F5 Networks reports major nation-state breach: BIG-IP source code and vulnerability data stolen
Take action: If you run F5 BIG-IP products, immediately inventory every F5 system, restrict management interfaces to trusted networks only, and apply the security updates F5 has just released. Because the attackers stole BIG-IP source code and details of unpatched vulnerabilities after a reported 12+ months of access, assume they can develop zero-day exploits against unpatched F5 systems. Prioritize updates now.
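The three actions above (inventory, lock down management access, patch) are easiest to do consistently from collected device output rather than by hand. The script below is an added example, not F5 code or text from the advisory: it parses the two tmsh outputs an operator would collect from each BIG-IP (`tmsh show sys version` and `tmsh list sys httpd allow`), flags devices whose version is below a per-branch minimum fixed build, and flags devices whose management HTTPS allow list is `All`. The sample device outputs are constructed, and the `PLACEHOLDER_MINIMUM` version table is a placeholder, not F5 data; the real fixed versions must be taken from F5's October 2025 security notification before this is used.

```python
"""Post-disclosure triage for a BIG-IP fleet (added example, not F5 code).

Inputs per device are the raw text of `tmsh show sys version` and
`tmsh list sys httpd allow`. The same allow-list parser also works on
`tmsh list sys sshd allow`, which should be locked down the same way.
"""
import re

# PLACEHOLDER minimum fixed build per supported branch (major, minor).
# These numbers are NOT from F5; replace them with the fixed versions
# listed in F5's October 2025 quarterly security notification.
PLACEHOLDER_MINIMUM = {
    (17, 1): (17, 1, 2),
    (16, 1): (16, 1, 6),
    (15, 1): (15, 1, 10),
}

VERSION_RE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", re.MULTILINE)
ALLOW_RE = re.compile(r"allow\s*\{\s*([^}]*)\}", re.DOTALL)


def parse_version(show_sys_version: str) -> tuple:
    """Return the BIG-IP version from `tmsh show sys version` as an int tuple."""
    m = VERSION_RE.search(show_sys_version)
    if not m:
        raise ValueError("no 'Version' line in tmsh output")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_allow_list(list_sys_allow: str) -> list:
    """Return the address list from `tmsh list sys httpd allow` (or sshd)."""
    m = ALLOW_RE.search(list_sys_allow)
    if not m:
        raise ValueError("no 'allow { ... }' block in tmsh output")
    return m.group(1).split()


def is_below_minimum(version: tuple, minimum_by_branch: dict):
    """True if below the branch minimum, False if not, None if branch unknown.

    Versions are right-padded with zeros so that 17.1.2 == 17.1.2.0 and
    17.1.1.3 < 17.1.2 compare the way an operator expects.
    """
    minimum = minimum_by_branch.get(version[:2])
    if minimum is None:
        return None
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version < padded_minimum


def assess_device(name: str, show_sys_version: str, list_sys_httpd: str,
                  minimum_by_branch: dict) -> dict:
    """Produce findings for one device; an empty findings list means no action."""
    version = parse_version(show_sys_version)
    allow = parse_allow_list(list_sys_httpd)
    version_str = ".".join(str(p) for p in version)
    findings = []
    below = is_below_minimum(version, minimum_by_branch)
    if below is None:
        findings.append("branch %d.%d not in fixed-version table; check advisory" % version[:2])
    elif below:
        findings.append("version %s is below the minimum fixed build" % version_str)
    if any(entry.lower() == "all" for entry in allow):
        findings.append("management HTTPS (sys httpd allow) accepts all source addresses")
    return {"device": name, "version": version_str, "httpd_allow": allow, "findings": findings}


def assess_fleet(fleet: dict, minimum_by_branch: dict) -> list:
    """Assess every device in {name: (show_sys_version, list_sys_httpd)}."""
    return [assess_device(name, ver, allow, minimum_by_branch)
            for name, (ver, allow) in sorted(fleet.items())]


# Constructed sample output for three devices (not captured from real systems).
SAMPLE_FLEET = {
    "bigip-dmz-01": (
        "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     17.1.1.3\n"
        "  Build       0.0.5\n  Edition     Point Release 3\n",
        "sys httpd {\n    allow { All }\n}\n",
    ),
    "bigip-core-02": (
        "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     17.1.2\n"
        "  Build       0.0.12\n  Edition     Point Release 2\n",
        "sys httpd {\n    allow { 10.0.0.0/8 192.0.2.10 }\n}\n",
    ),
    "bigip-legacy-03": (
        "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     14.1.5\n"
        "  Build       0.0.3\n  Edition     Point Release 5\n",
        "sys httpd {\n    allow { 10.0.0.0/8 }\n}\n",
    ),
}

if __name__ == "__main__":
    for result in assess_fleet(SAMPLE_FLEET, PLACEHOLDER_MINIMUM):
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print("%-16s %-10s %s" % (result["device"], result["version"], status))
```

Devices on a branch that is not in the table are reported rather than silently passed, because an end-of-support branch is exactly the case that needs a human decision. Once the real fixed versions are in the table, the remediation for a flagged allow list is the documented tmsh change (`tmsh modify sys httpd allow replace-all-with { <trusted-cidrs> }`, and the same for `sys sshd`), followed by `tmsh save sys config`.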
F5 Networks, a Fortune 500 cybersecurity and technology company based in Seattle, Washington, is reporting that a nation-state threat actor breached and maintained long-term persistent access to critical company systems and stole proprietary source code and sensitive vulnerability information related to its flagship BIG-IP product line.
The company discovered the breach on August 9, 2025, when internal security teams identified suspicious activity within systems supporting BIG-IP product development and the engineering knowledge management platform.
F5 issued patches for 44 vulnerabilities, including those whose details were stolen in the breach, and urged customers to update as soon as possible. F5 confirmed that "today's security updates do address impact from the incident."
The report triggered emergency actions from the United States government. CISA issued Emergency Directive ED 26-01 ordering all federal civilian executive branch agencies to immediately inventory F5 BIG-IP products, secure management interfaces, and apply critical security updates by October 22, 2025.
CISA characterized the situation as posing an "imminent threat" to federal networks and warned of potentially "catastrophic" downstream consequences for thousands of government and private sector organizations utilizing F5 products.
According to Bloomberg the cyberattack has been attributed to UNC5221, a China-nexus advanced persistent threat group that has been conducting supply chain espionage operations across the United States. Bloomberg sources indicated the attackers maintained access to F5's network for at least 12 months before detection.
The nation-state actors stole sensitive technical and operational information from F5's compromised systems:
- Portions of BIG-IP proprietary source code
- Information about undisclosed security vulnerabilities under development but not yet patched
- Documentation of vulnerability details including technical specifications and potential exploit methodologies
- Customer configuration and implementation information from F5's knowledge management platform affecting a small percentage of customers
- Engineering documentation and technical specifications from the product development environment
F5 has not disclosed how the attackers initially gained access, nor whether any personal data or individuals were affected.
The company stated it has found no evidence that the undisclosed vulnerabilities have been exploited, and that independent reviews of the affected code by NCC Group and IOActive identified neither critical vulnerabilities nor evidence of source code tampering.
Security practitioners warn that possession of source code and internal vulnerability documentation lets the threat actor run static and dynamic analysis to find logic flaws and zero-day vulnerabilities far more efficiently than black-box testing would, and to build targeted exploits against F5 customers.
F5 states that the attackers did not access or compromise several other critical systems, including its customer relationship management databases, financial systems, support case management platform, iHealth diagnostic systems, the NGINX product development environment, F5 Distributed Cloud Services, and Silverline. The independent audits by NCC Group and IOActive also validated the integrity of F5's software supply chain: no unauthorized modifications were found in source code repositories or in the build and release pipelines, so there is no indication of a SolarWinds-style supply chain attack.
F5 says that since it began containment, no new unauthorized activity has been detected, and it believes containment has been successful.