F5 breach exposes 262,000 BIG-IP systems worldwide
Over 262K F5 BIG-IP devices exposed after threat actors stole source code and data on undisclosed flaws in a recent F5 breach.
Over 262,000 F5 BIG-IP devices are exposed online after F5 confirmed a breach by nation-state actors who stole source code and data on undisclosed flaws.

The Shadowserver Foundation found 262,269 F5 BIG-IP systems exposed online, with over 130,000 in the US. It remains unclear how many have been secured against potential exploitation of the recently disclosed BIG-IP vulnerabilities, raising concerns over widespread exposure and delayed patching efforts.
In mid-October, cybersecurity firm F5 disclosed a breach by a highly sophisticated nation-state actor that occurred in August 2025. The threat actors breached its systems and stole BIG-IP’s source code and information related to undisclosed vulnerabilities.
The attackers accessed the company’s BIG-IP development and engineering systems, but F5 highlights that containment efforts were successful, with no further unauthorized activity observed.
The company reported the incident to law enforcement and is investigating the security breach with the help of leading cybersecurity firms.
F5 found no signs of compromise in its CRM, financial, or cloud systems, nor tampering with its source code or supply chain. The company states that some stolen files contained limited customer configuration data. The cybersecurity firm is notifying impacted clients.
The company also filed a Form 8-K report with the U.S. Securities and Exchange Commission (SEC).
F5 responded to the breach with extensive containment and hardening measures to protect its systems and customers. The company rotated credentials, tightened access controls, automated patch management, and improved monitoring and network security.
The cybersecurity firm also enhanced protections in its product development environment and continues in-depth code reviews and penetration tests with NCC Group and IOActive. Additionally, F5 partnered with CrowdStrike to deploy Falcon EDR and threat hunting for BIG-IP, offering customers a free EDR subscription to bolster defenses.
Users should promptly install the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients to ensure full protection.
The UK’s NCSC and the US CISA advise F5 customers to locate all F5 products, secure exposed management interfaces, and assess for compromise. F5 delayed disclosure at the U.S. government’s request to protect critical systems.
F5 privately linked the breach to the China-nexus group UNC5221, which was active in its network for at least a year. The company warned customers about the Go-based Brickstorm backdoor, tied to the same group known for exploiting Ivanti zero-days and using custom malware like Zipline and Spawnant, according to Bloomberg and Google’s earlier findings.
Pierluigi Paganini
(SecurityAffairs – hacking, F5)