Sophisticated threat actors access a networking firm’s development system, exfiltrating source code and vulnerability data, prompting urgent patching directives.
On 15 Oct 2025, a Seattle-based maker of networking software disclosed a major breach on 9 Aug 2025 by a state-sponsored threat actor that had who secretly maintained persistent access to its network for an extended period, possibly years.
In the current disclosure now (due to permitted delays), the attackers are said to have infiltrated the segment of F5’s network responsible for the development and distribution of software updates of a widely used product deployed by many corporations and government agencies.
During this breach (right after one in 2024), the hackers had likely exfiltrated proprietary source code and documents detailing privately reported but unpatched vulnerabilities, giving them deep insight into potential security flaws and enabling the development of targeted exploits. In addition, the attackers have accessed configuration files related to some customers, potentially exposing sensitive credential information.
Despite extensive investigations involving two cybersecurity firms, no evidence was found that critical customer-facing systems like CRM or financial platforms were compromised, or that the attackers had tampered with other products.
In response upon detecting the current breach, F5 had taken rapid actions including rotating credentials, updating security certificates, reinforcing access controls, and enhancing network security architectures. They have urged customers to immediately apply newly released security updates across BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients.
Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to inventory F5 BIG-IP devices, assess network exposure, and apply patches by 22 October, 2025, with compliance reports due by 29 October 29. The agency has warned the breach poses an “imminent threat”, as state-sponsored hackers have the capability to exploit source code access to launch supply-chain attacks, steal credentials, and conduct network-wide compromises. CISA has strongly urged all entities using F5 products to undertake the recommended security measures without delay.
Similarly, the United Kingdom’s National Cyber Security Centre has alerted F5 customers to potential risks from this breach, advising them to identify all affected devices, evaluate for compromises, report incidents, and deploy the latest security patches immediately.
