F5 Breach Exposes BIG-IP Source Code — Nation-State Hackers Behind Massive Intrusion


Oct 15, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence


U.S. cybersecurity company F5 on Wednesday disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP’s source code and information related to undisclosed vulnerabilities in the product.

It attributed the activity to a “highly sophisticated nation-state threat actor,” adding the adversary maintained long-term, persistent access to its network. The company said it learned of the breach on August 9, 2025, per a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC).

“We have taken extensive actions to contain the threat actor,” it noted. “Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.”


F5 did not say for how long the threat actors had access to its BIG-IP product development environment, but emphasized that it has not observed any indication that the vulnerabilities have been exploited in a malicious context. It also said that the attackers did not access its CRM, financial, support case management, or iHealth systems.

That said, the company acknowledged that some of the exfiltrated files from its knowledge management platform contained configuration or implementation information for a small percentage of customers. Impacted customers are expected to be directly notified following a review of the files.

Following the discovery of the incident, F5 engaged the services of Google Mandiant and CrowdStrike. It also rotated credentials and strengthened access controls, deployed tooling to better monitor threats, bolstered its product development environment with extra security controls, and implemented enhancements to its network security architecture.

Users are advised to apply the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients as soon as possible for optimal protection.


