Critical Risk: 269,000 F5 BIG-IP Devices Exposed After Nation-State Hack
Roughly 269,000 F5 BIG-IP devices are reachable from the public internet, one day after the company admitted that its own infrastructure had been compromised at scale. The count comes from Shadowserver, a non-profit that scans the internet and reports exposed services to network owners. According to its data, nearly 143,000 of the exposed instances are in the United States, with the remainder spread across Europe and Asia. Exposure is not the same as compromise: how many of these devices are patched, or otherwise protected against attack, is not known.
A day earlier, F5 had confirmed that it was the victim of a state-sponsored intrusion. The attackers obtained BIG-IP source code and information about vulnerabilities F5 had not yet disclosed or fixed. F5 says it has no evidence that any of these flaws have been exploited in the wild, but it has released updates addressing 44 vulnerabilities, including the ones whose details were stolen.
Customers have been urged to update BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients without delay. In private communications to customers, F5 attributed the intrusion to the China-nexus threat group UNC5221; that attribution has not yet been published.
F5 also distributed a threat-hunting guide describing indicators of compromise, which references Brickstorm, a Go-based backdoor that Google's Mandiant first documented in 2024 while investigating UNC5221 operations. People familiar with the investigation say the attackers may have had access to F5's environment for more than a year.
UNC5221 has previously been linked to zero-day exploitation of Ivanti VPN appliances, including at government agencies. Its toolkit includes custom malware such as Zipline and Spawnant, built for stealthy, persistent access to compromised appliances and for moving data out of them.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01, which requires all federal civilian agencies to install F5's latest patches. Updates for F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF are due by October 22; updates for all other F5 products by October 31.
CISA also ordered agencies to disconnect and decommission F5 devices that have reached end of support, since those receive no security fixes and will remain exploitable indefinitely. Agencies must inventory every F5 system on their networks, determine whether each management interface is reachable from the public internet, and confirm that all current updates have been applied.
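The inventory and exposure checks above, and Shadowserver's exposure count earlier in the piece, come together in one practical task: joining an outside-in view (what a scanner sees on your address space) with the inside-out view (what your inventory says you own). The script below is an added example, not F5, CISA or Shadowserver code. Its scan rows, inventory and fixed-version table are constructed for illustration, the report column layout is invented and is not Shadowserver's schema, and the placeholder fixed versions must be replaced with the per-branch values from F5's own security notification.

```python
"""Reconcile an external exposure report with an F5 inventory.

Added example, not F5, CISA or Shadowserver code.  The report rows, the
inventory and the fixed-version table are constructed for illustration; the
report column layout is invented and is not Shadowserver's schema.
"""
import csv
import io
from dataclasses import dataclass

# Constructed: what an outside scanner observed, one row per open service.
SCAN_REPORT = """\
timestamp,ip,port,protocol,tag
2025-10-16T03:12:44Z,203.0.113.10,443,tcp,f5-bigip-mgmt
2025-10-16T03:12:51Z,203.0.113.11,8443,tcp,f5-bigip-mgmt
2025-10-16T03:13:02Z,203.0.113.12,22,tcp,ssh
"""


@dataclass(frozen=True)
class Device:
    hostname: str
    product: str
    version: str          # as reported by the device, e.g. 16.1.5.2
    mgmt_ips: tuple       # every address the management plane answers on, incl. NAT
    end_of_support: bool  # from the vendor lifecycle table, recorded in the inventory


# Constructed inventory; hosts and addresses are not real.
INVENTORY = (
    Device("lb-edge-01",   "BIG-IP", "17.1.1.3", ("10.20.0.4", "203.0.113.10"), False),
    Device("lb-core-02",   "BIG-IP", "16.1.6.1", ("10.20.0.5",), False),
    Device("lb-legacy-03", "BIG-IP", "13.1.5.1", ("10.20.0.6",), True),
)

# Constructed placeholder table: the fixed version for each release branch.
# Take the real values for each branch from F5's security notification.
FIXED_BY_BRANCH = {"17.1": "17.1.2.2", "16.1": "16.1.6.1"}


def parse_version(v):
    """'17.1.10.1' -> (17, 1, 10, 1); numeric so 17.1.10 sorts above 17.1.9."""
    return tuple(int(p) for p in v.split("."))


def branch_of(v):
    """Fixes ship per major.minor branch; a 16.1 box must be judged against
    the 16.1 fix, not against the newest 17.x release."""
    return ".".join(v.split(".")[:2])


def patch_finding(dev, fixed_by_branch):
    """Return a finding string if the device is end-of-support or behind the
    fixed version for its branch, else None."""
    if dev.end_of_support:
        return "end-of-support software: no fix will ship, decommission"
    fixed = fixed_by_branch.get(branch_of(dev.version))
    if fixed is None:
        return f"no fixed version recorded for branch {branch_of(dev.version)}: verify against vendor notice"
    if parse_version(dev.version) < parse_version(fixed):
        return f"running {dev.version}, fixed version for branch is {fixed}"
    return None


def reconcile(report_csv, inventory, fixed_by_branch):
    """Join exposure rows tagged as F5 against the inventory.

    Returns a sorted list of (severity, subject, finding).  Severity 3 is an
    F5 management plane reachable from the internet (inventoried or not),
    severity 2 is an inventoried device that is unpatched or end-of-support.
    """
    by_ip = {ip: dev for dev in inventory for ip in dev.mgmt_ips}
    findings = set()

    for row in csv.DictReader(io.StringIO(report_csv)):
        if not row["tag"].startswith("f5-"):
            continue  # other exposed services are out of scope for this check
        dev = by_ip.get(row["ip"])
        if dev is None:
            # An F5 answering on your address space that nobody inventoried
            # is the first thing to chase: it is unmanaged and unpatched.
            findings.add((3, row["ip"], f"exposed F5 service on {row['port']}/{row['protocol']} with no inventory record"))
        else:
            findings.add((3, dev.hostname, f"management interface reachable from the internet on {row['ip']}:{row['port']}"))

    for dev in inventory:
        f = patch_finding(dev, fixed_by_branch)
        if f:
            findings.add((2, dev.hostname, f))

    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for sev, subject, text in reconcile(SCAN_REPORT, INVENTORY, FIXED_BY_BRANCH):
        print(f"[sev {sev}] {subject}: {text}")
```

Two design points carry over to real data. First, versions are compared numerically per release branch, because a device on 16.1 is patched only when it reaches the 16.1 fix, and a string comparison would rank 17.1.9 above 17.1.10. Second, an exposed F5 that matches nothing in the inventory is reported separately from an inventoried device that happens to be exposed: the former is an unknown asset with no owner to patch it, which is exactly the gap an inventory mandate is meant to close.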
BIG-IP flaws have repeatedly served as initial access for both criminal and state-sponsored groups. Past exploitation has been used to reach internal servers, steal sensitive data, deploy espionage tooling, destroy data, and keep long-term footholds in compromised networks. Because a BIG-IP sits in front of applications and holds their credentials, a compromised device can expose passwords and API keys and give an attacker a position from which to move laterally.
F5 says it serves more than 23,000 customers worldwide, including 48 of the 50 largest U.S. corporations.