Latest F5 BIG-IP vulnerabilities
On October 15, 2025, CISA issued an emergency directive to mitigate vulnerabilities on F5 BIG-IP appliances. According to the directive, the general guidance is to "inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply newly released updates from F5."
What is F5 BIG-IP?
F5 BIG-IP appliances provide application delivery and security services to enhance security and improve performance of network applications.
What is the impact?
According to the directive, "a nation-state affiliated actor compromised F5 systems and exfiltrated data, including portions of the Big-IP proprietary source code and vulnerability information". The emergency directive specifically calls out "all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF". Organizations should apply the latest vendor updates and disconnect any affected publicly-connected devices that have reached their end-of-support date.
For more information, refer directly to the CISA emergency directive.
How do I find F5 BIG-IP assets with runZero?
From the Asset Inventory, use the following query to locate potentially affected systems:
os:="F5%" OR software:="F5%//"
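The following is an added example, not runZero or F5 code, showing one way to triage an asset list against the directive's guidance (inventory, check for public exposure, patch or disconnect). The record fields, sample values, dates and action labels are constructed assumptions, and the F5 match only approximates the query above as a prefix match on "F5".

```python
import ipaddress
from datetime import date

# Ranges treated as internal (RFC 1918 plus IPv6 ULA); adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample inventory; field names are hypothetical, not an export schema.
ASSETS = [
    {"name": "lb-edge-01", "os": "F5 BIG-IP", "software": [],
     "addresses": ["203.0.113.10"], "end_of_support": date(2024, 12, 31)},
    {"name": "lb-dmz-02", "os": "Linux", "software": ["F5 BIG-IP Virtual Edition"],
     "addresses": ["198.51.100.7", "10.0.5.2"], "end_of_support": None},
    {"name": "lb-core-03", "os": "F5 BIG-IP", "software": [],
     "addresses": ["10.20.0.4"], "end_of_support": date(2027, 1, 1)},
    {"name": "web-04", "os": "Ubuntu Linux", "software": ["nginx"],
     "addresses": ["203.0.113.20"], "end_of_support": None},
]

def is_f5(asset):
    """True if the OS or any software entry starts with 'F5' (assumed query semantics)."""
    fields = [asset.get("os", "")] + asset.get("software", [])
    return any(f.upper().startswith("F5") for f in fields)

def has_public_address(asset):
    """True if any address falls outside INTERNAL_NETS. This is a first-pass
    indicator only; actual reachability still has to be verified."""
    for addr in asset["addresses"]:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in INTERNAL_NETS):
            return True
    return False

def triage(assets, today):
    """Map each F5 asset name to an action derived from the directive's guidance."""
    actions = {}
    for asset in assets:
        if not is_f5(asset):
            continue
        public = has_public_address(asset)
        eos = asset["end_of_support"] is not None and asset["end_of_support"] < today
        if public and eos:
            actions[asset["name"]] = "disconnect"
        elif public:
            actions[asset["name"]] = "patch+review-exposure"
        else:
            actions[asset["name"]] = "patch"
    return actions

if __name__ == "__main__":
    for name, action in triage(ASSETS, date(2025, 10, 15)).items():
        print(f"{name}: {action}")
```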
May 2022: CVE-2022-1388
In May 2022, technology vendor F5 published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities included a mix of types and severities, a particular authentication bypass vulnerability that affected all BIG-IP modules was concerning enough that CISA specifically called it out.
What was the impact?
The vulnerability, known as CVE-2022-1388 (CVSS “critical” score of 9.8), could allow an unauthenticated attacker to take over a vulnerable BIG-IP target via network connection or management port. Once connected to a vulnerable target, the attacker achieved successful exploitation by sending a crafted HTTP request that bypassed iControl REST authentication and provided full access and control. F5 did add that there was no data plane exposure via exploitation of this vulnerability, rather "this being a control plane issue only".
Were updates available?
Patches were made available by F5 for CVE-2022-1388, as well as for many of the other vulnerabilities included in their security advisory overview. Guidance also included mitigation steps if immediate or near-term patching was not an option.