October 16, 2025

F5 Security Incident

Security Advisory
Kudelski Security Team

In or around August 2025, F5 discovered that a sophisticated, likely nation‑state threat actor had gained and maintained persistent access to internal F5 systems. In particular, the actor appeared to be after product development and engineering knowledge bases. The attacker exfiltrated files which included source code and technical documentation related to F5’s BIG-IP, F5OS, and other similar offerings. F5 reports that they have contained the intrusion, engaged third‑party forensic/security firms, and begun providing upgraded software and guidance to customers. As of now, F5 states there is no confirmed evidence of exploitation of undisclosed vulnerabilities in customer environments.

It is important to note that theft of source code and internal design details raises the risk that new attack vectors or zero-day exploits could emerge over time.

Affected Systems and/or Applications

Based on current statements from F5, the following product lines are believed to be impacted or at risk:

  • BIG-IP (all modules) — software (TMOS), hardware, Virtual Edition
  • F5OS
  • BIG-IQ
  • F5’s “Next” / Kubernetes / cloud-native variants (e.g. BIG-IP Next, BNK / CNF)
  • APM clients and other F5-provided ancillary modules
  • Environments using Advanced WAF / ASM profiles (some new CVEs disclosed in October 2025 may also relate)

Technical Details

Based on current details, we know that the attackers maintained long-term access to F5's internal systems, which led to the exfiltration of files that included source code and information about undisclosed vulnerabilities. Per F5, they do not believe that the supply chain pipeline was tampered with or that any code was modified to introduce backdoors. However, given the duration and level of access the adversaries had, they would have gained deeper visibility into internal code, architectures, and possibly even development-time vulnerabilities. Given that this notice was released alongside the Quarterly Security Notification (K000156572), which includes newly released vulnerabilities, it is possible that some of those vulnerabilities are tied to this incident. Below are two such recent vulnerabilities, which highlight that functional modules may be attacked via malformed inputs, possibly leveraging knowledge gained from the exfiltrated code:

  • CVE‑2025‑54858 — A vulnerability in BIG-IP Advanced WAF / ASM when using a JSON content profile with a malformed JSON schema. Under certain requests, the bd process may terminate, causing availability problems. Affects versions prior to certain patched releases (e.g. < 17.5.1.3, < 17.1.3, < 16.1.6.1).
  • CVE‑2025‑61935 — Another vulnerability impacting Advanced WAF / ASM, where certain requests may cause unexpected termination of the bd process when a security policy is configured on a virtual server.

Temporary Mitigations

While F5 works to remediate and support customers, the following mitigations can reduce potential exposure:

  • Isolate / restrict management interfaces
  • Apply the latest patches / upgrades immediately
  • Rotate credentials, API keys, certificates
  • Hunt for anomalies / forensic review
  • Communicate with F5 / obtain their guidance
  • Segment / limit exposure of dependent systems

What the Cyber Fusion Center is Doing

The CFC is actively monitoring the situation and will continue to research and provide our findings. Additionally, we have implemented increased awareness of activity involving F5 BIG-IP. At this time, the main recommendations are as follows:

  • Enable BIG-IP event streaming to your SIEM, configure the systems to log to a remote syslog server, and monitor for login attempts.
  • Utilize the F5 iHealth Diagnostic Tool, which can now flag security risks and vulnerabilities, prioritize actions, and provide remediation guidance.
  • Identify all F5 products (hardware, software, and virtualized) and ensure that no management interface is exposed on the public web. If an exposed interface is discovered, organizations should perform a compromise assessment.
  • Regarding threat hunting, F5 is partnering with CrowdStrike to extend Falcon EDR sensors and OverWatch Threat Hunting to BIG-IP for additional visibility and to strengthen defenses. An early access version will be available to BIG-IP customers, and F5 will provide all supported customers with a free Falcon EDR subscription. Additionally, when threat hunting guidance is made available, it will be reviewed.
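As an added illustration of the remote-syslog and login-monitoring recommendation above (example code written for this advisory, not from Kudelski Security or F5), the Python script below runs the kind of check a SIEM rule would apply to sshd lines forwarded from a BIG-IP: it flags repeated failed logins from one source and any successful login from outside an assumed management allowlist. The sample log lines, host name, user names, addresses and the allowlist network are all constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of syslog lines as a BIG-IP would forward from /var/log/secure
# (standard OpenSSH message format). Host name, users and addresses are made up.
SAMPLE_LOG = """\
Oct 16 09:12:01 bigip1 sshd[2231]: Failed password for root from 203.0.113.77 port 51122 ssh2
Oct 16 09:12:03 bigip1 sshd[2231]: Failed password for root from 203.0.113.77 port 51123 ssh2
Oct 16 09:12:05 bigip1 sshd[2232]: Failed password for admin from 203.0.113.77 port 51124 ssh2
Oct 16 09:12:07 bigip1 sshd[2232]: Failed password for admin from 203.0.113.77 port 51125 ssh2
Oct 16 09:12:09 bigip1 sshd[2233]: Failed password for invalid user f5svc from 203.0.113.77 port 51126 ssh2
Oct 16 09:13:40 bigip1 sshd[2240]: Accepted publickey for admin from 10.10.5.20 port 40211 ssh2
Oct 16 09:15:02 bigip1 sshd[2251]: Accepted password for admin from 198.51.100.9 port 44000 ssh2
"""

# Assumed allowlist: the only network that should ever reach the management interface
# (for example a jump-host subnet). A login from anywhere else is an exposure finding.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]
FAIL_THRESHOLD = 5  # failed logins from one source before it is flagged
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)


def analyze_logins(log_text, allowlist=MGMT_ALLOWLIST, threshold=FAIL_THRESHOLD):
    """Return (finding_type, source_ip, detail) tuples for the given syslog text."""
    failures = Counter()            # source ip -> failed login count
    accepted = defaultdict(set)     # source ip -> users that logged in successfully
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue                # not an sshd login event; ignore
        if m["outcome"] == "Failed":
            failures[m["src"]] += 1
        else:
            accepted[m["src"]].add(m["user"])
    findings = []
    for src, count in failures.items():
        if count >= threshold:
            findings.append(("brute_force", src, f"{count} failed logins"))
    for src, users in accepted.items():
        if not any(ipaddress.ip_address(src) in net for net in allowlist):
            findings.append(("unexpected_source", src, "login as " + ",".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze_logins(SAMPLE_LOG):
        print(f"{kind}: {src} ({detail})")
```

The same logic applies to any other login source forwarded over syslog (for example the BIG-IP web UI audit log) once its line format is added to the regular expression.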
