F5 Networks has disclosed that a “highly sophisticated nation-state threat actor” infiltrated its internal systems, exfiltrating files from its BIG-IP product development environment and engineering knowledge management platforms, including portions of source code and information on undisclosed vulnerabilities.
“In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems,” the company said in its statement.
According to F5, the affected systems were isolated, and containment efforts have since been successful. “Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful,” F5 assured customers.
F5 said that the intruder accessed BIG-IP source code and internal information about unreleased vulnerabilities, but emphasized that none of these flaws were critical or actively exploited.
“These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP. We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the company stated.
F5 clarified that the breach did not extend to its customer relationship management (CRM), financial, or support systems, nor to its NGINX or Distributed Cloud environments.
“We have no evidence of access to, or exfiltration of, data from our CRM, financial, support case management, or iHealth systems,” the report confirmed.
The company also stressed that its software supply chain remained uncompromised.
“We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines,” F5 said, adding that this conclusion was validated by NCC Group and IOActive.
To mitigate potential risks from the breach, F5 has issued security updates for 44 vulnerabilities, including those related to the stolen data.
The company confirmed that the security updates address impact from the incident and cover the following products:
- BIG-IP
- F5OS
- BIG-IP Next for Kubernetes
- BIG-IQ
- Access Policy Manager (APM) clients
“Updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients are available now. Though we have no knowledge of undisclosed critical or remote code execution vulnerabilities, we strongly advise updating your BIG-IP software as soon as possible,” F5 emphasized.
The patches are available as part of F5’s October 2025 Quarterly Security Notification.
Administrators are urged to:
- Enable BIG-IP event streaming to SIEM platforms
- Configure remote syslog servers
- Monitor for admin logins, failed authentications, and configuration changes
“We recommend enabling BIG-IP event streaming to your SIEM and provide step-by-step instructions for syslog configuration (KB13080) and monitoring for login attempts (KB13426),” F5 said.
In response to the incident, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-01, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch affected F5 products immediately.
“CISA is directing Federal Civilian Executive Branch (FCEB) agencies to inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply updates from F5,” the directive stated.
CISA set a deadline of October 22 for patching F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF products, and October 31 for all other F5 appliances. It also instructed agencies to disconnect and decommission public-facing F5 devices that have reached end-of-support.
According to CISA, successful exploitation of vulnerable BIG-IP systems could allow attackers to steal credentials, move laterally within networks, and establish persistence.
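A first-pass triage of the inventory, exposure check and deadlines described above, as an added example that is not code from F5 or CISA. The CSV columns, hostnames and addresses are constructed, the year 2025 is inferred from the article's timeline, and using the management address range as a proxy for "public-facing" is an assumption.

```python
import csv, io, ipaddress
from datetime import date

# Deadlines as reported in the article; the year 2025 is assumed from its timeline.
EARLY_PRODUCTS = {"F5OS", "BIG-IP TMOS", "BIG-IQ", "BNK/CNF"}
EARLY_DEADLINE, OTHER_DEADLINE = date(2025, 10, 22), date(2025, 10, 31)

# Ranges treated as internal (RFC 1918, loopback, link-local). Assumption: any
# other address is flagged for review. This is a first pass only: it does not
# prove reachability, and NAT can still expose an internal address.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample inventory; hostnames, addresses and column names are hypothetical.
SAMPLE = """hostname,product,mgmt_ip,end_of_support
lb-edge-01,BIG-IP TMOS,203.0.113.10,no
lb-core-02,BIG-IQ,10.20.0.5,no
apm-old-03,BIG-IP TMOS,198.51.100.7,yes
misc-04,Other F5 appliance,192.168.4.9,no
"""

def needs_exposure_review(ip):
    """True when the management address is outside the internal ranges."""
    addr = ipaddress.ip_address(ip.strip())
    return not any(addr in net for net in INTERNAL)

def triage(row):
    """Map one inventory row to the action and deadline reported in the article."""
    flagged = needs_exposure_review(row["mgmt_ip"])
    eos = row["end_of_support"].strip().lower() == "yes"
    if eos and flagged:
        action, deadline = "disconnect and decommission", None
    elif eos:
        # The article gives no rule for internal end-of-support devices.
        action, deadline = "manual review", None
    else:
        action = "apply F5 updates"
        early = row["product"].strip() in EARLY_PRODUCTS
        deadline = EARLY_DEADLINE if early else OTHER_DEADLINE
    return {"hostname": row["hostname"], "review_exposure": flagged,
            "action": action, "deadline": deadline}

def run(text=SAMPLE):
    return [triage(r) for r in csv.DictReader(io.StringIO(text))]

if __name__ == "__main__":
    for item in run():
        print(item)
```

Devices flagged with `review_exposure` still need a firewall or external scan check to confirm whether the management interface is actually reachable from the internet.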