
F5 has confirmed a significant cybersecurity breach involving a nation-state actor who maintained persistent access to internal systems for an extended period.
The attacker exfiltrated files containing portions of BIG-IP source code and information on undisclosed vulnerabilities, prompting a wide-ranging internal response and updates to customer-facing software.
F5, Inc. is a global technology company known for its BIG-IP product line, which powers advanced load balancing, security, and application delivery capabilities in enterprise and cloud environments. F5's platforms are widely deployed in government, telecom, financial, and Fortune 500 environments, making the integrity of its software stack critical to its customers' security postures.
The incident, which began in August 2025, was disclosed publicly today via an F5 customer support bulletin and a concurrent SEC 8-K filing. According to F5, the intrusion was discovered on August 9, when internal teams identified suspicious activity within systems supporting BIG-IP development and engineering knowledge management. These platforms are critical to F5's software innovation pipeline and house sensitive technical documentation.
F5 immediately activated its incident response protocol, engaging leading security firms CrowdStrike, Mandiant, NCC Group, and IOActive to assist in containment, investigation, and validation. The company also reported the matter to US law enforcement and government partners. On September 12, the Department of Justice approved a temporary delay in public disclosure, citing national security concerns, an exemption allowed under SEC rules for material cybersecurity events.
Massive security breach
The attacker reportedly exfiltrated files from F5's development environment, including fragments of BIG-IP source code and internal vulnerability data related to issues that had not yet been disclosed or patched. However, F5 states that no critical or remotely exploitable vulnerabilities were among those stolen and that no active exploitation of F5 vulnerabilities has been detected.
The company also reports no evidence of unauthorized access to production systems, customer relationship data, financial systems, support platforms, or cloud services such as F5 Distributed Cloud Services and Silverline. The firm states that the attacker did not compromise the software supply chain: source code integrity, build, and release systems were reviewed and validated by both NCC Group and IOActive.
F5 acknowledged that some exfiltrated files contained customer-specific configuration or implementation information. These files were stored in their knowledge management system and related to a small percentage of customers. Impacted organizations will be contacted directly.
Response and mitigation
Since the incident was contained, F5 has taken several steps to harden its environments, including rotating credentials, tightening access controls across all systems, and enhancing monitoring and patch management automation. Network segmentation was re-architected, and NCC Group and IOActive were contracted to perform source code reviews.
Additionally, F5 has partnered with CrowdStrike to extend Falcon EDR and OverWatch threat hunting coverage to the BIG-IP platform. A free Falcon EDR subscription will be made available to supported customers, with an early access version rolling out shortly.
In response to the incident, F5 has released updated versions of:
- BIG-IP
- F5OS
- BIG-IP Next for Kubernetes
- BIG-IQ
- APM clients
While no zero-day vulnerabilities are confirmed to be in active exploitation, customers are strongly advised to update to the latest versions without delay. F5 has also published a threat hunting guide, hardening best practices, SIEM integration documentation, and iHealth diagnostic improvements to assist customers in securing their deployments.