F5 Hit by ‘Nation-State’ Cyberattack

U.S. cybersecurity firm F5 has confirmed that it suffered a cybersecurity incident involving a “highly sophisticated nation-state threat actor” that maintained long-term access to certain company systems.

The intrusion, detected in August 2025 and revealed this week, affected F5’s BIG-IP product development environment and engineering knowledge management platforms.

The company said the threat actor “downloaded files” from these systems but emphasized that containment efforts have been successful, with “no new unauthorized activity” detected since mitigation steps began.

Bloomberg News, citing people familiar with the matter, reported that it was hackers from China, although Reuters could not immediately verify the report.

To bolster defenses, F5 has enlisted cybersecurity firms CrowdStrike, Mandiant, and others, while working with law enforcement and government partners. Updates have been released for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, with the company urging all customers to install the latest releases detailed in its October 2025 Quarterly Security Notification.

Investigation findings

According to F5, analysis of available logs confirmed that attackers exfiltrated files containing portions of BIG-IP source code and details of vulnerabilities under development. However, the company stated, “We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.”

F5 added that it has “no evidence of access to, or exfiltration of, data” from its CRM, financial, support case management, or iHealth systems. A small subset of exfiltrated knowledge management files contained configuration data for some customers, and F5 said it will contact those affected directly.

The company also reported “no evidence of modification to our software supply chain,” including source code or build pipelines. Independent cybersecurity firms NCC Group and IOActive validated this assessment. F5 said there was also “no evidence that the threat actor accessed or modified the NGINX source code” or its F5 Distributed Cloud Services and Silverline systems.

Guidance for customers

F5 outlined several steps customers should take to mitigate potential risks, including:

• Updating all BIG-IP, F5OS, BIG-IP Next, BIG-IQ, and APM client software.
• Using a new threat hunting guide available through F5 support.
• Leveraging enhanced hardening tools in the iHealth Diagnostic Tool for automated security checks.
• Configuring SIEM integration and monitoring admin login activity following guidance in KB13080 and KB13426.

The company said its global support team remains available to assist customers with updates and incident-response measures.

Actions taken by F5

F5 stated it has “rotated credentials and strengthened access controls,” improved patch management automation, and enhanced network security architecture. It also hardened its software development environment to increase monitoring and control.

The company is conducting additional code reviews and penetration tests with NCC Group and IOActive and partnering with CrowdStrike to extend Falcon EDR sensors and Overwatch Threat Hunting to BIG-IP. Customers will receive free Falcon EDR subscriptions once the early access version becomes available.

“Your trust matters,” the company said. “We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.”
