U.S. cybersecurity company F5 on Wednesday disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product.

It attributed the activity to a "highly sophisticated nation-state threat actor," adding that the adversary maintained long-term, persistent access to its network. The company said it learned of the breach on August 9, 2025, per a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC). F5 said it delayed the public disclosure at the request of the U.S. Department of Justice (DoJ).

"We have taken extensive actions to contain the threat actor," it noted. "Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful."


F5 did not say for how long the threat actors had access to its BIG-IP product development environment, but emphasized that it has not observed any indication that the vulnerabilities have been exploited in a malicious context. It also said that the attackers did not access its CRM, financial, support case management, or iHealth systems.

That said, the company acknowledged that some of the exfiltrated files from its knowledge management platform contained configuration or implementation information for a small percentage of customers. Impacted customers are expected to be directly notified following a review of the files.

Following the discovery of the incident, F5 engaged Google Mandiant and CrowdStrike, rotated credentials as well as signing certificates and keys, strengthened access controls, deployed tooling to better monitor threats, bolstered its product development environment with extra security controls, and implemented enhancements to its network security architecture.

Users are advised to apply the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients as soon as possible for optimal protection.

CISA Issues Emergency Directive

In response to F5's disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (ED 26-01) that requires Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, check whether their networked management interfaces are accessible from the public internet, and apply the newly released updates from F5 by October 22, 2025.

"A nation-state affiliated cyber threat actor has compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information, which provides the actor with a technical advantage to exploit F5 devices and software," the agency said. "This poses an imminent threat to federal networks using F5 devices and software."

"The threat actor's access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities, as well as the ability to develop targeted exploits."

CISA is also urging organizations to harden public-facing devices, disconnect those that have reached their end-of-life support date, and mitigate a BIG-IP cookie leakage vulnerability. All agencies are further required to submit a complete inventory of F5 products and the actions taken to CISA no later than October 29, 2025, 11:59 p.m. EDT.
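The three checks the directive asks agencies to perform (inventory, management-interface exposure, patch and end-of-life status) can be run as a first-pass triage over an asset list. The script below is an added example, not F5 or CISA tooling; its inventory format, the `Device` fields and the sample rows are constructed, and "reachable from the public internet" is approximated as a management IP that is globally routable, which a real review would confirm against firewall rules and external scans of the organization's own ranges.

```python
import ipaddress
from dataclasses import dataclass

# Product families named in F5's advisory that need the new updates.
AFFECTED_FAMILIES = {"BIG-IP", "F5OS", "BIG-IP Next for Kubernetes", "BIG-IQ", "APM client"}


@dataclass
class Device:
    hostname: str
    family: str
    mgmt_ip: str       # address bound to the management interface
    patched: bool      # updated with the fixes F5 released for this incident
    end_of_life: bool  # CISA asks for end-of-life devices to be disconnected


def is_publicly_routable(ip: str) -> bool:
    """True for globally routable addresses; False for RFC 1918, loopback,
    link-local and CGNAT (100.64.0.0/10). Note that ipaddress also treats the
    RFC 5737 documentation ranges (e.g. 203.0.113.0/24) as non-global."""
    return ipaddress.ip_address(ip).is_global


def triage(devices):
    """Return a dict of finding -> sorted hostnames for the inventory report."""
    findings = {"mgmt_publicly_routable": [], "unpatched": [], "end_of_life": [], "unknown_family": []}
    for d in devices:
        if d.family not in AFFECTED_FAMILIES:
            findings["unknown_family"].append(d.hostname)
        if is_publicly_routable(d.mgmt_ip):
            findings["mgmt_publicly_routable"].append(d.hostname)
        if d.end_of_life:
            findings["end_of_life"].append(d.hostname)   # disconnect, do not patch
        elif not d.patched:
            findings["unpatched"].append(d.hostname)
    return {k: sorted(v) for k, v in findings.items()}


SAMPLE_INVENTORY = [  # constructed sample data; the public IP is a placeholder
    Device("ltm-dmz-01", "BIG-IP", "203.0.114.10", patched=False, end_of_life=False),
    Device("ltm-core-01", "BIG-IP", "10.20.0.5", patched=True, end_of_life=False),
    Device("f5os-chassis-01", "F5OS", "100.64.3.2", patched=False, end_of_life=False),
    Device("bigiq-mgmt", "BIG-IQ", "192.168.50.4", patched=False, end_of_life=True),
]

if __name__ == "__main__":
    for finding, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```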

In a report published Thursday, Bloomberg revealed that the attackers were in the company's network for at least 12 months, and that the intrusion involved the use of a malware family dubbed BRICKSTORM, which is attributed to a China-nexus cyber espionage group tracked as UNC5221.


Last month, Mandiant and Google Threat Intelligence Group (GTIG) divulged that companies in the legal services, software-as-a-service (SaaS), business process outsourcing (BPO), and technology sectors in the U.S. have been targeted by the suspected Chinese hacking group (and other related clusters) to deliver the BRICKSTORM backdoor.

When reached for comment, GTIG/Mandiant told The Hacker News that it does not have anything to share at this stage.

"Generally, if an attacker steals source code, it takes time to find exploitable issues," Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, said in a statement. "In this case, they also stole information on undisclosed vulnerabilities that F5 was actively working to patch."

"This provides the ability for threat actors to exploit vulnerabilities that have no public patch, potentially increasing speed to exploit creation. The disclosure of 45 vulnerabilities in this quarter vs. just 6 last quarter suggests F5 is moving as fast as they can to actively patch these stolen flaws before the threat actors can exploit them."

(The story was updated after publication with details of the emergency directive issued by CISA.)
