F5 Source Code Stolen by Nation-State Hackers in Data Breach

Summary
– F5 confirmed that in August 2025 it discovered a nation-state actor had long-term access to its systems and had stolen BIG-IP source code and information on undisclosed vulnerabilities.
– Investigators found no evidence that customer, financial, or NGINX systems were accessed or tampered with during the breach.
– F5 has contained the intrusion, strengthened security controls, and had independent reviewers confirm the integrity of its BIG-IP source code and build pipeline.
– Customers are urged to apply F5’s updates and follow hardening guidance, though no active exploitation of the stolen vulnerability information is known.
– CISA has directed federal agencies to inventory, update, secure, or decommission F5 BIG-IP products and report their inventory by December 2025.
Technology firm F5 has confirmed a significant security incident involving the theft of source code and vulnerability data tied to its BIG-IP product line. The breach, attributed to a highly sophisticated nation-state actor, raises concerns that attackers could leverage the stolen intellectual property to uncover new security flaws and craft targeted exploits.
According to the UK National Cyber Security Centre, vulnerabilities in BIG-IP systems are frequently exploited by malicious actors. The agency expressed apprehension that the stolen materials could enable the threat group to identify additional weaknesses and refine their attack methods.
F5 disclosed that in August 2025 it became aware that a nation-state adversary had maintained persistent access to select company systems over an extended period, downloading numerous files. The organization stated it has since taken comprehensive measures to contain the intrusion. “Since initiating these containment activities, we have observed no further unauthorized access, and we believe our response has effectively neutralized the threat,” the company affirmed.
The investigation, supported by cybersecurity firms CrowdStrike and Mandiant, determined that the attackers successfully exfiltrated files from F5’s BIG-IP development environment and engineering knowledge platforms. These files included portions of the BIG-IP source code along with information about undisclosed vulnerabilities under active investigation. Additionally, configuration and implementation details for a limited number of customers were taken from knowledge management systems, with affected clients receiving direct notification.
Importantly, investigators found no indication that the attackers accessed or extracted data from F5’s customer relationship management, financial, support case management, or iHealth platforms. There is also no current evidence suggesting compromise of NGINX source code or development environments, nor of F5’s Distributed Cloud Services or Silverline systems. The UK National Cyber Security Centre noted it has not observed any customer network compromises stemming from this incident.
In response to the breach, F5 implemented multiple security enhancements including strengthened access controls across its systems, rotation of potentially compromised certificates and cryptographic keys, and hardening of its network security architecture and product development environment. The company also engaged NCC Group and IOActive to evaluate the BIG-IP software development pipeline and source code security. Their preliminary assessments identified no critical vulnerabilities and confirmed the code integrity remained intact, though comprehensive reviews continue.
F5 further announced a partnership with CrowdStrike to extend Falcon EDR sensors and Falcon OverWatch threat hunting to BIG-IP environments. The company committed to providing an early access version to BIG-IP customers along with complimentary Falcon EDR subscriptions for all supported clients.
The UK NCSC identified affected products including BIG-IP iSeries, rSeries, and any F5 appliances that have reached end of support. Also impacted are devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes/Cloud-Native Network Functions.
Customers are strongly advised to implement the security updates F5 released for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Organizations should also apply recommended hardening practices, integrate SIEM solutions, and follow monitoring guidance. F5 has made available a threat hunting guide to improve detection capabilities within customer environments, though the company stated it has no knowledge of undisclosed critical vulnerabilities or active exploitation of F5 weaknesses.
In related developments, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring Federal Civilian Executive Branch agencies to inventory their F5 BIG-IP deployments, mitigate risks to management interfaces accessible from the public internet, apply F5’s recent updates, and decommission public-facing F5 devices that are no longer supported. Agencies must report their F5 product inventories to CISA by December 3, 2025, and address cookie leakage according to CISA guidance, that is, BIG-IP persistence cookies that disclose internal server addresses when cookie encryption is not enabled.
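The cookie leakage the directive refers to is easy to check for from the outside: a BIG-IP cookie-persistence profile with encryption disabled emits a BIGipServer cookie whose value encodes the back-end pool member's IP and port, so anyone who receives the cookie learns internal addressing. The decoder below is an added example, not code from F5, CISA or the article; it implements the documented plaintext encodings (a little-endian decimal IPv4 and port, the `rd<id>o<hex>o<port>` route-domain form, and the `vi<hex>.<port>` IPv6 form) and treats values starting with `!` as encrypted and therefore not leaking. The Set-Cookie lines it is run over are constructed sample input, and the `find_leaks` helper name is this example's own.

```python
import ipaddress
import re
from typing import Optional

# Plaintext IPv4 form: <ip-as-little-endian-decimal>.<port-as-little-endian-decimal>.0000
_V4_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")
# Route-domain form: rd<route-domain>o<32 hex chars of IPv6 / IPv4-mapped>o<port in decimal>
_RD_RE = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d+)$")
# IPv6 form without a route domain: vi<32 hex chars>.<port-as-little-endian-decimal>
_V6_RE = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d+)$")
# Cookie names are BIGipServer<pool name>; the value is what we decode.
_SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*(BIGipServer[^=;\s]*)=([^;\s]+)", re.IGNORECASE)


def _swap_port(port_dec: int) -> int:
    # The port is stored byte-swapped (little-endian) in the decimal field.
    return int.from_bytes(port_dec.to_bytes(2, "little"), "big")


def decode_bigip_cookie(value: str) -> Optional[dict]:
    """Decode a BIG-IP cookie-persistence value.

    Returns {'ip', 'port'} (plus 'route_domain' for the rd form), or None when
    the value is encrypted ('!' prefix) or not a recognised plaintext encoding.
    """
    value = value.strip()
    if value.startswith("!"):
        return None  # cookie encryption enabled: opaque to the client, no leak

    m = _V4_RE.match(value)
    if m:
        ip_dec, port_dec = int(m.group(1)), int(m.group(2))
        if ip_dec > 0xFFFFFFFF or port_dec > 0xFFFF:
            return None
        # The IPv4 address is the little-endian byte order of the decimal value.
        ip = ipaddress.IPv4Address(ip_dec.to_bytes(4, "little"))
        return {"ip": str(ip), "port": _swap_port(port_dec)}

    m = _RD_RE.match(value)
    if m:
        ip6 = ipaddress.IPv6Address(bytes.fromhex(m.group(2)))
        ip = ip6.ipv4_mapped or ip6  # ::ffff:a.b.c.d means an IPv4 pool member
        return {"route_domain": int(m.group(1)), "ip": str(ip), "port": int(m.group(3))}

    m = _V6_RE.match(value)
    if m:
        port_dec = int(m.group(2))
        if port_dec > 0xFFFF:
            return None
        ip6 = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
        return {"ip": str(ip6), "port": _swap_port(port_dec)}

    return None


def find_leaks(header_lines: list[str]) -> list[dict]:
    """Scan raw Set-Cookie header lines and report every decodable pool member."""
    leaks = []
    for line in header_lines:
        m = _SET_COOKIE_RE.match(line.strip())
        if not m:
            continue
        decoded = decode_bigip_cookie(m.group(2))
        if decoded is not None:
            leaks.append({"cookie": m.group(1), **decoded})
    return leaks


# Constructed sample response headers (not captured from any real system).
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerapp_pool=rd5o00000000000000000000ffffc0000201o80; path=/",
    "Set-Cookie: BIGipServerapi_pool=!Zm9vYmFyYmF6cXV4ZW5jcnlwdGVk; path=/; HttpOnly",
    "Set-Cookie: sessionid=abc123; path=/; Secure",
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_HEADERS):
        print(leak)
```

Run against the response headers of each externally reachable virtual server; any hit means the persistence profile should have cookie encryption turned on (or the pool members should be considered disclosed and the profile reviewed). The encrypted cookie in the sample is correctly skipped, which is the state the CISA guidance asks for.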
Subsequent reporting indicates the attackers have been linked to China and maintained access within F5’s network for approximately twelve months. The threat hunting guide distributed to F5 customers specifically aims to help organizations detect the presence of the Brickstorm backdoor within their systems.
(Source: HelpNet Security)