U.S. cybersecurity firm F5 disclosed that nation-state hackers breached its methods and stole undisclosed BIG-IP security vulnerabilities and supply code.
The corporate states that it first turned conscious of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term entry to its system, together with the corporate’s BIG-IP product growth surroundings and engineering data administration platform.
With this entry, the menace actors had been in a position to steal supply code, vulnerability data, and a few configuration and implementation data for a restricted variety of clients.
“Throughout the course of its investigation, the Firm decided that the menace actor maintained long-term, persistent entry to sure F5 methods, together with the BIG-IP product growth surroundings and engineering data administration platform,” reads a Kind 8-Okay submitting with the SEC.
“By way of this entry, sure information had been exfiltrated, a few of which contained sure parts of the Firm’s BIG-IP supply code and details about undisclosed vulnerabilities that it was engaged on in BIG-IP.”
F5 is a Fortune 500 tech big specializing in cybersecurity, cloud administration, and utility supply networking (ADN) functions. The corporate has 23,000 clients in 170 nations, and 48 of the Fortune 50 entities use its merchandise.
BIG-IP is the agency’s flagship product utilized in ADN and site visitors administration by many giant enterprises worldwide.
Regardless of this essential publicity of undisclosed flaws, F5 says there is no proof that the attackers leveraged the data in precise assaults, comparable to exploiting the undisclosed flaw towards methods. The corporate additionally states that it has not seen proof that the personal data has been disclosed.
F5 claims that the menace actors’ entry to the BIG-IP surroundings didn’t compromise its software program provide chain or end in any suspicious code modifications.
This consists of its platforms that include buyer information, comparable to its CRM, monetary, help case administration, or iHealth methods. Moreover, different merchandise and platforms managed by the corporate aren’t compromised, together with NGINX, F5 Distributed Cloud Companies, or Silverline methods’ supply code.
Nevertheless, the corporate states that it’s nonetheless reviewing which clients had their configuration or implementation particulars stolen and can contact them with steering.
The corporate added that it has validated the protection of BIG-IP releases by way of a number of impartial evaluations by main cybersecurity corporations.
F5 notes within the submitting that the U.S. authorities requested the delay of public disclosure of the incident, presumably to permit sufficient time to safe essential methods.
“On September 12, 2025, the U.S. Division of Justice decided {that a} delay in public disclosure was warranted pursuant to Merchandise 1.05(c) of Kind 8-Okay. F5 is now submitting this report in a well timed method,” explains F5.
F5 states that the incident has no materials impression on its operations. All providers stay accessible and are thought of protected, based mostly on the most recent accessible proof.
BleepingComputer has contacted F5 to request extra particulars in regards to the incident, and we are going to replace this publish once we obtain a response.
This can be a growing story.
Be part of the Breach and Attack Simulation Summit and expertise the way forward for security validation. Hear from prime specialists and see how AI-powered BAS is reworking breach and assault simulation.
Do not miss the occasion that can form the way forward for your security technique
