On Oct. 15, 2025, F5 — a U.S. technology company — disclosed that a nation-state threat actor conducted a significant long-term compromise of their corporate networks. In this incident, attackers stole source code from their BIG-IP suite of products and information about undisclosed vulnerabilities. F5’s BIG-IP suite is commonly used by large organizations, primarily in the U.S. but also globally, for availability, access control and security. Organizations including government agencies and Fortune 500 companies rely on BIG-IP.
Cortex Xpanse currently identifies over 600,000 F5 BIG-IP instances exposed to the internet.
F5’s investigation revealed that the attackers maintained long-term access to the company’s product development environment and engineering knowledge management platform. This enabled attackers to access highly sensitive data.
F5 also released details of several vulnerabilities of varying severity. Some of the key vulnerabilities are:
While details of exactly what was exfiltrated are not publicly available, the theft of source code and previously undisclosed vulnerabilities is significant and could facilitate rapid exploitation of those vulnerabilities.
Unit 42 highly recommends following F5 public guidance in its public Security Notification and Quarterly Security Notification.
Palo Alto Networks customers receive protections from and mitigations for these CVEs in the following ways:
According to F5, the compromise of their corporate networks was conducted by an unspecified sophisticated nation-state actor. Attacks in recent years have illustrated the allure of technology companies as not just a viable target, but a force multiplier in increasing the efficiency and timeline of espionage activity.
There is a history of nation-state actors going after high value targets in the technology industry. Given the reach of F5’s BIG-IP suite, well-resourced, sophisticated actors have focused on it in the past.
In late 2023, a critical vulnerability (CVE-2023-46747) emerged within the BIG-IP Traffic Management User Interface (TMUI), allowing for an authentication bypass. UNC5174, a China-nexus threat actor, actively exploited this flaw. Mandiant’s investigation revealed that the group leveraged this vulnerability to create backdoor administrator accounts, ultimately gaining command execution on compromised devices.
For three years, a Chinese state-sponsored group reported as Velvet Ant used malicious software to exploit outdated F5 BIG-IP equipment. This allowed persistent access and exfiltration of data from a targeted organization’s network.
In July 2025, a critical vulnerability (CVE-2022-1388) became the gateway for another sophisticated attack. The China-nexus group known as Fire Ant — overlapping with UNC3886 — exploited an iControl REST authentication bypass flaw in F5 BIG-IP devices. This allowed them to deploy web shells, tunnel traffic between network segments and execute arbitrary system commands.
The threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms. F5’s post as of Oct. 16 stated that the company has found no evidence of access to — or exfiltration of — data from its CRM, financial, support case management or iHealth systems. However, some of the exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers.
F5 stated that the stolen files contained some BIG-IP source code and information about undisclosed vulnerabilities. F5 stated it currently has no knowledge of undisclosed critical or remote code vulnerabilities. It also has not observed active exploitation of any undisclosed F5 vulnerabilities.
There has been no evidence of modification to F5’s software supply chain, including source code and build and release pipelines. There is also no evidence that the threat actor accessed or modified the NGINX source code or product development environment. Finally, there was no evidence that the threat actor accessed or modified the F5 Distributed Cloud Services or Silverline systems.
Generally, if an attacker steals source code, it takes time to find exploitable issues. In this case, the threat actor also stole information on previously undisclosed vulnerabilities that F5 was actively working to patch. This could allow threat actors to exploit vulnerabilities for which no public patch exists, shortening the time needed to create working exploits.
The disclosure of 45 vulnerabilities in this quarter versus just six last quarter suggests F5 is moving as fast as they can to actively patch as many flaws as possible before the threat actors can exploit them.
Unit 42 highly recommends following F5 public guidance in its public Security Notification and Quarterly Security Notification. This guidance includes:
F5 strongly recommends updating BIG-IP software as soon as possible. F5 support is providing a threat hunting guide to strengthen detection and monitoring. It also published best practices for hardening F5 systems, adding automated hardening checks to the F5 iHealth Diagnostic Tool. This tool can help surface gaps, prioritize actions and provide links to remediation guidance.
Lastly, F5 recommends the following:
The potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching. This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.
According to public information, the compromise was identified in early August 2025. While F5 stated they had not yet seen evidence of in-the-wild exploitation, the timing suggests that these vulnerabilities could have been exploited for upwards of two months. This highlights the need to apply the mitigation guidance immediately.
F5’s prompt disclosure and mitigation guidance are crucial first steps. The top priority for any organization using F5 BIG-IP is to implement mitigation and hardening guidance without delay and begin threat hunting activities immediately.
This underscores the need for a defense-in-depth strategy in the face of unknown, emerging and previously identified vulnerabilities.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Cortex Xpanse has existing attack surface rules that can be used to assist customers in identifying publicly accessible F5 devices.