In August 2025, F5 Inc. discovered that a highly sophisticated nation-state threat actor had gained unauthorized, long-term access to certain company systems. The breach was first detected on Aug. 9, 2025. According to the company’s official SEC filing, the attacker maintained persistent access to F5’s BIG-IP product development environment and engineering knowledge management platform.
During the cyberattack, files were downloaded, including some portions of the BIG-IP source code and information about undisclosed vulnerabilities that F5 was actively working on for BIG-IP. Some of the files exfiltrated from the knowledge management platform contained configuration or implementation information for a small percentage of customers.
F5 stated that, at this time, they are not aware of any undisclosed critical or remote code vulnerabilities, nor have they observed active exploitation of any undisclosed F5 vulnerabilities. Independent cybersecurity firms validated that there was no evidence of modification to F5’s software supply chain, including source code, build, or release pipelines.
F5 is reviewing these files and will contact affected customers directly.
F5 responded by activating its incident response protocols, engaging external cybersecurity experts, and notifying federal law enforcement. The company believes the breach has been contained, as no new unauthorized activity has been observed since the initial response.
To support customers, F5 has released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Customers are strongly advised to update their BIG-IP software as soon as possible, as outlined in F5’s October 2025 Quarterly Security Notification.
Additionally, F5 has provided a threat hunting guide, hardening guidance with verification, and SIEM integration and monitoring instructions to help organizations strengthen detection and monitoring in their environments.
F5 has also taken the following steps:
Customers who believe they may be affected should:
F5 is directly reaching out to customers whose configuration or implementation data may have been exposed.