In August 2025, F5—a US-based tech company specializing in networking and security—suffered a **sophisticated nation-state breach** where attackers maintained **long-term, persistent access** to its systems. The threat actors exfiltrated **source code and undisclosed vulnerability details** for its **BIG-IP product line**, along with **engineering knowledge management files** and **customer configuration/implementation data** (affecting a small subset of clients). While no evidence suggests tampering with NGINX, Distributed Cloud Services, or financial/CRM systems, the stolen data raises risks of **targeted exploits** leveraging BIG-IP flaws. Investigations by CrowdStrike, Mandiant, and others confirmed **no critical vulnerabilities or code tampering** in the reviewed portions, but reviews remain ongoing. The breach prompted **emergency directives from CISA**, mandating federal agencies to patch, decommission unsupported devices, and report BIG-IP inventories. F5 has since hardened access controls, rotated credentials, and partnered with CrowdStrike to extend Falcon EDR to BIG-IP customers. No active exploitation of undisclosed flaws has been detected, but the **potential for future attacks** using the stolen data remains a critical concern.
Source: https://www.helpnetsecurity.com/2025/10/15/f5-big-ip-data-breach/
TPRM report: https://www.rankiteo.com/company/f5
{
  "id": "f52192221101525",
  "linkid": "f5",
  "type": "Breach",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Small percentage (notified directly)",
      "industry": "Networking and Cybersecurity",
      "location": "United States",
      "name": "F5, Inc.",
      "type": "Technology Company"
    },
    {
      "industry": "Public Sector",
      "location": "United States",
      "name": "Federal Civilian Executive Branch Agencies (USA)",
      "type": "Government"
    }
  ],
  "attack_vector": [
    "Persistent Access",
    "Exfiltration of Source Code and Vulnerability Data"
  ],
  "customer_advisories": [
    "Apply updates for BIG-IP, F5OS, BIG-IP Next, BIG-IQ, APM clients",
    "Follow F5’s hardening and monitoring best practices",
    "Utilize F5’s threat hunting guides and free Falcon EDR subscriptions"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": [
      "Source code files",
      "Engineering documents",
      "Knowledge base articles"
    ],
    "sensitivity_of_data": "High (source code, vulnerability details, customer configurations)",
    "type_of_data_compromised": [
      "Source code (BIG-IP)",
      "Undisclosed vulnerability information",
      "Customer configuration/implementation details"
    ]
  },
  "date_detected": "2025-08",
  "date_publicly_disclosed": "2025-08",
  "description": "US tech company F5 suffered a breach where attackers exfiltrated source code and vulnerability information related to its BIG-IP family of networking and security products. The breach was attributed to a highly sophisticated nation-state threat actor with long-term, persistent access. While no evidence of tampering or critical vulnerabilities was found, concerns remain about potential exploitation of undisclosed vulnerabilities. F5 engaged third-party cybersecurity firms (CrowdStrike, Mandiant, NCC Group, IOActive) for investigation and remediation, including hardening systems, rotating credentials, and extending EDR capabilities to BIG-IP customers.",
  "impact": {
    "brand_reputation_impact": "High (due to source code theft and nation-state attribution)",
    "data_compromised": [
      "BIG-IP source code",
      "Undisclosed vulnerability information (BIG-IP)",
      "Customer configuration/implementation details (small percentage of customers)"
    ],
    "operational_impact": [
      "Potential future exploitation risk via stolen vulnerability data",
      "Customer trust erosion"
    ],
    "systems_affected": [
      "BIG-IP product development environment",
      "Engineering knowledge management platforms"
    ]
  },
  "initial_access_broker": {
    "high_value_targets": [
      "BIG-IP source code",
      "Vulnerability databases",
      "Customer configurations"
    ],
    "reconnaissance_period": "Long-term (duration undisclosed)"
  },
  "investigation_status": "Ongoing (code/base reviews by NCC Group and IOActive continue)",
  "lessons_learned": [
    "Nation-state actors pose persistent threats to supply chain integrity",
    "Source code and vulnerability databases require layered defenses",
    "Third-party collaboration is critical for breach response and validation"
  ],
  "motivation": [
    "Espionage",
    "Potential Exploitation of Undisclosed Vulnerabilities"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Access control hardening and credential rotation",
      "Network security architecture enhancements",
      "Product development environment hardening",
      "Third-party code/build pipeline audits",
      "Extended EDR and threat hunting capabilities"
    ],
    "root_causes": [
      "Persistent access by nation-state actor (methods undisclosed)",
      "Potential gaps in access controls or monitoring (implied by 'strengthened' post-breach)"
    ]
  },
  "ransomware": {
    "data_exfiltration": true
  },
  "recommendations": [
    "Customers should apply F5’s latest updates for BIG-IP, F5OS, BIG-IP Next, BIG-IQ, and APM clients",
    "Implement F5’s best practices for system hardening, SIEM integration, and monitoring",
    "Decommission end-of-support F5 devices (per CISA directive)",
    "Restrict public internet access to F5 management interfaces",
    "Leverage F5’s free Falcon EDR subscriptions and threat hunting guides"
  ],
  "references": [
    {"date_accessed": "2025-08", "source": "F5 Official Statement"},
    {"date_accessed": "2025-08", "source": "UK National Cyber Security Centre (NCSC) Advisory"},
    {"date_accessed": "2025-10-15", "source": "US CISA Emergency Directive (2025-10-15)"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": [
      "UK National Cyber Security Centre (NCSC) advisory",
      "US CISA Emergency Directive (2025-10-15)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Public disclosure with technical details",
      "Direct notifications to affected customers",
      "Collaboration with UK NCSC and CISA for advisories"
    ],
    "containment_measures": [
      "Strengthened access controls",
      "Rotated compromised signing certificates/keys",
      "Enhanced network security architecture",
      "Hardened product development environment"
    ],
    "enhanced_monitoring": true,
    "incident_response_plan_activated": true,
    "recovery_measures": [
      "Free Falcon EDR subscriptions for BIG-IP customers",
      "Threat hunting guides for customers",
      "Extended EDR (CrowdStrike Falcon) and threat hunting (Overwatch) to BIG-IP"
    ],
    "remediation_measures": [
      "Security assessments of BIG-IP source code and build pipeline (ongoing)",
      "Firmware/software updates for BIG-IP, F5OS, BIG-IP Next, BIG-IQ, APM clients",
      "Best practices for system hardening, SIEM integration, and monitoring"
    ],
    "third_party_assistance": [
      "CrowdStrike",
      "Mandiant",
      "NCC Group",
      "IOActive"
    ]
  },
  "stakeholder_advisories": [
    "F5 customer notifications (direct outreach to affected parties)",
    "UK NCSC guidance for F5 customers",
    "CISA Emergency Directive for US federal agencies"
  ],
  "threat_actor": "Highly sophisticated nation-state actor",
  "title": "F5 BIG-IP Source Code and Vulnerability Information Breach (2025)",
  "type": ["Data Breach", "Source Code Theft", "Espionage"]
}