October 16, 2025

F5 breached by nation-state actor; BIG-IP source code and vulnerability data stolen

On October 15, 2025, cybersecurity firm F5 disclosed that a nation-state threat actor had breached its internal systems, exfiltrating proprietary source code and “information about undisclosed vulnerabilities” in its BIG-IP product line.

The company stated that the breach was first detected on August 9, 2025, and involved long-term access to F5’s product development and engineering environments. The threat actors managed to access internal documentation, configuration files for a small percentage of customers, and vulnerability tracking systems for a small percentage of customers, but there is no evidence of compromise to its software build pipeline or customer-facing systems.

F5 delayed public disclosure at the request of the U.S. Department of Justice due to national security concerns. The company engaged third-party firms to investigate the incident. The assessments confirmed that the attackers did not insert malicious code into F5’s software or compromise its cryptographic signing infrastructure.

On October 15, F5 also released updates addressing 44 vulnerabilities, including those believed to have been part of the incident. The patched products include BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and Access Policy Manager (APM) clients.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a directive requiring U.S. federal agencies to apply these patches by October 22 for core products and October 31 for other appliances.

Analyst insight

BIG-IP is a widely deployed application delivery controller used for load balancing, traffic management, and security enforcement across enterprise networks. F5 serves over 23,000 customers globally, including 48 of the Fortune 50. The breach impacts organizations using these platforms, particularly those with exposed management interfaces or outdated systems.

F5 has published updated deployment guidance and a threat hunting guide to assist customers in identifying potential indicators of compromise. Organizations are advised to review these resources and validate the security posture of their F5 environments.

Apply the patches and conduct an inventory of all F5 assets to verify that no management interfaces are exposed to the public internet. Enable BIG-IP event streaming to Security Information and Event Management (SIEM) platforms and configure remote syslog logging. Monitor for anomalous login attempts and privilege changes. Use the F5 iHealth Diagnostic Tool to identify risks and validate system integrity.
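
The inventory step above can be scripted. The following is an added example, not code from F5 or from this article: it audits an asset inventory for management addresses outside internal ranges and for appliances without remote syslog. The CSV column names and the sample rows are constructed assumptions, not an F5 export format.

```python
import csv
import io
import ipaddress

# Ranges treated as internal-only (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample inventory; column names are assumptions, not an F5 format.
SAMPLE_INVENTORY = """hostname,product,mgmt_address,remote_syslog
lb-dc1-01,BIG-IP,10.20.0.5,yes
lb-edge-02,BIG-IP,203.0.113.10,no
biq-01,BIG-IQ,192.168.50.9,no
lb-lab-03,BIG-IP,,yes
lb-dc2-04,F5OS,fd12:3456::8,yes
"""

def classify_mgmt(address):
    """Return 'internal', 'review' (outside internal ranges) or 'unknown'."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return "unknown"  # blank, hostname, or malformed: needs manual lookup
    if any(ip.version == net.version and ip in net for net in INTERNAL_NETS):
        return "internal"
    return "review"  # not proof of exposure; confirm reachability from outside

def audit(inventory_csv):
    """Return (hostname, finding) tuples for assets that need follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify_mgmt(row["mgmt_address"])
        if status == "review":
            findings.append((row["hostname"], "management address outside internal ranges"))
        elif status == "unknown":
            findings.append((row["hostname"], "management address missing or unparseable"))
        if row["remote_syslog"].strip().lower() != "yes":
            findings.append((row["hostname"], "remote syslog not configured"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

An address flagged for review still needs an external reachability check, since NAT or firewall rules can expose an internal address or shield a routable one.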