F5 BIG-IP Source Code Leak – Alert and Response Measures

F5 Networks, a leading provider of application and security solutions renowned for products such as BIG-IP, NGINX, and F5 Distributed Cloud Services, has confirmed a serious security incident that occurred in August 2025. According to the company, a nation-state–sponsored threat actor infiltrated its internal systems and maintained persistent access for an extended period.

Incident scope and impact

The compromised systems included the BIG-IP product development environment and the engineering knowledge management platform. Threat actors successfully exfiltrated portions of the BIG-IP source code, details of undisclosed vulnerabilities, and a limited amount of configuration and deployment data belonging to a small subset of customers.

F5 emphasized that there is no indication of any compromise to the NGINX source code, software supply chain, or build pipeline. Furthermore, the company confirmed that CRM, financial, iHealth, and customer support systems remain unaffected, with no evidence of real-world exploitation observed to date.

Root cause and mitigation measures

The incident is believed to have been carried out by a highly sophisticated threat group that maintained long-term access to F5’s infrastructure. In response, F5 promptly implemented a series of containment and remediation measures, including:

  • Revoking all compromised access and resetting affected credentials.
  • Enhancing access controls and deploying advanced security monitoring.
  • Upgrading Endpoint Detection and Response (EDR) capabilities with support from CrowdStrike Falcon and Overwatch Threat Hunting.
  • Collaborating with leading cybersecurity firms—including CrowdStrike, Mandiant, NCC Group, and IOActive—to conduct a comprehensive investigation.
  • Reviewing source code and performing comprehensive penetration testing across all major products.

Additionally, F5 has released the October 2025 Security Update for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM Clients to address potential vulnerabilities and strengthen product security.

Recommendations for F5 customers

1. Apply security updates as soon as possible
Install the latest security updates included in the Quarterly Security Notification (October 2025). Timely patching significantly reduces the risk of potential vulnerability exploitation.

2. Enhance threat monitoring and detection
Leverage F5’s Threat Hunting Guide (available via MyF5 Support) to strengthen proactive defense. Enable BIG-IP event streaming to your SIEM for monitoring logins, failed authentications, and configuration privilege changes. Refer to F5 Knowledge Base articles KB13080 and KB13426 for implementation guidance.

3. Reinforce configuration and automate security validation
Follow F5’s official hardening guidelines (see K53108777) to strengthen system configurations.
Use the F5 iHealth Diagnostic Tool to automatically assess system security and receive detailed remediation recommendations.

4. Stay informed via official F5 channels
Regularly check the F5 Security Notification page for the latest updates.
Open a MyF5 Support Case or contact F5 Support directly for assistance with security configuration and verification.
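The second recommendation above asks for monitoring of logins, failed authentications and privilege changes in the BIG-IP events you stream to a SIEM. The following is an added illustration from the editor, not F5's or HPT's code: a small detection pass over constructed syslog lines shaped like BIG-IP /var/log/secure (sshd) and /var/log/audit (tmsh AUDIT) entries. The line layout and the threshold are assumptions; real message IDs and fields vary by version, so adapt the patterns to the exact format your devices emit.

```python
import re
from collections import Counter

# Constructed sample lines, only approximating the shape of BIG-IP syslog output.
SAMPLE_LOGS = """\
Oct 15 09:01:10 bigip1 notice tmsh[4120]: AUDIT - pid=4120 user=admin folder=/Common status=[Command OK] cmd_data=list ltm virtual
Oct 15 09:02:31 bigip1 warning sshd[5001]: Failed password for invalid user test from 203.0.113.9 port 51022 ssh2
Oct 15 09:02:33 bigip1 warning sshd[5001]: Failed password for root from 203.0.113.9 port 51023 ssh2
Oct 15 09:02:35 bigip1 warning sshd[5001]: Failed password for root from 203.0.113.9 port 51024 ssh2
Oct 15 09:02:37 bigip1 warning sshd[5001]: Failed password for root from 203.0.113.9 port 51025 ssh2
Oct 15 09:02:39 bigip1 warning sshd[5001]: Failed password for root from 203.0.113.9 port 51026 ssh2
Oct 15 09:03:10 bigip1 warning sshd[5002]: Failed password for admin from 198.51.100.7 port 40100 ssh2
Oct 15 09:05:02 bigip1 notice tmsh[4188]: AUDIT - pid=4188 user=admin folder=/Common status=[Command OK] cmd_data=create auth user svc-backup role admin shell bash
Oct 15 09:06:44 bigip1 notice tmsh[4190]: AUDIT - pid=4190 user=svc-backup folder=/Common status=[Command OK] cmd_data=modify auth user admin partition-access all-partitions role admin
Oct 15 09:07:00 bigip1 notice tmsh[4201]: AUDIT - pid=4201 user=admin folder=/Common status=[Command OK] cmd_data=modify sys db ui.advisory.enabled value true
"""

# sshd failure: capture the attempted account and the source address.
FAILED_SSH = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
# tmsh audit entry: capture the acting user and the command that was run.
AUDIT_CMD = re.compile(r"AUDIT - .*?user=(\S+) .*?cmd_data=(.+)$")
# Commands that change who can administer the device: new accounts, or a
# role / shell / partition-access change on an existing account.
PRIV_CHANGE = re.compile(r"^(create|modify) auth user \S+ .*\b(role|shell|partition-access)\b")

def detect(log_text, fail_threshold=4):
    """Return a list of (rule, detail) findings over raw syslog text."""
    failures = Counter()   # failed SSH logins per source address
    findings = []
    for line in log_text.splitlines():
        m = FAILED_SSH.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = AUDIT_CMD.search(line)
        if m and PRIV_CHANGE.search(m.group(2)):
            findings.append(("privilege_change", f"{m.group(1)}: {m.group(2)}"))
    for src, n in failures.items():
        if n >= fail_threshold:   # assumed threshold; tune to your baseline
            findings.append(("auth_failure_burst", f"{src}: {n} failed logins"))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(f"[{rule}] {detail}")
```

The two privilege-change hits (a new admin account with a bash shell, then that account widening the built-in admin user) are exactly the kind of post-compromise activity a SIEM rule on this feed should surface, alongside the burst of failed SSH logins from one source.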

Security impact and key takeaways

Although there is currently no evidence of source code tampering, the leak of source code and internal data heightens the risk of potential supply chain attacks in the future. Organizations utilizing BIG-IP or related products are strongly advised to proactively review their environments, enhance traffic monitoring, and apply security patches immediately.

This incident further underscores the risks inherent in the software supply chain and the critical importance of securing development environments. F5 remains committed to transparency and strongly encourages customers to adhere to recommended security best practices to safeguard their systems.

Why HPT

With extensive expertise in Security Operations Center (SOC) services, Incident Response (IR), and advanced security consulting, HPT stands ready to support enterprises with:

  • Assessment and risk evaluation of BIG-IP environments.
  • Implementation of SIEM monitoring and early warning systems.
  • Timely deployment and maintenance of security patches.

For in-depth consultation and technical assistance, please contact the HPT Security Operations Center (HSOC).

Contact HPT for consultation on cybersecurity solutions and risk management tailored to your business.

Hotline: 028 38 266 206
Website: https://hpt.vn