
F5 security incident: How to scope and take action

Axonius

Last update: 17:05 ET, October 17, 2025

TL;DR: This post provides guidance on how to identify and implement recommended actions for BIG-IP assets at risk due to the recent exfiltration of source code and information on unpatched vulnerabilities disclosed by F5.

Summary

On October 15, 2025, F5 disclosed a major security incident, detected in August 2025, in which a nation-state threat actor gained access to F5's internal systems and downloaded intellectual property from F5, including source code, an engineering knowledge base, and information about undisclosed vulnerabilities.

While F5 is not aware of active exploitation of any undisclosed vulnerabilities, the access to source code and proprietary knowledge allows the threat actor to potentially develop zero-day vulnerabilities and targeted exploits.

This led the UK's NCSC to release guidance and CISA to issue an Emergency Directive (ED) 26-01, highlighting an imminent threat to federal networks and civilian organizations, and mandating immediate action.

Impacted systems

This incident potentially affects the entire F5 BIG-IP ecosystem. F5, CISA, and NCSC called out the following products as being at risk:

  • Hardware/appliances: All BIG-IP hardware devices, including (but not limited to) BIG-IP iSeries, rSeries, or any other F5 device that has reached end of support.

  • OS: All instances of BIG-IP F5OS, BIG-IP TMOS, Virtual Edition (VE).

  • Software: All instances of BIG-IP F5OS, BIG-IP TMOS, Virtual Edition (VE), BIG-IP Next, BIG-IQ software, BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF).

Recommended actions

As of the time of writing, F5, NCSC, and CISA provide a series of actions, starting from taking inventory of your entire F5 infrastructure (inclusive of hardware appliances, software appliances, containers, and installed software) and then taking actions including (but not limited to) updating versions, hardening assets, and disconnecting end-of-support systems. For detailed guidance and the latest information, visit the Emergency Directive (ED) 26-01, the F5 security advisory, and the NCSC guidance.

1. How to take inventory with Axonius

Before you begin, it's highly recommended to run a full discovery to ensure you're working with the most current data from your environment. From there, use the steps below to list your inventory:

1.1. Find F5 hard and soft appliances

To find F5 hardware or software appliances, head over to Assets > Compute > Devices, and then search for signals of F5 through Device Manufacturer, Model, and Preferred OS: Full String attributes: 

("specific_data.data.device_manufacturer" == regex("F5", "i")) or ("contains.[specific_data.data.device_model]" in ["BIG-IP","Big ip","F5","iSeries","rSeries"]) or ("contains.[specific_data.data.os.os_str_preferred]" in ["BIG-IP","F5"])

Save the query.

1.2. Find F5 containers

If you leverage Axonius adapters that retrieve containers (such as Kubernetes, Cilium, OpenShift, Docker Engine, and others), head over to Assets > Compute > Containers, and then search for signals of BIG-IP Next for Kubernetes (BNK): 

("specific_data.data.name" in ["f5ingress","k8s-bigip-ctlr"]) or ("specific_data.data.name" == regex("^f5\-", "i"))

Save the query.

1.3. Find F5 software

To find devices using BIG-IP software (such as TMOS, BIG-IQ, and BIG-IP Next), head over to Assets > Applications > Software, and then search for signals of F5 and BIG-IP:

(("specific_data.data.installed_software.name" == regex("tmsh", "i")) or ("contains.[specific_data.data.installed_software.name_version]" in ["BIG-IP","BIG-IP Next","BIG-IQ","Big ip","BigIQ","TMOS"])) and not ("specific_data.data.installed_software.name_version" == regex("Edge Client", "i"))

Save the query.

Note: The query above excludes the F5 VPN client (BIG-IP Edge Client) from the results, as current security guidance (as of Oct-17) does not specifically indicate that the BIG-IP Edge Client itself was directly affected. If you want to include the BIG-IP Edge Client in the results, just remove the exclusion of the “Edge Client” from your query.
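The three scoping queries in steps 1.1 to 1.3 can also be run offline against an exported inventory, which is useful for cross-checking results or feeding a ticketing workflow. The script below is an added example, not Axonius code: it applies the same matching rules (case-insensitive regex for the `regex(..., "i")` terms, case-sensitive substring for the `contains.[...] in [...]` terms, and the Edge Client exclusion) to constructed sample records whose field names are assumptions.

```python
import re

# Constructed sample records shaped like an asset export; field names are assumptions.
DEVICES = [
    {"id": "dev-1", "manufacturer": "F5 Networks", "model": "i5800", "os": "BIG-IP 16.1.4"},
    {"id": "dev-2", "manufacturer": "Dell", "model": "PowerEdge R740", "os": "Ubuntu 22.04"},
    {"id": "dev-3", "manufacturer": "", "model": "rSeries r5900", "os": ""},
    {"id": "dev-4", "manufacturer": "VMware", "model": "Virtual Machine", "os": "BIG-IP Virtual Edition 17.1"},
]
CONTAINERS = [
    {"id": "ctr-1", "name": "k8s-bigip-ctlr"},
    {"id": "ctr-2", "name": "f5-tmm"},
    {"id": "ctr-3", "name": "nginx-ingress"},
]
SOFTWARE = [
    {"id": "sw-1", "name": "tmsh", "name_version": "tmsh 16.1"},
    {"id": "sw-2", "name": "BIG-IP Edge Client", "name_version": "BIG-IP Edge Client 7.2"},
    {"id": "sw-3", "name": "BIG-IQ", "name_version": "BIG-IQ 8.3"},
    {"id": "sw-4", "name": "Chrome", "name_version": "Chrome 130"},
]

def contains_any(value, tokens):
    """Mirror '"contains.[field]" in [...]': case-sensitive substring match on any token."""
    return any(tok in (value or "") for tok in tokens)

def is_f5_device(rec):
    # Step 1.1: manufacturer regex, model tokens, or preferred OS string tokens.
    return (re.search("F5", rec.get("manufacturer") or "", re.I) is not None
            or contains_any(rec.get("model"), ["BIG-IP", "Big ip", "F5", "iSeries", "rSeries"])
            or contains_any(rec.get("os"), ["BIG-IP", "F5"]))

def is_bnk_container(rec):
    # Step 1.2: known BNK container names, or any name starting with "f5-".
    name = rec.get("name") or ""
    return name in ("f5ingress", "k8s-bigip-ctlr") or re.search(r"^f5-", name, re.I) is not None

def is_f5_software(rec, include_edge_client=False):
    # Step 1.3: tmsh or BIG-IP family tokens, minus the Edge Client unless asked for.
    name, nv = rec.get("name") or "", rec.get("name_version") or ""
    hit = (re.search("tmsh", name, re.I) is not None
           or contains_any(nv, ["BIG-IP", "BIG-IP Next", "BIG-IQ", "Big ip", "BigIQ", "TMOS"]))
    if not include_edge_client and re.search("Edge Client", nv, re.I):
        return False
    return hit

def scope_inventory(devices, containers, software, include_edge_client=False):
    """Return the asset ids that fall in scope for each of the three inventory views."""
    return {
        "devices": [d["id"] for d in devices if is_f5_device(d)],
        "containers": [c["id"] for c in containers if is_bnk_container(c)],
        "software": [s["id"] for s in software if is_f5_software(s, include_edge_client)],
    }
```

Run with `scope_inventory(DEVICES, CONTAINERS, SOFTWARE)`; pass `include_edge_client=True` to drop the Edge Client exclusion, matching the note above.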

2. How to take action with Axonius

At this point, you have three queries covering your F5 inventory across appliances, containers, and software. For these systems, follow the additional recommendations from CISA, F5, and NCSC. While each institution provides different guidance steps (e.g., F5 recommends updating SIEM monitoring; CISA requires applying subsequent F5 updates within a week of release), they all share common guidance around:

To accelerate alerts and remediation with Axonius, use the queries from steps 1.1 to 1.3 to trigger automatic investigation, remediation, and action. For example, whenever a new at-risk F5 asset is identified, you can automatically mobilize the system owner to take the corrective measures above, while at the same time raising SIEM/SOC monitoring and tightening the security policy in your endpoint and network protection to mitigate risk while the fix is being deployed.

Through the same queries, you can also use dashboards to continuously report status to stakeholders.

Learn more

If you're not an Axonius customer and want to know more about how we can help you, schedule a meeting with a security specialist.
