
Responding To The F5 Incident: How SixMap Is Helping Customers Accelerate Remediation

Last week cybersecurity company F5 Inc. disclosed a major breach thought to be carried out by China-affiliated threat actors. While many details about this incident are still emerging, one thing is clear: security teams are in rapid response mode to update all F5 products across their environments.

SixMap is helping customers preemptively mitigate the risks of this incident in several key ways. First, SixMap shows customers all of their assets and exposures, making it easy to quickly find all F5 BIG-IP instances visible from the Internet. Second, SixMap’s unique organization mapping approach assigns every asset to the entity that owns it, so customers know exactly who to contact about updating a specific instance of BIG-IP. And third, because SixMap’s processes are truly continuous, we can quickly notify customers when new BIG-IP instances are deployed or when existing BIG-IP exposures are taken offline.

This post will provide a quick overview of the incident, discuss the impact, and describe how SixMap helped customers to quickly find their F5 exposures and accelerate remediation. We’ll also provide several key strategies for preventing your organization from being affected by this event.

An Overview of the Incident

On October 15th, F5 published a blog post confirming a security incident in which “a nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems.” The post states the intrusion was first detected in August 2025.

The F5 breach resulted in the loss of sensitive data, including source code as well as undisclosed vulnerabilities for which the firm was developing fixes. According to the F5 post, the firm has “no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.”

While no new vulnerabilities are known to be under active exploitation, the unauthorized access to a development environment and the exfiltration of source code mean the threat actors could have a much easier time compromising F5 products. As a result, F5 proactively released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM, and is urging all customers to update to the latest versions as quickly as possible.

Impact of the Incident 

This incident is having an enormous impact for several reasons:

  • the length of time that attackers maintained access to internal F5 systems
  • the extent of the access that threat actors managed to obtain
  • the ubiquity of F5 products in use across large organizations.

Lengthy Dwell Time

Independent reporting from Bloomberg states that attackers first breached the F5 network in August 2023, then remained dormant within the corporate environment for at least a year before acting on other objectives. 

The breach was not discovered until some time in August 2025, meaning the threat actors remained undetected for roughly two years. While some of the malicious activity is known to investigators and digital forensics experts, it’s likely that some logs are no longer accessible or that threat actors simply deleted logs to cover their tracks.

Access To Sensitive Systems & Data

This incident is particularly alarming because of the extent of the access the threat actors had to F5 systems, including development environments. F5 states that there is “no evidence of modification to our software supply chain, including our source code and our build and release pipelines.” This is a positive sign. 

However, given the lengthy dwell time and the fact that some past activity may be all but untraceable at this late stage, some security professionals are urging caution and encouraging increased monitoring of all F5 products.

Many Affected Organizations

Lastly, this incident has a wide-reaching impact, as F5’s website claims their products are used by more than 4 out of 5 Fortune 500 companies, as well as many US federal government agencies. 

This led CISA to publish an emergency directive on October 15th, with CISA Acting Director Madhu Gottumukkala explaining that the “alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies.” 

Responding to the Incident

The recent CISA Emergency Directive, ED 26-01, requires all federal agencies to update the following F5 products:

  • Hardware: BIG-IP iSeries, rSeries, or any other F5 device that has reached end of support
  • Software: All devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK)/Cloud-Native Network Functions (CNF)

While commercial enterprises are not required to abide by CISA directives, CISOs and other security leaders at private sector organizations are treating the event as critical and making F5 updates their top priority. 

It’s important to emphasize once again that there is currently no evidence of new 0-day vulnerabilities in F5 products being actively exploited. But, given the severity and long lifespan of the F5 breach, running previous versions of select F5 products will “present an unacceptable risk”, according to CISA.

The deadline for updating is October 22, 2025, just one calendar week after the CISA Directive was published. 

How SixMap Helped Customers Accelerate Remediation

To put it plainly, responding to the F5 incident has just one action item: update all F5 BIG-IP products as quickly as possible. Of course, like many things in cybersecurity, this is much easier said than done.

SixMap recently helped two large organizations, one public sector and one private sector, find all of their Internet-facing F5 BIG-IP exposures. The public sector customer, a US state government, coordinates and supports security programs across hundreds of entities: state agencies, hospitals, universities, counties, and more. The private enterprise customer, a global electronics manufacturer, also has many entities to protect: subsidiaries, business units, product lines, and more. 

With such complex organizational structures and enormous digital estates, both of these customers needed support in responding to the F5 incident. SixMap helped in three major ways: visibility, ownership, and continuous monitoring.

Getting Visibility On Exposures 

The first step is to identify all of the instances of BIG-IP exposed to the external Internet across both massive digital estates. SixMap automates this entire process with a high degree of precision, saving time and increasing operational efficiency. 

One of SixMap’s core differentiators is the completeness and accuracy of the data we provide. Our discovery process finds all assets and exposures without leaving unknown infrastructure in the shadows or misattributing third-party assets to the customer. 

Understanding Ownership 

SixMap’s organization mapping approach assigns ownership of every asset back to the entity that is responsible for securing it. As a result, all IT assets (networks, IP addresses, domains) and all exposures (open ports, services in use, known CVEs) are structured and easier to manage.

This approach saves security teams a significant amount of time when triaging and remediating vulnerabilities. They know exactly which entity is in control of the asset, so they know who to contact about updating a vulnerable software product. Ultimately, this speeds up Mean Time To Remediate (MTTR).

Continuous Monitoring

SixMap’s discovery and assessment processes are truly continuous. When one job ends, the next begins. For SMBs, this can mean daily completions. For larger organizations, the process can run once or twice weekly.

The continuous delivery of SixMap’s capabilities helps security teams quickly see what has changed in their environment between any two assessments. When viewing the delta between the two most recent assessments, security teams can see all of the new assets and exposures that have appeared over the last few days, as well as any previous assets or exposures that are no longer online. This makes it easy for security teams to see whether any new BIG-IP instances have been deployed or whether any existing BIG-IP exposures were decommissioned.
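The two workflows described above, attributing each exposure to its owning entity and diffing consecutive assessments, as an added illustration that is not SixMap code. The snapshots, IP addresses and entity names are constructed sample data, and the record layout is an assumption.

```python
# Constructed sample assessments (not SixMap data). Each record is one
# Internet-facing exposure already attributed to the entity that owns it.
PREVIOUS_ASSESSMENT = [
    {"ip": "203.0.113.10", "port": 443, "product": "BIG-IP", "owner": "State Health Dept"},
    {"ip": "203.0.113.11", "port": 443, "product": "BIG-IP", "owner": "State University"},
    {"ip": "198.51.100.5", "port": 22, "product": "OpenSSH", "owner": "County IT"},
]
LATEST_ASSESSMENT = [
    {"ip": "203.0.113.10", "port": 443, "product": "BIG-IP", "owner": "State Health Dept"},
    {"ip": "203.0.113.12", "port": 8443, "product": "BIG-IP", "owner": "County IT"},
    {"ip": "198.51.100.5", "port": 22, "product": "OpenSSH", "owner": "County IT"},
]


def key(rec):
    """Identity of an exposure: the same service on the same address and port."""
    return (rec["ip"], rec["port"], rec["product"])


def delta(previous, latest, product="BIG-IP"):
    """Return (new, removed) exposures of one product between two assessments.

    'new' appeared since the previous run (e.g. a freshly deployed BIG-IP);
    'removed' were present before but are no longer online (decommissioned).
    """
    prev = {key(r): r for r in previous if r["product"] == product}
    curr = {key(r): r for r in latest if r["product"] == product}
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    removed = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    return new, removed


def remediation_by_owner(latest, product="BIG-IP"):
    """Group every still-exposed instance by owning entity, so each entity
    receives one notification listing exactly the instances it must update."""
    groups = {}
    for r in latest:
        if r["product"] == product:
            groups.setdefault(r["owner"], []).append(f'{r["ip"]}:{r["port"]}')
    return {owner: sorted(v) for owner, v in sorted(groups.items())}


if __name__ == "__main__":
    new, removed = delta(PREVIOUS_ASSESSMENT, LATEST_ASSESSMENT)
    print("New BIG-IP exposures:", [key(r) for r in new])
    print("Decommissioned BIG-IP exposures:", [key(r) for r in removed])
    for owner, instances in remediation_by_owner(LATEST_ASSESSMENT).items():
        print(f"{owner}: update {', '.join(instances)}")
```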

Additional Strategies For Staying Secure

In addition to updating all F5 products as discussed above, there are several steps that security teams can take to make sure their organization stays secure. 

Continuous Exposure Assessment

Continuously monitor your external assets and exposures. This ensures you will quickly spot any new F5 instances visible from the web, as well as any other external risks that require rapid remediation. Learn more about the SixMap platform’s preemptive exposure management capabilities here.

Proactive Threat Hunting

It’s possible that threat actors have already exploited some F5 exposures, so if your security program has a threat hunting function, this is the perfect use case for a proactive hunt. Direct your team to look for IoCs associated with the BRICKSTORM malware, a backdoor known to be used by China-nexus threat actors like the ones that compromised F5. Comb through the logs on F5 systems and those adjacent to F5 systems to find anomalies and any signs of malicious activity.

Enhanced Logging & Monitoring

Increase the verbosity of logs on any F5 devices or servers running F5 software. If you’d like to exercise an abundance of caution, increase the verbosity of all adjacent systems, as well. Monitor those systems carefully and quickly respond to any suspicious activity. 

Conclusion

SixMap’s mission is to empower cyber defenders with trusted data so they can stop attacks before they happen. The recent F5 incident demonstrates our commitment to that mission and serves as an excellent case study of how we help customers respond faster, preemptively block attacks, and keep their organizations secure.

Reach out to the SixMap team to see the product in action.