F5 Says Hackers Stole Undisclosed BIG-IP Flaws, Source Code (bleepingcomputer.com)
- Reference: 0179802860
- News link: https://it.slashdot.org/story/25/10/15/2214235/f5-says-hackers-stole-undisclosed-big-ip-flaws-source-code
- Source link: https://www.bleepingcomputer.com/news/security/hackers-breach-f5-to-steal-undisclosed-big-ip-flaws-source-code/
> U.S. cybersecurity company F5 [1]disclosed that nation-state hackers [2]breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code. The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.
>
> F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products. BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide. [...]
>
> F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance. To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Despite any evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.
[1] https://my.f5.com/manage/s/article/K000154696
[2] https://www.bleepingcomputer.com/news/security/hackers-breach-f5-to-steal-undisclosed-big-ip-flaws-source-code/
tech giant specializing in cybersecurity (Score:2)
Usually the internal security of these companies is more like theatre and checkbox filling than real security. They will buy static analysis tools that cover things like OWASP and file a quarterly report for external auditors so they can get their certifications.
During that time the product managers file feature requests with aggressive timelines that do not leave time for doing a secure implementation, until a customer complains that their own pen testing found holes.
I've worked at a few high tech corporat
Hey F5 (Score:2)
You're doing it wrong.
WTF (Score:2)
If they knew it had flaws and sat on it, that's sue-worthy.
Funny! (Score:2)
"F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management" and "attackers had gained long-term access to its system"
Always fun when "security" companies get hacked (Score:2)
And then not even notice for a long time. Does not really go together with competence...
Just a few years after their last major compromise (Score:2)
In 2020 BIG-IP already had a critical compromise that allowed unauthenticated hackers to take full control of the device and use it to attack the rest of the internal network:
[1]https://www.helpnetsecurity.co... [helpnetsecurity.com]
That was enough for my company at the time to abandon F5 VPN, since hackers used the exploit to ransomware the company before we could have reasonably found out about and patched the vulnerability.
[1] https://www.helpnetsecurity.com/2020/07/06/exploit-cve-2020-5902/
Awkward (Score:2)
Surely they've been diligently working on fixing those undisclosed flaws. Right?
Re:Awkward (Score:4, Informative)
Super awkward, a cyber security company being hacked and worse not being aware of it for a considerable time.
Re: (Score:2)
Even more awkward that they had undisclosed exploits for their own "security" product in the cupboard. Might it be that their sort of security products are keeping their customers' subscription software safe from its users? That would be the most harmless assumption compared to alternate business models...