On October 15, 2025, F5 announced that in August 2025, they had discovered evidence of a highly sophisticated nation-state threat actor that had maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platforms.
F5 has taken steps internally to strengthen their security posture, including credential rotation, improving access controls, and strengthening overall security across networks and development environments.
Scope of Compromise
The threat actor exfiltrated files containing BIG-IP source code and information on undisclosed vulnerabilities that were being worked on. These vulnerabilities range from low to high severity, with most being Denial of Service (DoS) vulnerabilities. The vulnerabilities targeted in this incident do not include critical or remote code execution flaws, and there is no evidence of exploitation at this time. F5 has released patches for these vulnerabilities, and organizations are strongly encouraged to apply them promptly. Some files from the knowledge management platform also included limited customer configuration information, and affected customers are being engaged directly by F5.
In addition to source code, some of the exfiltrated files from F5’s knowledge management platform included configuration and implementation details from a limited subset of F5 customers.
F5 has stated that there is no evidence the threat actor accessed or exfiltrated data from their Customer Relationship Management, financial systems, support case management, iHealth, or F5 distributed cloud-based services such as Silverline. As of October 10, 2025, independent reviews from IOActive and NCC Group were not able to identify changes made to the software supply chain and other core development environments as a result of this incident.
Recommendations
Update to the Latest Patched Versions of BIG-IP
Arctic Wolf strongly recommends upgrading to the latest version of affected BIG-IP products to mitigate the vulnerabilities related to this incident. A full list of impacted products and the corresponding versions is available in F5’s October 2025 Quarterly Security Notification.
Follow Official Guidance from F5 and Notify CST if Contacted
F5 is actively engaging with a limited number of customers affected by the theft of configuration and implementation details. If you are contacted by F5, we recommend collaborating closely with them and notifying your Concierge Security Team. We also recommend monitoring F5’s advisory page on this incident for updated guidance.
F5 customers who need help updating their BIG-IP software or have further questions are encouraged to open a MyF5 support case or contact F5 support directly.