Security and application delivery vendor F5 revealed today in an SEC filing that a nation-state threat actor had “long-term, persistent access” to some of the company’s most critical environments.
The SEC 8-K filing said the intrusion by a “highly sophisticated nation-state threat actor” was discovered on August 9 but not reported until now because the U.S. Department of Justice had “determined that a delay in public disclosure was warranted.”
After detecting the breach, F5 activated its incident response processes and took “extensive actions to contain the threat actor.”
F5 determined that the threat actor “maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform. Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP.”
The company sought to assure customers and investors that the incident has been contained and that there has been no evidence of additional unauthorized activity.
“We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the SEC filing said. “We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms.”
F5 shares (NASDAQ:FFIV) were off 4% in recent trading after falling more than 5% at their lows for the day.
CISA Issues F5 Breach Guidance
Also today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal civilian agencies directing them to secure their F5 environments, noting that the “threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software.”
Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, said in a statement today that it seemed like something was wrong on October 13, when F5 “quietly announced it had rotated its signing certificates and cryptographic keys, the ones used to prove that F5-produced software is legitimate and untampered. That’s not a routine update. Vendors only do that when something has gone very wrong. Today, F5 confirmed exactly that.”
“Older software signed with the previous keys may now warrant closer scrutiny,” Dewhurst added. “For a vendor whose products sit deep in enterprise and government networks, this is a serious breach of trust. If those compromised keys were stolen, and F5 hasn’t ruled that out, malicious software updates signed by ‘F5’ could be indistinguishable from the real thing.”
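The point Dewhurst raises, that software signed with the previous keys deserves closer scrutiny after a rotation, comes down to how a verifier treats a signature that is mathematically valid but made with a key that is no longer current. The following is an added example, not F5's tooling and not a description of F5's actual signing scheme: it uses Ed25519 as a stand-in signature algorithm, keeps a rotated key in the trust store marked as retired rather than deleting it, and so separates three cases a defender cares about: a release signed by the current key, a release with a valid signature by the retired key (flagged for review), and a tampered file or unknown signer (rejected). All keys and payloads are constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the outcome of checking one artifact against the trust store.
type Verdict int

const (
	Untrusted   Verdict = iota // bad signature or unknown signer
	Trusted                    // valid signature by a current key
	NeedsReview                // valid signature by a rotated (retired) key
)

func (v Verdict) String() string {
	return [...]string{"UNTRUSTED", "TRUSTED", "NEEDS_REVIEW"}[v]
}

// signer is one key the store knows about. A retired key still verifies
// signatures correctly; the policy layer, not the math, has to treat it differently.
type signer struct {
	pub     ed25519.PublicKey
	retired bool
}

// TrustStore maps key fingerprints to known publisher keys.
type TrustStore struct{ keys map[string]signer }

func NewTrustStore() *TrustStore { return &TrustStore{keys: map[string]signer{}} }

// Fingerprint identifies a key the way a release manifest would reference it
// (first 8 bytes of SHA-256 over the raw public key, hex encoded).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func (ts *TrustStore) Add(pub ed25519.PublicKey, retired bool) {
	ts.keys[Fingerprint(pub)] = signer{pub: pub, retired: retired}
}

// Retire marks a key as rotated out without deleting it, so older releases are
// reported as "signed by the old key" rather than "unknown signer".
func (ts *TrustStore) Retire(pub ed25519.PublicKey) {
	fp := Fingerprint(pub)
	if s, ok := ts.keys[fp]; ok {
		s.retired = true
		ts.keys[fp] = s
	}
}

// Artifact is a release file with its detached signature and the fingerprint
// of the key the publisher claims signed it.
type Artifact struct {
	Name    string
	Payload []byte
	Sig     []byte
	KeyID   string
}

// GenerateSigner creates a fresh publisher key pair (constructed, for the demo).
func GenerateSigner() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, pub
}

// SignArtifact produces the detached signature a publisher would ship.
func SignArtifact(name string, payload []byte, priv ed25519.PrivateKey) Artifact {
	pub := priv.Public().(ed25519.PublicKey)
	return Artifact{Name: name, Payload: payload, Sig: ed25519.Sign(priv, payload), KeyID: Fingerprint(pub)}
}

// Verify checks the signature first, then applies the rotation policy.
func (ts *TrustStore) Verify(a Artifact) Verdict {
	s, ok := ts.keys[a.KeyID]
	if !ok || !ed25519.Verify(s.pub, a.Payload, a.Sig) {
		return Untrusted
	}
	if s.retired {
		return NeedsReview
	}
	return Trusted
}

func main() {
	oldPriv, oldPub := GenerateSigner()
	newPriv, newPub := GenerateSigner()
	store := NewTrustStore()
	store.Add(oldPub, false)
	store.Add(newPub, false)

	// Constructed payloads standing in for real release images.
	legacy := SignArtifact("release-legacy.img", []byte("constructed legacy build"), oldPriv)
	current := SignArtifact("release-current.img", []byte("constructed current build"), newPriv)

	// Rotation: the old key stays known but is no longer trusted outright.
	store.Retire(oldPub)
	for _, a := range []Artifact{legacy, current} {
		fmt.Printf("%-20s key %s -> %s\n", a.Name, a.KeyID, store.Verify(a))
	}
}
```

The design choice worth noting is that `Retire` keeps the old public key. Dropping it would turn every older release into an "unknown signer" failure, which hides the distinction between software that merely predates the rotation and software whose signature never checked out; keeping it lets an inventory job list exactly which installed releases carry the old key and need review or replacement.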
F5 said there is no evidence that data in its CRM, financial, support case management, or iHealth systems was accessed, or that the NGINX, F5 Distributed Cloud Services, and Silverline environments were.
“However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers,” F5 said. “The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate.”
F5 Issues Customer Breach Guidance
As part of the SEC filing, F5 also shared a disclosure statement sent to customers today.
The statement said the company is “taking proactive measures to protect our customers and strengthen the security posture of our enterprise and product environments. We have engaged CrowdStrike, Mandiant, and other leading cybersecurity experts to support this work, and we are actively engaged with law enforcement and our government partners.”
F5 has released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. “We strongly advise updating to these new releases as soon as possible,” the company said.
The company has also released a threat hunting guide, hardening guidance with verification, and SIEM integration and monitoring guidance, and added automated hardening checks to the F5 iHealth Diagnostic Tool. “This tool will surface gaps, prioritize actions, and provide links to remediation guidance,” F5 said.
Since the incident, the company has rotated credentials and strengthened access controls across systems, deployed better inventory and patch management automation, added better detection and response, improved its network security architecture, and hardened its product development environment.
Other steps include ongoing code review and penetration testing with support from both NCC Group and IOActive, and extending CrowdStrike Falcon EDR sensors and Overwatch Threat Hunting to BIG-IP for additional visibility and to strengthen defenses. An early access version is available to BIG-IP customers, and F5 is providing supported customers with a free Falcon EDR subscription through October 14, 2026.
“Your trust matters,” F5 concluded. “We know it is earned every day, especially when things go wrong. We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.”