Frequently Asked Questions About The August 2025 F5 Security Incident

Frequently asked questions about the August 2025 security incident at F5 and the release of multiple BIG-IP product patches.

Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a recently disclosed security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification.

FAQ

What is the F5 Security Incident?

Starting August 9, 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within its environment. This included access to F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 providing current details on the known impacts of the breach, including an acknowledgement that it has not observed further unauthorized activity and believes it has successfully contained the breach.

What data was stolen in this breach?

According to F5, files from its BIG-IP engineering knowledge management systems and product development environments were accessed by the threat actor. The stolen data included details on undisclosed security vulnerabilities that were currently being investigated by F5 as well as source code for its BIG-IP product.

What is the risk of undisclosed vulnerability data being stolen?

With access to vulnerability reports and source code, the threat actor could use that information to develop exploits for issues that have not yet been patched or remediated. While F5 states they “have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the risk remains that the attackers could use the stolen data to identify other vulnerabilities.

Was any source code modified? Is there a risk of a supply-chain attack?

According to F5, they have “no evidence of modification” to its supply chain, source code, including NGINX source code, build and release pipelines and the F5 Distributed Cloud Services or Silverline systems. These findings have reportedly been independently verified by two security research firms, NCC Group and IOActive.

What are the vulnerabilities associated with the breach?

At this time, F5 has not indicated that any vulnerabilities were exploited by the threat actor in order to gain access to its systems. However, on October 15, in conjunction with its security incident notice, F5 released several patches in KB article K000156572: Quarterly Security Notification (October 2025). While there is no notice in these security advisories that any of the CVEs have been exploited, we strongly recommend applying all available patches.

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released emergency directive (ED) 26-01: Mitigate Vulnerabilities in F5 Devices on October 15, which includes recommendations to apply all available updates. While the ED is aimed at Federal Civilian Executive Branch (FCEB) agencies, the guidance should be applicable to any organization with F5 devices or software in its environment.

What actions should I take if my environment contains F5 software/devices?

According to both F5 and the CISA ED, inventorying and updating all affected BIG-IP instances is of utmost importance. While it’s always recommended that security updates are applied quickly, in light of the breach, F5 urges “updating your BIG-IP software as soon as possible.” In addition, guidance from CISA suggests hardening any public-facing BIG-IP devices and removing any unsupported devices from your network.

Which threat actors are responsible for this attack?

While no specific threat actor has been linked to the F5 breach, F5 says this incident involved a “highly sophisticated” nation-state threat actor.

Are patches or mitigations available for the F5 October Quarterly Security Notification?

Yes, F5 released its quarterly security notification on October 15, which includes fixes for the following products:

BIG-IP (All Modules)

F5 KB Article   Associated CVEs
K000151902      CVE-2025-53868
K000139514      CVE-2025-60016
K000150614      CVE-2025-48008
K000150637      CVE-2025-59781
K000151309      CVE-2025-61951
K000151611      CVE-2025-46706
K000156707      CVE-2025-53856
K000156733      CVE-2025-61974
K000156746      CVE-2025-58071
K000156912      CVE-2025-61990
K000156691      CVE-2025-58096
K000156642      CVE-2025-59481
K000154647      CVE-2025-61958
K000151308      CVE-2025-59269
K000151658      CVE-2025-58153
K000156800      CVE-2025-59483
K90301300       CVE-2025-59268
K000156801      CVE-2025-54755
K000151297      CVE-2025-58424

F5OS-A

F5 KB Article   Associated CVEs
K000156767      CVE-2025-61955
K000156771      CVE-2025-57780
K000149820      CVE-2025-47150
K000156796      CVE-2025-60015
K000154661      CVE-2025-60013
K000148625      CVE-2025-53860

F5OS-C

F5 KB Article   Associated CVEs
K000156767      CVE-2025-61955
K000156771      CVE-2025-57780
K000151718      CVE-2025-59778
K000149820      CVE-2025-47150
K000156796      CVE-2025-60015

BIG-IP Product Specific

Product: BIG-IP APM
F5 KB Articles: K000156741, K000156597, K000156602, K44517780, K000148816, K000156596
Associated CVEs: CVE-2025-53521, CVE-2025-61960, CVE-2025-54854, CVE-2025-53474, CVE-2025-47148, CVE-2025-61933

Product: Advanced WAF/ASM
F5 KB Articles: K000156624, K000156621, K000154664, K000150752, K000148512
Associated CVEs: CVE-2025-61938, CVE-2025-54858, CVE-2025-61935, CVE-2025-55669, CVE-2025-58474

Product: SSL Orchestrator
F5 KB Articles: K000150667, K000151368, K000148816
Associated CVEs: CVE-2025-41430, CVE-2025-55036, CVE-2025-47148

Product: BIG-IP PEM
F5 KB Articles: K000151475
Associated CVEs: CVE-2025-54479

Product: BIG-IP AFM
F5 KB Articles: K000152341, K000150010*
Associated CVEs: CVE-2025-59478

*This KB article represents a BIG-IP AFM Security Exposure and is not associated with a CVE.

BIG-IP Next

Product: BIG-IP Next SPK
F5 KB Articles: K000139514, K000150614, K000151611, K000156623, K000156733, K000156912, K000154614, K000151596
Associated CVEs: CVE-2025-60016, CVE-2025-48008, CVE-2025-46706, CVE-2025-58120, CVE-2025-61974, CVE-2025-61990, CVE-2025-55670, CVE-2025-54805

Product: BIG-IP Next CNF
F5 KB Articles: K000139514, K000150614, K000150637, K000151475, K000151611, K000156623, K000156733, K000156746, K000156912, K000154614, K000151596
Associated CVEs: CVE-2025-60016, CVE-2025-48008, CVE-2025-59781, CVE-2025-54479, CVE-2025-46706, CVE-2025-58120, CVE-2025-61974, CVE-2025-58071, CVE-2025-61990, CVE-2025-55670, CVE-2025-54805

Product: BIG-IP Next for Kubernetes
F5 KB Articles: K000151475, K000156623, K000156733, K000156746, K000156912, K000154614, K000151596
Associated CVEs: CVE-2025-54479, CVE-2025-58120, CVE-2025-61974, CVE-2025-58071, CVE-2025-61990, CVE-2025-55670, CVE-2025-54805

Other F5 Products

Product: NGINX App Protect WAF
F5 KB Articles: K000148512
Associated CVEs: CVE-2025-58474

Product: F5 Silverline
F5 KB Articles: K000156733, K000151297
Associated CVEs: CVE-2025-61974, CVE-2025-58424

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

CVE-2025-53868, CVE-2025-60016, CVE-2025-48008, CVE-2025-59781, CVE-2025-61951, CVE-2025-46706, CVE-2025-53856, CVE-2025-61974, CVE-2025-58071, CVE-2025-61990, CVE-2025-58096, CVE-2025-59481, CVE-2025-61958, CVE-2025-59269, CVE-2025-58153, CVE-2025-59483, CVE-2025-59268, CVE-2025-54755, CVE-2025-58424, CVE-2025-61955, CVE-2025-57780, CVE-2025-47150, CVE-2025-60015, CVE-2025-60013, CVE-2025-53860, CVE-2025-59778, CVE-2025-53521, CVE-2025-61960, CVE-2025-54854, CVE-2025-53474, CVE-2025-47148, CVE-2025-61933, CVE-2025-61938, CVE-2025-54858, CVE-2025-61935, CVE-2025-55669, CVE-2025-58474, CVE-2025-41430, CVE-2025-55036, CVE-2025-54479, CVE-2025-59478, CVE-2025-58120, CVE-2025-55670, CVE-2025-54805

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

F5: K000154696: F5 Security Incident
F5: K000156572: Quarterly Security Notification (October 2025)
CISA: ED 26-01: Mitigate Vulnerabilities in F5 Devices

Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

First seen on securityboulevard.com

Jump to article: securityboulevard.com/2025/10/frequently-asked-questions-about-the-august-2025-f5-security-incident/
