The attack begins with CVE-2023-46747, a critical authentication bypass, which is then used to exploit CVE-2023-46748, an authenticated command injection vulnerability, to gain full control of the device.
Initial Access (CVE-2023-46747):
- This is a critical (CVSS 9.8) unauthenticated remote code execution (RCE) vulnerability in the BIG-IP Traffic Management User Interface (TMUI). It allows an attacker with network access to the TMUI to bypass all authentication controls and execute arbitrary code.
- It works through AJP request smuggling: a manipulated HTTP request tricks the front-end server into forwarding a malicious payload to the backend, bypassing authentication.
- The primary goal is to impersonate an administrator and create a new, persistent admin account on the device.
- It affects BIG-IP software versions 13.x through 17.x.
Command Execution (CVE-2023-46748):
- This is a high-severity (CVSS 8.8) authenticated SQL injection vulnerability, also in the TMUI.
- After creating an admin account using the first exploit, the attacker uses this authenticated session to exploit the second vulnerability.
- This flaw allows the attacker to execute arbitrary system commands with root-level privileges.
Observed Tactics, Techniques, and Procedures (TTPs)
Analysis of UNC5174's campaigns reveals a methodical and security-conscious operational playbook. Their TTPs demonstrate a clear focus on achieving their objectives while evading detection and maintaining persistence.
- Initial Access: The actor's primary initial access vector in this campaign is the exploitation of CVE-2023-46747 on internet-facing F5 BIG-IP appliances.
- Execution: After gaining initial access, UNC5174 executes bash commands through the F5 Traffic Management Shell (TMSH) or by making POST requests to the iControl REST API endpoint /mgmt/tm/util/bash.
- Persistence: A key persistence technique is the creation of new administrative accounts on the compromised BIG-IP device. The actor uses legitimate-sounding usernames such as F5support3, F5_admin, and f5_support to blend in with normal administrative activity and avoid suspicion.
- Defence Evasion: UNC5174 employs several advanced defence evasion techniques:
  - In-Memory Execution: The actor uses a custom downloader, SNOWLIGHT, which leverages Linux's memfd_create system call to load and execute subsequent malware payloads directly in memory. This technique avoids writing malicious files to disk, thereby bypassing most traditional file-based antivirus scanners and complicating forensic analysis.
  - Vulnerability Patching: UNC5174 has been observed running the official F5 mitigation script to patch the CVE-2023-46747 vulnerability after establishing their own persistence mechanisms. This serves two purposes: it prevents other, competing threat actors from exploiting the same vulnerability to gain access to the compromised device, and it removes the most obvious indicator of compromise, making their presence much harder for defenders to discover.
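As an added defender-side example (not part of the original advisory and not F5's own tooling), the following Python flags the TTPs listed above in constructed sample log lines: POSTs to the iControl REST /mgmt/tm/util/bash endpoint, bash invocations through TMSH, and creation of the persistence usernames reported on this page. The log line layouts and all sample values are assumptions, constructed to resemble an Apache-style access log and simplified tmsh audit entries rather than copied from a real BIG-IP.

```python
import re

# Usernames the advisory reports UNC5174 creating for persistence (compared case-insensitively).
SUSPECT_USERS = {"f5support3", "f5_admin", "f5_support"}
# iControl REST endpoint the advisory reports being used for command execution.
REST_BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Constructed sample lines, not real F5 logs: Apache-style access entries and
# simplified tmsh AUDIT entries (real BIG-IP audit lines carry more fields).
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - admin [20/Oct/2023:10:01:02 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512',
    '198.51.100.4 - admin [20/Oct/2023:10:02:10 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1024',
    '203.0.113.9 - F5support3 [20/Oct/2023:10:05:44 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 300',
]
SAMPLE_AUDIT_LOG = [
    "AUDIT - user=admin cmd_data=create auth user F5support3 role admin",
    "AUDIT - user=admin cmd_data=list net self",
    "AUDIT - user=F5support3 cmd_data=run util bash -c id",
]

ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
AUDIT_USER_RE = re.compile(r"\buser=(?P<user>\S+)")
CREATE_USER_RE = re.compile(r"cmd_data=create auth user (?P<name>\S+)")
TMSH_BASH_RE = re.compile(r"cmd_data=run util bash\b")


def rest_bash_posts(lines):
    """Return (source, user) for every POST to the iControl REST bash endpoint."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == REST_BASH_ENDPOINT:
            hits.append((m["src"], m["user"]))
    return hits


def audit_findings(lines):
    """Flag creation of the reported persistence usernames and bash runs via TMSH."""
    findings = []
    for line in lines:
        actor = AUDIT_USER_RE.search(line)
        created = CREATE_USER_RE.search(line)
        if created and created["name"].lower() in SUSPECT_USERS:
            findings.append(("suspect-user-created", created["name"]))
        if TMSH_BASH_RE.search(line):
            findings.append(("tmsh-bash", actor["user"] if actor else "unknown"))
    return findings


if __name__ == "__main__":
    print("REST bash POSTs:", rest_bash_posts(SAMPLE_ACCESS_LOG))
    print("Audit findings:", audit_findings(SAMPLE_AUDIT_LOG))
```

On a real device the same functions can be pointed at the httpd access log and /var/log/audit once the regexes are adjusted to the exact line format in use.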
Data Exfiltration by Threat Actor
The exfiltrated data included:
- Portions of BIG-IP Source Code: The actor successfully downloaded parts of the proprietary source code for the BIG-IP suite of products.
- Information on Undisclosed Vulnerabilities: Data pertaining to vulnerabilities that F5 was actively working to remediate, but which had not yet been publicly disclosed, was also stolen.
- Limited Customer Configuration Data: Files from the knowledge management platform contained configuration or implementation information for a small subset of customers. F5 has committed to notifying these affected customers directly.
F5's investigation found no evidence that the threat actor had modified the software supply chain, meaning the source code itself or the build and release pipelines, which mitigates the immediate risk of a trojanised software update being distributed to customers. The investigation also found no evidence of compromise of other F5 assets, including the NGINX source code and development environment, F5 Distributed Cloud Services, or Silverline systems.
Vulnerable Versions & Mitigations:
| Product Branch | Vulnerable Version Range | Fixes Introduced In |
|---|---|---|
| 17.x | 17.1.0 – 17.1.1 | 17.1.1.1, 17.1.1 + Hotfix-BIGIP-17.1.1.0.2.6-ENG, 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG |
| 16.x | 16.1.0 – 16.1.4 | 16.1.4.2, 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG |
| 15.x | 15.1.0 – 15.1.10 | 15.1.10.3, 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG |
| 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG |
| 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG |
For systems where immediate patching is not feasible, F5 has provided temporary mitigations that must be applied as an urgent priority:
- For CVE-2023-46747: A mitigation script is available from F5 that can be run on BIG-IP versions 14.1.0 and later. This script modifies the configuration to prevent the AJP smuggling attack. It is critical to note that this script must not be run on versions prior to 14.1.0.
- For CVE-2023-46748: The primary mitigation is to strictly limit access to the TMUI, as detailed in the following section.
Recommendations:
The following priority actions are recommended for all F5 BIG-IP customers:
- Immediate Patching and Mitigation: Apply the security updates and engineering hotfixes provided by F5 for all affected products without delay. For systems that cannot be immediately patched, apply the vendor-provided temporary mitigations, including the execution of the mitigation script for CVE-2023-46747.
- Isolate Management Interfaces: Immediately remove the BIG-IP Traffic Management User Interface (TMUI) and other management ports from public internet exposure. Access to the control plane must be restricted to a segmented, secure management network, ideally accessible only via a VPN with multi-factor authentication.
- Secure Remote Access: All remote administrative access to the BIG-IP management plane must be routed through a secure virtual private network (VPN) that requires multi-factor authentication (MFA).
- Utilise Port Lockdown: F5 provides a feature called "Port Lockdown" on its self-IP configurations. This should be set to Allow None by default for all self-IPs that are not explicitly intended for management traffic. If specific ports are required, use the Allow Custom setting and explicitly deny access to the TMUI port (typically TCP 443).