A network scan has uncovered more than 200,000 publicly reachable F5 BIG-IP devices. Following the leak of code and internal artifacts from the manufacturer, experts are warning of a real possibility of future critical compromises. Companies should immediately inventory and patch their devices and isolate management interfaces.

Following a large-scale incident, F5 confirmed the exfiltration of files from the BIG-IP development environment, including parts of the source code and information about undisclosed vulnerabilities. Shortly after the disclosure, the internet scanning services Censys and Shadowserver flagged hundreds of thousands of IP addresses with exposed F5 services (TMUI, iControl REST, APM, etc.), with about 262 thousand such hosts located in the US alone. F5 has already released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, and related components, and CISA has issued an emergency directive requiring federal agencies to address the risks within a short time. Since published artifacts can help create new exploits, unplanned or unpatched systems remain vulnerable to potential zero-day attacks and chained compromises.
F5 provides critical infrastructure for load balancing and traffic protection; its products are used by cloud providers, telecom operators, and large enterprises. Leaks from software supply chains and of internal documentation have repeatedly become the starting point for large-scale attacks: knowledge of internal architecture and closed mechanisms gives attackers an advantage in writing exploits and bypassing protections.


Urgent:
1) Inventory all F5 assets (appliances, VMs, cloud deployments);
2) Install official F5 updates for BIG-IP, F5OS, BIG-IQ, and APM;
3) Restrict access to management interfaces (TMUI, iControl REST, APM) so that they are reachable only from trusted networks or via VPN;
4) Check configurations for signs of unauthorized changes;
5) Remove public access to management interfaces and implement multi-factor authentication for admins;
6) Implement enhanced anomaly monitoring and IDS/EDR for possible attempts to exploit published artifacts;
7) Prepare an exploit response plan, including a checklist for quickly isolating vulnerable nodes.
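
An added example (not from the original article or from F5) supporting the access-restriction and monitoring items above: it reads web access log lines and reports requests to the TMUI (`/tmui/`) and iControl REST (`/mgmt/`) paths that come from outside the trusted management networks. The log format, the trusted ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the only networks allowed to reach the management plane.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]

# /tmui/ is the TMUI web console, /mgmt/ is iControl REST.
MGMT_PREFIXES = ("/tmui/", "/mgmt/")

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.20.0.15 - admin [01/Jan/2025:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4312
203.0.113.77 - - [01/Jan/2025:09:13:44 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4312
203.0.113.77 - - [01/Jan/2025:09:13:45 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 112
198.51.100.9 - - [01/Jan/2025:09:20:10 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 98
192.168.50.4 - svc [01/Jan/2025:09:21:00 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 200 2048
198.51.100.9 - - [01/Jan/2025:09:22:31 +0000] "GET /index.html HTTP/1.1" 404 0
not a log line
"""

# source, ident, user, [timestamp], "METHOD PATH PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')


def untrusted_mgmt_hits(log_text, trusted=TRUSTED_NETS):
    """Return {source_ip: [(method, path, status), ...]} for management-plane
    requests whose source address is outside every trusted network."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        src, method, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is a hostname or garbage
        if not path.startswith(MGMT_PREFIXES):
            continue  # not a management-interface request
        if any(addr in net for net in trusted):
            continue  # expected administrative access
        hits[src].append((method, path, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for src, reqs in untrusted_mgmt_hits(SAMPLE_LOG).items():
        print(f"{src}: {len(reqs)} management request(s) from untrusted source -> {reqs}")
```

Any source reported here means the management interface is reachable from a network that should have been blocked, regardless of whether the request was authenticated.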