The Cybersecurity and Infrastructure Security Agency on Wednesday issued a sweeping emergency order directing all federal agencies to immediately patch critical vulnerabilities in certain devices and software made by F5, a technology vendor, after confirming a nation-state cyber actor gained unauthorized access to F5's source code.
CISA — a part of the Department of Homeland Security which manages risks to the U.S.'s cyber and physical infrastructure — issued Emergency Directive 26-01 following the company's disclosure that a foreign threat actor had maintained long-term, persistent access to its internal development and engineering environments using source code.
Officials warned that attackers could exploit the vulnerabilities to steal credentials, move laterally through networks, and potentially take full control of targeted systems. F5 said they first discovered the attack in August but did not disclose exactly when it began.
"This directive addresses an imminent risk," said Nick Anderson, CISA's Executive Assistant Director for Cybersecurity, during a news briefing Wednesday. "A nation-state actor could exploit these flaws to gain unauthorized access to embedded credentials and API keys. That's an unacceptable risk to federal networks."
F5 is a publicly traded American technology company headquartered in Seattle, Washington.
Justice Department delayed breach announcement
Earlier Wednesday, F5 disclosed the breach in a filing with the Securities and Exchange Commission.
In the SEC 8-K report, F5 said the Justice Department on Sept. 12 "determined that a delay in public disclosure was warranted." It's one of the first times a company has publicly acknowledged DOJ intervention under the SEC's cybersecurity disclosure rules.
The rules were adopted in July 2023 and require companies to report cybersecurity incidents within four business days of determining that a material event has occurred.
F5 CEO François Locoh-Donou signed the filing, which said the company learned of the attack on Aug. 9 and launched an investigation alongside cybersecurity firms CrowdStrike, Mandiant, and others, with assistance from federal law enforcement and unnamed "government partners."
"During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform," F5 wrote in its filing.
CBS News has reached out to the Justice Department for any explanation on why the public disclosure was delayed.
What's in the CISA emergency order
CISA's order directed Federal Civilian Executive Branch agencies — which include the Department of Justice, Department of State, Department of Treasury, and the Federal Trade Commission, among others — to inventory F5 BIG-IP products, which are application delivery and security services.
The federal agencies need to evaluate if their networks are accessible from the public internet, and apply newly released updates from F5 by Oct. 22, the emergency order said. They must also complete scoping reports identifying affected devices by Oct. 29.
There are currently thousands of F5 devices in use across federal networks, Anderson told CBS News. The cybersecurity agency said it expects to know more about the scope of exposure by the end of the month.
CISA Acting Director Madhu Gottumukkala said in a statement that the agency remains "steadfast" in its mission to defend U.S. networks, even amid the ongoing government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015.
"The alarming ease with which these vulnerabilities can be exploited demands immediate and decisive action," Gottumukkala said. "These same risks extend beyond federal systems — to any organization using this technology."
No confirmed compromises yet, but broader campaign underway
Anderson confirmed that CISA is not aware of any current data breaches within federal agencies, though the directive is designed to uncover any potential compromises. He said the campaign appears to be part of a broader nation-state effort targeting elements of the U.S. technology supply chain, not just one vendor.
"The broader goal here is persistent access — to gather intelligence, hold infrastructure hostage, or position themselves for future attacks," Anderson told CBS News during Wednesday's briefing.
CISA declined to name the country behind the attack, citing ongoing investigations.
"The U.S. government is not making a public attribution at this time," said Marcy McCarthy, CISA's Director of Public Affairs.
Working through the government shutdown
Pressed on the government's ability to respond amid furloughs and staffing reductions at CISA, Anderson acknowledged the agency's challenges but said it remains operational.
"We're sustaining essential functions and providing timely guidance like this to mitigate risk," he said. "This is core mission work for CISA — exactly what we should be doing."
Anderson also said the lapse of Cybersecurity Information Sharing Act of 2015, a law which had governed federal-private sector cyber information sharing before sunsetting, did not delay coordination with F5 or impact the agency's response.
While the directive applies only to federal agencies, CISA is strongly urging state, local, and private sector organizations using F5 technologies to follow the same patching and mitigation steps. F5's products, including its BIG-IP line, are widely used in both government and commercial networks to manage internet traffic and security.
