F5 Networks, a leading provider of application security and delivery solutions, has disclosed a significant security breach involving a nation-state threat actor, prompting the release of critical updates for its core products.
Detected in August 2025, the incident exposed internal systems to prolonged unauthorized access, leading to the theft of BIG-IP source code and undisclosed vulnerability data.
In response, F5 has rolled out patches across BIG-IP, F5OS, BIG-IQ, APM clients, and BIG-IP Next for Kubernetes to safeguard customers amid heightened risks.
The intrusion came to light on August 9, 2025, when F5 identified suspicious activity within its BIG-IP product development environment and engineering knowledge platforms.
The advanced adversary maintained persistent access, exfiltrating sensitive files including portions of source code and configuration details for a limited number of customers.
No evidence suggests alterations to the software supply chain or impacts on production systems, but the stolen intellectual property raises concerns about potential zero-day exploits targeting unpatched deployments.
F5 swiftly contained the threat through comprehensive measures, halting further unauthorized actions and confirming no ongoing intrusions.
The company enlisted top cybersecurity firms like CrowdStrike and Mandiant for investigation support, while collaborating with law enforcement and government agencies.
This proactive stance aligns with F5’s vulnerability management practices, now intensified to bolster enterprise and product security postures.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive ED 26-01, mandating federal agencies to patch and isolate affected F5 assets immediately.
F5 Security Updates
On October 15, 2025, F5 published its Quarterly Security Notification, detailing 44 vulnerabilities addressed in the latest releases, many tied to the breach’s implications.
High-severity CVEs dominate, with scores up to 8.7 under CVSS v3.1, affecting components like SCP/SFTP in BIG-IP (CVE-2025-53868) and F5OS platforms (CVE-2025-61955).
These flaws enable potential denial-of-service, privilege escalation, and remote code execution, particularly in appliance modes where risks escalate.
Medium and low-risk issues include iControl REST vulnerabilities (CVE-2025-59481) and configuration utility exposures, fixed in versions such as BIG-IP 17.5.1.3 and F5OS-C 1.8.2.
High Severity Vulnerabilities
| CVE ID | CVSS Score (v3.1 / v4.0) | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| CVE-2025-53868 | 8.7 / 8.5 | BIG-IP (all modules) | 17.5.0, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-61955 | 7.8 (standard) / 8.8 (appliance) / 8.5 | F5OS-A, F5OS-C | F5OS-A: 1.8.0^3, 1.5.1-1.5.3; F5OS-C: 1.8.0-1.8.1, 1.6.0-1.6.2^3 | F5OS-A: 1.8.3, 1.5.4; F5OS-C: 1.8.2, 1.6.4 |
| CVE-2025-57780 | 7.8 (standard) / 8.8 (appliance) / 8.5 | F5OS-A, F5OS-C | F5OS-A: 1.8.0^3, 1.5.1-1.5.3; F5OS-C: 1.8.0-1.8.1, 1.6.0-1.6.2^3 | F5OS-A: 1.8.3, 1.5.4; F5OS-C: 1.8.2, 1.6.4 |
| CVE-2025-60016 | 7.5 / 8.7 | BIG-IP (all modules), BIG-IP Next SPK, BIG-IP Next CNF | BIG-IP: 17.1.0-17.1.1; Next SPK: 1.7.0-1.9.2; Next CNF: 1.1.0-1.3.3 | BIG-IP: 17.1.2; Next SPK: 2.0.0; Next CNF: 2.0.0, 1.4.0 |
| CVE-2025-48008 | 7.5 / 8.7 | BIG-IP (all modules), BIG-IP Next SPK, BIG-IP Next CNF | BIG-IP: 17.1.0-17.1.2, 16.1.0-16.1.5, 15.1.0-15.1.10; Next SPK: 1.7.0-1.9.2; Next CNF: 1.1.0-1.4.1 | BIG-IP: 17.1.2.2, 16.1.6, 15.1.10.8; Next SPK: None; Next CNF: None |
| CVE-2025-59781 | 7.5 / 8.7 | BIG-IP (all modules), BIG-IP Next CNF | BIG-IP: 17.1.0-17.1.2, 16.1.0-16.1.5, 15.1.0-15.1.10; Next CNF: 1.1.0-1.4.0 | BIG-IP: 17.1.2.2, 16.1.6, 15.1.10.8; Next CNF: 1.4.0 EHF-3^4 |
| CVE-2025-41430 | 7.5 / 8.7 | BIG-IP SSL Orchestrator | 17.5.0, 17.1.0-17.1.2, 16.1.0-16.1.3, 15.1.0-15.1.9 | 17.5.1, 17.1.3, 16.1.4 |
| CVE-2025-55669 | 7.5 / 8.7 | BIG-IP ASM | 17.1.0-17.1.2, 16.1.0-16.1.5 | 17.1.2.2, 16.1.6 |
| CVE-2025-61951 | 7.5 / 8.7 | BIG-IP (all modules) | 17.5.0, 17.1.0-17.1.2, 16.1.0-16.1.6 | 17.5.1, 17.1.3, 16.1.6.1 |
| CVE-2025-55036 | 7.5 / 8.7 | BIG-IP SSL Orchestrator | 17.1.0-17.1.2, 16.1.0-16.1.5, 15.1.0-15.1.10 | 17.1.3, 16.1.6, 15.1.10.8 |
| CVE-2025-54479 | 7.5 / 8.7 | BIG-IP PEM, BIG-IP Next CNF, BIG-IP Next for Kubernetes | BIG-IP PEM: 17.5.0, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10; Next CNF: 2.0.0-2.1.0, 1.1.0-1.4.0; Next K8s: 2.0.0-2.1.0 | BIG-IP PEM: 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8; Next CNF: 2.1.0 EHF-1^4, 2.0.2 EHF-2^4, 2.0.0 EHF-2^4, 1.4.0 EHF-3^4; Next K8s: 2.1.0 EHF-2^4 |
| CVE-2025-46706 | 7.5 / 8.7 | BIG-IP (all modules), BIG-IP Next SPK, BIG-IP Next CNF | BIG-IP: 17.1.0-17.1.2, 16.1.0-16.1.5; Next SPK: 1.7.0-1.9.2; Next CNF: 1.1.0-1.4.1 | BIG-IP: 17.1.2.2, 16.1.6; Next SPK: 2.0.0, 1.7.14 EHF-2^4; Next CNF: 2.0.0, 1.4.0 EHF-3^4 |
| CVE-2025-59478 | 7.5 / 8.7 | BIG-IP AFM | 17.5.0, 17.1.0-17.1.2, 15.1.0-15.1.10 | 17.5.1, 17.1.3, 15.1.10.8 |
| CVE-2025-61938 | 7.5 / 8.7 | BIG-IP Advanced WAF/ASM | 17.5.0, 17.1.0-17.1.2 | 17.5.1, 17.1.3 |
| CVE-2025-54858 | 7.5 / 8.7 | BIG-IP Advanced WAF/ASM | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-58120 | 7.5 / 8.7 | BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP Next for Kubernetes | Next SPK: 2.0.0, 1.7.0-1.7.14; Next CNF: 2.0.0, 1.1.0-1.4.1; Next K8s: 2.0.0 | Next SPK: 2.0.1, 1.7.14 EHF-2^4; Next CNF: 2.0.1; Next K8s: 2.1.0 |
| CVE-2025-53856 | 7.5 / 8.7 | BIG-IP (all modules) | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-61974 | 7.5 / 8.7 | BIG-IP (all modules), BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP Next for Kubernetes | BIG-IP: 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10; Next SPK: 2.0.0-2.0.2, 1.7.0-1.9.2; Next CNF: 2.0.0-2.1.0, 1.1.0-1.4.1; Next K8s: 2.0.0-2.1.0 | BIG-IP: 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8; Next SPK: 2.1.0 EHF-1^4, 2.0.2 EHF-2^4, 2.0.0 EHF-2^4, 1.7.14 EHF-2^4; Next CNF: 2.1.0 EHF-1^4, 2.0.2 EHF-2^4, 2.0.0 EHF-2^4, 1.4.0 EHF-3^4; Next K8s: 2.1.0 EHF-1^4 |
| CVE-2025-58071 | 7.5 / 8.7 | BIG-IP (all modules), BIG-IP Next CNF, BIG-IP Next for Kubernetes | BIG-IP: 17.5.0, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10; Next CNF: 2.0.0-2.1.0, 1.1.0-1.4.1; Next K8s: 2.0.0-2.1.0 | BIG-IP: 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8; Next CNF: 2.1.0 EHF-1^4, 2.0.2 EHF-2^4, 2.0.0 EHF-2^4, 1.4.0 EHF-3^4; Next K8s: 2.1.0 EHF-1^4 |
| CVE-2025-53521 | 7.5 / 8.7 | BIG-IP APM | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-61960 | 7.5 / 8.7 | BIG-IP APM | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6 | 17.5.1.3, 17.1.3, 16.1.6.1 |
| CVE-2025-54854 | 7.5 / 8.7 | BIG-IP APM | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-53474 | 7.5 / 8.7 | BIG-IP APM | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-61990 | 7.5 / 8.7 | BIG-IP (all modules), BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP Next for Kubernetes | BIG-IP: 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10; Next SPK: 2.0.0-2.0.2, 1.7.0-1.9.2; Next CNF: 2.0.0-2.1.0, 1.1.0-1.4.1; Next K8s: 2.0.0-2.1.0 | BIG-IP: 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8; Next SPK: 2.1.0 EHF-1^4, 2.0.2 EHF-2^4, 2.0.0 EHF-2^4, 1.7.15 EHF-2^4; Next CNF: 2.1.0 EHF-1^4, 2.0.2 EHF-2^4, 2.0.0 EHF-2^4, 1.4.0 EHF-3^4; Next K8s: 2.1.0 EHF-1^4 |
| CVE-2025-58096 | 7.5 / 8.7 | BIG-IP (all modules) | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-61935 | 7.5 / 8.7 | BIG-IP Advanced WAF/ASM | 17.5.0, 17.1.0-17.1.2, 15.1.0-15.1.10 | 17.5.1, 17.1.3, 15.1.10.8 |
| CVE-2025-59778 | 7.5 / 7.7 | F5OS-C | 1.8.0-1.8.1, 1.6.0-1.6.2^3 | 1.8.2, 1.6.4 |
Medium Severity Vulnerabilities
| CVE ID | CVSS Score (v3.1 / v4.0) | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| CVE-2025-59481 | 6.5 (standard) / 8.7 (appliance) / 8.5 | BIG-IP (all modules) | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-61958 | 6.5 (standard) / 8.7 (appliance) / 8.5 | BIG-IP (all modules) | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.1, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-47148 | 6.5 / 7.1 | BIG-IP APM, APM with SWG, SSL Orchestrator, SSL Orchestrator with SWG | 17.5.0, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-47150 | 6.5 / 7.1 | F5OS-A, F5OS-C | F5OS-A: 1.8.0-1.8.1^3, 1.5.1-1.5.2; F5OS-C: 1.6.0-1.6.2^3, 1.8.0 | F5OS-A: 1.8.3, 1.5.3; F5OS-C: 1.6.4 |
| CVE-2025-55670 | 6.5 / 7.1 | BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP Next for Kubernetes | Next SPK: 1.7.0-1.9.2; Next CNF: 1.1.0-1.4.1; Next K8s: 2.0.0 | Next SPK: None; Next CNF: None; Next K8s: 2.1.0 |
| CVE-2025-54805 | 6.5 / 6.0 | BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP Next for Kubernetes | Next SPK: 1.7.0-1.9.2; Next CNF: 1.1.0-1.4.1; Next K8s: 2.0.0 | Next SPK: 2.0.0; Next CNF: 2.0.0; Next K8s: 2.1.0 |
| CVE-2025-59269 | 6.1 / 8.4 | BIG-IP (all modules) | 17.5.0, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-58153 | 5.9 / 8.2 | BIG-IP (all modules) | 17.5.0, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1, 16.1.6.1, 15.1.10.8 |
| CVE-2025-60015 | 5.7 / 6.9 | F5OS-A, F5OS-C | F5OS-A: 1.8.0^3, 1.5.1-1.5.3; F5OS-C: 1.8.0-1.8.1, 1.6.0-1.6.2^3 | F5OS-A: 1.8.3, 1.5.4; F5OS-C: 1.8.2, 1.6.4 |
| CVE-2025-59483 | 6.5 / 8.5 | BIG-IP (all modules) | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-60013 | 5.7 / 4.6 | F5OS-A | 1.8.0^3, 1.5.1-1.5.3 | 1.8.3, 1.5.4 |
| CVE-2025-59268 | 5.3 / 6.9 | BIG-IP (all modules) | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-58474 | 5.3 / 6.9 | BIG-IP Advanced WAF/ASM, NGINX App Protect WAF | BIG-IP: 17.1.0-17.1.1; NGINX: 4.5.0-4.6.0 | BIG-IP: 17.1.2; NGINX: 4.7.0 |
| CVE-2025-61933 | 6.1 / 5.1 | BIG-IP APM | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-54755 | 4.9 / 6.9 | BIG-IP (all modules) | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8 |
| CVE-2025-53860 | 4.1 / 5.6 | F5OS-A | 1.8.0^3, 1.5.1-1.5.2 | 1.8.3, 1.5.3 |
Low Severity Vulnerabilities
| CVE ID | CVSS Score (v3.1 / v4.0) | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| CVE-2025-58424 | 3.7 / 6.3 | BIG-IP (all modules), F5 Silverline (all services) | BIG-IP: 17.1.0-17.1.2, 16.1.0-16.1.5, 15.1.0-15.1.10; Silverline: N/A | BIG-IP: 17.1.2.2^3, 16.1.6^3, 15.1.10.8^3; Silverline: N/A |
Security Exposures
| Exposure ID | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|
| K000150010: BIG-IP AFM security exposure | BIG-IP AFM | 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10 | 17.5.1.1, 17.1.3 |
BIG-IP Next for Kubernetes receives targeted hotfixes, like 2.1.0 EHF-14, to mitigate TMM and SSL/TLS weaknesses. Security exposures in BIG-IP AFM are also resolved, emphasizing the need for swift upgrades across all supported versions.
F5 stresses that while no active exploitation of undisclosed flaws is known, updating is essential to prevent lateral movement and data exfiltration in customer networks.
Customers should prioritize applying these updates, enabling event streaming to SIEM tools, and isolating management interfaces from public access.
Decommissioning end-of-life products further reduces exposure. F5’s transparency underscores the evolving nation-state threats, where stolen code could fuel sophisticated attacks on critical infrastructure.
By patching promptly, organizations can maintain robust defenses against this and future incidents. For full details, refer to F5’s official notification.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post F5 Released Security Updates Covering Multiple Products Following Recent Hack appeared first on Cyber Security News.
