F5 data breach: “Nation-state attackers” stole BIG-IP source code, vulnerability info

US tech company F5 has suffered a breach in which the attackers made off with source code and vulnerability information related to its BIG-IP family of networking and security products, the company confirmed today.


BIG-IP vulnerabilities are often leveraged by attackers, and the fear is that the threat actor may use the stolen code to find more of them and use the knowledge to develop targeted exploits, the UK National Cyber Security Centre has noted.

The F5 data breach

“In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems,” the company stated.

“We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.”

F5 called in CrowdStrike, Mandiant, and other cybersecurity experts to help with the investigation, and has by now concluded that the attackers exfiltrated:

  • Files from its BIG-IP product development environment and engineering knowledge management platforms, which include some of the BIG-IP source code and information about undisclosed vulnerabilities the company was working on in BIG-IP, and
  • Files from its knowledge management platform, which contained configuration or implementation information for a small percentage of customers (affected customers will be notified directly)

The investigators have found no evidence that the attackers ever had access to or exfiltrated data from its CRM (customer relationship management), financial, support case management, or iHealth systems.

There’s also currently no evidence that the attackers had access to or fiddled with the source code or product development environment of NGINX, F5’s enterprise-grade version of the popular NGINX web server and reverse proxy solution, nor F5’s Distributed Cloud Services or Silverline systems.

(Of course, absence of evidence is not evidence of absence, and further evidence may yet be found.)

The UK National Cyber Security Centre says that there is currently no indication that any customer networks have been impacted via the compromise of the F5 network.

F5’s efforts after the breach

Conscious of the need to restore confidence among its customers, F5 laid out the actions it has already taken: strengthened access control across its systems (and rotated potentially compromised signing certificates and keys), enhanced its network security architecture, and hardened its product development environment.

It also engaged NCC Group and IOActive to assess the software development build pipeline for BIG-IP products and review the security of the BIG-IP source code. Their analyses found no critical vulnerabilities and confirmed that the code had not been tampered with. (Both companies are still reviewing the remaining code bases and build pipeline components, as directed by F5.)

Finally, F5 is partnering with CrowdStrike to extend Falcon EDR sensors and Overwatch Threat Hunting to BIG-IP. “An early access version will be available to BIG-IP customers and F5 will provide all supported customers with a free Falcon EDR subscription,” the company pledged.

What should customers do?

The UK NCSC has listed products affected by this breach:

  • BIG-IP iSeries, rSeries, or any other F5 appliance that has reached end of support
  • All devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF)

Customers have been urged to implement the updates F5 pushed out today for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. They have also been urged to implement the provided best practices for F5 systems hardening, SIEM integration and monitoring guidance.

“A threat hunting guide to strengthen detection and monitoring in your environment is available from F5 support,” the company added, but noted that it has no knowledge of undisclosed critical or remote code vulnerabilities and is not aware of active exploitation of undisclosed F5 vulnerabilities.

UPDATE (October 15, 2025, 00:10 p.m. ET):

We’ve reached out to F5 to find out how long the attackers had access to the company’s BIG-IP environment/platforms and whether they spotted the intrusion or were notified of it by a third party, but company spokesperson Dan Sorensen has told us the company could not provide additional details about the incident at this time.

Also, the US Cybersecurity and Infrastructure Security Agency has issued an emergency directive ordering Federal Civilian Executive Branch agencies to:

  • Pinpoint the F5 BIG-IP products they use
  • Mitigate the risk of unauthorized access to their networked management interfaces from the public internet
  • Apply the newly released updates from F5, and
  • Decommission all public-facing F5 devices that have reached end of support.

“If CISA notifies an agency of a BIG-IP cookie leakage vulnerability, the agency shall follow CISA’s accompanying mitigation instructions,” CISA added.

Also, all agencies must report to CISA a detailed inventory of all instances of F5 BIG-IP products on their networks by December 3, 2025.
