F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using…

216.73.217.22

F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor

· Published 24/10/2025 11:09 · Modified 24/10/2025 11:48

Essential information

Published: 24/10/2025 11:09
Modified: 24/10/2025 11:48
Tags: 2025-10-24 brickstorm f5 big-ip
Related entities: 27 vulnerabilities (cve), 3 observables, 1 intrusion sets (apt), 6 techniques (mitre), 1 malware, 3 others

Description

A China-linked threat cluster, UNC5221, is actively targeting organizations using F5 BIG-IP following a confirmed breach of F5's internal development data. The stolen data includes portions of BIG-IP source code and vulnerability information, raising the risk of rapid 0-day discovery and weaponization. CISA issued an Emergency Directive warning of an imminent threat to federal networks. The attackers deployed a Go-based ELF backdoor called BRICKSTORM, which establishes a persistent C2 tunnel using WebSocket and employs various techniques to evade detection. The backdoor can turn a BIG-IP device into a stealth egress point and internal proxy. F5 has disclosed over twenty vulnerabilities affecting various products, urging immediate patching and security measures.

Related entities

CVE-2025-61990

8.7 High

When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-61935

8.7 High

When a BIG IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-58071

8.7 High

When IPsec is configured on the BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-57780

8.5 High

A vulnerability exists in F5OS-A and F5OS-C system that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-61974

8.7 High

When a client SSL profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-61960

8.7 High

When a per-request policy is configured on a BIG-IP APM portal access virtual server, undisclosed traffic can cause the Traffic Management Microkernel …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-61955

8.5 High

A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-61951

8.7 High

Undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. This issue may occur when a Datagram Transport Layer Security (DTLS) …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-61938

8.7 High

When a BIG-IP Advanced WAF or ASM security policy is configured with a URL greater than 1024 characters in length for the …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-60016

8.7 High

When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in an SSL profile's Cipher Rule or Cipher Group, and …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-59781

8.7 High

When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-59478

8.7 High

When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-58120

8.7 High

When HTTP/2 Ingress is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-58096

8.2 High

When the database variable tm.tcpudptxchecksum is configured as non-default value Software-only on a BIG-IP system, undisclosed traffic can cause the Traffic Management …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-55669

8.7 High

When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed traffic …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-55036

8.7 High

When BIG-IP SSL Orchestrator explicit forward proxy is configured on a virtual server and the proxy connect feature is enabled, undisclosed traffic …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-54858

8.7 High

When a BIG-IP Advanced WAF or BIG-IP ASM Security Policy is configured with a JSON content profile that has a malformed JSON …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-54854

8.7 High

When a BIG-IP APM OAuth access profile (Resource Server or Resource Client) is configured on a virtual server, undisclosed traffic can cause …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-54479

8.7 High

When a classification profile is configured on a virtual server without an HTTP or HTTP/2 profile, undisclosed requests can cause the Traffic …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-53868

8.5 High

When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance …

Attack vector: Network
Published: 15/10/2025
Modified: 04/02/2026

CVE-2025-53856

8.7 High

When a virtual server, network address translation (NAT) object, or secure network address translation (SNAT) object uses the embedded Packet Velocity Acceleration …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-53521 KEV

8.7 High

When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …

Attack vector: Network
Complexity: Low
Published: 15/10/2025
Modified: 04/04/2026

CVE-2025-53474

8.7 High

When an iRule using an ILX::call command is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-48008

8.7 High

When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed traffic along with conditions beyond the …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-46706

8.7 High

When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed requests can cause an increase in memory resource …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-41430

8.7 High

When BIG-IP SSL Orchestrator is enabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

CVE-2025-61882 KEV

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025