I wonder if they’re just saying “nation-state” to make it seem less bad that they were compromised, without having proof that it was an actual nation state. (I mean it could well be a nation state, but just a thought.)
I'm not sure if item #2 in the linked advisory ("identify if the networked management interface is accessible directly from the public internet") indicates whether compromise is only likely in that situation or not, but... lots of remote workers are going to have some time for offline reflection in the next week, it seems regardless.
> Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties.
From the published CISA mitigation[0]:
A nation-state affiliated cyber threat actor has
compromised F5’s systems and exfiltrated files, which
included a portion of its BIG-IP source code and
vulnerability information. The threat actor’s access to
F5’s proprietary source code could provide that threat
actor with a technical advantage to exploit F5 devices and
software.
> Its the boogyman [sic] like terrorism.
Or maybe it is a responsible vulnerability disclosure whose impact is described thusly[0]:
This cyber threat actor presents an imminent threat to
federal networks using F5 devices and software. Successful
exploitation of the impacted F5 products could enable a
threat actor to access embedded credentials and Application
Programming Interface (API) keys, move laterally within an
organization’s network, exfiltrate data, and establish
persistent system access. This could potentially lead to a
full compromise of target information systems.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
Why would anyone have confidence in F5’s analysis?
I think it is more valuable for the attackers to have exfiltrated their code and analyze it for vulnerabilities.
Adding some malicious code to the BIG-IP software would require a long time for the attackers to persist in f5's systems undetected until they understood the current code. Not a zero percent chance, but pretty unlikely.
In October 2025, F5 rotated its signing certificates and keys used to cryptographically sign F5-produced digital objects.
As a result:
BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later are signed with new certificates and keys
BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later contain new public keys used to verify certain F5-produced objects released in October 2025 and later
BIG-IP and BIG-IQ TMOS product versions released in October 2025 and later may not be able to verify certain F5-produced objects released prior to October 2025
BIG-IP and BIG-IQ TMOS product versions released prior to October 2025 may not be able to verify certain F5-produced objects released in October 2025 and later
It took them 67 days to disclose that their premier product, which is used heavily in the industry, had been compromised. Does anyone know why it seems like we're seeing disclosures like this take longer and longer to be disclosed? I would think the adage "Bad news travels fast" would apply more often in these cases, if only to limit the scope of the damage.
This is an excellent argument against the British style request for a state level back door to encrypted data. It will be exploited and it will likely be quite some time until they learn of the exploit and even longer if ever until we do.
24 comments
[ 1.9 ms ] story [ 47.5 ms ] threadhttps://www.cisa.gov/news-events/directives/ed-26-01-mitigat...
It seems more likely that we do not KNOW how the access was used.
From the published CISA mitigation[0]:
> Its the boogyman [sic] like terrorism.Or maybe it is a responsible vulnerability disclosure whose impact is described thusly[0]:
0 - https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...I don’t know why, but this sounds a bit like backdoors.
Why would anyone have confidence in F5’s analysis?
Adding some malicious code to the BIG-IP software would require a long time for the attackers to persist in f5's systems undetected until they understood the current code. Not a zero percent chance, but pretty unlikely.
https://my.f5.com/manage/s/article/K000157005
In October 2025, F5 rotated its signing certificates and keys used to cryptographically sign F5-produced digital objects.
As a result:
Translated =>
We don't know whether they have used or are going to use our NSA-mandated backdoors.