* Last update: 16/10/2025
* Affected products:
→ Hardware: BIG-IP iSeries, rSeries, or any other F5 device that has reached end of support
→ Software: All devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK)/Cloud-Native Network Functions (CNF)
* Type: F5’s security bulletin released October 15, 2025, tied to the disclosure of a breach of its internal development systems, provides fixes for multiple vulnerabilities across various F5 product lines.
* CVE/CVSS:
- CVE-2025-53868: CVSS 8.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
- CVE-2025-61955: CVSS 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- CVE-2025-57780: CVSS 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
F5 Quarterly Security Notification - https://my.f5.com/manage/s/article/K000156572
F5 Security Incident - https://my.f5.com/manage/s/article/K000154696
In August 2025, a highly sophisticated nation-state actor gained persistent, long-term access to F5’s internal systems, including the BIG-IP product development environment and engineering knowledge management platforms.
The attacker exfiltrated portions of BIG-IP source code, information about undisclosed vulnerabilities, and a small subset of customer configuration data. This combination of stolen intellectual property and vulnerability information provides the adversary with a significant technical advantage, enabling accelerated discovery and weaponization of zero-day vulnerabilities, targeted exploitation of specific deployments, and potential access to credentials and API keys.
While there is no evidence of modification to software, build pipelines, or production systems, the strategic implications are severe, prompting emergency guidance from CISA for federal networks and high-risk customers globally.
F5’s Quarterly Security Notification (October 2025) disclosed multiple vulnerabilities affecting BIG-IP, F5OS, BIG-IP Next, BIG-IQ, and APM clients. These include privilege escalation, appliance-mode bypass, and denial-of-service flaws. The timing of these disclosures, immediately after the breach was made public, underscores the urgency: the same vulnerabilities referenced in internal development materials may now be patched, but could be quickly weaponized against unpatched systems. F5 confirmed to BleepingComputer that “today’s security updates do address impact from the incident,” indicating that these fixes are directly tied to the compromised data.
The attacker accessed F5’s internal development systems without detection for an extended period.
Analysis confirms exfiltration of:
- BIG-IP source code: Allows for deep static and dynamic analysis to identify logical flaws, protocol-handling issues, privilege escalation paths, and potential zero-day exploits.
- Internal vulnerability research: Provides a roadmap to previously undisclosed vulnerabilities under investigation by F5, eliminating research time for adversaries and enabling rapid exploit development.
- Customer configuration data (small subset): Enables targeted, surgical attacks tailored to specific network topologies, security policies, and administrative settings of high-value targets.
Independent cybersecurity reviews validated that the software supply chain, source code, and build/release pipelines were not modified. No evidence exists that the attacker accessed CRM, financial, iHealth, NGINX, F5 Distributed Cloud Services, or Silverline systems. F5 has proactively released patches for all affected products to mitigate the intelligence advantage gained by the attacker.
The October 2025 security updates address a significant number of vulnerabilities across F5’s product suite, many of which are likely related to the data exfiltrated during the recent breach. These include:
- CVE-2025-53868 (CVSS 8.5 – High, Access Control Bypass): Impacts all BIG-IP modules. Allows a highly privileged, authenticated user with SCP or SFTP access to bypass Appliance Mode restrictions, enabling configuration changes or administrative actions that should otherwise be blocked.
- CVE-2025-61955 (CVSS 8.5 – Privilege Escalation) and CVE-2025-57780 (CVSS 8.5 – Privilege Escalation): Affect F5OS platforms, where an authenticated local attacker could elevate privileges across security boundaries, potentially compromising the host system.
- Additional vulnerabilities in protocol handling, authentication logic, and input validation introduce risks of denial-of-service (DoS), unauthorized access, or information disclosure under certain configurations. These include improper session validation and resource exhaustion flaws that could disrupt service availability or expose sensitive data.
Although F5 reports no evidence of active exploitation, the timing and nature of these disclosures suggest that the vulnerabilities patched in this release overlap with the information accessed by the threat actor. As a result, there is a heightened risk that these flaws could be weaponized in short order against unpatched systems, making immediate remediation critical.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Recommended Actions:
- Immediate patching: Apply vendor-released updates for all affected products, including BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Prioritize high-severity vulnerabilities as documented in the October 2025 Quarterly Security Notification (K000156572).
- Harden management interfaces:
- Credential and key rotation:
Monitor/Detect
The CCB recommends that organizations step up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Bleeping Computer - https://www.bleepingcomputer.com/news/security/f5-releases-big-ip-patches-for-stolen-security-vulnerabilities/
CISA - https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
Picus - https://www.picussecurity.com/resource/blog/f5-confirms-breach-of-internal-systems
Tenable - https://www.tenable.com/blog/frequently-asked-questions-about-the-august-2025-f5-security-incident
CERT-EU - https://cert.europa.eu/publications/security-advisories/2025-037/