F5

F5, a global provider of application security and multi-cloud management services, disclosed a breach by a nation-state threat actor that stole its BIG-IP source code and information about undisclosed vulnerabilities. The attackers maintained long-term persistent access to F5’s development environment and exfiltrated files, including customer configuration data and API keys. While F5 stated that no active exploitation of the undisclosed vulnerabilities was detected, the stolen information could enable lateral movement within networks, data exfiltration, and persistent system access, risking full compromise of targeted systems. The breach also exposed implementation details for a small percentage of customers, heightening supply chain risk. CISA issued an emergency directive requiring federal agencies to patch F5 devices by October 22, 2024, and to report all instances by October 29, 2024, citing potential downstream impacts on federal networks and critical infrastructure. F5 is collaborating with CrowdStrike, Mandiant, and government agencies to mitigate the risk, but acknowledged that the incident could erode trust and pose ongoing threats to organizations relying on BIG-IP products.

Source: https://federalnewsnetwork.com/cybersecurity/2025/10/cisa-directs-agencies-to-address-significant-cyber-threat/

TPRM report: https://www.rankiteo.com/company/f5

"id": "f52892228101525",
"linkid": "f5",
"type": "Breach",
"date": "10/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Small percentage (configuration '
                                              'data exposed)',
                        'industry': 'Application Security/Network Delivery',
                        'location': 'Global (HQ: Seattle, WA, USA)',
                        'name': 'F5, Inc.',
                        'size': 'Large (Fortune 500, 80% of Fortune 500 '
                                'clients)',
                        'type': 'Technology Company'},
                       {'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'U.S. Federal Civilian Executive Branch (FCEB) '
                                'Agencies',
                        'size': 'Multiple Agencies (15+ executive branch '
                                'agencies, including DoD)',
                        'type': 'Government'}],
 'attack_vector': ['Exploitation of Undisclosed Vulnerabilities',
                   'Long-Term Persistent Access',
                   'Source Code Theft'],
 'customer_advisories': ['Urgent patching guidance',
                         'Threat intelligence sharing',
                         'Hardening recommendations'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Source Code Files',
                                        'Knowledge Management Documents',
                                        'Customer Implementation Guides'],
                 'sensitivity_of_data': 'High (Source Code, Vulnerability '
                                        'Details, Customer-Specific '
                                        'Configurations)',
                 'type_of_data_compromised': ['Source Code',
                                              'Customer Configuration Data',
                                              'Undisclosed Vulnerability '
                                              'Details',
                                              'API Keys',
                                              'Embedded Credentials']},
 'date_detected': '2024-08-09',
 'date_publicly_disclosed': '2024-10-08',
 'description': 'CISA issued an emergency directive requiring federal agencies '
                "to address vulnerabilities in F5's BIG-IP platform after the "
                'company disclosed a breach by a nation-state threat actor. '
                'The hackers accessed source code, customer data, and '
                'undisclosed vulnerabilities, potentially enabling lateral '
                'movement, data exfiltration, and persistent system access. F5 '
                'confirmed the breach occurred on August 9, 2024, with '
                'long-term persistence in its systems, including the BIG-IP '
                'development environment. While no active exploitation of '
                'undisclosed vulnerabilities was detected, stolen files '
                'included customer configuration details and API keys. '
                'Agencies were directed to identify and patch affected devices '
                'by October 22, 2024, and report findings by October 29, 2024.',
 'impact': {'brand_reputation_impact': 'High (Trust Erosion, Public Disclosure '
                                       'of Breach)',
            'data_compromised': ['BIG-IP Source Code',
                                 'Customer Configuration/Implementation Data',
                                 'Undisclosed Vulnerability Details',
                                 'API Keys',
                                 'Embedded Credentials'],
            'operational_impact': ['Potential Lateral Movement in Federal '
                                   'Networks',
                                   'Risk of Full System Compromise',
                                   'Mandatory Patching/Remediation for Federal '
                                   'Agencies'],
            'systems_affected': ['F5 BIG-IP Hardware/Software',
                                 'BIG-IP Development Environment',
                                 'Engineering Knowledge Management Platform']},
 'initial_access_broker': {'high_value_targets': ['BIG-IP Source Code',
                                                  'Undisclosed Vulnerability '
                                                  'Research',
                                                  'Customer Configuration '
                                                  'Data'],
                           'reconnaissance_period': 'Prolonged (long-term '
                                                    'persistent access '
                                                    'confirmed)'},
 'investigation_status': 'Ongoing (F5 coordinating with CrowdStrike, Mandiant, '
                         'and government partners)',
 'lessons_learned': '1. Supply chain risks require proactive vendor '
                    'monitoring. 2. Delayed disclosure (via national security '
                    'exemption) balances transparency and investigation needs. '
                    '3. Federal coordination is critical for widespread '
                    'vulnerabilities. 4. Persistent access highlights need for '
                    'continuous threat hunting.',
 'motivation': ['Espionage',
                'Intellectual Property Theft',
                'Potential Future Exploitation'],
 'post_incident_analysis': {'corrective_actions': ['Source code and build '
                                                   'pipeline validation.',
                                                   'Enhanced access controls '
                                                   'for development '
                                                   'environments.',
                                                   'Proactive vulnerability '
                                                   'disclosure process '
                                                   'improvements.',
                                                   'Federal agency patching '
                                                   'compliance enforcement.'],
                            'root_causes': ['Undisclosed vulnerabilities in '
                                            'BIG-IP development environment.',
                                            'Insufficient protection of '
                                            'engineering knowledge management '
                                            'systems.',
                                            "Nation-state actor's advanced "
                                            'persistent threat (APT) '
                                            'tactics.']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Immediate patching of F5 BIG-IP systems (prioritize '
                     'internet-facing devices).',
                     'Review and rotate embedded credentials/API keys in '
                     'BIG-IP deployments.',
                     'Enhance monitoring for lateral movement indicators.',
                     'Conduct supply chain risk assessments for critical '
                     'vendors.',
                     'Validate software build pipelines post-breach.',
                     'Share threat intelligence with CISA and peers.'],
 'references': [{'date_accessed': '2024-10-08',
                 'source': 'Federal News Network',
                 'url': 'https://federalnewsnetwork.com'},
                {'date_accessed': '2024-10-08', 'source': 'F5 SEC Filing'},
                {'date_accessed': '2024-10-08',
                 'source': 'CISA Emergency Directive',
                 'url': 'https://www.cisa.gov'},
                {'date_accessed': '2024-10-08',
                 'source': 'F5 Advisory',
                 'url': 'https://www.f5.com'}],
 'regulatory_compliance': {'regulatory_notifications': ['SEC Filing (National '
                                                        'Security Exemption '
                                                        'Granted)',
                                                        'CISA Emergency '
                                                        'Directive']},
 'response': {'communication_strategy': ['SEC Filing',
                                         'Public Advisory on F5 Website',
                                         'CISA Emergency Directive',
                                         'Press Briefing'],
              'containment_measures': ['Isolation of Affected Systems',
                                       'Revocation of Compromised '
                                       'Credentials/Keys'],
              'enhanced_monitoring': 'Likely (per CISA directive)',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['Customer Notifications',
                                    'Source Code/Build Pipeline Validation'],
              'remediation_measures': ['Patching BIG-IP Software (deadline: '
                                       '2024-10-22)',
                                       'Hardening F5 Systems'],
              'third_party_assistance': ['CrowdStrike',
                                         'Mandiant',
                                         'Other Cybersecurity Firms']},
 'stakeholder_advisories': ['CISA Emergency Directive to Federal Agencies',
                            'F5 Customer Notifications (targeted)',
                            'Public Press Briefing'],
 'threat_actor': 'Nation-State Actor (unattributed publicly)',
 'title': 'Nation-State Hack Targeting F5 BIG-IP Vulnerabilities',
 'type': ['Supply Chain Attack', 'Data Breach', 'Unauthorized Access'],
 'vulnerability_exploited': ['Undisclosed BIG-IP Vulnerabilities (under '
                             'investigation)',
                             'Embedded Credentials in BIG-IP',
                             'API Key Exposure']}