A sophisticated nation-state actor breached F5 systems, stealing BIG-IP source code and data on undisclosed flaw
F5 disclosed that it was breached by a state-backed threat actor who stole BIG-IP source code and data on undisclosed vulnerabilities. The attackers accessed development systems and were then successfully contained, and no compromise of the supply chain or customer systems was found. F5 has taken security measures and advises users to update their software to address potential risks.

2025-10-15 18:27:16 Author: securityaffairs.com


F5 disclosed that a sophisticated nation-state actor breached its systems, stealing BIG-IP source code and data on undisclosed product vulnerabilities.

Cybersecurity firm F5 disclosed that in August 2025 a highly sophisticated nation-state threat actor breached its systems and stole BIG-IP’s source code and information related to undisclosed vulnerabilities.

The attackers accessed the company’s BIG-IP development and engineering systems, but F5 highlights that containment efforts were successful, with no further unauthorized activity observed.

The company reported the incident to law enforcement and is investigating the security breach with the help of leading cybersecurity firms.

“In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems. These systems included our BIG-IP product development environment and engineering knowledge management platforms. We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.” reads the notice of the Security Incident published by the company.

“In response to this incident, we are taking proactive measures to protect our customers and strengthen the security posture of our enterprise and product environments. We have engaged CrowdStrike, Mandiant, and other leading cybersecurity experts to support this work, and we are actively engaged with law enforcement and our government partners.”

F5 found no signs of compromise in its CRM, financial, or cloud systems, nor tampering with its source code or supply chain. The company states that some stolen files contained limited customer configuration data. The cybersecurity firm is notifying impacted clients.

“We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms NCC Group and IOActive.” continues the notice. “We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.”

The company also filed a Form 8-K report with the U.S. Securities and Exchange Commission (SEC).

“On August 9, 2025, F5, Inc. (the “Company”, “F5”, “we”, or “our”) learned that a highly sophisticated nation-state threat actor had gained unauthorized access to certain Company systems. The Company promptly activated its incident response processes, and has taken extensive actions to contain the threat actor. To support these activities, the Company engaged leading external cybersecurity experts.” reads the report.

F5 responded to the breach with extensive containment and hardening measures to protect its systems and customers. The company rotated credentials, tightened access controls, automated patch management, and improved monitoring and network security.

The cybersecurity firm also enhanced protections in its product development environment and continues in-depth code reviews and penetration tests with NCC Group and IOActive. Additionally, F5 partnered with CrowdStrike to deploy Falcon EDR and threat hunting for BIG-IP, offering customers a free EDR subscription to bolster defenses.

Users should promptly install the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients to ensure full protection.

The UK’s NCSC and the US CISA advise F5 customers to locate all F5 products, secure exposed management interfaces, and assess for compromise. F5 delayed disclosure at the U.S. government’s request to protect critical systems.


Pierluigi Paganini

(SecurityAffairs – hacking, security breach)




Source: https://securityaffairs.com/183436/security/a-sophisticated-nation-state-actor-breached-f5-systems-stealing-big-ip-source-code-and-data-on-undisclosed-flaw.html