U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.
The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.
F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products.
BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide.
No supply-chain risk
It’s unclear how long the hackers maintained access, but the company confirmed that they stole source code, vulnerability data, and some configuration and implementation details for a limited number of customers.
"Through this access, certain files were exfiltrated, some of which contained certain portions of the Company's BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP," the company states.
Despite this critical exposure of undisclosed flaws, F5 says there's no evidence that the attackers leveraged the information in actual attacks, such as exploiting the undisclosed flaw against systems. The company also states that it has not seen evidence that the private information has been disclosed.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
This includes its platforms that contain customer data, such as its CRM, financial, support case management, or iHealth systems. Furthermore, other products and platforms managed by the company are not compromised, including NGINX, F5 Distributed Cloud Services, or Silverline systems' source code.
Response to the breach
After discovering the intrusion, F5 took remediation action by tightening access to its systems, and improving its overall threat monitoring, detection, and response capabilities:
Rotated credentials and strengthened access controls across our systems.
Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.
Implemented enhancements to our network security architecture.
Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.
Additionally, the company also focuses on the security of its products through source code reviews and security assessements with support from NCC Group and IOActive.
NCC Group's assessment covered security reviews of critical software components in BIG-IP and portions of the development pipeline in an effort that involved 76 consultants.
IOActive's expertise was called in after the security breach and the engagement is still in progress. The results so far show no evidence of the threat actor introducing vulnerablities in critical F5 software source code or the software development build pipeline.
Customers should take action
F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance.
To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients.
Despite any evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.
Furthermore, F5 support makes available a threat hunting guide for customers to improve detection and monitoring in their environment.
New best practices for hardening F5 systems now include automated checks to the F5 iHealth Diagnostic Tool, which can now flag security risks, vulnerabilities, prioritize actions, and provide remediation guidance.
Another recommendation is to enable BIG-IP event streaming to SIEM and configure the systems to log to a remote syslog server and monitor for login attempts.
"Our global support team is available to assist. You can open a MyF5 support case or contact F5 support directly for help updating your BIG-IP software, implementing any of these steps, or to address any questions you may have" - F5
The company added that it has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms, including CrowdStrike and Mandiant.
Additional guidance for F5 customers comes from UK's National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Both agencies recommmend identifying all F5 products (hardware, software, and virtualized) and making sure that no management interface is exposed on the public web. If an exposed interface is discovered, companies should make compromise assessment.
F5 notes that it delayed the public disclosure of the incident at the U.S. government's request, presumably to allow enough time to secure critical systems.
"On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner," explains F5.
F5 states that the incident has no material impact on its operations. All services remain available and are considered safe, based on the latest available evidence.
BleepingComputer has contacted F5 to request more details about the incident, and we will update this post when we receive a response.
This is a developing story.