Recent findings from The Shadowserver Foundation reveal that over 269,000 F5 devices are exposed to the public internet daily. This significant exposure coincides with F5’s disclosure of a sophisticated nation-state attack that compromised its development environment, leading to the theft of source code and details on undisclosed vulnerabilities in BIG-IP products.
Approximately 134,000 of these exposed devices are located in the United States, raising alarms for organizations worldwide that rely on F5’s application delivery controllers for secure network operations. The breach, detected in August 2024, involved long-term unauthorized access, underscoring vulnerabilities in F5’s infrastructure that could now amplify risks for exposed devices.
Cybersecurity experts warn that the stolen information may enable attackers to craft targeted exploits, potentially leading to remote code execution or data exfiltration on unpatched systems. As federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) issue emergency directives, the sheer volume of internet-facing F5 hardware amplifies the threat landscape for enterprises in finance, government, and critical infrastructure sectors.
F5 Networks confirmed on October 15, 2025, that advanced persistent threat actors had infiltrated its BIG-IP development systems, exfiltrating proprietary source code and vulnerability data not yet publicly disclosed or patched. This incident, described by F5 as involving “highly sophisticated” nation-state hackers, targeted engineering platforms and could compromise the integrity of future product releases.
While no direct evidence points to customer networks being breached yet, the access to undisclosed flaws, potentially zero-days, heightens the urgency for immediate inventorying and updating of all BIG-IP instances. CISA’s Emergency Directive 26-01 mandates federal agencies to harden public-facing F5 devices and remove unsupported hardware, signaling the breach’s national security implications.
The compromise affects products like BIG-IP iSeries, rSeries, F5OS-A, and BIG-IQ, with recent quarterly patches addressing related Common Vulnerabilities and Exposures (CVEs) such as CVE-2025-61955 and CVE-2025-60013.
F5 Devices Exposed Online
Security firms like Sophos and Tenable emphasize monitoring for exploitation attempts, noting the potential for credential theft and lateral movement in affected environments. The Shadowserver Foundation’s Device Identification Report highlights the scale of the problem, scanning and identifying approximately 269,000 F5 device IPs daily accessible from the internet, with device_vendor filtered to F5.
This data, shared via public reports, reveals a geographical concentration: the U.S. dominates with 134,000 exposures, followed by countries like Japan, China, Germany, and the UK. Such visibility makes these devices prime targets for scanning and exploitation, especially post-breach when attackers may leverage stolen insights for precision strikes.
Experts from organizations like Eclypsium stress that exposed iControl REST APIs, a common misconfiguration in F5 setups, have historically led to unauthenticated access vulnerabilities. With the recent theft of flaw details, unpatched or internet-facing BIG-IP systems face elevated risks of denial-of-service, buffer overflows, or full system takeover.
Organizations must act swiftly by applying F5’s October 2025 security notifications, which include fixes for multiple modules in BIG-IP and F5OS platforms. The Shadowserver report provides daily IP feeds for proactive scanning, urging users to cross-reference with internal logs for indicators of compromise.
As the F5 incident unfolds, this mass exposure serves as a clarion call for robust network segmentation and regular vulnerability assessments. With nation-state actors in play, the cybersecurity community anticipates increased exploit activity, making device visibility and rapid patching non-negotiable for global defenders.
