F5 Networks Breached by Nation-State Actor, BIG-IP Source Code and Undisclosed Vulnerabilities Stolen
F5 has disclosed a serious cybersecurity incident involving the compromise of its internal systems, including the BIG-IP development environment and engineering knowledge bases. According to the company’s investigation, the breach was carried out by a highly sophisticated, state-sponsored threat actor that operated stealthily and maintained prolonged unauthorized access to F5’s infrastructure. The malicious activity was finally detected in August 2025, after which the company swiftly implemented network segmentation and containment measures to halt data exfiltration. Since then, F5 reports no evidence of renewed intrusion.
The investigation revealed that the attackers exfiltrated a limited set of files, including fragments of BIG-IP source code and internal documentation on undisclosed vulnerabilities that were still being worked on. F5 emphasizes that none of the exposed flaws were critical or remotely exploitable, and there are no indications they have been leveraged in the wild. Moreover, the company confirmed that its software supply chain — including build pipelines and release repositories — remained intact. This conclusion was independently verified by NCC Group and IOActive.
Examinations of the company’s CRM systems, financial platforms, and service environments — including iHealth and the Customer Support portal — found no evidence of access to user data. However, a small portion of files extracted from the engineering portal contained configuration details pertaining to a limited number of clients, whom F5 intends to notify directly. The company further stated that the NGINX, Silverline, and F5 Distributed Cloud ecosystems were unaffected by the breach.
Following the incident, F5 launched a sweeping initiative to strengthen the security of its corporate and product infrastructure. The company enlisted CrowdStrike, Mandiant, and law enforcement agencies to conduct comprehensive forensic and incident response efforts. As part of its resilience program, F5 has since overhauled its access control systems, introduced advanced monitoring layers, enhanced network segmentation, and modernized its asset management and automated vulnerability remediation processes. The BIG-IP development environment has been reinforced with new mechanisms for activity logging, behavioral analysis, and control verification.
In parallel, F5 released out-of-band security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. The company strongly urges customers to install these versions promptly, even though no active or critical unknown vulnerabilities have been detected. Further details are provided in the October Quarterly Security Notification.
Customers also have access to supplementary resources, including a guide for detecting compromise indicators within their own environments, updated security hardening recommendations featuring automated checks via the iHealth Diagnostic Tool, and detailed integration instructions for forwarding BIG-IP logs into SIEM platforms. These measures enable organizations to quickly identify failed login attempts, privilege escalations, configuration changes, and other signs of suspicious administrative activity.
F5 additionally announced plans to conduct further source code audits and penetration tests of its products in collaboration with NCC Group and IOActive, while expanding its partnership with CrowdStrike. Under this initiative, Falcon EDR and Overwatch Threat Hunting capabilities will be integrated into BIG-IP, providing customers with enhanced visibility and threat defense. F5 has also pledged to provide free Falcon EDR licenses to all supported clients.
Company leadership underscored that the incident served as both a wake-up call and a catalyst for internal reform. In its official statement, F5 reaffirmed that customer trust remains its highest priority, and expressed its commitment to sharing the lessons learned from the investigation with the broader cybersecurity community — to help prevent similar attacks in the future.