F5 admits nation-state actor stole BIG-IP source code

F5 discloses that a nation-state actor has stolen source code and unpatched vulnerability data for its widely used BIG-IP products, raising supply chain security concerns across the industry

F5 has revealed that a highly sophisticated nation-state threat actor had gained long-term, persistent access to its corporate network, exfiltrating parts of the source code for its flagship BIG-IP products.

In a security notification released today, the network and application security supplier said the perpetrator had also downloaded information on undisclosed vulnerabilities that it was in the process of fixing. The breach, which F5 learned of in August 2025, targeted the company’s product development environment and engineering knowledge management platforms.

The incident has raised supply chain security concerns across the industry, as F5 technology underpins the networks of 85% of Fortune 500 companies, as well as major government agencies and critical infrastructure operators worldwide.

F5 said it has since contained the threat and has seen no new unauthorised activity. However, the potential fallout from the theft of its data has sent shockwaves through the cyber security community.

“Make no mistake, the breach at F5 is a five-alarm fire for national security,” said Bob Huber, chief security officer at Tenable and a former US Navy cyber leader, adding that the stolen data could be used as a master key to launch devastating attacks, similar to the campaigns waged by Salt Typhoon and Volt Typhoon.

F5 response and customer actions

In its disclosure, F5 assured customers that its investigation, supported by CrowdStrike and Mandiant, has found no evidence that the threat actor modified its software supply chain, source code, or build and release pipelines. This assessment was independently validated by NCC Group and IOActive.

The company also stated it has no evidence of compromise to its customer relationship management, financial, or support case management systems. However, it did confirm that some exfiltrated files contained “configuration or implementation information for a small percentage of customers,” and that it will be communicating with those affected directly.

In response, F5 has released urgent security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, urging customers to update to these new releases as soon as possible.

F5 is also taking steps to help customers secure their environments, including providing a threat hunting guide to strengthen detection and monitoring; adding automated hardening checks to the F5 iHealth diagnostic tool; and offering an early access version of CrowdStrike’s Falcon EDR sensors for BIG-IP, with a free subscription for all supported customers.

The cyber disclosure is particularly fraught, coming during a US government shutdown that has impacted federal cyber security readiness.

“This would be a shocking revelation on a good day,” Huber said. “But it comes as a government shutdown and associated staffing impacts have left federal cyber security operations at reduced capacity. The reality is that our national defenders are operating with one hand tied behind their back, right when a major threat has emerged.”

Despite the gravity of the situation, Huber credited F5 for its handling of the incident. “This is a time for the entire cyber security industry to pull together, get proactive, and pay close attention to remediation guidance. F5 should get credit for their transparency and how they’ve handled this incident so far,” he said.

For now, the focus for thousands of organisations globally is on patching, hardening, and hunting for any signs of compromise. The full impact of the stolen data may not be known for months or even years, but the immediate risk is clear.

“The attackers have a map to our most sensitive environments. Our only defence is to eliminate every possible path before they choose to strike,” Huber said.
