
F5 Networks has disclosed a significant security breach in which a sophisticated nation-state threat actor maintained persistent access to its systems for months, successfully exfiltrating BIG-IP source code and information about undisclosed vulnerabilities.
The company discovered the intrusion in August 2025 and has revealed that attackers had compromised its BIG-IP product development environment and engineering knowledge management platforms. The stolen data includes portions of BIG-IP source code—the underlying instructions that power the widely used application delivery controller—and details about security flaws F5 was privately working to fix.
"We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment," F5 stated in its security advisory published today. While the company emphasizes it has "no knowledge of undisclosed critical or remote code vulnerabilities," the breach raises serious concerns about potential future exploits as attackers now possess intimate knowledge of the platform's inner workings.
F5 has deployed heavy firepower to contain the incident, engaging CrowdStrike, Mandiant, and other cybersecurity firms. Independent reviews by NCC Group and IOActive confirmed no tampering with F5's software supply chain, build pipelines, or NGINX products. However, some exfiltrated files contained configuration information for a "small percentage of customers," who are being contacted directly.
The company has released critical security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, strongly urging immediate deployment. F5 is also partnering with CrowdStrike to extend Falcon EDR sensors to BIG-IP systems, offering free subscriptions to all supported customers.
Since detection, F5 reports no new unauthorized activity, suggesting containment efforts have succeeded. The company has rotated credentials, strengthened access controls, and hardened its development environment while working closely with law enforcement.
For organizations running F5 products, patching immediately and implementing F5's recommended hardening measures are critical steps to mitigate potential risks from this breach.