A nation-state actor has breached F5’s systems and stolen proprietary files, including portions of the BIG-IP source code and vulnerability details. This access gives the attacker a significant advantage, enabling them to discover new flaws and develop targeted exploits for F5 devices and software.
This TR applies to a wide range of F5 products, including BIG-IP iSeries and rSeries hardware, as well as BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, and BIG-IQ software.
We strongly recommend reviewing all your deployed BIG-IP products and applying the recommendations from the vendor as mentionned in K000156572: Quarterly Security Notification (October 2025).
Known affected software in Luxembourg
A significant number of BIG-IP devices were discovered in Luxembourg, and notifications have been sent to the ISPs and available contact points.
Based on the information available from the disclosure, we have not found any compromised or abused systems. Many of the vulnerabilities are related to potential Denial-of-Service (DoS) attacks, which should also be monitored. We also recommend looking closely at your logs.
References
- F5 - K000156572: Quarterly Security Notification (October 2025)
- CIRCL - F5 - K000156572: Quarterly Security Notification (October 2025 - CVE Allocated)
- CIRCL - RULEZET.org - Threat Hunting Methodology: F5 Security Incident (K000154696)
- CISA - ED 26-01: Mitigate Vulnerabilities in F5 Devices
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.1 - TLP:CLEAR - Second version - 16th October 2025 - RULEZET bundle added
- Version 1.0 - TLP:CLEAR - First version - 15th October 2025