CISA confirms hackers are exploiting F5 flaw on federal and private networks

The Department of Homeland Security’s cybersecurity division said Friday it had responded to at least two hacking incidents at U.S. government and private-sector organizations that exploited a critical vulnerability in enterprise software to take control of the victim’s computer systems.

DHS’s Cybersecurity and Infrastructure Security Agency said the unidentified malicious hackers had for weeks been scanning federal agencies’ networks for a flaw in a popular software made by F5 Networks, which was revealed earlier this month. CISA said it was working with multiple sectors to investigate possible breaches related to the vulnerability, with two compromises confirmed as of Friday.

The vulnerability allows hackers to execute code remotely on target systems, opening up a pathway to deleting files or disabling services. Hackers will continue to exploit the bug, CISA warned. The agency “strongly urg[ed] users and administrators to upgrade their software to the fixed versions.”

The disclosure shows how, once a high-profile software flaw is revealed, the race is on between hackers eager to exploit it and organizations trying to fortify their defenses. In this case, there were confirmed breaches within days of F5 releasing a fix for the flaw, according to CISA.

“If you didn’t patch by this morning, assume [you are] compromised,” CISA Director Chris Krebs said in early July when the F5 vulnerability was revealed.

It has been a torrid few weeks for critical bugs in widely used software. On July 14, researchers revealed a vulnerability in applications made by software giant SAP could affect up to 40,000 SAP customers. In late June, CISA and U.S. Cyber Command urged users to address a vulnerability in another popular operating system on firewalls and corporate virtual private network products.