F5 Reveals Nation State Breach and Urges Immediate Patching

The US government has urged federal agencies to take immediate action after security vendor F5 revealed it has been breached by a nation-state actor.

The application security specialist informed its customers about the breach on October 15, despite making the discovery back in August.

“In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems. These systems included our BIG-IP product development environment and engineering knowledge management platforms,” it explained.

“We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.”

Crucially, some of the stolen files contained BIG-IP source code and information about undisclosed vulnerabilities in the product. Although the firm said it had no knowledge of any active exploitation of undisclosed vulnerabilities, it urged all customers to apply the updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM clients in its Quarterly Security Notification.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive demanding that federal agencies “evaluate if the networked management interfaces are accessible from the public internet, and apply updates from F5.”

It warned that the threat actor’s access to the F5 development environment could enable it to perform static and dynamic analysis of the code to discover logical flaws and zero-day vulnerabilities, and to develop targeted exploits.

“This cyber-threat actor presents an imminent threat to federal networks using F5 devices and software,” CISA continued.

“Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and application programming interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.”

The agency’s list of recommended remedial actions can be found here.

It’s likely the government has had some time to prepare its response, given that the Justice Department ordered a delay in public disclosure of the breach on September 12, according to an SEC filing by F5 yesterday.

Further Action Needed

F5 said it had no evidence of exfiltration of data from its CRM, financial, support case management or iHealth systems. However, it admitted that some files stolen from its knowledge management platform contained configuration or implementation information “for a small percentage of customers.”

The vendor also claimed to have so far seen no evidence of modification to: its software supply chain (including source code and build and release pipelines); its NGINX source code/product development environment; or its F5 Distributed Cloud Services or Silverline systems.

Aside from applying the latest security updates, it advised customers to:

  • Carry out proactive threat hunting to spot signs of intrusion
  • Harden F5 systems using the F5 iHealth Diagnostic Tool
  • Enable BIG-IP event streaming to their SIEM to check for admin logins, failed authentications and privilege/configuration changes
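As an added illustration of the last point, this is a small Python triage script (not code from F5 or from the article) that classifies streamed audit lines into the event types the advice names: admin logins, repeated failed authentications, and privilege or configuration changes. The log lines, their field layout, the admin user list and the failure threshold are all constructed assumptions for the example; adapt the patterns to the events your SIEM actually receives.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified syslog style, loosely modelled on
# BIG-IP audit messages. The field layout is an assumption for this example.
SAMPLE_LOG = """\
Oct 15 08:01:10 bigip1 httpd[2211]: AUDIT - user admin login from 203.0.113.7 result=OK
Oct 15 08:03:41 bigip1 sshd[2300]: AUDIT - user svc_backup login from 198.51.100.9 result=FAIL
Oct 15 08:03:44 bigip1 sshd[2300]: AUDIT - user svc_backup login from 198.51.100.9 result=FAIL
Oct 15 08:03:47 bigip1 sshd[2300]: AUDIT - user svc_backup login from 198.51.100.9 result=FAIL
Oct 15 08:05:02 bigip1 tmsh[2402]: AUDIT - user=admin cmd_data=modify auth user ops role admin status=[Command OK]
Oct 15 08:06:15 bigip1 tmsh[2402]: AUDIT - user=admin cmd_data=create ltm virtual vs_new status=[Command OK]
Oct 15 08:07:30 bigip1 tmsh[2402]: AUDIT - user=ops cmd_data=list ltm virtual status=[Command OK]
"""

LOGIN_RE = re.compile(r"AUDIT - user (?P<user>\S+) login from (?P<src>\S+) result=(?P<result>OK|FAIL)")
CMD_RE = re.compile(r"AUDIT - user=(?P<user>\S+) cmd_data=(?P<cmd>.+?) status=\[Command OK\]")
ADMIN_USERS = {"admin", "root"}  # assumed set of privileged accounts to watch
FAIL_THRESHOLD = 3               # failed logins per user before alerting

def classify(line):
    """Map one log line to an event tuple (kind, user, detail), or None if uninteresting."""
    m = LOGIN_RE.search(line)
    if m:
        kind = "login" if m["result"] == "OK" else "failed_auth"
        return (kind, m["user"], m["src"])
    m = CMD_RE.search(line)
    if m:
        cmd = m["cmd"]
        # A role change on a user account is a privilege change; any other
        # create/modify/delete is a configuration change; list/show are read-only.
        if cmd.startswith("modify auth user") and " role " in cmd:
            return ("privilege_change", m["user"], cmd)
        if cmd.split()[0] in ("create", "modify", "delete"):
            return ("config_change", m["user"], cmd)
    return None

def review(log_text):
    """Return (events, alerts): all classified events and the ones worth escalating."""
    events = [e for e in (classify(line) for line in log_text.splitlines()) if e]
    alerts = [f"admin login by {u} from {d}" for k, u, d in events if k == "login" and u in ADMIN_USERS]
    failures = Counter(u for k, u, _ in events if k == "failed_auth")
    alerts += [f"{n} failed logins for {u}" for u, n in failures.items() if n >= FAIL_THRESHOLD]
    alerts += [f"{k} by {u}: {d}" for k, u, d in events if k in ("privilege_change", "config_change")]
    return events, alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG)[1]:
        print("ALERT:", alert)
```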

For its part, the vendor said it has improved internal security including access controls, inventory and patch management, network security and monitoring of all software development platforms.

Tom Kellermann, VP of cyber risk at Hitrust, argued that the F5 breach is likely to be the first stage in a supply chain campaign.

“Rogue nation-state actors consistently show us how successful and well-resourced they are. Once adversaries gain access at the application layer, they’re not just stealing data but embedding themselves for command and control,” he added.

“F5 customers must immediately enhance detection and response at the application layer through ADR [application detection and response]. Supply chain attacks have become the preferred tactic of modern cyber warfare. We need to start treating third-party risk as a national security issue.”

ImmuniWeb CEO Ilia Kolochenko agreed that the stolen IP could be used to craft zero-day exploits for subsequent APT campaigns.

“Likewise, the reportedly small percentage of customers, whose technical information was compromised, should urgently assess their risks and continue working with F5 to better understand the impact of the incident,” he added.
