Critical Vulnerabilities in F5 BIG-IP Products

Executive Summary

On October 15, 2025, F5 publicly disclosed a security breach of its internal environment in which a threat actor exfiltrated sensitive data about the BIG-IP product line. F5 confirmed that the stolen data included portions of BIG-IP source code, internal engineering documentation, and information on unreleased, not yet disclosed product vulnerabilities. The vendor’s knowledge management platform was also compromised; it contained sensitive configuration and organizational information “for a small percentage of customers.”

At the time of this advisory, F5 states that there is no evidence that its customer-facing product build or update pipeline was altered or that malicious code was inserted into any product.

As part of its response to this incident, F5 has released software updates and mitigation guidance for the vulnerabilities involved. Most of the addressed vulnerabilities are Denial of Service (DoS) conditions that a threat actor can trigger by sending specially crafted traffic to subsystems of BIG-IP family appliances on which certain features are enabled. Several of the disclosed vulnerabilities, however, are more impactful than DoS and can result in arbitrary code execution or allow an attacker to deploy malicious implants. These primarily affect the management interfaces of F5 appliances, and most require authenticated access to exploit. Refer to the Technical Details section of this advisory for analysis of these vulnerabilities and their potential impact.

Given the nature of the attack and the sensitivity of the stolen information, Beazley Security assesses that threat actors holding this data will use it as a precursor to targeted attack campaigns and exploitation attempts against internet-facing F5 devices. Beazley Security strongly recommends that organizations with internet-facing F5 devices update them immediately.

Affected Systems and Products

This incident affects the full BIG-IP product line and related platforms, including BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM. F5 has stated that the NGINX development environment was not impacted.

Because a large amount of internal development data and previously undisclosed vulnerability data was stolen by the threat actors, F5 has released software updates across its entire product line.

An exhaustive list of the fixed products and versions is not included in this document; it can be found in F5’s article K000156572 Quarterly Security Notification (October 2025).

For more detailed analysis of the vulnerabilities disclosed and the potential impact, please review the Technical Details section of this advisory.

Mitigations and Workarounds

Beazley Security strongly recommends that organizations identify all of their F5 deployments, specifically BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM (including APM client software), and apply the most current available patches.

F5 also maintains standard documentation on best practices for hardening F5 systems against attacks in general. That documentation can be found in F5’s article K53108777: Hardening your F5 system.

F5 also provides the iHealth Diagnostic Tool, which can automatically run hardening checks against customer appliances.

Patches

F5 is actively publishing updated firmware and software images for all products listed in K000156572 Quarterly Security Notification (October 2025). Refer to K84205182: Guide contents | BIG-IP update and upgrade guide for instructions on updating the different BIG-IP products.

Technical Details

According to F5’s incident briefing and telemetry from partners assisting with the incident, threat actors exfiltrated portions of BIG-IP source code, internal vulnerability reports, and developer and debugging artifacts from F5’s internal engineering and issue-tracking systems. The exfiltrated data included design documents, code snippets tied to control-plane and data-plane modules, and internal test cases and crash dumps that reveal execution paths and error handling.

While F5 currently has no evidence of build-pipeline tampering, these artifacts are highly actionable. Beazley Security expects attackers to study them to find zero-day vulnerabilities and to develop weaponized exploits where possible.

Beazley Security is also aware that the threat actors behind this campaign against F5’s network used the BRICKSTORM implant detailed by Mandiant in September 2025. Beazley Security strongly recommends that organizations whose threat model includes being targeted by nation-state actors for espionage use the tooling and detection guidance published by Mandiant to check their environments for the presence of BRICKSTORM.

Given that the threat actors in this espionage campaign obtained source code, Beazley Security assesses it likely that they will use it to identify and weaponize currently unknown zero-day vulnerabilities in these appliances. Organizations running F5 appliances should segment these devices, monitor for suspicious traffic to or from them, ensure that management interfaces are not exposed to the internet, and watch F5 vendor channels for security updates. Organizations should plan to apply future patches for the relevant F5 appliances as soon as they are released.
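The two checks above that can be automated from an asset inventory, management interfaces outside the approved management networks and software versions below the fixed release for the running branch, are illustrated by the following script. It is an added example written for this advisory, not F5 tooling; the inventory rows, the management ranges and the fixed-version table are constructed placeholders, and the real fixed versions must be taken from F5’s K000156572. F5 publishes fixes per branch (a 17.1.x fix is separate from a 16.1.x fix), so the script only treats a device as patched when it meets the floor for its own major.minor branch, and reports branches with no listed fix separately.

```python
"""Triage an F5 inventory for exposed management interfaces and unpatched
versions. Added example for this advisory, not F5 code. Inventory, management
ranges and fixed-version floors below are constructed placeholders."""
import ipaddress

# Constructed sample inventory: (hostname, product, running version, mgmt IP).
INVENTORY = [
    ("lb-edge-01", "BIG-IP", "17.1.2.1", "203.0.113.10"),
    ("lb-core-02", "BIG-IP", "17.1.3", "10.20.0.5"),
    ("lb-dmz-03", "BIG-IP", "16.1.5", "10.20.1.7"),
    ("f5os-chassis-01", "F5OS", "1.8.0", "10.20.0.9"),
    ("lb-lab-04", "BIG-IP", "15.1.10", "fd00::5"),
]

# Hypothetical approved management networks; anything outside them is treated
# as exposed and must be verified against the perimeter firewall rules.
MGMT_RANGES = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("fd00::/8")]

# Hypothetical fixed-version floors per product, one entry per branch.
# Placeholder numbers only: take the real values from F5's K000156572.
FIXED_VERSIONS = {
    "BIG-IP": ["17.1.3", "16.1.6"],
    "F5OS": ["1.8.0"],
}


def parse_version(version: str) -> tuple:
    """Turn '17.1.2.1' into a comparable tuple, padded so 17.1.3 == 17.1.3.0."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def branch(version: str) -> tuple:
    """Major.minor branch, the unit F5 publishes fixes against."""
    return parse_version(version)[:2]


def version_status(product: str, running: str, fixed_versions=FIXED_VERSIONS) -> str:
    """'patched', 'vulnerable', or 'no-fix-for-branch' (no fix listed for this
    branch, which usually means an upgrade to a supported branch is required)."""
    floors = [f for f in fixed_versions.get(product, []) if branch(f) == branch(running)]
    if not floors:
        return "no-fix-for-branch"
    return "patched" if parse_version(running) >= parse_version(floors[0]) else "vulnerable"


def mgmt_exposed(ip: str, allowed=MGMT_RANGES) -> bool:
    """True when the management address lies outside every approved range.
    Membership tests across IPv4/IPv6 simply return False, so mixed lists are safe."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in allowed)


def triage(inventory=INVENTORY, fixed_versions=FIXED_VERSIONS, allowed=MGMT_RANGES):
    """Return (hostname, finding) pairs, most urgent first: an unpatched device
    whose management interface is exposed sorts to the top."""
    findings = []
    for host, product, running, mgmt_ip in inventory:
        status = version_status(product, running, fixed_versions)
        exposed = mgmt_exposed(mgmt_ip, allowed)
        if status == "patched" and not exposed:
            continue
        urgency = int(status != "patched") + int(exposed)  # 2 = unpatched and exposed
        findings.append((urgency, host, f"{product} {running}: {status}, "
                         f"mgmt {mgmt_ip} {'EXPOSED' if exposed else 'internal'}"))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return [(host, msg) for _, host, msg in findings]


if __name__ == "__main__":
    for host, finding in triage():
        print(f"{host}: {finding}")
```

Feed it the real inventory and the fixed versions from K000156572, and treat every "EXPOSED" line as a firewall verification task regardless of patch status, since management interfaces on these devices should never be internet-reachable.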

Disclosed Vulnerability Analysis

In addition to the incident notification, F5 patched a significant number of vulnerabilities whose details may have been disclosed to the attackers. These vulnerabilities affect multiple product lines and are detailed in F5’s Quarterly Security Notification for October 2025 (K000156572).

Beazley Security has reviewed the vulnerabilities to quantify risk and impact and provides its analysis below:

High Impact BIG-IP Vulnerabilities

Note: Beazley Security Labs believes that sophisticated attackers could chain several of these vulnerabilities together to escalate privileges, gain access to the appliance’s underlying operating system, and deploy custom Linux implants. Very limited public information is available about these vulnerabilities, so this analysis relies on how similar attacks have historically unfolded.

As an example, an attacker with limited privileges, such as a Resource Administrator, could use CVE-2025-59481 or CVE-2025-61958 to run bash commands with higher privileges and escalate to an SCP-enabled role, then use CVE-2025-53868 to bypass Appliance mode and install malicious software on the BIG-IP appliance’s operating system.

Additionally, Beazley Security Labs believes that the reflected XSS vulnerability (CVE-2025-61933) may be exploitable by unauthenticated attackers to steal authenticated users’ session cookies. Attackers could then combine that access with the other vulnerabilities listed below to deploy malicious implants or establish a reverse shell.
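Whatever the exact mechanics of the chain, its middle steps (a restricted account reaching bash from tmsh and an account being granted a bash shell) leave traces in BIG-IP’s tmsh audit log, which is the place to look for them. The script below is an added example written for this advisory, not F5 tooling and not a published detection for any of the CVEs above: it scans audit records for shell escapes by accounts that are not expected to hold a shell and for commands that grant a bash shell to a user. The log lines are constructed in the style of BIG-IP’s /var/log/audit tmsh records, and the set of accounts expected to have a shell is a hypothetical per-site policy.

```python
"""Scan BIG-IP tmsh audit records for shell escapes and shell grants.
Added example for this advisory, not F5 tooling or a vendor detection.
The sample lines are constructed in the style of /var/log/audit and the
expected-shell-user set is a hypothetical site policy."""
import re

# Constructed sample audit lines (format approximates BIG-IP tmsh AUDIT records).
SAMPLE_AUDIT = """\
Oct 16 09:12:01 bigip1 notice tmsh[4120]: 01420002:5: AUDIT - pid=4120 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys version
Oct 16 09:15:44 bigip1 notice tmsh[4188]: 01420002:5: AUDIT - pid=4188 user=ops-ra folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash
Oct 16 09:16:10 bigip1 notice tmsh[4190]: 01420002:5: AUDIT - pid=4190 user=ops-ra folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify auth user ops-ra shell bash
Oct 16 09:20:03 bigip1 notice tmsh[4230]: 01420002:5: AUDIT - pid=4230 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "tmsh show sys hardware"
Oct 16 09:21:55 bigip1 notice tmsh[4255]: 01420002:5: AUDIT - pid=4255 user=ops-ra folder=/Common module=(tmos)# status=[Command Failed] cmd_data=run util bash
"""

# Hypothetical site policy: only these accounts are expected to reach bash.
EXPECTED_SHELL_USERS = {"admin"}

# Fields of a tmsh AUDIT record; cmd_data runs to end of line.
AUDIT_RE = re.compile(
    r"AUDIT - pid=(?P<pid>\d+) user=(?P<user>\S+) folder=\S+ module=\S+ "
    r"status=\[(?P<status>[^\]]+)\] cmd_data=(?P<cmd>.*)$"
)
# 'modify auth user <name> ... shell bash' grants an interactive bash shell.
GRANT_SHELL_RE = re.compile(r"^modify auth user (\S+) .*\bshell bash\b")


def parse_audit_line(line: str):
    """Return the record fields as a dict, or None for non-AUDIT lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].strip()
    return rec


def classify(rec: dict, expected_shell_users=EXPECTED_SHELL_USERS):
    """Name the suspicious behaviour in one record, or None if it is benign.
    Failed attempts are reported too: a restricted account probing for a shell
    is a signal even when the command is rejected."""
    cmd, user = rec["cmd"], rec["user"]
    if cmd.startswith("run util bash") or cmd == "bash" or cmd.startswith("bash "):
        return None if user in expected_shell_users else "shell-escape-by-unexpected-user"
    m = GRANT_SHELL_RE.match(cmd)
    if m:
        return "bash-shell-self-granted" if m.group(1) == user else "bash-shell-granted"
    return None


def scan(text: str = SAMPLE_AUDIT, expected_shell_users=EXPECTED_SHELL_USERS):
    """Scan audit text and return a list of finding dicts in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        finding = classify(rec, expected_shell_users)
        if finding:
            findings.append({"user": rec["user"], "cmd": rec["cmd"],
                             "status": rec["status"], "finding": finding})
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f['finding']}: user={f['user']} status={f['status']} cmd={f['cmd']}")
```

Forward /var/log/audit to a central collector before running a check like this, since an attacker who has reached the underlying OS can edit the local copy; the shell-grant rule is also worth keeping even for administrator accounts, because a newly granted shell on an account that never had one is a configuration change that should match a ticket.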

CVE | Impact
CVE-2025-53868 | Authenticated and privileged attacker with SCP or SFTP access can bypass “Appliance mode” and access the underlying operating system
CVE-2025-59481 | Authenticated attacker with at least the Resource Administrator role and access to the F5 REST API or the tmsh console utility can execute commands at the system level and escalate their privileges
CVE-2025-61958 | Authenticated attacker with at least the Resource Administrator role can escape tmsh into bash and gain access to the underlying operating system, crossing a security boundary and escalating their privileges
CVE-2025-59483 | Authenticated and privileged attacker can perform arbitrary file uploads
CVE-2025-59268 | Unauthenticated attacker can access “non-sensitive” information on the admin interface
CVE-2025-59269 | Authenticated attacker can plant stored XSS, with the potential for remote code execution (RCE) if a victim user has bash access
CVE-2025-61933 | Unauthenticated attacker can trick a victim user into executing reflected XSS in the context of the victim’s browser; under certain circumstances this could expose the victim’s session cookies to the attacker
CVE-2025-54755 | Authenticated attacker can access restricted files via directory traversal

High Impact F5OS-A/C Vulnerabilities

CVE | Impact
CVE-2025-61955 | Authenticated attacker can escalate privileges
CVE-2025-57780 | Authenticated attacker can escalate privileges
CVE-2025-60013 | Authenticated attacker with the Admin or Resource Admin role can bypass “Appliance mode” (restricted CLI) to execute arbitrary commands and escalate privileges
CVE-2025-53860 | Authenticated, highly privileged attacker can access sensitive FIPS HSM information

Unauthenticated Denial of Service (DoS) Vulnerabilities (not grouped by product)

Note: many of the Denial of Service (DoS) vulnerabilities listed in this section result from memory corruption or related issues that can be triggered remotely by sending maliciously formatted traffic. It is possible that, in certain circumstances, such vulnerabilities could allow a highly skilled and well-resourced attacker to achieve objectives beyond service disruption. Whether such a capability can be developed depends on factors such as the specific vulnerability context, whether the attacker can control memory precisely enough to gain further access, and which memory-safety mitigations are enabled for the affected process.

Beazley Security Labs will continue to monitor these and provide updates if any of these vulnerabilities are abused beyond causing a Denial of Service condition.

CVE | Reference | Product/Component
CVE-2025-60016 | K000139514 | BIG-IP SSL/TLS
CVE-2025-48008 | K000150614 | BIG-IP MPTCP
CVE-2025-59781 | K000150637 | BIG-IP DNS cache
CVE-2025-41430 | K000150667 | BIG-IP SSL Orchestrator
CVE-2025-55669 | K000150752 | BIG-IP HTTP/2
CVE-2025-61951 | K000151309 | BIG-IP DTLS 1.2
CVE-2025-55036 | K000151368 | BIG-IP SSL Orchestrator
CVE-2025-54479 | K000151475 | BIG-IP PEM
CVE-2025-46706 | K000151611 | BIG-IP iRules
CVE-2025-59478 | K000152341 | BIG-IP AFM DoS protection profile
CVE-2025-61938 | K000156624 | BIG-IP Advanced WAF and ASM bd process
CVE-2025-54858 | K000156621 | BIG-IP Advanced WAF and ASM
CVE-2025-58120 | K000156623 | BIG-IP Next (CNF, SPK, and Kubernetes)
CVE-2025-53856 | K000156707 | BIG-IP TMM
CVE-2025-61974 | K000156733 | BIG-IP SSL/TLS
CVE-2025-58071 | K000156746 | BIG-IP IPsec
CVE-2025-53521 | K000156741 | BIG-IP APM
CVE-2025-61960 | K000156597 | BIG-IP APM portal access
CVE-2025-54854 | K000156602 | BIG-IP APM
CVE-2025-53474 | K44517780 | BIG-IP iRules
CVE-2025-61990 | K000156912 | BIG-IP TMM
CVE-2025-58096 | K000156691 | BIG-IP TMM
CVE-2025-61935 | K000154664 | BIG-IP Advanced WAF and ASM
CVE-2025-59778 | K000151718 | VELOS partition container network
CVE-2025-58474 (Medium Severity) | K000148512 | Advanced WAF, ASM, and NGINX App Protect
CVE-2025-58153 (Medium Severity) | K000151658 | BIG-IP High-Speed Bridge (HSB)

Authenticated Denial of Service (DoS) Vulnerabilities (not grouped by product)

CVE | Reference | Product/Component
CVE-2025-47148 | K000148816 | BIG-IP APM
CVE-2025-55670 | K000154614 | BIG-IP Next
CVE-2025-54805 | K000151596 | BIG-IP TMM
CVE-2025-60015 | K000156796 | F5OS
CVE-2025-47150 | K000149820 | F5OS

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through its Exposure Management Platform to identify impacted devices and to support organizations in remediating any issues found.

If you believe your organization may have been impacted by this attack campaign and needs support, please contact our Incident Response team.
