F5 Breached – Hackers Stole BIG-IP Source Code and Undisclosed Vulnerabilities Data

F5, a leading provider of application security and delivery solutions, disclosed a major security incident on October 14, 2025.

The company revealed that a sophisticated nation-state threat actor had gained long-term access to internal systems, exfiltrating sensitive files including BIG-IP source code and details on undisclosed vulnerabilities.

While F5 emphasized that no critical exploits or active attacks on customers have been detected, the breach underscores the vulnerabilities in even the most secure development environments.

The intrusion, discovered in August 2025, involved persistent access to F5’s BIG-IP product development environment and engineering knowledge management platforms.

According to the company’s official statement, the actor downloaded files containing proprietary source code for its flagship BIG-IP software, which powers load balancing and security for millions of enterprise applications worldwide.

Additionally, the stolen data included information on vulnerabilities F5 was actively researching and patching. However, the firm stressed that these were not critical remote code execution flaws and showed no signs of exploitation in the wild.

Breach Details

F5’s investigation, aided by cybersecurity firms CrowdStrike and Mandiant, found no evidence of tampering with the software supply chain, including build pipelines or released code.

Independent audits by NCC Group and IOActive corroborated this, ruling out modifications that could have introduced backdoors into customer deployments. The breach also spared key areas like NGINX source code, F5 Distributed Cloud Services, and Silverline DDoS protection systems.

However, some fallout reached customers. A small subset of exfiltrated files from the knowledge platform held configuration details for certain BIG-IP implementations.

F5 plans to notify affected users directly after reviewing the data. Crucially, no customer records from CRM, financial systems, support portals, or the iHealth monitoring tool were compromised, limiting broader privacy risks.

F5 acted swiftly to contain the threat, rotating credentials, bolstering access controls, and deploying advanced monitoring tools. No further unauthorized activity has occurred since containment.

To safeguard users, the company rolled out urgent patches for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients in its October 2025 Quarterly Security Notification. Customers are urged to apply these updates immediately, even in the absence of known exploits.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.