A Strategic Response to the F5 BIG-IP Nation-State Breach

Saeed Abbasi

In mid-October 2025, the cybersecurity landscape was dealt a severe blow. F5 disclosed a long-term, sophisticated breach by a nation-state threat actor. This was not a typical vulnerability disclosure. The attackers exfiltrated a strategically critical pair of assets: portions of BIG-IP source code, and internal details of undisclosed (unpatched) vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately labeled this an “imminent threat.” The reason is simple: The adversary now possesses a technical advantage, allowing them to analyze the source code and weaponize unpatched flaws far faster than any defender can reverse-engineer a patch.

For enterprise vulnerability management and risk management teams, this incident is a code-red scenario. It demands a response that goes far beyond a standard patch cycle.

Security and risk practitioners must now execute a comprehensive, multi-phased response. The details below will guide your organization through this process:

  • Inventory All F5 Assets (Immediately): You cannot protect what you don’t know you have. Initiate an exhaustive inventory of all F5 instances, including physical appliances, Virtual Editions (VEs), and cloud-native deployments.
  • Execute an Aggressive Patching Strategy (Now): F5 released a massive quarterly patch bundle (K000156572) with 44 new CVEs (27 High, 16 Medium, and 1 Low). This release was likely accelerated to close the exact windows of opportunity the stolen data revealed. All critical, internet-facing devices must be patched immediately, followed by all other in-scope devices.
  • Harden the Management Plane (Top Priority): The most dangerous misconfiguration is an internet-facing management interface. Any BIG-IP management plane (TMUI or SSH) accessible from the public internet must be disconnected or firewalled off immediately.

Patching and mitigating known flaws is just the beginning. A deeper investigation is required, starting with a comprehensive configuration audit. Teams must validate settings using tools like F5’s iHealth, and ensure critical controls, such as “port lockdown,” are enforced on self-IPs. Concurrently, organizations must assume compromise and launch a proactive threat hunt for malicious outbound connections from the BIG-IP to internal servers, anomalous admin accounts, and unauthorized configuration changes.
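As an added illustration of the threat hunt described above (not F5 or Qualys code), the script below scans BIG-IP tmsh audit log lines for two of the indicators named in the text: creation of admin-role accounts, and configuration changes made by accounts outside a sanctioned allow-list. The log lines are constructed samples modelled on the BIG-IP /var/log/audit format, and ALLOWED_ADMINS is an assumed allow-list that you would replace with your own.

```python
"""Hunt over BIG-IP tmsh audit log lines for new admin accounts and
configuration changes by unapproved accounts. Illustrative code only;
log format is modelled on /var/log/audit and the lines are constructed."""
import re

# Assumption: the accounts your organization sanctions for BIG-IP changes.
ALLOWED_ADMINS = {"admin", "svc_automation"}

# Constructed sample lines (not a real capture), modelled on the tmsh AUDIT format.
SAMPLE_AUDIT_LOG = """\
Oct 16 02:11:07 bigip1 notice tmsh[4120]: 01420002:5: AUDIT - pid=4120 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list net self
Oct 16 02:13:44 bigip1 notice tmsh[4133]: 01420002:5: AUDIT - pid=4133 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user sysbackup password ***** shell bash partition-access all role admin
Oct 16 02:15:02 bigip1 notice tmsh[4140]: 01420002:5: AUDIT - pid=4140 user=sysbackup folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys httpd allow replace-all-with { all }
Oct 16 02:16:30 bigip1 notice tmsh[4151]: 01420002:5: AUDIT - pid=4151 user=svc_automation folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys config
"""

# Pull the acting user, command status and the tmsh command out of an AUDIT line.
AUDIT_RE = re.compile(
    r"AUDIT - pid=(?P<pid>\d+) user=(?P<user>\S+) .*?"
    r"status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*)$"
)
# Match account creation and capture the account name and its role.
NEW_USER_RE = re.compile(r"^create auth user (?P<name>\S+).*\brole (?P<role>\S+)")
CHANGE_VERBS = {"create", "modify", "delete"}


def hunt(log_text):
    """Return (finding_type, acting_user, detail) tuples for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or m["status"] != "Command OK":
            continue  # not an audit line, or the command never took effect
        user, cmd = m["user"], m["cmd"].strip()
        new_user = NEW_USER_RE.match(cmd)
        if new_user and new_user["role"] == "admin":
            findings.append(("new-admin-account", user, new_user["name"]))
        verb = cmd.split(" ", 1)[0]
        if user not in ALLOWED_ADMINS and verb in CHANGE_VERBS:
            findings.append(("change-by-unapproved-account", user, cmd))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_AUDIT_LOG):
        print(*finding, sep=" | ")
```

In practice, feed it the contents of /var/log/audit from each device (or the same lines forwarded to your SIEM) and review every finding against your change records.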

Discover F5 Assets Using Qualys CyberSecurity Asset Management (CSAM)

The first step in addressing this critical vulnerability is to gain complete visibility into all F5 assets across your environment, both internal and internet-facing. Using Qualys CyberSecurity Asset Management (CSAM) 3.0, integrated with External Attack Surface Management (EASM), organizations can automatically discover every exposed F5 instance.

CSAM not only identifies where these assets reside but also highlights end-of-life (EoL) or end-of-support (EoS) versions, ensuring security teams can prioritize the highest-risk systems for remediation. By combining CSAM’s real-time asset discovery with Qualys Vulnerability Management, Detection, and Response (VMDR), you can quickly detect, assess, and mitigate F5-related vulnerabilities before they can be exploited.

Identify internet-facing instances with vulnerable versions of F5 BIG-IP

In the following example, we aim to identify all F5 BIG-IP assets:

operatingSystem:"F5 BIG-IP" and hardware.manufacturer:`F5`

In the following example, we aim to identify assets with OS version greater than 12:

operatingSystem.version>12 and operatingSystem.publisher:`F5`

Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)

Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and mitigate the associated risks.

Qualys has released detections for the CVEs published by F5. All QIDs require authenticated remote scanning. For more details about the vulnerable versions, please refer to our threatprotect post.

Leverage the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.

To query for all CVEs, use this QQL statement:

vulnerabilities.vulnerability.cveIds:[CVE-2025-58474, CVE-2025-55036, CVE-2025-61938, CVE-2025-41430, CVE-2025-53474, CVE-2025-59268, CVE-2025-59269, CVE-2025-47148, CVE-2025-59478, CVE-2025-60016, CVE-2025-58153, CVE-2025-48008, CVE-2025-55669, CVE-2025-46706, CVE-2025-59781, CVE-2025-58424, CVE-2025-54479, CVE-2025-53856, CVE-2025-61951, CVE-2025-61935, CVE-2025-58071, CVE-2025-53868, CVE-2025-54858, CVE-2025-58096, CVE-2025-53521, CVE-2025-61958, CVE-2025-61933, CVE-2025-54854, CVE-2025-61960, CVE-2025-59481, CVE-2025-61974, CVE-2025-59483, CVE-2025-54755, CVE-2025-61990]

Alternatively, you can query for all associated QIDs:

vulnerabilities.vulnerability.qid:[385574, 385571, 385573, 385572, 385544, 385543, 385560, 385562, 385556, 385567, 385548, 385561, 385540, 385547, 385566, 385555, 385541, 385568, 385559, 385550, 385553, 385552, 385563, 385557, 385564, 385542, 385558, 385554, 385545, 385565, 385551, 385569, 385549, 385546]

Conclusion

The F5 BIG-IP breach is a stark reminder that in our interconnected ecosystem, your security is inextricably linked to the security of your critical suppliers. This incident is a clear and present danger that demands a response far beyond a typical patch cycle.

An effective defense requires a holistic program, which is impossible without a foundation of strong asset management, threat intelligence, and risk-based prioritization. This foundation is what guides a focused response, enabling immediate tactical remediation to patch, harden, and decommission your most critical assets first, followed by thorough configuration audits and proactive threat hunting to address hidden risks.
