F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor
Oct. 24, 2025, 11:48 a.m.
Description
A China-linked threat cluster, UNC5221, is actively targeting organizations that use F5 BIG-IP, following a confirmed breach of F5's internal development data. The stolen data includes portions of BIG-IP source code and vulnerability information, raising the risk of rapid 0-day discovery and weaponization. CISA issued an Emergency Directive warning of an imminent threat to federal networks. The attackers deployed a Go-based ELF backdoor called BRICKSTORM, which establishes a persistent C2 tunnel over WebSocket and employs various techniques to evade detection. The backdoor can turn a BIG-IP device into a stealthy egress point and internal proxy. F5 has disclosed over twenty vulnerabilities affecting various products and urges immediate patching and other security measures.
Tags
Date
- Created: Oct. 24, 2025, 11:09 a.m.
- Published: Oct. 24, 2025, 11:09 a.m.
- Modified: Oct. 24, 2025, 11:48 a.m.
Indicators
- aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
- 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
- 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
Attack Patterns
- BRICKSTORM
- UNC5221
- CVE-2025-61990
- CVE-2025-61935
- CVE-2025-58071
- CVE-2025-57780
- CVE-2025-61974
- CVE-2025-61960
- CVE-2025-61955
- CVE-2025-61951
- CVE-2025-61938
- CVE-2025-60016
- CVE-2025-59781
- CVE-2025-59478
- CVE-2025-58120
- CVE-2025-58096
- CVE-2025-55669
- CVE-2025-55036
- CVE-2025-54858
- CVE-2025-54854
- CVE-2025-54479
- CVE-2025-53868
- CVE-2025-53856
- CVE-2025-53521
- CVE-2025-53474
- CVE-2025-48008
- CVE-2025-46706
- CVE-2025-41430
- CVE-2025-61882
Additional Information
- Technology
- Government
- United States of America