Nation-state breach of F5 threatens BIG-IP users worldwide

A sophisticated nation-state hacking group breached F5's network, stealing BIG-IP source code and vulnerability details, prompting emergency warnings from US and UK authorities. Thousands of networks, including those of US government agencies and Fortune 500 companies, face imminent risks from potential supply-chain attacks. F5 has released updates, but users must act immediately to secure their systems.

F5, a Seattle-based networking software maker, disclosed on October 15, 2025, that a 'sophisticated' threat group backed by an undisclosed nation-state had persistently infiltrated its network over a long period, possibly years. The hackers gained control of the segment used to build and distribute updates for BIG-IP, a product deployed by 48 of the world's top 50 corporations as load balancers, firewalls, and data inspection tools at network edges.

During the intrusion, the group downloaded proprietary BIG-IP source code, information on privately discovered but unpatched vulnerabilities, and customer configuration settings. This access raises fears of supply-chain attacks, where hackers could exploit weaknesses to breach thousands of sensitive networks, or abuse stolen credentials for further intrusions. As F5 noted, BIG-IP's edge position allows compromised devices to expand access deeper into infected networks.

Investigations by IOActive, NCC Group, Mandiant, and CrowdStrike found no evidence of supply-chain tampering, introduced vulnerabilities, or access to F5's CRM, financial, support, or health systems. The firms confirmed no critical vulnerabilities in the analyzed code and build pipeline. Two days prior, F5 rotated BIG-IP signing certificates, though whether that rotation is linked to the breach remains unconfirmed.

The US Cybersecurity and Infrastructure Security Agency (CISA) warned of an 'imminent threat' and 'unacceptable risk' to federal agencies, ordering them to inventory all BIG-IP devices (including those managed by third parties), install F5's updates for BIG-IP, F5OS, BIG-IQ, and APM products, and follow a provided threat-hunting guide. The UK's National Cyber Security Centre issued a similar directive. The same recommendations apply to private-sector BIG-IP users.
