CISA confirms hackers are exploiting F5 flaw on federal and private networks

Two compromises have been confirmed. An investigation into other possible breaches is ongoing.
F5 vulnerability
F5 Networks' office in San Jose.

The Department of Homeland Security’s cybersecurity division said Friday it had responded to at least two hacking incidents at U.S. government and private-sector organizations that exploited a critical vulnerability in enterprise software to take control of the victim’s computer systems.

DHS’s Cybersecurity and Infrastructure Security Agency said the unidentified malicious hackers had for weeks been scanning federal agencies’ networks for a flaw in a popular software made by F5 Networks, which was revealed earlier this month. CISA said it was working with multiple sectors to investigate possible breaches related to the vulnerability, with two compromises confirmed as of Friday.

The vulnerability allows hackers to execute code remotely on target systems, opening up a pathway to deleting files or disabling services. Hackers will continue to exploit the bug, CISA warned. The agency “strongly urg[ed] users and administrators to upgrade their software to the fixed versions.”

The disclosure shows how, once a high-profile software flaw is revealed, the race is on between hackers eager to exploit it and organizations trying to fortify their defenses. In this case, there were confirmed breaches within days of F5 releasing a fix for the flaw, according to CISA.


“If you didn’t patch by this morning, assume [you are] compromised,” CISA Director Chris Krebs said in early July when the F5 vulnerability was revealed.

It has been a torrid few weeks for critical bugs in widely used software. On July 14, researchers revealed a vulnerability in applications made by software giant SAP could affect up to 40,000 SAP customers. In late June, CISA and U.S. Cyber Command urged users to address a vulnerability in another popular operating system on firewalls and corporate virtual private network products.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts