F5 Says Nation-State Hackers Had “Long Term” Access To Its Product Development Environment

F5 Networks has disclosed it was breached by a highly sophisticated nation-state actor. Federal agencies have been ordered to patch or disconnect affected BIG-IP systems.

Published on Oct 15, 2025
Written by Joel Witts

F5 Networks was compromised by a government-backed threat actor who had long-term access to its systems.

This included F5’s BIG-IP product development environment and engineering knowledge management platforms. The attackers were able to access F5’s source code and undisclosed security vulnerabilities, the company confirmed on Wednesday.

CISA and the UK’s NCSC have warned this could accelerate exploit development against F5 appliances, which are widely deployed across enterprise and government networks.

F5 is one of the world’s largest application delivery and security vendors. F5’s WAF, API security, app delivery, and bot defense solutions are used by 85% of the Fortune 500. 

The Seattle-based vendor said it first discovered the intrusion in August 2025 and has since taken extensive actions to contain the threat actor, saying it has “not seen any new unauthorized activity” and believes its containment efforts have been successful.

The incident is known to impact F5 BIG-IP iSeries, rSeries, and any other F5 device that has reached end of support, as well as all devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF).

F5 has released security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, and strongly advises customers to update as soon as possible. More information is available here.

In response to the breach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01, ordering all federal civilian agencies to inventory, patch, or disconnect affected F5 systems by October 22.

“A nation-state affiliated cyber threat actor has compromised F5’s systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information,” CISA said.

“The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software.” 

There’s currently no reporting that any customer networks have been impacted by the attack, although F5 has confirmed a small number of files exfiltrated from F5’s knowledge management platform contained customer configuration or implementation information.

In a statement, F5 confirmed they first learned of the attack in August 2025, but it is not currently known when the attack first began, or how long the threat actors had access to F5’s systems.

“In response to this incident, we are taking proactive measures to protect our customers and strengthen the security posture of our enterprise and product environments,” F5 said.

“We have engaged CrowdStrike, Mandiant, and other leading cybersecurity experts to support this work, and we are actively engaged with law enforcement and our government partners.”

How To Stay Protected

The UK’s National Cyber Security Centre (NCSC) has advised F5 customers to:

  1. Inventory all F5 products (hardware, software, and virtualised)
  2. Ensure management interfaces are not exposed to the internet – if they are, conduct a compromise assessment
  3. If you believe yourself to be compromised, report to F5 and to authorities
  4. Follow F5’s published advice on hardening your system
  5. Install the latest F5 security patches
  6. Replace any products that have reached end-of-life support
  7. Perform network monitoring and threat hunting
