F5 disclosed a security incident impacting its internal environments, confirming that a sophisticated nation-state actor maintained persistent access and exfiltrated files from key F5 systems, including the BIG-IP product development environment and engineering knowledge platforms.
The company says containment actions have been successful and that no further unauthorized activity has been observed since its response began in August 2025. F5 has issued security updates across multiple product lines and urged customers to patch immediately.
What Was Accessed and What Wasn't
According to F5, the threat actor downloaded files that included portions of BIG-IP source code and information about undisclosed vulnerabilities under development.
The company emphasized it has no knowledge of undisclosed critical or remote code execution flaws and is not aware of any active exploitation tied to those vulnerabilities.
Key findings from F5’s investigation:
- Files exfiltrated from the BIG-IP product development environment and engineering knowledge platforms.
- Some BIG-IP source code and undisclosed vulnerability information accessed.
- No evidence of access to CRM, financial, support case management, or iHealth systems.
- Configuration details for a small subset of customers potentially compromised.
- No supply chain manipulation detected in source code, build, or release pipelines.
- NGINX source code and F5 Distributed Cloud Services remain unaffected.
F5 also reported no evidence of access to or exfiltration from CRM, financial, support case management, or iHealth systems.
However, some exfiltrated knowledge-base files contained configuration or implementation details for a small subset of customers; F5 is reviewing those and will notify impacted organizations directly.
Notably, F5 states there is no evidence of supply chain manipulation affecting source code, build, or release pipelines, a position independently validated by NCC Group and IOActive.
The company further says there is no indication of access to NGINX source code or its product development environment, nor to F5 Distributed Cloud Services or Silverline systems.
Customer Guidance: Patch, Harden, and Monitor
F5 has released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, directing customers to apply the October 2025 Quarterly Security Notification releases as soon as possible.
The company is providing a threat hunting guide, refreshed hardening best practices, and automated hardening checks via the F5 iHealth Diagnostic Tool to help identify gaps and prioritize remediation.
Recommended security actions for F5 customers:
- Apply October 2025 security updates for BIG-IP, F5OS, BIG-IP Next, BIG-IQ, and APM clients immediately.
- Use F5 iHealth Diagnostic Tool for automated hardening checks and gap identification.
- Enable BIG-IP event streaming to SIEM systems for enhanced visibility.
- Follow syslog configuration guides for improved monitoring capabilities.
- Implement login monitoring to detect administrator access and failed authentication attempts.
- Contact F5 support for assistance with updates and security implementations.
For visibility, F5 recommends enabling BIG-IP event streaming to SIEMs and following its syslog configuration and login monitoring guides to enhance alerting on administrator logins, failed authentications, and privilege or configuration changes.
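As an added illustration of the login monitoring F5 recommends (this is not code from F5 or its guides), the following Python flags administrator logins, repeated failed authentications from a single source, and a successful login from a source that had just been failing, over constructed syslog-style sample lines. The line shapes, hostname, addresses and the set of privileged accounts are assumptions for the example, not real BIG-IP output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic sshd/syslog shape; hostname, PIDs and
# IP addresses are made up for this example and are not real BIG-IP output.
SAMPLE_LOG = """\
Oct 15 09:58:01 bigip1 sshd[2211]: Failed password for admin from 203.0.113.9 port 40122 ssh2
Oct 15 09:58:04 bigip1 sshd[2211]: Failed password for admin from 203.0.113.9 port 40123 ssh2
Oct 15 09:58:07 bigip1 sshd[2211]: Failed password for root from 203.0.113.9 port 40124 ssh2
Oct 15 09:58:11 bigip1 sshd[2211]: Accepted password for admin from 203.0.113.9 port 40125 ssh2
Oct 15 10:02:30 bigip1 sshd[2390]: Accepted publickey for ops from 10.0.0.5 port 51010 ssh2
Oct 15 10:03:00 bigip1 httpd[3001]: AUDIT - user admin - login from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$"
)
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
AUDIT_RE = re.compile(r"^AUDIT - user (?P<user>\S+) - login from (?P<ip>\S+)")
ADMIN_USERS = {"admin", "root"}  # assumption: privileged accounts worth alerting on

def parse_line(line):
    """Return an auth event dict (ts, host, user, ip, result) for login lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    s = SSH_RE.match(m.group("msg")) or AUDIT_RE.match(m.group("msg"))
    if not s:
        return None
    ok = s.groupdict().get("result", "Accepted") == "Accepted"  # audit lines are successes
    return {"ts": m.group("ts"), "host": m.group("host"), "user": s.group("user"),
            "ip": s.group("ip"), "result": "success" if ok else "failure"}

def analyze(log_text, fail_threshold=3):
    """Flag admin logins, sources reaching fail_threshold failures, and any
    success from a source that already had failures (spray-then-success)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(int)
    findings = {"admin_logins": [], "brute_force_sources": [], "success_after_failures": []}
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]] += 1
            if failures[e["ip"]] == fail_threshold:
                findings["brute_force_sources"].append(e["ip"])
        else:
            if e["user"] in ADMIN_USERS:
                findings["admin_logins"].append((e["ts"], e["user"], e["ip"]))
            if failures[e["ip"]] > 0:
                findings["success_after_failures"].append((e["user"], e["ip"]))
    return findings
```

In practice the same checks would run in the SIEM receiving the streamed events, with thresholds tuned to the environment.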
Response Actions and Industry Partners
F5 engaged CrowdStrike, Mandiant, and other experts, while coordinating with law enforcement and government partners.
Internally, it rotated credentials, tightened access controls, improved inventory and patch automation, enhanced network security architecture, and hardened software development platforms.
Externally, F5 is continuing code review and penetration testing with NCC Group and IOActive.
In a notable move, F5 is partnering with CrowdStrike to extend Falcon EDR sensors and OverWatch Threat Hunting to BIG-IP, offering an early access program and providing all supported customers a free Falcon EDR subscription.
F5 underscored its commitment to transparency and ongoing updates. While the incident exposed sensitive engineering information, the company’s current assessment points to successful containment, no supply chain compromise, and no evidence of critical undisclosed RCE flaws being exploited.
Customers are strongly advised to patch promptly, implement hardened configurations, and increase monitoring to reduce residual risk.