CISA Orders Federal Agencies to Patch F5 Devices After Nation-State Hack

In response to a potential nation-state hack, a new CISA directive mandates urgent cybersecurity action, compelling federal agencies to patch critical vulnerabilities in their F5 BIG-IP devices.
Published: October 20, 2025

WASHINGTON – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive compelling federal agencies to address major security flaws in software management devices made by F5, a technology company. The order follows a security breach in which nation-state-affiliated hackers reportedly accessed F5’s internal systems and stole source code and customer data.

In the directive released on October 15, CISA warned that a foreign government-affiliated group compromised F5’s networks and exfiltrated sensitive files. This stolen data included parts of the source code for BIG-IP, F5’s flagship product, along with information about known vulnerabilities.

CISA stated that this access gives the hackers a significant advantage, allowing them to analyze the code for undiscovered flaws, or “zero-day vulnerabilities,” and develop targeted attacks against F5 devices and software.

Imminent Threat to Federal Networks

According to the directive, this cyber threat actor poses an “imminent threat” to all federal networks that use F5 products. If hackers successfully exploit the vulnerabilities, they could gain access to embedded login details and API keys, which would allow them to move undetected within a network, steal data, and establish long-term access. CISA warns this could lead to a “full compromise” of an organization’s information systems.

Due to what it calls an “unacceptable risk,” CISA has mandated immediate action for agencies using a range of F5 products.

Affected F5 Products:

The directive applies to the following hardware and software:

  • Hardware: BIG-IP iSeries, rSeries, and any other F5 devices that are no longer supported by the company.
  • Software: All devices running BIG-IP (F5OS and TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK)/Cloud-Native Network Functions (CNF).

The directive’s requirements are designed to address the immediate risk and help agencies defend against anticipated attacks targeting these systems.

Required Actions for Federal Agencies

CISA has outlined several mandatory actions for all federal agencies to complete on a strict timeline.

  1. Inventory All F5 Devices: Agencies must immediately identify all instances of affected BIG-IP hardware and software on their networks.
  2. Secure Public-Facing Devices: For any F5 BIG-IP devices accessible from the public internet, agencies must check if the management interface is exposed. If it is, they are required to follow the guidelines in CISA’s Binding Operational Directive (BOD) 23-02, which details how to mitigate risks from exposed management interfaces.
  3. Update All Software and Hardware: By October 22, 2025, agencies must install the latest updates for F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF. For all other F5 devices, the latest software patch must be applied by October 31, 2025. Agencies are also required to apply all future updates within one week of their release. An exception is made for devices where the management interface is secured on an internal network, accessible only via a secure jump box. These can follow the agency’s regular update schedule.
  4. Disconnect Outdated Devices: All public-facing F5 devices that have reached their end-of-support date must be disconnected and taken out of service. If an agency cannot disconnect a device due to a “mission critical need,” it must report this to CISA and provide a plan for its eventual decommissioning.
  5. Address Cookie Leakage Vulnerabilities: If CISA notifies an agency about a specific BIG-IP “cookie leakage” vulnerability, the agency must follow the provided instructions to fix it.
  6. Report Compliance to CISA: All agencies must submit a summary of their in-scope products by October 29, 2025, followed by a detailed inventory report by December 3, 2025.

These requirements apply to all federal information systems, including those hosted by third-party cloud service providers. Agencies are responsible for ensuring compliance across all environments where their information is stored or processed.
