sold_on_dark_web': [None,
None,
None,
None,
None,
None,
'Likely (Scam Proceeds)',
'Likely (Espionage)',
'Likely (Patient Data)'],
'entry_point': [None,
['CVE-2025-24990',
'CVE-2025-59230',
'CVE-2025-47827'],
None,
'Misconfigured AEM JEE',
'Compromised Software Signing '
'Certificates',
'CVE-2025-20352 (IOS/IOS XE)',
'Phishing/Social Engineering '
'(Forced Labor Scam)',
'Bluetooth Interface',
['Phishing Emails',
'Stolen Cloud Credentials',
'Supply Chain Compromises']],
'high_value_targets': [None,
None,
'BIG-IP Source Code',
None,
'Microsoft Teams '
'Distribution Channels',
'Cisco Network Devices',
'Cryptocurrency Wallets',
'Robot Sensor Data',
['Patient Databases',
'EHR Systems',
'Billing Systems']],
'reconnaissance_period': [None,
None,
None,
None,
None,
None,
'Months (Scam)',
None,
None]},
'investigation_status': ['Ongoing (Oracle)',
'Closed (Microsoft Patches)',
'Ongoing (F5)',
'Ongoing (Adobe)',
'Closed (Certificates Revoked)',
'Ongoing (Cisco)',
'Closed (Assets Seized)',
'Ongoing (Unitree)',
'Ongoing (Healthcare Sector)'],
'lessons_learned': ['Proactive vulnerability management is critical for '
'enterprise software (Oracle).',
'Zero-day exploits underscore the need for rapid patch '
'deployment (Microsoft).',
'Nation-state threats target high-value intellectual '
'property (F5).',
'Misconfigurations in enterprise software remain a top '
'attack vector (Adobe).',
'Certificate abuse highlights risks in software supply '
'chains (Microsoft Teams).',
'Network device vulnerabilities can enable persistent '
'rootkit infections (Cisco).',
'Cryptocurrency fraud operations require cross-agency '
'coordination (DOJ).',
'IoT/robotics security lags behind espionage risks '
'(Unitree G1).',
'Healthcare cybersecurity gaps directly impact patient '
'safety (Proofpoint).'],
'motivation': ['Cyber Espionage (Source Code Theft)',
'Financial Gain (Ransomware)',
'Financial Gain (Crypto Fraud)',
'Espionage/Data Theft',
['Financial Gain', 'Disruption (Patient Care)', 'Data Theft']],
'post_incident_analysis': {'corrective_actions': ['Oracle: Accelerate '
'vulnerability disclosure '
'timelines.',
'Microsoft: Expand zero-day '
'detection capabilities.',
'F5: Enhance code '
'repository security '
'controls.',
'Adobe: Automate '
'configuration audits for '
'AEM.',
'Microsoft: Implement '
'certificate transparency '
'logging.',
'Cisco: Harden IOS/XE '
'against rootkit '
'persistence.',
'FinCEN: Update crypto '
'transaction reporting '
'rules.',
'Unitree: Partner with '
'security firms for '
'firmware audits.',
['HHS: Enforce '
'cybersecurity minimum '
'standards for healthcare.',
'CMS: Tie Medicare '
'reimbursements to '
'cybersecurity compliance.',
'FDA: Mandate medical '
'device security '
'updates.']],
'root_causes': ['Unpatched Oracle EBS '
'vulnerability.',
'Zero-day exploitation before '
'patches (Microsoft).',
'Insufficient source code '
'protection (F5).',
'Adobe AEM misconfiguration '
'oversight.',
'Certificate authority process '
'gaps (Microsoft).',
'Delayed Cisco IOS/XE patching.',
'Lack of crypto transaction '
'monitoring (DOJ).',
'Insecure Bluetooth implementation '
'(Unitree).',
['Underfunded healthcare IT '
'security.',
'Legacy system vulnerabilities.',
'Third-party risk management '
'failures.']]},
'ransomware': {'data_encryption': [None,
None,
None,
None,
None,
None,
None,
None,
'Likely (Ransomware)'],
'data_exfiltration': [None,
None,
None,
None,
None,
None,
None,
None,
'Likely (Double Extortion)'],
'ransom_demanded': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'ransom_paid': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'ransomware_strain': [None,
None,
None,
None,
'Vanilla Tempest',
None,
None,
None,
None]},
'recommendations': ['Prioritize patching for remotely exploitable '
'vulnerabilities (Oracle EBS).',
'Accelerate zero-day response timelines with automated '
'patch management (Microsoft).',
'Isolate and monitor high-value code repositories (F5).',
'Audit Adobe Experience Manager configurations for '
'CVE-2025-54253.',
'Implement certificate transparency monitoring (Microsoft '
'Teams).',
'Deploy network traffic anomaly detection for Cisco '
'devices (CVE-2025-20352).',
'Enhance AML controls for cryptocurrency transactions '
'(DOJ).',
'Hardware vendors must adopt secure-by-design principles '
'(Unitree).',
['Mandate HIPAA-compliant encryption for healthcare apps.',
'Conduct third-party risk assessments for cloud '
'providers.',
'Implement healthcare-specific SOCs with 24/7 '
'monitoring.']],
'references': [{'date_accessed': '2025-10-14', 'source': 'Help Net Security'},
{'date_accessed': '2025-10-01',
'source': 'Oracle Security Alert'},
{'date_accessed': '2025-10-01',
'source': 'Microsoft Security Update Guide',
'url': 'https://msrc.microsoft.com/update-guide'},
{'date_accessed': '2025-10-01',
'source': 'F5 Security Advisory'},
{'date_accessed': '2025-10-01',
'source': 'CISA KEV Catalog',
'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog'},
{'date_accessed': '2025-10-01',
'source': 'Microsoft Security Blog (Vanilla Tempest)'},
{'date_accessed': '2025-10-01',
'source': 'Cisco Security Advisory (CVE-2025-20352)'},
{'date_accessed': '2025-10-01',
'source': 'U.S. Department of Justice Press Release'},
{'date_accessed': '2025-10-01',
'source': 'Alias Robotics Unitree G1 Analysis'},
{'date_accessed': '2025-10-01',
'source': 'Proofpoint 2025 Healthcare IT Report'}],
'regulatory_compliance': {'fines_imposed': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'legal_actions': [None,
None,
None,
None,
None,
None,
'Criminal Prosecution (Forced '
'Labor)',
None,
'Potential HIPAA Enforcement'],
'regulations_violated': [None,
None,
None,
None,
None,
None,
'Anti-Money Laundering '
'(AML)',
None,
['HIPAA',
'State Data Breach Laws']],
'regulatory_notifications': [None,
None,
None,
'CISA KEV Catalog',
None,
None,
None,
None,
None]},
'response': {'adaptive_behavioral_waf': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'communication_strategy': [None,
'Patch Tuesday Announcement',
'Public Breach Disclosure',
'CISA KEV Catalog Update',
'Microsoft Security Blog',
'Cisco Security Advisory',
'DOJ Press Release',
'Alias Robotics Advisory',
'Healthcare IT Alerts'],
'containment_measures': [None,
'Patches Released',
None,
None,
'Certificate Revocation',
None,
'Asset Seizure',
None,
['Incident Response Teams',
'Cloud Security Lockdowns']],
'enhanced_monitoring': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'incident_response_plan_activated': [None,
'Yes (Microsoft Patch '
'Tuesday)',
None,
None,
'Yes (Certificate '
'Revocation)',
None,
'Yes (DOJ Seizure)',
None,
'Varies (Healthcare '
'Sector)'],
'law_enforcement_notified': [None,
None,
None,
None,
None,
None,
'Yes (DOJ)',
None,
None],
'network_segmentation': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'on_demand_scrubbing_services': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'recovery_measures': [None,
None,
None,
None,
None,
None,
None,
None,
None],
'remediation_measures': ['Patch for CVE-2025-61884',
'October 2025 Security Updates',
None,
'AEM JEE Misconfiguration Fix',
'Malicious Cert Blacklisting',
'Cisco IOS/IOS XE Patches',
None,
'Bluetooth Protocol Updates',
['HIPAA Compliance Reviews',
'Staff Training']],
'third_party_assistance': [None,
None,
None,
None,
None,
None,
'Law Enforcement (DOJ)',
None,
None]},
'stakeholder_advisories': ['Oracle customers urged to apply patches '
'immediately.',
'Microsoft recommends prioritizing zero-day '
'patches.',
'F5 advises BIG-IP customers to monitor for '
'suspicious activity.',
'Adobe urges AEM JEE users to verify '
'configurations.',
'Microsoft Teams users warned of malicious '
'installers.',
'Cisco issues advisory for IOS/IOS XE users.',
'DOJ warns financial institutions about crypto '
'scam indicators.',
'Alias Robotics recommends disabling Bluetooth on '
'Unitree G1.',
'HHS issues alert on healthcare cyberattack '
'surge.'],
'threat_actor': ['Nation-State Attackers',
'Vanilla Tempest (Ransomware Group)',
'Cryptocurrency Fraud Syndicate',
['Unspecified (Healthcare Targeted)',
'Cloud Account Hijackers',
'Ransomware Operators']],
'title': ['Oracle E-Business Suite Remotely Exploitable Vulnerability '
'(CVE-2025-61884)',
'Microsoft Zero-Day Exploits (CVE-2025-24990, CVE-2025-59230, '
'CVE-2025-47827)',
'F5 Data Breach: Nation-State Attackers Stole BIG-IP Source Code',
"Adobe Experience Manager 'Perfect' Vulnerability (CVE-2025-54253)",
'Microsoft Revokes 200 Certificates Used for Malicious Teams '
'Installers (Vanilla Tempest Ransomware)',
'Cisco Zero-Day Rootkit Deployment on Network Switches '
'(CVE-2025-20352)',
'U.S. Seizes $15B in Bitcoin Linked to Forced-Labor Crypto Scam',
'Unitree G1 Humanoid Robot Bluetooth Vulnerability (Espionage Risk)',
'Healthcare Cybersecurity Breakdown: 93% of U.S. Organizations '
'Attacked (Patient Care Disruptions)'],
'type': ['Vulnerability',
'Zero-Day Exploits',
'Data Breach',
'Vulnerability',
'Malware Distribution (Ransomware)',
'Zero-Day Exploit (Rootkit)',
'Cryptocurrency Fraud',
'Hardware Vulnerability (Espionage)',
'Cyberattack Campaign (Healthcare)'],
'vulnerability_exploited': ['CVE-2025-61884 (Oracle EBS)',
['CVE-2025-24990',
'CVE-2025-59230',
'CVE-2025-47827'],
'CVE-2025-54253 (AEM Misconfiguration)',
'CVE-2025-20352 (Cisco IOS/IOS XE)',
'Bluetooth Protocol Flaws']}