Cybersecurity order warns of "imminent risk" to federal agencies following possible breach

Source: CBS News

Updated on: October 15, 2025 / 5:34 PM EDT


The Cybersecurity and Infrastructure Security Agency on Wednesday issued a sweeping emergency order directing all federal agencies to immediately patch critical vulnerabilities in certain devices and software made by F5, a technology vendor, after confirming a nation-state cyber actor gained unauthorized access to F5's source code.

CISA — a part of the Department of Homeland Security which manages risks to the U.S.'s cyber and physical infrastructure — issued Emergency Directive 26-01 following the company's disclosure that a foreign threat actor had maintained long-term, persistent access to its internal development and engineering environments using source code.

Officials warned that attackers could exploit the vulnerabilities to steal credentials, move laterally through networks, and potentially take full control of targeted systems. F5 said they first discovered the attack in August but did not disclose exactly when it began.

"This directive addresses an imminent risk," said Nick Anderson, CISA's Executive Assistant Director for Cybersecurity, during a news briefing Wednesday. "A nation-state actor could exploit these flaws to gain unauthorized access to embedded credentials and API keys. That's an unacceptable risk to federal networks." F5 is a publicly traded American technology company headquartered in Seattle, Washington.

Read more: https://www.cbsnews.com/news/f5-source-code-cybersecurity-infrastructure-security-agency-emergency-order/