F5 States Threat Actors Accessed Undisclosed BIG-IP Flaws and Source Code, Provides Mitigations


Summary

Cybersecurity firm F5 publicly disclosed a breach by an unnamed nation-state actor who gained long-term access to the company’s product development environment, including the engineering platforms for its flagship BIG-IP product. The attackers exfiltrated a portion of the BIG-IP source code, information about undisclosed security vulnerabilities, and configuration/implementation details for a limited number of customers.

The breach, initially discovered on 9 August 2025, was withheld from public disclosure at the request of the U.S. Department of Justice. F5 states that it has found no evidence that the stolen data was used in attacks or that its software supply chain, including NGINX and F5 Distributed Cloud, was compromised, but the exposure of 48 of the Fortune 50 companies that rely on BIG-IP presents a severe risk. Customers must immediately apply the new F5 updates and conduct forensic threat hunting.

The RH-ISAC Intelligence Team will continue monitoring the situation as it develops and will append this report with additional mitigation strategies and threat intelligence.

Analysis

The core risk posed by the attack stems from the theft of BIG-IP source code and data on undisclosed (zero-day) vulnerabilities, which gives the adversary a deep understanding of F5’s security posture and the precise knowledge needed to craft highly effective, covert exploits against F5’s 23,000 customers, which include 48 of the Fortune 50. The attack’s targeting of the product development environment and engineering knowledge management platform indicates a strategic focus on intellectual property and supply-chain-enabling data.

After discovering the intrusion, F5 reports that it took remediation action by tightening access to its systems and improving its overall threat monitoring, detection, and response capabilities:

  • “Rotated credentials and strengthened access controls across our systems.
  • Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.
  • Implemented enhancements to our network security architecture.
  • Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.”

Mitigations

F5 provided the following mitigation strategies to address the risk stemming from the exposed source code and vulnerability data. The following is quoted verbatim from F5’s initial public breach disclosure:

  • “Updates to BIG-IP software. Updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients are available now. Though we have no knowledge of undisclosed critical or remote code execution vulnerabilities, we strongly advise updating your BIG-IP software as soon as possible. More information about these updates can be found in the Quarterly Security Notification.
  • Threat intelligence. A threat hunting guide to strengthen detection and monitoring in your environment is available from F5 support.
  • Hardening guidance with verification. We publish best practices for hardening your F5 systems and have added automated hardening checks to the F5 iHealth Diagnostic Tool. This tool will surface gaps, prioritize actions, and provide links to remediation guidance.
  • SIEM integration and monitoring guidance. We recommend enabling BIG-IP event streaming to your SIEM and provide step-by-step instructions for syslog configuration (KB13080) and monitoring for login attempts (KB13426). This will enhance your visibility and alerting for admin logins, failed authentications, and privilege and configuration changes.”
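The last item of F5’s guidance (stream BIG-IP events to a SIEM and watch admin logins, failed authentications, and privilege and configuration changes) is the one a customer can act on today. The following is an added example, not F5’s tooling or the advisory’s own content: a small Python detector that takes syslog-style lines of the kind KB13080 describes forwarding and raises alerts for those event categories. The log line formats, hostname, IP addresses, management subnet, approved-account list and thresholds are all constructed for the example; the regular expressions must be adapted to the actual message formats a given BIG-IP emits (KB13426 documents the login-attempt messages).

```python
"""
Added example: classify constructed BIG-IP-style syslog lines into the event
classes F5's SIEM guidance names (admin logins, failed authentications,
privilege changes, configuration changes) and apply simple alert rules.
Log formats below are constructed for illustration, not F5's exact output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

MGMT_NET = ip_network("10.0.0.0/24")        # assumption: management-plane subnet
CHANGE_ALLOWLIST = {"admin", "netops"}      # assumption: accounts approved to change config
FAILED_AUTH_THRESHOLD = 3                   # failures from one source ...
FAILED_AUTH_WINDOW_SEC = 120                # ... within this many seconds

# Generic BSD-syslog header: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Message patterns are constructed; tune them to real BIG-IP messages.
FAILED_RE = re.compile(r"failed login attempt for user=(?P<user>\S+) from (?P<src>\S+)")
LOGIN_RE = re.compile(r"user=(?P<user>\S+) logged in from (?P<src>\S+)")
AUDIT_RE = re.compile(r'AUDIT - user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"')


def parse_line(line):
    """Return a normalized event dict for one log line, or None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    msg = m["msg"]
    if (f := FAILED_RE.search(msg)):
        return {"ts": ts, "type": "failed_auth", "user": f["user"], "src": f["src"]}
    if (l := LOGIN_RE.search(msg)):
        return {"ts": ts, "type": "admin_login", "user": l["user"], "src": l["src"]}
    if (a := AUDIT_RE.search(msg)):
        cmd = a["cmd"]
        # A role assignment on a user account is a privilege change; anything else is config.
        kind = "priv_change" if ("auth user" in cmd and "role" in cmd) else "config_change"
        return {"ts": ts, "type": kind, "user": a["user"], "cmd": cmd}
    return {"ts": ts, "type": "other", "msg": msg}


def detect(lines):
    """Stream lines through the rules and return a list of (alert, subject, detail) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)    # source IP -> timestamps inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        t = ev["type"]
        if t == "failed_auth":
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > FAILED_AUTH_WINDOW_SEC:
                q.popleft()                   # drop failures that aged out of the window
            if len(q) >= FAILED_AUTH_THRESHOLD:
                alerts.append(("failed_auth_burst", ev["src"], len(q)))
                q.clear()                     # one alert per burst, not per extra failure
        elif t == "admin_login":
            if ip_address(ev["src"]) not in MGMT_NET:
                alerts.append(("login_outside_mgmt", ev["user"], ev["src"]))
        elif t == "priv_change":
            alerts.append(("privilege_change", ev["user"], ev["cmd"]))
        elif t == "config_change" and ev["user"] not in CHANGE_ALLOWLIST:
            alerts.append(("config_change_unapproved", ev["user"], ev["cmd"]))
    return alerts


# Constructed sample log: one normal admin session, a failed-login burst from an
# external address, one approved config change, then a privilege grant followed
# by a login from outside the management subnet.
SAMPLE_LOG = """\
Oct 14 09:01:07 bigip1 httpd[2210]: AUTH: user=admin logged in from 10.0.0.15
Oct 14 09:02:11 bigip1 sshd[2300]: AUTH: failed login attempt for user=admin from 203.0.113.9
Oct 14 09:02:40 bigip1 sshd[2301]: AUTH: failed login attempt for user=admin from 203.0.113.9
Oct 14 09:03:05 bigip1 sshd[2302]: AUTH: failed login attempt for user=root from 203.0.113.9
Oct 14 09:10:22 bigip1 tmsh[2400]: AUDIT - user=admin cmd="modify sys global-settings gui-setup disabled"
Oct 14 09:12:50 bigip1 tmsh[2401]: AUDIT - user=svc_backup cmd="modify auth user svc_backup role admin"
Oct 14 09:13:01 bigip1 httpd[2500]: AUTH: user=svc_backup logged in from 198.51.100.7
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the detector raises exactly three alerts: the three-failure burst from 203.0.113.9, the role change on svc_backup, and the subsequent login from 198.51.100.7. The approved change by admin stays silent, which is the point of pairing an allowlist with the audit stream rather than alerting on every configuration event.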
