Security Affairs
Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

F5 breach exposes 262,000 BIG-IP systems worldwide

Over 262K F5 BIG-IP devices exposed after threat actors stole source code and data on undisclosed flaws in a recent F5 breach. Over 262,000 F5 BIG-IP devices are exposed online after F5 confirmed a breach by nation-state actors who stole source code and data on undisclosed flaws. The Shadowserver Foundation found 262,269 F5 BIG-IP systems […]

NGINX F5 BIG-IP NGINX

Over 262K F5 BIG-IP devices exposed after threat actors stole source code and data on undisclosed flaws in a recent F5 breach.

Over 262,000 F5 BIG-IP devices are exposed online after F5 confirmed a breach by nation-state actors who stole source code and data on undisclosed flaws.

The Shadowserver Foundation found 262,269 F5 BIG-IP systems exposed online, with over 130,000 in the US. It remains unclear how many have been secured against potential exploitation of the recently disclosed BIG-IP vulnerabilities, raising concerns over widespread exposure and delayed patching efforts.

In mid-October, cybersecurity firm F5 disclosed that a highly sophisticated nation-state actor that occurred in August 2025. Threat actors breached its systems and stole BIG-IP’s source code and information related to undisclosed vulnerabilities.

The attackers accessed the company’s BIG-IP development and engineering systems, but F5 highlights that containment efforts were successful, with no further unauthorized activity observed.

The company reported the incident to law enforcement and is investigating the security breach with the help of leading cybersecurity firms.

F5 found no signs of compromise in its CRM, financial, or cloud systems, nor tampering with its source code or supply chain. The company states that some stolen files contained limited customer configuration data. The cybersecurity firm is notifying impacted clients.

The company also filed a Form 8-K report with the U.S. Securities and Exchange Commission (SEC).

F5 responded to the breach with extensive containment and hardening measures to protect its systems and customers. The company rotated credentials, tightened access controls, automated patch management, and improved monitoring and network security.

The cybersecurity firm also enhanced protections in its product development environment and continues in-depth code reviews and penetration tests with NCC Group and IOActive. Additionally, F5 partnered with CrowdStrike to deploy Falcon EDR and threat hunting for BIG-IP, offering customers a free EDR subscription to bolster defenses.

Users should promptly install the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients to ensure full protection.

Cybersecurity agencies UK’s NCSC and US CISA advise F5 customers to locate all F5 products, secure exposed management interfaces, and assess for compromise. F5 delayed disclosure at the U.S. government’s request to protect critical systems.

F5 privately linked the breach to the China-nexus group UNC5221, which was active in its network for at least a year. The company warned customers about the Go-based Brickstorm backdoor, tied to the same group known for exploiting Ivanti zero-days and using custom malware like Zipline and Spawnant, according to Bloomberg and Google’s earlier findings.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, F5)