F5 Breach
U.S. cybersecurity company F5 revealed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.
The company first detected the breach on August 9, 2025, and during its investigation, F5 discovered that the attackers maintained long-term access to its systems. This access included the company’s BIG-IP product development environment and engineering knowledge management platform.
Because of this infiltration, the threat actors stole source code, vulnerability information, and limited configuration and implementation details for a small number of customers.
“During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform,” reads a Form 8-K filing with the SEC.
“Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP.”
F5, a Fortune 500 technology giant, specializes in cybersecurity, cloud management, and application delivery networking (ADN). The firm serves 23,000 customers across 170 countries, and 48 of the Fortune 50 companies rely on its products.
Its flagship product, BIG-IP, supports ADN and traffic management for many large enterprises worldwide.
What about the data?
Despite the exposure of undisclosed flaws, F5 found no evidence that the attackers used the stolen information in real-world attacks or attempted to exploit the vulnerabilities. The company also confirmed that it has seen no indication of any data leaks.
F5 emphasized that the hackers’ access to the BIG-IP environment did not compromise its software supply chain or lead to any unauthorized code changes.
The company clarified that platforms containing customer data—such as its CRM, financial, support case management, and iHealth systems—remain secure. In addition, other products and services, including NGINX, F5 Distributed Cloud Services, and Silverline systems, were not affected.
However, F5 continues to review which customers had their configuration or implementation details stolen and plans to contact them directly with guidance.
The company also validated the integrity of all BIG-IP releases through independent reviews by leading cybersecurity firms.
F5’s filing further noted that the U.S. government requested a delay in the public disclosure of the incident to allow time to secure critical systems.
“On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner,” explains F5.
The company confirmed that the incident did not materially impact its operations. All services remain online and safe, based on the latest available evidence.
BleepingComputer has reached out to F5 for additional details and will update this report once the company responds.
Source: BleepingComputer, Bill Toulas
Read more at Impreza News
