F5 Systems Breached by Nation-State Actor, Customer Data and Source Code Accessed

Security Breach at F5 Networks

A nation-state-affiliated threat actor gained unauthorized access to systems at F5, Inc., exfiltrating source code for its BIG-IP application delivery and security products along with files containing customer configuration or implementation information, according to regulatory filings and company statements. The Seattle-based security vendor disclosed Wednesday that the threat actor had “long-term, persistent access” to both the BIG-IP development environment and engineering knowledge management platform.

Scope of Compromised Data

The configuration or implementation information accessed reportedly belonged to “a small percentage of customers” and came from F5’s knowledge management platform. According to the company’s filing with the U.S. Securities and Exchange Commission, “The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate.”

Analysts suggest the threat actor’s access to F5’s proprietary source code could provide technical advantages for exploiting F5 devices and software. The company stated it has not found evidence of exfiltrated data from its customer relationship management, financial, support case management, or iHealth systems.

Federal Emergency Response

The U.S. Cybersecurity and Infrastructure Security Agency published an emergency bulletin directing Federal Civilian Executive Branch agencies to immediately inventory BIG-IP products and evaluate whether networked management interfaces are accessible from the public internet. According to the CISA bulletin, agencies must update products to avoid exploitation by the nation-state actor that compromised F5’s systems.

Emergency actions include:

  • Disconnecting and decommissioning any F5 devices at end of support
  • Immediate action for BIG-IP iSeries, rSeries and unsupported hardware
  • Updates required for all devices running BIG-IP software variants

Timeline and Investigation

F5 reportedly learned about the unauthorized access on August 9 and believes it has successfully contained the activity, according to the SEC filing. The disclosure comes after the U.S. Department of Justice, on September 12, allowed F5 to delay public disclosure of the breach. The company has been working with CrowdStrike, Google subsidiary Mandiant, law enforcement and government partners since discovering the incident.

Industry Context and Response

Although none of the public posts name the country the threat actor is affiliated with, cybersecurity consulting company Sygnia published a report in June 2024 pointing to a group called Velvet Ant that appeared to be affiliated with China and had targeted a legacy F5 BIG-IP appliance in late 2023, CRN reported.

F5 has implemented several security enhancements since discovering the breach, according to company statements:

  • Rotated credentials and strengthened access controls
  • Deployed improved inventory and patch management automation
  • Enhanced network security architecture
  • Extended CrowdStrike Falcon endpoint detection and response to BIG-IP

Ongoing Security Measures

F5 continues to review code and test products with NCC Group and IOActive, both of which have validated that there is no evidence the threat actor modified F5’s software supply chain. The company will provide BIG-IP customers with early access to CrowdStrike Falcon EDR and Overwatch Threat Hunting products, plus free CrowdStrike Falcon EDR subscriptions for supported customers.

The vendor recommends users enable BIG-IP event streaming to their security information and event management tools and update BIG-IP software as soon as possible. The disclosure comes as F5 partners and customers begin a device refresh period for Viprion and iSeries products expected to continue into next year, according to industry analysis.

This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.
