The Cybersecurity and Infrastructure Security Agency on Wednesday issued a sweeping emergency order directing all federal agencies to immediately patch critical vulnerabilities in certain devices and software made by F5, a technology vendor, after confirming a nation-state cyber actor gained unauthorized access to F5’s source code.
CISA — a part of the Department of Homeland Security that manages risks to the U.S.’s cyber and physical infrastructure — issued Emergency Directive 26-01 following the company’s disclosure that a foreign threat actor had maintained long-term, persistent access to its internal development and engineering environments using source code.
Officials warned that attackers could exploit the vulnerabilities to steal credentials, move laterally through networks, and potentially take full control of targeted systems. F5 said it first discovered the attack in August but did not disclose exactly when it began.
“This directive addresses an imminent risk,” Nick Anderson, CISA’s executive assistant director for cybersecurity, said during a news briefing Wednesday. “A nation-state actor could exploit these flaws to gain unauthorized access to embedded credentials and API keys. That’s an unacceptable risk to federal networks.”
F5 is a publicly traded American technology company headquartered in Seattle, Washington.
Justice Department delayed breach announcement
Earlier Wednesday, F5 disclosed the breach in a filing with the Securities and Exchange Commission.
In the SEC 8-K report, F5 said the Justice Department on Sept. 12 “determined that a delay in public disclosure was warranted.” It’s one of the first times a company has publicly acknowledged DOJ intervention under the SEC’s cybersecurity disclosure rules.
The rules were adopted in July 2023 and require companies to report cybersecurity incidents within four business days of determining that a material event has occurred.
“Under item 1.05(c), the Department may grant a delay after finding that a disclosure required by Item 1.05 would pose a substantial risk to national security or public safety,” a Department of Justice spokesperson told CBS News in a statement.
F5 CEO François Locoh-Donou signed the filing, which said the company learned of the attack on Aug. 9 and launched an investigation alongside cybersecurity firms CrowdStrike, Mandiant and others, with assistance from federal law enforcement and unnamed “government partners.”
“During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform,” F5 wrote in its filing.
What’s in the CISA emergency order
CISA’s order directed federal civilian executive branch agencies — which include the Department of Justice, Department of State, Department of the Treasury and the Federal Trade Commission, among others — to inventory F5 BIG-IP products, which are application delivery and security services.
The federal agencies need to evaluate if their networks are accessible from the public internet, and apply newly released updates from F5 by Oct. 22, the emergency order stated. They must also complete scoping reports identifying affected devices by Oct. 29.
There are currently thousands of F5 devices in use across federal networks, Anderson told CBS News. The cybersecurity agency said it expects to know more about the scope of exposure by the end of the month.
CISA Acting Director Madhu Gottumukkala said in a statement that the agency remains “steadfast” in its mission to defend U.S. networks, even amid the ongoing government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015.
“The alarming ease with which these vulnerabilities can be exploited demands immediate and decisive action,” Gottumukkala said. “These same risks extend beyond federal systems — to any organization using this technology.”
No confirmed compromises yet, but broader campaign underway
Anderson confirmed that CISA is not aware of any current data breaches within federal agencies, though the directive is designed to uncover any potential compromises. He said the campaign appears to be part of a broader nation-state effort targeting elements of the U.S. technology supply chain, not just one vendor.
“The broader goal here is persistent access — to gather intelligence, hold infrastructure hostage, or position themselves for future attacks,” Anderson told CBS News during Wednesday’s briefing.
CISA declined to name the country behind the attack, citing ongoing investigations.
“The U.S. government is not making a public attribution at this time,” said Marcy McCarthy, CISA’s director of public affairs.
In a statement to CBS News, the head of threat intelligence for Unit 42, a team of cybersecurity experts and researchers at Palo Alto Networks, said the theft of F5 BIG-IP source code is “significant, as it potentially facilitates rapid exploitation of vulnerabilities.”
“Generally, if an attacker steals source code, it takes time to find exploitable issues,” Unit 42 Chief Technology Officer Michael Sikorski said. “In this case, they also stole information on undisclosed vulnerabilities that F5 was actively working to patch. This provides the ability for threat actors to exploit vulnerabilities that have no public patch, potentially increasing speed to exploit creation.”
Working through the government shutdown
Pressed on the government’s ability to respond amid furloughs and staffing reductions at CISA, Anderson acknowledged the agency’s challenges but said it remains operational.
“We’re sustaining essential functions and providing timely guidance like this to mitigate risk,” he said. “This is core mission work for CISA — exactly what we should be doing.”
Anderson also said the lapse of the Cybersecurity Information Sharing Act of 2015, a law that had governed federal-private sector cyber information sharing before sunsetting, did not delay coordination with F5 or impact the agency’s response.
While the directive applies only to federal agencies, CISA is strongly urging state, local and private sector organizations using F5 technologies to follow the same patching and mitigation steps. F5’s products, including its BIG-IP line, are widely used in both government and commercial networks to manage internet traffic and security.
