CISA warns of imminent risk posed by thousands of F5 products in federal agencies | CyberScoop<\/title> <meta name=\"description\" content=\"Cyber authorities issued their second emergency directive in three weeks. This one requires agencies to mitigate or disconnect potentially compromised F5 devices and services.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-f5-breach\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA warns of imminent risk posed by thousands of F5 products in federal agencies\"> <meta property=\"og:description\" content=\"Cyber authorities issued their second emergency directive in three weeks. This one requires agencies to mitigate or disconnect potentially compromised F5 devices and services.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-f5-breach\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-15T18:26:24+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-15T18:26:26+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1024\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1760439954g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86372\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86372\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-emergency-directive-f5-breach%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-emergency-directive-f5-breach%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86372 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-f5-breach\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.670349907919\">\n<div class=\"single-article__header-content\" readability=\"34.64\">\n<p> Cyber authorities issued their second emergency directive in three weeks. This one requires agencies to mitigate or disconnect potentially compromised F5 devices and services. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86372\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"341\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies.jpg?resize=640%2C341&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"CISA, DHS, Department of Homeland Security, RSA 2019\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg?resize=300,160 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg?resize=768,410 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg?resize=1024,546 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg?resize=1536,819 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg?resize=600,320 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg?resize=1200,640 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-2.jpg?resize=1500,800 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> The DHS and CISA booth at the 2019 RSA conference in San Francisco. (Scoop News Group photo) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"35.955006031363\"><body readability=\"73.770419426049\"><\/p>\n<p>Federal cyber authorities issued an <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-26-01-mitigate-vulnerabilities-f5-devices\">emergency directive<\/a> Wednesday requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had <a href=\"https:\/\/cyberscoop.com\/f5-breach-nation-state-actor-sec-8k-justice-department\/\">long-term, persistent access<\/a> to its systems.<\/p>\n<p>The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.<\/p>\n<p>F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.<\/p>\n<p>CISA officials said they\u2019re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an <a href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-cisco-zero-days\/\">attack spree involving zero-day vulnerabilities affecting Cisco firewalls<\/a>, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Many federal agencies and private organizations could be impacted. CISA said there are thousands of F5 product types in use across executive branch agencies. <\/p>\n<p>These attacks on widely used vendors and their customers are part of a broader campaign targeting key elements of America\u2019s technology supply chain, extending the potential downstream effect to federal agencies, critical infrastructure providers and government officials, Nick Andersen, executive assistant director for cybersecurity at CISA, said during a media briefing. <\/p>\n<p>CISA declined to name the country or specific threat groups behind the attack on F5\u2019s systems. Generally, the broader goal of nation-state attackers is to maintain persistent access within the targeted victim\u2019s network to hold those systems hostage, launch a future attack, or gather sensitive information, Andersen said.<\/p>\n<p>CISA\u2019s order requires federal agencies to apply security patches F5 released in response to the attack, disconnect non-supported devices or services, and provide CISA a report including a detailed inventory of all instances of F5 products within scope of the directive.<\/p>\n<p>Officials referred questions about the effectiveness of F5\u2019s security patches back to the vendor and declined to independently verify if the software updates have fixed the vulnerabilities attackers gained information on during the breach. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Neither CISA nor F5 have explained how the attackers gained access to F5\u2019s internal systems. <\/p>\n<p>Officials repeatedly insisted that the government shutdown and multiple waves of <a href=\"https:\/\/cyberscoop.com\/swalwell-letter-cisa-workforce-cuts-personnel-shift\/\">reductions to CISA\u2019s workforce<\/a> did not negatively affect or delay the government\u2019s ability to coordinate with partners, respond to this threat and issue the emergency directive. Andersen declined to say how many CISA employees have been dismissed with reduction-in-force orders since the federal government shut down two weeks ago. <\/p>\n<p>\u201cThis is really part of getting CISA back on mission,\u201d Andersen said.<\/p>\n<p>\u201cWhile, yes, this may be the third emergency directive that\u2019s been issued since the beginning of the Trump administration, this is the core operational mission for CISA,\u201d Andersen said. \u201cThat\u2019s really what we should be doing, and we\u2019re able to continue to perform that mission in collaboration with our asset partners right now.\u201d<\/p>\n<p> <\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.4442307692308\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-f5-breach\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA warns of imminent risk posed by thousands of F5<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5033,1472,282,78,452,1861,3889,4992,3119,117,288],"tags":[5035,1473,286,86,454,1862,3892,4994,3120,119,294],"class_list":["post-8082","post","type-post","status-publish","format-standard","hentry","category-attack","category-cyberattack","category-cybercrime","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-emergency-directive","category-f5","category-f5-networks","category-firewall","category-government","category-threats","tag-attack","tag-cyberattack","tag-cybercrime","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-emergency-directive","tag-f5","tag-f5-networks","tag-firewall","tag-government","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/attack\/\" rel=\"category tag\">attack<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyberattack\/\" rel=\"category tag\">cyberattack<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/emergency-directive\/\" rel=\"category tag\">emergency directive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/f5\/\" rel=\"category tag\">F5<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/f5-networks\/\" rel=\"category tag\">F5 Networks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/firewall\/\" rel=\"category tag\">firewall<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8082"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8082\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8082,"date":"2025-10-15T13:26:24","date_gmt":"2025-10-15T18:26:24","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86372"},"modified":"2025-10-15T13:26:24","modified_gmt":"2025-10-15T18:26:24","slug":"cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/15\/cisa-warns-of-imminent-risk-posed-by-thousands-of-f5-products-in-federal-agencies\/","title":{"rendered":"CISA warns of imminent risk posed by thousands of F5 products in federal agencies"},"content":{"rendered":"