F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor
Essential information
- Published
- 24/10/2025 11:09
- Modified
- 24/10/2025 11:48
- Tags
- 2025-10-24 brickstorm f5 big-ip
- Related entities
- 27 vulnerabilities (cve), 3 observables, 1 intrusion sets (apt), 6 techniques (mitre), 1 malware, 3 others
Description
A China-linked threat cluster, UNC5221, is actively targeting organizations using F5 BIG-IP following a confirmed breach of F5's internal development data. The stolen data includes portions of BIG-IP source code and vulnerability information, raising the risk of rapid 0-day discovery and weaponization. CISA issued an Emergency Directive warning of an imminent threat to federal networks. The attackers deployed a Go-based ELF backdoor called BRICKSTORM, which establishes a persistent C2 tunnel using WebSocket and employs various techniques to evade detection. The backdoor can turn a BIG-IP device into a stealth egress point and internal proxy. F5 has disclosed over twenty vulnerabilities affecting various products, urging immediate patching and security measures.