A nation-state cyberattack compromised F5’s internal systems, giving the attackers long-term access to its BIG-IP product development and engineering platforms. The breach resulted in the theft of source code (including portions of BIG-IP) and details of undisclosed software vulnerabilities, effectively exposing the 'blueprints' of F5 security products used globally by banks, hospitals, cloud providers, and government agencies. While no customer data, financial systems, or other critical platforms (NGINX, Distributed Cloud, Silverline) were directly accessed, the stolen information could enable future exploits against the traffic management, encryption, and authentication functions those products provide. CISA issued an emergency directive (ED 26-01) requiring federal agencies to audit and patch their systems urgently. The breach creates a risk of cascading attacks on infrastructure that relies on F5 technology, potentially leading to data manipulation, unauthorized access, or large-scale disruption in sectors such as finance, healthcare, and government services. The U.S. Department of Justice permitted delayed disclosure until September 2025, indicating the incident’s sensitivity and the ongoing investigation into the responsible nation-state actor.
TPRM report: https://www.rankiteo.com/company/f5
{
"id": "f55102651101625",
"linkid": "f5",
"type": "Breach",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Network Security, Application Delivery',
'location': 'Seattle, Washington, USA',
'name': 'F5, Inc.',
'type': 'Public Company (Technology/Security)'},
{'industry': 'Public Sector',
'location': 'United States',
'name': 'U.S. Federal Civilian Agencies',
'type': 'Government'},
{'industry': 'Finance',
'location': 'Global',
'name': 'Financial Institutions (Banks)',
'type': 'Private Sector'},
{'industry': 'Healthcare',
'location': 'Global',
'name': 'Healthcare Systems (Hospitals)',
'type': 'Private/Public Sector'},
{'industry': 'Technology',
'location': 'Global',
'name': 'Cloud Service Providers',
'type': 'Private Sector'},
{'industry': 'Telecommunications',
'location': 'Global',
'name': 'Telecom Sector Companies',
'type': 'Private Sector'},
{'industry': 'Public Sector',
'location': 'Global',
'name': 'Foreign Governments',
'type': 'Government'},
{'industry': 'Defense/Aerospace',
'location': 'Global',
'name': 'Defense Contractors',
'type': 'Private Sector'}],
'attack_vector': ['Unauthorized Access to Internal Systems',
'Long-term Persistence in Development/Engineering Platforms',
'Theft of Proprietary Source Code'],
'customer_advisories': ['F5 assured customers that no evidence of supply '
'chain tampering or critical vulnerability '
'exploitation was found.',
'Users of BIG-IP advised to monitor for patches and '
'apply updates promptly.'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Source Code Files',
'Vulnerability Documentation'],
'sensitivity_of_data': 'High (critical infrastructure '
'security blueprints)',
'type_of_data_compromised': ['Proprietary Source Code '
'(BIG-IP)',
'Undisclosed Vulnerability '
'Details']},
'date_publicly_disclosed': '2025-09-12',
'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
'(CISA) issued an emergency directive (ED 26-01) after F5, '
'Inc. disclosed that a highly sophisticated nation-state actor '
'stole portions of its BIG-IP source code and details about '
"undisclosed vulnerabilities. The breach exposed 'blueprints' "
'to F5’s security systems, which are widely used by banks, '
'hospitals, cloud service providers, and federal agencies. '
'While F5 contained the breach and reported no evidence of '
'supply chain tampering or critical vulnerability '
'exploitation, the incident poses significant risks to '
'government and private-sector systems. Federal agencies were '
'ordered to audit and patch their systems amid an ongoing '
'investigation into the responsible nation-state.',
'impact': {'brand_reputation_impact': ['High (due to nation-state involvement '
'and critical infrastructure reliance '
'on F5)',
'Potential Erosion of Trust in F5 '
'Security Products'],
'data_compromised': ['Portions of BIG-IP Source Code',
'Details of Undisclosed Vulnerabilities'],
'identity_theft_risk': ['Indirect (via potential exploitation of '
'stolen vulnerabilities in downstream '
'systems)'],
'operational_impact': ['Federal Agencies Ordered to Audit/Patch '
'Systems (ED 26-01)',
'No Material Impact Reported on F5 '
'Operations'],
'payment_information_risk': ['Indirect (via potential exploitation '
'of vulnerabilities in financial '
'sector systems using BIG-IP)'],
'systems_affected': ['F5 Internal Development/Engineering '
'Platforms (BIG-IP)',
'Federal Agency Systems (potential, via '
'BIG-IP dependencies)',
'Financial Institutions, Healthcare Systems, '
'Cloud Providers, Telecom Sector (indirect '
'risk)']},
'initial_access_broker': {'high_value_targets': ['BIG-IP Source Code',
'Undisclosed Vulnerability '
'Details'],
'reconnaissance_period': 'Long-term (implied by '
"'long-term access' "
'description)'},
'investigation_status': 'Ongoing (nation-state attribution pending)',
'lessons_learned': ['Nation-state actors continue to target critical '
'infrastructure supply chains for long-term intelligence '
'gathering.',
'Delayed disclosure of breaches involving national '
'security risks requires coordination with law '
'enforcement.',
'Source code theft poses systemic risks beyond '
'traditional data breaches, enabling future exploits.',
'Federal emergency directives serve as both mitigation '
'tools and public warnings for private-sector adoption.'],
'motivation': ['Cyber Espionage',
'Intellectual Property Theft',
'Potential Future Exploitation of Undisclosed Vulnerabilities'],
'post_incident_analysis': {'corrective_actions': ['F5 contained the breach '
'and terminated '
'unauthorized access.',
'Federal audit/patch '
'directives issued to '
'mitigate downstream risks.',
'Ongoing investigation to '
'attribute the nation-state '
'actor and assess exploited '
'vulnerabilities.'],
'root_causes': ['Unspecified initial compromise of '
'F5 internal systems (likely '
'sophisticated phishing or '
'zero-day exploitation).',
'Inadequate detection of long-term '
'persistence in '
'development/engineering '
'environments.',
'Potential gaps in access controls '
'for high-value intellectual '
'property.']},
'recommendations': ['Federal and private-sector organizations using F5 BIG-IP '
'should prioritize audits and patch management.',
'Enhance monitoring for anomalies in systems reliant on '
'F5 technologies, particularly in high-value sectors '
'(finance, healthcare, defense).',
'Review third-party vendor access and segmentation to '
'limit exposure from supply chain compromises.',
'Prepare incident response plans for scenarios involving '
'theft of proprietary code or vulnerability details.',
'Collaborate with CISA and sector-specific ISACs (e.g., '
'FS-ISAC, H-ISAC) to share threat intelligence.'],
'references': [{'source': 'CISA Emergency Directive 26-01'},
{'date_accessed': '2025-09-12',
'source': 'F5, Inc. Public Statement on Breach'},
{'source': 'The Brief (News Report on CISA Directive)'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA Emergency '
'Directive (ED 26-01)',
'U.S. Department of '
'Justice Approval for '
'Delayed Disclosure']},
'response': {'communication_strategy': ['Delayed Public Disclosure (approved '
'by U.S. DOJ until 2025-09-12)',
'CISA Emergency Directive (ED 26-01) '
'Issued to Federal Agencies',
'Public Statement by F5 Confirming '
'Containment'],
'containment_measures': ['Isolation of Compromised Systems',
'Termination of Unauthorized Access'],
'enhanced_monitoring': ['Federal Agencies Ordered to Audit '
'BIG-IP Deployments'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['Internal Audit of Affected Systems',
'Collaboration with CISA on '
'Vulnerability Analysis']},
'stakeholder_advisories': ['CISA ordered federal agencies to audit BIG-IP '
'deployments and report findings.',
'Private-sector entities advised to follow CISA '
'guidance for similar systems.'],
'threat_actor': [{'sophistication': 'Highly Sophisticated',
'type': 'Nation-State Actor'}],
'title': 'F5 Source Code and Undisclosed Vulnerabilities Theft by '
'Nation-State Hacker',
'type': ['Data Breach',
'Source Code Theft',
'Nation-State Cyber Espionage',
'Supply Chain Risk'],
'vulnerability_exploited': ['Undisclosed Vulnerabilities in BIG-IP (details '
'not public)',
'Internal System Compromise (mechanism '
'unspecified)']}