24 comments

[ 1.9 ms ] story [ 47.5 ms ] thread
“No one will ever find these vulns without source access! Fix deferred” oh wait…
I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
I'm not sure if item #2 in the linked advisory ("identify if the networked management interface is accessible directly from the public internet") indicates whether compromise is only likely in that situation or not, but... lots of remote workers are going to have some time for offline reflection in the next week, it seems regardless.
oh that's handy, they can add them to the big pile of disclosed BIG-IP flaws
I am having a hard time believing that an attacker maintained long term access to their system and never used it.

It seems more likely that we do not KNOW how the access was used.

[flagged]
> Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties.

From the published CISA mitigation[0]:

  A nation-state affiliated cyber threat actor has 
  compromised F5’s systems and exfiltrated files, which 
  included a portion of its BIG-IP source code and 
  vulnerability information. The threat actor’s access to 
  F5’s proprietary source code could provide that threat 
  actor with a technical advantage to exploit F5 devices and 
  software. 
> Its the boogyman [sic] like terrorism.

Or maybe it is a responsible vulnerability disclosure whose impact is described thusly[0]:

  This cyber threat actor presents an imminent threat to 
  federal networks using F5 devices and software. Successful 
  exploitation of the impacted F5 products could enable a 
  threat actor to access embedded credentials and Application 
  Programming Interface (API) keys, move laterally within an 
  organization’s network, exfiltrate data, and establish 
  persistent system access. This could potentially lead to a 
  full compromise of target information systems.
0 - https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...
It’s also just a fact. We don’t need a bogeyman when other nations are actually executing these attacks every day.
I'm slightly questioning the security of a cybersecurity company that has systems that allow people long term access.
> undisclosed F5 vulnerabilities

I don’t know why, but this sounds a bit like backdoors.

F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.

Why would anyone have confidence in F5’s analysis?

I think it is more valuable for the attackers to have exfiltrated their code and analyze it for vulnerabilities.

Adding some malicious code to the BIG-IP software would require a long time for the attackers to persist in f5's systems undetected until they understood the current code. Not a zero percent chance, but pretty unlikely.

Looks like they rotated all signings keys a day earlier:

https://my.f5.com/manage/s/article/K000157005

In October 2025, F5 rotated its signing certificates and keys used to cryptographically sign F5-produced digital objects.

As a result:

    BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later are signed with new certificates and keys
    BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later contain new public keys used to verify certain F5-produced objects released in October 2025 and later
    BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later may not be able to verify certain F5-produced objects released prior to October 2025
    BIG-IP and BIG-IQ TMOS product versions released prior to October 2025 may not be able to verify certain F5-produced objects released in October 2025 and later
Aka outsourcing work to third world countries has come back to bite us ;-)
"We have no knowledge the vulnerabilities discovered through exfiltration were not used"

Translated =>

We don't know whether they have used or are going to use our NSA-mandated backdoors.

It took them 67 days to disclose that their premier product, which is used heavily in the industry, had been compromised. Does anyone know why it seems like we're seeing disclosures like this take longer and longer to be disclosed? I would think the adage "Bad news travels fast" would apply more often in these cases, if only to limit the scope of the damage.
A cybersecurity company was hacked — what an irony
This is an excellent argument against the British style request for a state level back door to encrypted data. It will be exploited and it will likely be quite some time until they learn of the exploit and even longer if ever until we do.
If the orgs/products responsible for saving the orgs are getting their source code exfiltrated then we all are on the mercy of hackers.
I have only heard bad things about F5 XC