F5 Inc.

In August 2025, F5 Inc. suffered a sophisticated cyberattack by a nation-state threat actor, who gained long-term unauthorized access to its BIG-IP product development environment and engineering knowledge management platform. The attackers exfiltrated portions of the BIG-IP source code, details of undisclosed vulnerabilities under active development, and customer configuration/implementation data (affecting a small percentage of clients). While F5 confirmed no evidence of supply chain tampering (source code, build, or release pipelines) or active exploitation of undisclosed flaws, the breach exposed proprietary intellectual property and sensitive customer-specific deployment information.

F5 contained the incident, engaged external cybersecurity firms, and collaborated with law enforcement. Mitigation steps included credential rotation, access control hardening, network security enhancements, and automated patch management. Customers were urged to update BIG-IP software immediately, adopt threat hunting guides, and monitor for suspicious activity via SIEM integration. F5 also partnered with CrowdStrike to offer free Falcon EDR subscriptions for extended threat detection. Direct outreach was initiated to affected customers whose data may have been exposed, though no critical remote code execution vulnerabilities were confirmed as leaked or exploited.

Source: https://www.claimdepot.com/data-breach/f5-networks-2025

TPRM report: https://www.rankiteo.com/company/f5

"id": "f52002820101625",
"linkid": "f5",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Small Percentage (Directly '
                                              'Contacted by F5)',
                        'industry': 'Networking and Application Delivery',
                        'location': 'Seattle, Washington, USA',
                        'name': 'F5 Inc.',
                        'type': 'Public Company (Technology)'}],
 'attack_vector': ['Persistent Access',
                   'Exfiltration of Source Code and Sensitive Data'],
 'customer_advisories': ['Update BIG-IP Software Immediately',
                         'Follow Hardening and Monitoring Guidance',
                         'Contact F5 Support for Assistance'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Source Code Files',
                                        'Engineering Documentation',
                                        'Customer Configuration Files'],
                 'sensitivity_of_data': 'High (Source Code, Vulnerability '
                                        'Details, Customer-Specific '
                                        'Configurations)',
                 'type_of_data_compromised': ['Source Code (BIG-IP)',
                                              'Undisclosed Vulnerability '
                                              'Research',
                                              'Customer '
                                              'Configuration/Implementation '
                                              'Data']},
 'date_detected': '2025-08-09',
 'description': 'In August 2025, F5 Inc. discovered that a highly '
                'sophisticated nation-state threat actor had gained '
                'unauthorized, long-term access to certain company systems, '
                'including the BIG-IP product development environment and '
                'engineering knowledge management platform. Files were '
                'exfiltrated, including portions of the BIG-IP source code and '
                'information about undisclosed vulnerabilities. Some '
                'exfiltrated files contained customer configuration or '
                'implementation details for a small percentage of customers. '
                'F5 confirmed no evidence of supply chain tampering or active '
                'exploitation of undisclosed vulnerabilities. The company has '
                'contained the breach and is directly contacting affected '
                'customers.',
 'impact': {'brand_reputation_impact': 'Potential Reputation Risk Due to '
                                       'Breach of Trust and Source Code '
                                       'Exposure',
            'data_compromised': ['BIG-IP Source Code (Portions)',
                                 'Undisclosed Vulnerability Information',
                                 'Customer Configuration/Implementation Data '
                                 '(Small Percentage)'],
            'operational_impact': ['Incident Response Activation',
                                   'Customer Notifications',
                                   'Software Updates and Hardening Guidance'],
            'systems_affected': ['BIG-IP Product Development Environment',
                                 'Engineering Knowledge Management Platform']},
 'initial_access_broker': {'high_value_targets': ['BIG-IP Source Code',
                                                  'Undisclosed Vulnerability '
                                                  'Research',
                                                  'Customer Configuration '
                                                  'Data'],
                           'reconnaissance_period': 'Long-Term (Exact Duration '
                                                    'Undisclosed)'},
 'investigation_status': 'Ongoing (File Review and Customer Notifications in '
                         'Progress)',
 'lessons_learned': ['Importance of Continuous Monitoring for Persistent '
                     'Threats',
                     'Need for Rigorous Access Controls in Development '
                     'Environments',
                     'Value of Third-Party Validation for Supply Chain '
                     'Integrity',
                     'Proactive Customer Communication and Support During '
                     'Breaches'],
 'motivation': ['Espionage',
                'Intellectual Property Theft',
                'Reconnaissance for Future Exploits'],
 'post_incident_analysis': {'corrective_actions': ['Credential Rotation and '
                                                   'Access Control '
                                                   'Strengthening',
                                                   'Network Security '
                                                   'Architecture Enhancements',
                                                   'Automated Patch and '
                                                   'Inventory Management',
                                                   'Expanded Threat Hunting '
                                                   'and EDR Deployment (Falcon '
                                                   'EDR)',
                                                   'Ongoing Code Review and '
                                                   'Penetration Testing'],
                            'root_causes': ['Persistent Unauthorized Access by '
                                            'Sophisticated Threat Actor',
                                            'Potential Gaps in Access Controls '
                                            'or Monitoring for Development '
                                            'Environments']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Immediately Update BIG-IP and Related Software to Latest '
                     'Versions',
                     'Review F5’s Threat Intelligence and Hardening Guidance',
                     'Monitor for Suspicious Activity Using SIEM and Falcon '
                     'EDR',
                     'Contact F5 Support for Exposure Assessment',
                     'Implement Multi-Layered Defense Strategies for '
                     'High-Value Environments'],
 'references': [{'source': 'F5 Inc. SEC Filing (August 2025)'},
                {'source': 'F5 Quarterly Security Notification (October '
                           '2025)'}],
 'regulatory_compliance': {'regulatory_notifications': ['SEC Filing']},
 'response': {'communication_strategy': ['Direct Outreach to Affected '
                                         'Customers',
                                         'Quarterly Security Notification '
                                         '(October 2025)',
                                         'Public Advisory for Software Updates '
                                         'and Monitoring'],
              'containment_measures': ['Credential Rotation',
                                       'Strengthened Access Controls',
                                       'Network Security Architecture '
                                       'Enhancements'],
              'enhanced_monitoring': ['SIEM Integration',
                                      'Falcon EDR Deployment',
                                      'Improved Threat Hunting'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['Threat Hunting Guide Release',
                                    'Hardening Guidance with Verification',
                                    'SIEM Integration and Monitoring '
                                    'Instructions',
                                    'Free Falcon EDR Subscription for '
                                    'Supported Customers (Until Oct. 14, '
                                    '2026)'],
              'remediation_measures': ['Software Updates for BIG-IP, F5OS, '
                                       'BIG-IP Next for Kubernetes, BIG-IQ, '
                                       'and APM Clients',
                                       'Improved Inventory and Patch '
                                       'Management Automation',
                                       'Hardening of Product Development '
                                       'Environment',
                                       'Code Review and Penetration Testing '
                                       'with Independent Firms'],
              'third_party_assistance': ['External Cybersecurity Experts',
                                         'CrowdStrike (Falcon EDR)']},
 'stakeholder_advisories': ['Direct Customer Outreach for Affected Parties',
                            'Public Security Advisories for Software Updates'],
 'threat_actor': 'Nation-State Threat Actor (Sophisticated)',
 'title': "Unauthorized Access to F5 Inc.'s BIG-IP Development Environment by "
          'Nation-State Threat Actor',
 'type': ['Cyber Espionage', 'Data Breach', 'Unauthorized Access']}