{“lastseen”:”2025-10-18T02:05:14″,”description”:”In mid-October 2025, the cybersecurity landscape was dealt a severe blow. F5 disclosed a long-term, sophisticated breach by a nation-state threat actor. This was not a typical vulnerability disclosure. The attackers exfiltrated a strategic critical pair of assets: portions of BIG-IP source code, and internal details of undisclosed (unpatched) vulnerabilities.\\n\\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately labeled this an \\”imminent threat.\\” The reason is simple: The adversary now possesses a technical advantage, allowing them to analyze the source code and weaponize unpatched flaws far faster than any defender can reverse-engineer a patch.\\n\\nFor enterprise vulnerability management and risk management teams, this incident is a code-red scenario. It demands a response that goes far beyond a standard patch cycle.\\n\\nSecurity and risk practitioners must now execute a comprehensive, multi-phased response. The details below will guide your organization through this process:\\n\\n * **Inventory All F5 Assets (Immediately):** You cannot protect what you don’t know you have. Initiate an exhaustive inventory of all F5 instances, including physical appliances, Virtual Editions (VEs), and cloud-native deployments.\\n * **Execute an Aggressive Patching Strategy (Now):** F5 released a massive quarterly patch bundle (K000156572) with 44 new CVEs (27 High, 16 Medium, and 1 Low CVEs). This release was likely accelerated to close the exact windows of opportunity the stolen data revealed. All critical, internet-facing devices must be patched immediately, followed by all other in-scope devices.\\n * **Harden the Management Plane (Top Priority): **The most dangerous misconfiguration is an internet-facing management interface. Any BIG-IP management plane (TMUI or SSH) accessible from the public internet must be disconnected or firewalled off immediately.\\n\\n\\n\\nPatching and mitigating known flaws is just the beginning. A deeper investigation is required, starting with a comprehensive configuration audit. Teams must validate settings using tools like F5’s iHealth, and ensure critical controls, such as \\”port lockdown,\\” are enforced on self-IPs. Concurrently, organizations must assume compromise and launch a proactive threat hunt, such as identifying malicious outbound connections from the BIG-IP to internal servers, anomalous admin accounts, and unauthorized configuration changes.\\n\\n## **How Qualys Helps You Discover F5 Assets and Detect Related Vulnerabilities**?\\n\\n### **Discover F5 Assets Using Qualys CyberSecurity Asset Management (CSAM)**\\n\\nThe initial and crucial step in managing this critical vulnerability and mitigating associated risks involves pinpointing all assets susceptible to this specific issue. Use CSAM 3.0 with External Attack Surface Management to identify your organization\u2019s internet-facing instances or are at their End of Life (EoL) or End of Support (EoS).\\n\\nIn the following example, we aim to identify all F5 BIG-IP assets:\\n \\n \\n operatingSystem:\\”F5 BIG-IP\\” and hardware.manufacturer:`F5`\\n\\n\\n\\n### **Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)**\\n\\nQualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and mitigate the associated risks.\\n\\nQualys has released detections for the CVEs published by F5. All QIDs require authenticated remote scanning. For more details about the vulnerable versions, please refer to our threatprotect post.\\n\\nLeverage the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.\\n\\nQuery for all CVEs, use this QQL statement:\\n \\n \\n vulnerabilities.vulnerability.cveIds:[CVE-2025-58474, CVE-2025-55036, CVE-2025-61938, CVE-2025-41430, CVE-2025-53474, CVE-2025-59268, CVE-2025-59269, CVE-2025-47148, CVE-2025-59478, CVE-2025-60016, CVE-2025-58153, CVE-2025-48008, CVE-2025-55669, CVE-2025-46706, CVE-2025-59781, CVE-2025-58424, CVE-2025-54479, CVE-2025-53856, CVE-2025-61951, CVE-2025-61935, CVE-2025-58071, CVE-2025-53868, CVE-2025-54858, CVE-2025-58096, CVE-2025-53521, CVE-2025-61958, CVE-2025-61933, CVE-2025-54854, CVE-2025-61960, CVE-2025-59481, CVE-2025-61974, CVE-2025-59483, CVE-2025-54755, CVE-2025-61990]\\n\\nAlternatively, you can query for all associated QIDs:\\n \\n \\n vulnerabilities.vulnerability.qid:[385574, 385571, 385573, 385572, 385544, 385543, 385560, 385562, 385556, 385567, 385548, 385561, 385540, 385547, 385566, 385555, 385541, 385568, 385559, 385550, 385553, 385552, 385563, 385557, 385564, 385542, 385558, 385554, 385545, 385565, 385551, 385569, 385549, 385546]\\n\\n\\n\\n## **Conclusion**\\n\\nThe F5 BIG-IP breach is a stark reminder that in our interconnected ecosystem, your security is inextricably linked to the security of your critical suppliers. This incident is a clear and present danger that demands a response far beyond a typical patch cycle.\\n\\nAn effective defense requires a holistic program, which is impossible without a foundation of strong asset management, threat intelligence, and risk-based prioritization. This foundation is what guides a focused response, enabling immediate tactical remediation to patch, harden, and decommission your most critical assets first, followed by thorough configuration audits and proactive threat hunting to address hidden risks.\\n\\n* * *\\n\\n**Get started with Qualys solutions today.**\\n\\nTry Today\\n\\n* * *”,”published”:”2025-10-18T00:49:07″,”modified”:”2025-10-18T00:49:07″,”type”:”qualysblog”,”title”:”A Strategic Response to the F5 BIG-IP Nation-State Breach”,”source”:””,”references”:””,”id”:”QUALYSBLOG:84868ADF276AF501A87D1D25921D67F3″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-41430″,”CVE-2025-46706″,”CVE-2025-47148″,”CVE-2025-48008″,”CVE-2025-53474″,”CVE-2025-53521″,”CVE-2025-53856″,”CVE-2025-53868″,”CVE-2025-54479″,”CVE-2025-54755″,”CVE-2025-54854″,”CVE-2025-54858″,”CVE-2025-55036″,”CVE-2025-55669″,”CVE-2025-58071″,”CVE-2025-58096″,”CVE-2025-58153″,”CVE-2025-58424″,”CVE-2025-58474″,”CVE-2025-59268″,”CVE-2025-59269″,”CVE-2025-59478″,”CVE-2025-59481″,”CVE-2025-59483″,”CVE-2025-59781″,”CVE-2025-60016″,”CVE-2025-61933″,”CVE-2025-61935″,”CVE-2025-61938″,”CVE-2025-61951″,”CVE-2025-61958″,”CVE-2025-61960″,”CVE-2025-61974″,”CVE-2025-61990″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/SC:N\/VI:N\/SI:N\/VA:H\/SA:L”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.qualys.com\/category\/vulnerabilities-threat-research”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-18T02:05:14″,”description”:”In mid-October 2025, the cybersecurity landscape was dealt a severe blow. F5 disclosed a long-term, sophisticated breach by a nation-state threat actor. This was not…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,19,12,15,13,120,7,11,5],"class_list":["post-22286","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-news","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n