Grow Your Business and Join MarketWorld Marketplace and Create Your Own Store front

Wednesday, October 15, 2025


F5 says hackers stole undisclosed BIG-IP flaws, source code


U.S. cybersecurity company F5 disclosed that it suffered a cyberattack in early August in which suspected nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.

The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its systems, including the company’s BIG-IP product development environment and engineering knowledge management platform.

With this access, the threat actors were able to steal source code, vulnerability information, and some configuration and implementation information for a limited number of customers.

“During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform,” reads a Form 8-K filing with the SEC.

“Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP.”

F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products.

BIG-IP is the firm’s flagship product used in ADN and traffic management by many large enterprises worldwide.

Despite this critical exposure of undisclosed flaws, F5 says there’s no evidence that the attackers leveraged the information in actual attacks, such as exploiting the undisclosed flaw against systems. The company also states that it has not seen evidence that the private information has been disclosed.

F5 claims that the threat actors’ access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.

This includes its platforms that contain customer data, such as its CRM, financial, support case management, or iHealth systems. Furthermore, other products and platforms managed by the company, including NGINX, F5 Distributed Cloud Services, and Silverline systems’ source code, are not compromised.

However, the company states that it is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance.

The company added that it has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms.

F5 notes in the filing that the U.S. government requested the delay of public disclosure of the incident, presumably to allow enough time to secure critical systems.

“On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner,” explains F5.

F5 states that the incident has no material impact on its operations. All services remain available and are considered safe, based on the latest available evidence.

BleepingComputer has contacted F5 to request more details about the incident, and we will update this post when we receive a response.

This is a developing story.
