F5 disclosed a security incident in which a nation-state threat actor maintained persistent access to the company’s internal systems, including its BIG-IP product development and engineering knowledge management environments. The actor exfiltrated source code and information about undisclosed vulnerabilities that F5 was still working on. Although F5 found no evidence of code tampering or compromise of its software supply chain, the incident raised concerns about potential follow-on exploitation and supply chain risks. CISA has issued guidance directing federal agencies to update and harden affected systems immediately.
In August 2025, F5 detected unauthorized access to specific internal systems, later attributed to a nation-state actor. The intrusion allowed the actor to download files containing portions of BIG-IP source code and details of in-progress vulnerability research. While no critical or remote code execution vulnerabilities were exposed, this information could give adversaries insight into potential weaknesses in F5 products.
F5’s investigation, supported by CrowdStrike, Mandiant, NCC Group, and IOActive, confirmed no evidence of tampering with its software build pipelines or modification of released code. The company also verified that its NGINX, F5 Distributed Cloud, and Silverline systems were unaffected. Limited customer configuration data was present in exfiltrated files, and F5 is notifying impacted customers directly. To contain the intrusion, F5 rotated credentials, hardened access controls, enhanced network segmentation, and implemented improved patch management and monitoring automation.