Frequently Asked Questions About The August 2025 F5 Security Incident

Frequently asked questions about the August 2025 security incident at F5 and the release of multiple BIG-IP product patches.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a recently disclosed security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification.
FAQ
What is the F5 Security Incident?
Starting August 9, 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. This included access to F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 providing current details on the known impacts of the breach, including an acknowledgement that they have not observed further unauthorized activity and believe they have successfully contained the breach.
What data was stolen in this breach?
According to F5, files from their BIG-IP engineering knowledge management systems and product development environments were accessed by the threat actor. The stolen data included details on undisclosed security vulnerabilities that F5 was investigating at the time, as well as source code for its BIG-IP product.
What is the risk of undisclosed vulnerability data being stolen?
With access to vulnerability reports and source code, the threat actor could use that information to develop exploits for issues that have not yet been patched or remediated. While F5 states they “have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the risk remains that the attackers could use the stolen data to identify other vulnerabilities.
Was any source code modified? Is there a risk of a supply-chain attack?
According to F5, there is “no evidence of modification” to its supply chain, source code (including NGINX source code), build and release pipelines, or the F5 Distributed Cloud Services or Silverline systems. These findings have reportedly been independently verified by two security research firms, NCC Group and IOActive.
What are the vulnerabilities associated with the breach?
At this time, F5 has not indicated that any vulnerabilities were exploited by the threat actor in order to gain access to their systems. However, on October 15, in conjunction with its security incident notice, F5 released several patches in KB article K000156572: Quarterly Security Notification (October 2025). While there is no notice in these security advisories that any of the CVEs have been exploited, we strongly recommend applying all available patches.
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released emergency directive (ED) 26-01: Mitigate Vulnerabilities in F5 Devices on October 15, which includes recommendations to apply all available updates. While the ED is aimed at Federal Civilian Executive Branch (FCEB) agencies, the guidance should be applicable to any organization with F5 devices or software in their environment.
What actions should I take if my environment contains F5 software/devices?
According to both F5 and the CISA ED, inventorying and updating all affected BIG-IP instances is of utmost importance. While it’s always recommended that security updates are applied quickly, in light of the breach, F5 urges “updating your BIG-IP software as soon as possible.” In addition, guidance from CISA suggests hardening any public-facing BIG-IP devices and removing any unsupported devices from your network.
Which threat actors are responsible for this attack?
While no specific threat actor has been linked to the F5 breach, F5 says this incident involved a “highly sophisticated” nation-state threat actor.
Are patches or mitigations available for the F5 October Quarterly Security Notification?
Yes, F5 released its quarterly security notification on October 15, which includes fixes for the following products:
BIG-IP (All Modules):
F5OS-A
F5 KB Article | Associated CVEs |
---|---|
K000156767 | CVE-2025-61955 |
K000156771 | CVE-2025-57780 |
K000149820 | CVE-2025-47150 |
K000156796 | CVE-2025-60015 |
K000154661 | CVE-2025-60013 |
K000148625 | CVE-2025-53860 |
F5OS-C
F5 KB Article | Associated CVEs |
---|---|
K000156767 | CVE-2025-61955 |
K000156771 | CVE-2025-57780 |
K000151718 | CVE-2025-59778 |
K000149820 | CVE-2025-47150 |
K000156796 | CVE-2025-60015 |
BIG-IP Product Specific
Product | F5 KB Article | Associated CVEs |
---|---|---|
BIG-IP APM | ||
Advanced WAF/ASM | ||
SSL Orchestrator | ||
BIG-IP PEM | K000151475 | CVE-2025-54479 |
BIG-IP AFM | | CVE-2025-59478 |
*This KB article represents a BIG-IP AFM Security Exposure and is not associated with a CVE.
BIG-IP Next
Product | F5 KB Article | Associated CVEs |
---|---|---|
BIG-IP Next SPK | ||
BIG-IP Next CNF | ||
BIG-IP Next for Kubernetes | ||
Other F5 Products
Product | F5 KB Article | Associated CVEs |
---|---|---|
NGINX App Protect WAF | K000148512 | CVE-2025-58474 |
F5 Silverline | ||
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:
- CVE-2025-53868
- CVE-2025-60016
- CVE-2025-48008
- CVE-2025-59781
- CVE-2025-61951
- CVE-2025-46706
- CVE-2025-53856
- CVE-2025-61974
- CVE-2025-58071
- CVE-2025-61990
- CVE-2025-58096
- CVE-2025-59481
- CVE-2025-61958
- CVE-2025-59269
- CVE-2025-58153
- CVE-2025-59483
- CVE-2025-59268
- CVE-2025-54755
- CVE-2025-58424
- CVE-2025-61955
- CVE-2025-57780
- CVE-2025-47150
- CVE-2025-60015
- CVE-2025-60013
- CVE-2025-53860
- CVE-2025-59778
- CVE-2025-53521
- CVE-2025-61960
- CVE-2025-54854
- CVE-2025-53474
- CVE-2025-47148
- CVE-2025-61933
- CVE-2025-61938
- CVE-2025-54858
- CVE-2025-61935
- CVE-2025-55669
- CVE-2025-58474
- CVE-2025-41430
- CVE-2025-55036
- CVE-2025-54479
- CVE-2025-59478
- CVE-2025-58120
- CVE-2025-55670
- CVE-2025-54805
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
- F5: K000154696: F5 Security Incident
- F5: K000156572: Quarterly Security Notification (October 2025)
- CISA: ED 26-01: Mitigate Vulnerabilities in F5 Devices