A rare emergency directive was issued by the U.S. Cybersecurity and Infrastructure Security Agency on Wednesday after the reported theft of the code of a widely used security system last month by a "highly sophisticated nation-state actor."
The theft exposes multiple critical government online services and places personal data at risk.
What is F5, and what does this impact?
What we know:
F5, Inc. says a nation-state cyberattack gave hackers long-term access to parts of its internal systems, including those tied to its BIG-IP product development and engineering platforms.
The Seattle-based company said it has contained the breach and has not seen any new unauthorized activity since taking response actions. Investigators found that some files were stolen, including portions of BIG-IP source code and details about software vulnerabilities that had not yet been disclosed publicly.
In a statement, F5 said it is not aware of any undisclosed critical or remote code vulnerabilities being exploited. Independent cybersecurity experts confirmed that the company’s software supply chain was not altered.
The company reported no evidence of access to customer relationship data, financial systems, support, or iHealth systems. It also said the breach did not affect its NGINX, Distributed Cloud Services, or Silverline platforms.
The U.S. Department of Justice allowed F5 to delay disclosure of the incident until Sept. 12, 2025, while federal investigators assessed the situation. F5 said operations have not been materially impacted and that it continues to evaluate any financial effects.
Separately, Michael Montoya resigned from F5’s Board of Directors on Oct. 9 and became Chief Technology Operations Officer on Oct. 13, reducing the board to ten members.
Will this directly impact you?
Why you should care:
While this may seem like an extremely boring and dry subject, it could make big waves for those who frequently interact with government agencies and large companies.
The same systems are used by financial institutions, universities, health care systems, cloud service providers, and other large private companies, particularly in the telecom sector.
Several foreign governments, defense contractors, and international companies also use the system.
This is not a typical data breach but a theft of the "blueprints" to an entire security system, which could lead to personal information being stolen or manipulated.
F5 makes systems that sit between users and websites or apps, basically the traffic managers and gatekeepers of the internet. Think of F5 as the digital air-traffic controller for web traffic. When you visit a bank’s website, log into a government portal, or stream video from a major platform, there’s a good chance F5 technology is managing that connection somewhere in the background.
F5 balances internet traffic, preventing denial-of-service attacks; helps prevent malware and hacking; encrypts, authenticates, and controls access to sensitive online data; and employs firewalls.
While home devices will not be directly impacted, services frequently used online could be exploited, putting users at risk.
SolarWinds, Microsoft Exchange vulnerabilities, and other breaches
The backstory:
CISA has issued more than two dozen emergency directives since 2019, using its highest-level authority to protect federal networks from serious and often nation-state-backed cyber threats.
These directives, known as EDs, are rare, legally binding orders that apply to all federal civilian agencies. They are used only when CISA determines that a cyber vulnerability or ongoing attack presents an "unacceptable risk" to government information systems. Each directive requires agencies to take specific actions such as disconnecting devices, applying software patches, or reporting potential compromises within strict deadlines.
Since the agency’s creation in 2018, emergency directives have addressed some of the most high-profile cybersecurity incidents in U.S. history.
In December 2020, CISA issued ED 21-01 in response to the SolarWinds Orion supply chain breach, which allowed Russian-linked hackers to infiltrate multiple federal agencies. The following year, ED 21-02 ordered urgent patching of Microsoft Exchange servers after widespread exploitation by Chinese threat actors.
In 2023, CISA released a string of directives targeting emerging vulnerabilities in MOVEit Transfer, Fortinet, and Ivanti systems after multiple ransomware groups and foreign intelligence units began exploiting them. Those directives were followed in 2024 by orders to patch flaws in CitrixBleed, Palo Alto Networks, and Microsoft 0-day vulnerabilities affecting secure cloud infrastructure.
Most recently, in 2025, CISA has issued three emergency directives within months. ED 25-02 required updates to Microsoft Exchange environments, while ED 25-03 focused on Cisco Adaptive Security Appliances and Firepower devices under active exploitation by advanced threat actors. The latest, ED 26-01, came after a nation-state breach at F5, Inc. exposed parts of the company’s source code and information about undisclosed vulnerabilities.
CISA says it uses emergency directives sparingly, averaging three to four per year, because each one can disrupt government operations while agencies rush to comply. The orders are intended to ensure rapid, coordinated defense across federal networks and often serve as public warnings for private companies to take similar action.
What we don't know:
CISA has not said which nation-state or state-sponsored actor may be behind this theft.
The White House has been briefed by CISA on this, but offered no comment on Wednesday.
What's next:
CISA has asked all government agencies to audit their systems and to work on patches to fix the vulnerability quickly.
The Source: The U.S. Cybersecurity and Infrastructure Security Agency provided the details for this article.