WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) has identified a significant cyber threat targeting federal networks utilizing certain F5 devices and software. A nation-state cyber threat actor poses an imminent risk, with the potential to exploit vulnerabilities in F5 products to gain unauthorized access to embedded credentials and Application Programming Interface (API) keys. Such exploitation could allow the threat actor to move laterally within an organization’s network, exfiltrate sensitive data, and establish persistent system access, potentially leading to a full compromise of targeted information systems.
In response to this threat, CISA has issued Emergency Directive 26-01. This directive, the third issued under the Trump Administration, follows F5’s disclosure that a nation-state threat actor had long-term persistent access to and exfiltrated files from the company’s BIG-IP development environment and engineering knowledge management platforms. CISA has determined that these conditions present an unacceptable risk to Federal Civilian Executive Branch (FCEB) Agencies. All agencies must apply the latest vendor-provided update for at-risk F5 virtual and physical devices and downloaded software, including F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF, by October 22, 2025, and follow the instructions in F5’s Quarterly Security Notification.
“Despite the government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015, CISA remains steadfast in its commitment to protect our federal networks from nation-state adversaries,” said CISA Acting Director Madhu Gottumukkala. “The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies. These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems. We emphatically urge all entities to implement the actions outlined in this Emergency Directive without delay.”
As federal civilian agencies implement this mandate, CISA will assess and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.
For more information on CISA Directives, visit Cybersecurity Directives.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.