CISA Emergency Directive on F5 Device Vulnerabilities Exploited by Nation-State Actors
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to immediately patch critical vulnerabilities in F5 devices and software following the discovery of a nation-state cyber intrusion. CISA identified that a sophisticated threat actor, linked to China, has been actively exploiting vulnerabilities in F5 products, posing an imminent threat to federal networks. The vulnerabilities allow attackers to gain unauthorized access to embedded credentials and API keys, which can be leveraged to move laterally within affected networks. This access enables the exfiltration of sensitive data and the establishment of persistent access, potentially resulting in a full compromise of targeted information systems. F5 disclosed that the threat actor had maintained long-term, persistent access to its BIG-IP development environment and engineering knowledge management platforms, leading to the exfiltration of files.

CISA's Emergency Directive 26-01 mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the latest vendor-provided updates to at-risk F5 devices and software, including F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF, by October 22, 2025. Agencies are also instructed to follow F5's Quarterly Security Notification for further mitigation steps. The directive was issued despite ongoing challenges such as a government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015, underscoring the urgency and severity of the threat.

CISA's acting director emphasized the alarming ease with which these vulnerabilities can be exploited and warned that the risks extend beyond federal agencies to any organization using F5 technology. The agency highlighted the potential for catastrophic compromise of critical information systems if the vulnerabilities are not addressed promptly.
The directive is part of a broader effort to protect federal networks from nation-state adversaries and to ensure the security of sensitive government data. CISA’s response follows a pattern of nation-state actors targeting widely used enterprise technologies to gain access to high-value networks. The agency’s public statements and technical guidance stress the importance of immediate action and cross-sector vigilance. F5’s own disclosures and cooperation with CISA have been critical in identifying the scope of the intrusion and the necessary remediation steps. The incident has raised concerns about the security of supply chains and the potential for similar attacks on other technology vendors. Federal agencies are being closely monitored for compliance with the directive, and CISA is providing ongoing support and threat intelligence updates. The event highlights the persistent and evolving nature of nation-state cyber threats targeting critical infrastructure and government systems.
How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
Reports link the F5 intrusion to China-backed actors
Media reports, citing sources, said Chinese state-sponsored actors were behind the F5 breach, with one report naming UNC5221. Neither F5 nor CISA publicly confirmed the attribution at the time, and China denied the allegations.
CISA issues emergency directive on F5 vulnerabilities
CISA issued an emergency directive ordering federal civilian agencies to patch or otherwise secure vulnerable F5 devices, citing critical vulnerabilities and the risk posed by the intrusion. Agencies were instructed to secure or disconnect affected systems by October 22, 2025.
F5 releases patches and notifies affected customers
Following the breach, F5 issued patches for affected products and began directly notifying impacted customers. The company also increased monitoring, strengthened security controls, and launched code reviews and penetration testing.
F5 detects the breach and begins containment
F5 detected the compromise in August 2025 and began containment and remediation efforts. The company later said it had no evidence that stolen undisclosed vulnerabilities were being actively exploited.
Nation-state actors infiltrate F5 internal systems
A nation-state intrusion compromised F5's internal development and engineering environment and reportedly persisted for more than a year. The attackers stole sensitive proprietary information, including source code and internal vulnerability research tied to BIG-IP products.