F5 BIG-IP Source Code Exposed in Breach by Nation-State Hackers

U.S.-based cybersecurity firm F5 disclosed on Wednesday that unauthorized actors infiltrated its systems and obtained files containing portions of the BIG-IP source code, along with information about undisclosed vulnerabilities in the product.

The company attributed the attack to a “highly sophisticated nation-state threat actor,” noting that the intruders maintained prolonged access to its network. According to a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), F5 became aware of the breach on August 9, 2025.

F5 stated, “We have taken extensive actions to contain the threat actor. Since initiating these measures, no further unauthorized activity has been detected, and we believe our containment efforts have been successful.”

The firm did not reveal the duration of access to its BIG-IP development environment but stressed that there is no evidence the exposed vulnerabilities were exploited maliciously. Sensitive systems, including CRM, financial records, support case management, and iHealth, were not accessed by the attackers.

However, some files taken from F5’s knowledge management platform contained configuration or implementation details relevant to a small portion of customers. Affected customers will be notified directly after a careful review of the data.

In response to the incident, F5 engaged cybersecurity specialists from Google Mandiant and CrowdStrike, rotated credentials, strengthened access controls, deployed enhanced threat monitoring tools, reinforced its development environment with additional security measures, and upgraded its network security architecture.

Users are strongly advised to install the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients to ensure maximum protection.