A Strategic Response to the F5 BIG-IP Nation-State Breach

In mid-October 2025, the cybersecurity landscape was dealt a severe blow. F5 disclosed a long-term, sophisticated breach by a nation-state threat actor. This was not a typical vulnerability disclosure. The attackers exfiltrated a strategic critical pair of assets: portions of BIG-IP source code, and internal details of undisclosed (unpatched) vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately labeled this an “imminent threat.” The reason is simple: The adversary now possesses a technical advantage, allowing them to analyze the source code and weaponize unpatched flaws far faster than any defender can reverse-engineer a patch.

For enterprise vulnerability management and risk management teams, this incident is a code-red scenario. It demands a response that goes far beyond a standard patch cycle.

Security and risk practitioners must now execute a comprehensive, multi-phased response. The details below will guide your organization through this process:

• Inventory All F5 Assets (Immediately): You cannot protect what you don’t know you have. Initiate an exhaustive inventory of all F5 instances, including physical appliances, Virtual Editions (VEs), and cloud-native deployments.
• Execute an Aggressive Patching Strategy (Now): F5 released a massive quarterly patch bundle (K000156572) with 44 new CVEs (27 High, 16 Medium, and 1 Low CVEs). This release was likely accelerated to close the exact windows of opportunity the stolen data revealed. All critical, internet-facing devices must be patched immediately, followed by all other in-scope devices.
• Harden the Management Plane (Top Priority): The most dangerous misconfiguration is an internet-facing management interface. Any BIG-IP management plane (TMUI or SSH) accessible from the public internet must be disconnected or firewalled off immediately.

Patching and mitigating known flaws is just the beginning. A deeper investigation is required, starting with a comprehensive configuration audit. Teams must validate settings using tools like F5’s iHealth, and ensure critical controls, such as “port lockdown,” are enforced on self-IPs. Concurrently, organizations must assume compromise and launch a proactive threat hunt, such as identifying malicious outbound connections from the BIG-IP to internal servers, anomalous admin accounts, and unauthorized configuration changes.

The Risk-Velocity Mismatch: F5 Patching Decelerates as Attacker Insight Accelerates

At the Qualys Threat Research Unit, we analyzed vulnerability data for six critical, weaponized CVEs related to F5 Big-IP, all of which are part of CISA’s KEV catalog. We looked into their vulnerability lifecycle events across enterprise environments, drawing on data from tens of thousands of detections. What our data showed was a chronic, concerning problem: organizations are getting slower at patching these critical F5 appliances. 

This creates a significant risk-velocity mismatch. The attacker’s time-to-weaponize has shrunk from months (for a typical public CVE) to hours or days (using stolen source code). Our data shows that the industry’s response velocity is lagging significantly behind this new threat velocity. This unpatched population of devices represents a persistent and exploitable attack surface. Adversaries are aware that these assets are difficult to patch and can now leverage their knowledge from the stolen data to target them more effectively. 

The new 44-CVE bundle (K000156572) is not a routine patch cycle; it’s an urgent containment effort. Because this bundle was released to close the exact windows of opportunity revealed by the stolen data, all 44 of these CVEs must be treated with the same urgency as actively known flaws. These are the vulnerabilities that the adversary already has deep insight into. 

Analyzing remediation history back to 2020 is essential for two critical insights. First, CVE-2020-5902 establishes our ‘best-case’ patching baseline (a 21-day median), which is necessary to prove the subsequent trend. More importantly, these vulnerabilities define the ‘long-tail risk.’ Any asset still unpatched against these old, known flaws represents the most severe risk—these are the proven, neglected, and hard to patch devices that attackers, now armed with stolen source code, will target with precision. 

Our data shows a consistent deceleration in patching speed for these critical and weaponized vulnerabilities over the past five years. The median survival time (the time it takes for 50% of organizations to patch), marked by the triangle indicators at the chart’s top, has increased from 21 days (CVE-2020-5902) to 175 days (CVE-2023-46748).  

This trend appears to be specific to F5 Big-IP, a critical network-edge appliance, rather than a general market-wide issue. This suggests that patching these particular devices is becoming increasingly complex, possibly due to operational complexity, concerns about service disruption, and challenges in asset visibility. 

We are also seeing a substantial and growing long-tail risk period. Looking at the 12-month (365-day) mark, 7.8% to 15.5% of these vulnerable instances remain unpatched. It’s highly recommended to triage by mitigation if patching is not an immediate option. As a viable action, execute compensating controls, like hardening the management plane, before attempting to patch. To that end, the Qualys Threat Research Unit is actively monitoring the remediation of the new 44-CVE bundle. Stay tuned, as we will release our initial survival curve analysis for this latest patch cycle in the coming weeks to share the most current data on these patch rates. 

This represents a persistent population of devices that are challenging to remediate and require a different strategy beyond simple scanning and reporting. That is precisely the problem the Risk Operations Center (ROC) is designed to solve. The ROC isn’t another tool to find more vulnerabilities; it’s an engine to provide the context and risk-based prioritization to finally escape this chaos.  

How Qualys Helps You Discover F5 Assets and Detect Related Vulnerabilities

Discover F5 Assets Using Qualys CyberSecurity Asset Management (CSAM)

The first step in addressing this critical vulnerability is to gain complete visibility into all F5 assets across your environment both internal and internet-facing. Using Qualys CyberSecurity Asset Management (CSAM) 3.0, integrated with External Attack Surface Management (EASM), organizations can automatically discover every exposed F5 instance.

CSAM not only identifies where these assets reside but also highlights end-of-life (EoL) or end-of-support (EoS) versions, ensuring security teams can prioritize the highest-risk systems for remediation. By combining CSAM’s real-time asset discovery with Qualys Vulnerability Management, Detection, and Response (VMDR), you can quickly detect, assess, and mitigate F5-related vulnerabilities before they can be exploited.

Free Trial

Identify internet-facing instances with vulnerable versions of F5 Big-IP

Start 15-Day Trial

In the following example, we aim to identify all F5 BIG-IP assets:

operatingSystem:"F5 BIG-IP" and hardware.manufacturer:`F5`

In the following example, we aim to identify assets with OS version greater than 12:

operatingSystem.version>12 and operatingSystem.publisher:`F5`

Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)

Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and mitigate the associated risks.

Qualys has released detections for the CVEs published by F5. All QIDs require authenticated remote scanning. For more details about the vulnerable versions, please refer to our threatprotect post.

Leverage the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.

Query for all CVEs, use this QQL statement:

vulnerabilities.vulnerability.cveIds:[CVE-2025-58474, CVE-2025-55036, CVE-2025-61938, CVE-2025-41430, CVE-2025-53474, CVE-2025-59268, CVE-2025-59269, CVE-2025-47148, CVE-2025-59478, CVE-2025-60016, CVE-2025-58153, CVE-2025-48008, CVE-2025-55669, CVE-2025-46706, CVE-2025-59781, CVE-2025-58424, CVE-2025-54479, CVE-2025-53856, CVE-2025-61951, CVE-2025-61935, CVE-2025-58071, CVE-2025-53868, CVE-2025-54858, CVE-2025-58096, CVE-2025-53521, CVE-2025-61958, CVE-2025-61933, CVE-2025-54854, CVE-2025-61960, CVE-2025-59481, CVE-2025-61974, CVE-2025-59483, CVE-2025-54755, CVE-2025-61990]

Alternatively, you can query for all associated QIDs:

vulnerabilities.vulnerability.qid:[385574, 385571, 385573, 385572, 385544, 385543, 385560, 385562, 385556, 385567, 385548, 385561, 385540, 385547, 385566, 385555, 385541, 385568, 385559, 385550, 385553, 385552, 385563, 385557, 385564, 385542, 385558, 385554, 385545, 385565, 385551, 385569, 385549, 385546]

Conclusion

The F5 BIG-IP breach is a stark reminder that in our interconnected ecosystem, your security is inextricably linked to the security of your critical suppliers. This incident is a clear and present danger that demands a response far beyond a typical patch cycle.

An effective defense requires a holistic program, which is impossible without a foundation of strong asset management, threat intelligence, and risk-based prioritization. This foundation is what guides a focused response, enabling immediate tactical remediation to patch, harden, and decommission your most critical assets first, followed by thorough configuration audits and proactive threat hunting to address hidden risks.

Get started with Qualys solutions today.