{
	"id": "0d14b3e1-3e82-4d07-8dde-9bb639ae0837",
	"created_at": "2026-04-06T00:11:52.583128Z",
	"updated_at": "2026-04-10T03:24:34.00466Z",
	"deleted_at": null,
	"sha1_hash": "e3156f30229251669b34c907766c876875e2f9d1",
	"title": "F5 BIG-IP Source Code Leaked in State-Linked Cyberattack (BRICKSTORM Malware) – Qualys ThreatPROTECT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62978,
	"plain_text": "F5 BIG-IP Source Code Leaked in State-Linked Cyberattack\r\n(BRICKSTORM Malware) – Qualys ThreatPROTECT\r\nBy Author: Diksha Ojha, Senior Technical Writer\r\nPublished: 2025-10-17 · Archived: 2026-04-06 00:04:28 UTC\r\nF5 Networks warned its users about a widespread cyberattack that compromised its systems and led to the theft of BIG-IP source code and details of unpatched security vulnerabilities.\r\nIn the article, F5 describes becoming aware of the breach in August 2025. A highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, specific F5 systems, including the BIG-IP product development environment and engineering knowledge management platforms.\r\nF5 mentioned in the article that “we are taking proactive measures to protect our customers and strengthen the security posture of our enterprise and product environments. We have engaged CrowdStrike, Mandiant, and other leading cybersecurity experts to support this work, and we are actively engaged with law enforcement and our government partners.”\r\nIn its October 2025 Quarterly Security Notification, F5 released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients.\r\nDiscovery\r\nThe data breach started with threat actors extracting files from the BIG-IP product development environment and engineering knowledge management platforms. Those files contained some of the BIG-IP source code and information about undisclosed vulnerabilities existing in BIG-IP.\r\nThe vendor has no evidence of access to, or extraction of, data from their CRM, financial, support case management, or iHealth systems. 
However, some of the extracted files from the knowledge management platform contained configuration or implementation information for a small percentage of customers.\r\nCISA Emergency Directive (ED 26-01)\r\nIn immediate response to the breach, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive (ED 26-01). The directive instructs all Federal Civilian Executive Branch agencies to inventory F5 BIG-IP devices, ensure management interfaces are inaccessible from the public internet, apply all newly released updates by October 22, 2025, and report full compliance by October 29, 2025.\r\nCISA warned that the stolen information gives attackers an unfair advantage in performing vulnerability research and potentially crafting zero-day exploits against unpatched systems.\r\nGoogle, Mandiant, and CrowdStrike investigations revealed links between the F5 data breach and a Chinese cyber espionage group called UNC5221. Bloomberg later reported that the attackers had infiltrated F5’s network for over 12 months, using custom malware identified as BRICKSTORM. This spyware is believed to have been deployed against organizations in technology, legal services, SaaS, and BPO sectors in similar campaigns across the U.S.\r\nhttps://threatprotect.qualys.com/2025/10/16/f5-big-ip-source-code-leaked-in-state-linked-cyberattack-brickstorm-malware/\r\nPage 1 of 6\r\nThe Mandiant team has released a BRICKSTORM Indicator of Compromise Scanner to detect potential BRICKSTORM backdoor compromises on Linux and BSD-based appliances and systems. 
The script is designed to replicate the logic of a specific YARA rule on systems where YARA is not available or practical to run.\r\nAffected and Fixed Versions\r\nCVE | Affected Versions | Fixed Versions\r\nCVE-2025-53868 | BIG-IP all modules: 17.5.0, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8\r\nCVE-2025-61955 | F5OS-A: 1.8.03, 1.5.1 – 1.5.3; F5OS-C: 1.8.0 – 1.8.1, 1.6.0 – 1.6.23 | F5OS-A: 1.8.3, 1.5.4; F5OS-C: 1.8.2, 1.6.4\r\nCVE-2025-57780 | F5OS-A: 1.8.03, 1.5.1 – 1.5.3; F5OS-C: 1.8.0 – 1.8.1, 1.6.0 – 1.6.23 | F5OS-A: 1.8.3, 1.5.4; F5OS-C: 1.8.2, 1.6.4\r\nCVE-2025-60016 | BIG-IP all modules: 17.1.0 – 17.1.1; BIG-IP Next SPK: 1.7.0 – 1.9.2; BIG-IP Next CNF: 1.1.0 – 1.3.3 | BIG-IP all modules: 17.1.2; BIG-IP Next CNF: 2.0.0, 1.4.0\r\nCVE-2025-48008 | BIG-IP all modules: 17.1.0 – 17.1.2, 16.1.0 – 16.1.5, 15.1.0 – 15.1.10 | 17.1.2.2, 16.1.6, 15.1.10.8\r\nCVE-2025-59781 | BIG-IP all modules: 17.1.0 – 17.1.2, 16.1.0 – 16.1.5, 15.1.0 – 15.1.10 | 17.1.2.2, 16.1.6, 15.1.10.8\r\nCVE-2025-41430 | BIG-IP SSL Orchestrator: 17.5.0, 17.1.0 – 17.1.2, 16.1.0 – 16.1.3, 15.1.0 – 15.1.9 | 17.5.1, 17.1.3, 16.1.4\r\nCVE-2025-55669 | BIG-IP ASM: 17.1.0 – 17.1.2, 16.1.0 – 16.1.5 | 17.1.2.2, 16.1.6\r\nCVE-2025-61951 | BIG-IP all modules: 17.5.0, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6 | 17.5.1, 17.1.3, 16.1.6.1\r\nCVE-2025-55036 | BIG-IP SSL Orchestrator: 17.1.0 – 17.1.2, 16.1.0 – 16.1.5, 15.1.0 – 15.1.10 | 17.1.3, 16.1.6, 15.1.10.8\r\nCVE-2025-54479 | BIG-IP PEM: 17.5.0, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10; BIG-IP Next CNF: 2.0.0 – 2.1.0, 1.1.0 – 1.4.0 | 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8; BIG-IP Next CNF: 2.1.0 (EHF-14, EHF-24, EHF-34)
\r\nCVE-2025-46706 | BIG-IP all modules: 17.1.0 – 17.1.2, 16.1.0 – 16.1.5 | 17.1.2.2, 16.1.6\r\nCVE-2025-59478 | BIG-IP AFM: 17.5.0, 17.1.0 – 17.1.2, 15.1.0 – 15.1.10 | 17.5.1, 17.1.3, 15.1.10.8\r\nCVE-2025-61938 | BIG-IP Advanced WAF/ASM: 17.5.0, 17.1.0 – 17.1.2 | 17.5.1, 17.1.3\r\nCVE-2025-54858 | BIG-IP Advanced WAF/ASM: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8\r\nCVE-2025-58120 | BIG-IP Next SPK: 2.0.0, 1.7.0 – 1.7.14; BIG-IP Next CNF: 2.0.0, 1.1.0 – 1.4.1 | 2.0.1, 1.7.14 (EHF-24); 2.0.1\r\nCVE-2025-53856 | BIG-IP all modules: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8\r\nCVE-2025-61974 | BIG-IP all modules: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8; BIG-IP Next SPK: 2.0.0 – 2.0.2; BIG-IP Next CNF: 2.0.0 – 2.1.0\r\nCVE-2025-58071 | BIG-IP all modules: 17.5.0, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10; BIG-IP Next CNF: 2.0.0 – 2.1.0, 1.1.0 – 1.4.1 | 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8; BIG-IP Next CNF: 2.1.0 (EHF-14, EHF-24, EHF-34)\r\nCVE-2025-53521 | BIG-IP APM: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8\r\nCVE-2025-61960 | BIG-IP APM: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6 | 17.5.1.3, 17.1.3, 16.1.6.1\r\nCVE-2025-54854 | BIG-IP APM: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8\r\nCVE-2025-53474 | BIG-IP APM: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 
16.1.6.1, 15.1.10.8\r\nCVE-2025-61990 | BIG-IP all modules: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8; BIG-IP Next SPK: 2.0.0 – 2.0.2; BIG-IP Next CNF: 2.0.0 – 2.1.0\r\nCVE-2025-58096 | BIG-IP all modules: 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, 15.1.0 – 15.1.10 | 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8\r\nCVE-2025-61935 | BIG-IP Advanced WAF/ASM: 17.5.0, 17.1.0 – 17.1.2, 15.1.0 – 15.1.10 | 17.5.1, 17.1.3\r\nFor more information, please refer to the October 2025 Quarterly Security Notification.\r\nQualys Detection\r\nNote: All the QIDs mentioned below are only scanner-supported (Authenticated remote scanning).\r\nCVE | QID\r\nCVE-2025-58474 | 385574\r\nCVE-2025-55036 | 385571\r\nCVE-2025-61938 | 385573\r\nCVE-2025-41430 | 385572\r\nCVE-2025-53474 | 385544\r\nCVE-2025-59268 | 385543\r\nCVE-2025-59269 | 385560\r\nCVE-2025-47148 | 385562\r\nCVE-2025-59478 | 385556\r\nCVE-2025-60016 | 385567\r\nCVE-2025-58153 | 385548\r\nCVE-2025-48008 | 385561\r\nCVE-2025-55669 | 385540\r\nCVE-2025-46706 | 385547\r\nCVE-2025-59781 | 385566\r\nCVE-2025-58424 | 385555\r\nCVE-2025-54479 | 385541\r\nCVE-2025-53856 | 385568\r\nCVE-2025-61951 | 385559\r\nCVE-2025-61935 | 385550\r\nCVE-2025-58071 | 385553\r\nCVE-2025-53868 | 385552\r\nCVE-2025-54858 | 385563\r\nCVE-2025-58096 | 385557\r\nCVE-2025-53521 | 385564\r\nCVE-2025-61958 | 385542\r\nCVE-2025-61933 | 385558\r\nCVE-2025-54854 | 385554\r\nCVE-2025-61960 | 385545\r\nCVE-2025-59481 | 385565\r\nCVE-2025-61974 | 385551\r\nCVE-2025-59483 | 385569\r\nCVE-2025-54755 | 385549\r\nCVE-2025-61990 | 385546\r\nPlease follow Qualys Threat Protection for 
more coverage on the latest vulnerabilities.\r\nReferences\r\nhttps://my.f5.com/manage/s/article/K000156572\r\nhttps://my.f5.com/manage/s/article/K000154696\r\nhttps://github.com/mandiant/brickstorm-scanner\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign\r\nhttps://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices\r\nhttps://www.bloomberg.com/news/articles/2025-10-16/potentially-catastrophic-breach-of-cyber-firm-blamed-on-china\r\nSource: https://threatprotect.qualys.com/2025/10/16/f5-big-ip-source-code-leaked-in-state-linked-cyberattack-brickstorm-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatprotect.qualys.com/2025/10/16/f5-big-ip-source-code-leaked-in-state-linked-cyberattack-brickstorm-malware/"
	],
	"report_names": [
		"f5-big-ip-source-code-leaked-in-state-linked-cyberattack-brickstorm-malware"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775791474,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3156f30229251669b34c907766c876875e2f9d1.pdf",
		"text": "https://archive.orkl.eu/e3156f30229251669b34c907766c876875e2f9d1.txt",
		"img": "https://archive.orkl.eu/e3156f30229251669b34c907766c876875e2f9d1.jpg"
	}
}