
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN703
_____________________________________________________________________

DATE                : 16/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running F5 products.

=====================================================================
https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
https://my.f5.com/manage/s/article/K000156572
_____________________________________________________________________


ED 26-01: Mitigate Vulnerabilities in F5 Devices
October 15, 2025

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of
Homeland Security, in response to a known or reasonably suspected
information security threat, vulnerability, or incident that
represents a substantial threat to the information security of an
agency, to “issue an emergency directive to the head of an agency
to take any lawful action with respect to the operation of the
information system, including such systems used or operated by
another entity on behalf of an agency, that collects, processes,
stores, transmits, disseminates, or otherwise maintains agency
information, for the purpose of protecting the information system
from, or mitigating, an information security threat.”
44 U.S.C. § 3553(h)(1)–(2). Sections 2202(c)(3) and 2205(3) of the
Homeland Security Act of 2002, as amended, delegate this authority
to the Director of the Cybersecurity and Infrastructure Security
Agency. 6 U.S.C. §§ 652(c)(3), 655(3). Federal agencies are
required to comply with these directives.
44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to
statutorily defined “national security systems” nor to systems
operated by the Department of War or the Intelligence Community.
44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).


Background

CISA is directing Federal Civilian Executive Branch (FCEB) agencies
to inventory F5 BIG-IP products, evaluate if the networked
management interfaces are accessible from the public internet, and
apply updates from F5.  

A nation-state affiliated cyber threat actor has compromised F5’s
systems and exfiltrated files, which included a portion of its
BIG-IP source code and vulnerability information. The threat
actor’s access to F5’s proprietary source code could provide that
threat actor with a technical advantage to exploit F5 devices and
software. The threat actor’s access could enable the ability to
conduct static and dynamic analysis for identification of logical
flaws and zero-day vulnerabilities as well as the ability to
develop targeted exploits.  

This cyber threat actor presents an imminent threat to federal
networks using F5 devices and software. Successful exploitation
of the impacted F5 products could enable a threat actor to access
embedded credentials and Application Programming Interface (API)
keys, move laterally within an organization’s network, exfiltrate
data, and establish persistent system access. This could
potentially lead to a full compromise of target information
systems.

CISA has assessed these conditions pose an unacceptable risk to
agencies and necessitate immediate emergency action involving
the following F5 products:

    Hardware: BIG-IP iSeries, rSeries, or any other F5 device
     that has reached end of support
    Software: All devices running BIG-IP (F5OS), BIG-IP (TMOS),
     Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for
     Kubernetes (BNK)/Cloud-Native Network Functions (CNF)

The requirements in this Directive address immediate risk and
best position agencies to respond to anticipated targeting of
these devices by the threat actor.


Scope

The required actions in this Directive apply to agency assets
in any federal information system, including an information
system used or operated by another entity on behalf of an
agency, that collects, processes, stores, transmits,
disseminates, or otherwise maintains agency information.

For federal information systems hosted in third-party
environments, each agency is responsible for maintaining
an inventory of its information systems hosted in those
environments (FedRAMP-authorized or otherwise) and
obtaining status updates pertaining to, and to ensure
compliance with, this Directive. Agencies should work
through the FedRAMP program office to obtain these updates
for FedRAMP-authorized cloud service providers and work
directly with service providers that are not
FedRAMP-authorized.

All other provisions specified in this Directive remain
applicable.


Required Actions

This Emergency Directive requires agencies to take the
following actions:

Inventory

    Immediately identify:
        All BIG-IP hardware devices.
        All instances of BIG-IP F5OS, BIG-IP TMOS, Virtual
         Edition (VE), BIG-IP Next, BIG-IQ software, and
         BNK/CNF.

Harden Public-Facing F5 BIG-IP Devices

    For all public-facing BIG-IP physical or virtual devices,
     identify if the networked management interface is accessible
     directly from the public internet. For all devices with
     confirmed exposure: [1]
        Follow the requirements in CISA’s Binding Operational
         Directive (BOD) 23-02: Mitigating the Risk from
         Internet-Exposed Management Interfaces.
        Report to CISA and follow further CISA instructions.

Update Instances of BIG-IP Hardware and Software Appliances

    By October 22, 2025, apply the latest vendor-provided
     update for each of the following products:

        F5OS
        BIG-IP TMOS
        BIG-IQ
        BNK/CNF – prior to applying the update, validate
         the F5 published MD5 checksums for its software
         image files and other F5 downloaded software.  

    Note: Agencies that – prior to the issuance of this
     Directive – have configured the management interface
     for a device so that it is exclusively shown to a
     management network and only accessible via a jump box,
     may note this best practice in their reporting and
     follow the agency’s regular update schedule for this
     device, overriding the timeline above. 
 
    For all F5 virtual and physical devices not covered
     in required action 3:
        Update with the latest software release patch by
        October 31, 2025, and apply the latest F5-provided
        asset hardening guidance.
    Apply all subsequent updates via F5’s download portal
     within one (1) week of vendor release.   
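One way to carry out the checksum validation step above before an image is applied, as an added example that is not part of the directive or of F5's own tooling; it assumes the published companion .md5 file uses the md5sum layout `<hex>  <filename>`, and the sample image and checksum files it creates are constructed:

```shell
#!/bin/sh
# Added example: verify a downloaded F5 image against the checksum F5
# publishes for it before the image is applied (ED 26-01, BNK/CNF step).
# Assumption: the companion .md5 file uses the md5sum layout
# "<32 hex chars>  <filename>", one image per line.

# md5_of <file>: print the lowercase MD5 digest, using md5sum where
# available and falling back to openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print tolower($1) }'
    else
        openssl dgst -md5 "$1" | awk '{ print tolower($NF) }'
    fi
}

# verify_image <image> <checksum-file>: return 0 only when the computed
# digest matches the published entry for that file name; a missing
# file, a missing entry or a mismatch is a failure, so the caller must
# not proceed with the update.
verify_image() {
    image="$1"; sums="$2"; name=$(basename "$image")
    [ -f "$image" ] || { echo "missing image: $image" >&2; return 1; }
    [ -f "$sums" ]  || { echo "missing checksum file: $sums" >&2; return 1; }
    expected=$(awk -v f="$name" '$2 == f { print tolower($1) }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2; return 1
    fi
    actual=$(md5_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK        $name $actual"; return 0
    fi
    echo "MISMATCH  $name expected=$expected actual=$actual" >&2
    return 1
}

# Constructed demonstration: a stand-in image, one correct checksum file
# and one wrong checksum file, so both outcomes are visible.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for an F5 image\n' > "$d/BIGIP-sample.iso"
    printf '%s  BIGIP-sample.iso\n' "$(md5_of "$d/BIGIP-sample.iso")" > "$d/good.md5"
    printf '00000000000000000000000000000000  BIGIP-sample.iso\n' > "$d/bad.md5"
    verify_image "$d/BIGIP-sample.iso" "$d/good.md5"
    verify_image "$d/BIGIP-sample.iso" "$d/bad.md5" || echo "refusing to apply image" >&2
    rm -rf "$d"
}
demo
```

A matching digest only shows the file equals what F5 published, so fetch the checksum file from F5's portal over HTTPS rather than from the same untrusted path as the image.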


Disconnect End of Support Devices

    For all public-facing F5 devices that have reached end
     of support, disconnect and decommission these devices.
     Agencies that cannot disconnect F5 devices that have
     reached their end of support date shall report to
     CISA:
        Any mission critical need(s) preventing such action; and
        Plans for eventual decommissioning of the device.


Mitigate Against Cookie Leakage

    If CISA notifies an agency of a BIG-IP cookie leakage
     vulnerability, the agency shall follow CISA’s
     accompanying mitigation instructions.     


Report

    All agencies, regardless of the results of required
     action 1, must:
        By 11:59 PM ET on October 29, 2025, report to CISA
         (using the provided template) a summary of products
         within scope on agency networks.
        By 11:59 PM ET on December 3, 2025, report to CISA
         (using the provided template) a detailed inventory
         of all instances of products within scope on agency
         networks.


[1] A Networked Management Interface is a dedicated device
interface that is accessible over network protocols and is
meant exclusively for authorized users to perform
administrative activities on a device, a group of devices,
or the network itself, as defined in CISA’s Binding
Operational Directive 23-02.


CISA Actions:

    CISA will provide agencies with a template that will be
     used for reporting agency actions following the
     issuance of this Directive.
    CISA will continue efforts to identify instances and
     potential compromises associated with this threat
     activity, provide partner notifications, and will
     issue additional guidance and direction, as appropriate.

    By March 1, 2026, CISA will provide a report to the
     Secretary of Homeland Security, the National Cyber
     Director, the Director of the Office of Management and
     Budget, the Federal Chief Information Officer, and the
     Federal Chief Information Security Officer identifying
     the implementation of this Directive, including
     cross-agency status and outstanding issues.


Additional Information

Visit https://www.cisa.gov/news-events/directives or contact
the following for:

    General information, assistance, and reporting –
     CyberDirectives@cisa.dhs.gov
    Reporting indications of compromise – contact@cisa.dhs.gov



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================