F5 Issues Statement on Compromise of Internal F5 Networks
Summary
F5 has acknowledged source code and details about undisclosed vulnerabilities have been stolen by a state-sponsored attacker, but no exploitation has been observed
Affected platforms
The following platforms are known to be affected:
Affected F5 products:
- Hardware: BIG-IP iSeries, rSeries, or any other F5 device that has reached end of support
- Software: All devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, BIG-IQ, and BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF)
Threat details
F5 acknowledges BIG-IP source code stolen
F5 has acknowledged that a state-sponsored attacker has stolen technical details for the BIG-IP platform, including source code and details of undisclosed vulnerabilities.
F5 has seen no evidence at this time to suggest any undisclosed critical severity or remote code execution vulnerabilities are present in the BIG-IP source code, nor seen evidence of active exploitation of any undisclosed F5 vulnerabilities.
Introduction
F5 has issued a statement to report compromise of their systems by a suspected state-sponsored attacker. The attacker was able to maintain long-term persistent access to F5's internal systems, as well as exfiltrate sensitive technical data. The attacker reportedly accessed technical details for the BIG-IP and F5OS platforms, including source code and details of undisclosed vulnerabilities.
The access obtained by the attacker could allow them to exploit F5 appliances and software in future, as well as conduct analysis of the source code to find new vulnerabilities and develop targeted exploit code.
F5 and independent third parties have attested that the source code pipeline is unaffected, meaning the attacker has not, and cannot, modify the code deployed to software releases for F5 appliances.
The National Cyber Security Centre (NCSC) has stated "Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organisation’s network, exfiltrate data, and establish persistent system access".
The NCSC also states: "There is currently no indication that any customer networks have been impacted via the compromise of the F5 network."
Threat updates
| Date | Update |
|---|---|
| 16 Oct 2025 | Severity changed to High. The following items have been updated to reflect this change: |
Remediation advice
Affected organisations must review the F5 Security Incident and Quarterly Security Notification (October 2025) knowledgebase articles and apply the remediation steps detailed below. Organisations are strongly encouraged to also review the NCSC's Confirmed compromise of F5 network advisory.
Remediation steps
| Type | Step |
|---|---|
| Action | Required: Organisations must identify all F5 products (hardware, software, and virtualised). https://www.ncsc.gov.uk/news/confirmed-compromise-f5-network |
| Patch | Required: Organisations must update F5 devices to the latest version as soon as possible. Note: Internet-facing F5 devices that have reached end of support must be replaced with a supported version. https://my.f5.com/manage/s/article/K000156572 |
| Guidance | Recommended: Organisations are strongly encouraged to follow F5's best practice guidance for hardening F5 systems. https://my.f5.com/manage/s/article/K53108777 |
| Action | Recommended: Organisations should ensure F5 management interfaces are not exposed to the internet. If an exposed management interface is found, a compromise assessment should be undertaken. https://my.f5.com/manage/s/article/K13092#administrativeports |
| Action | Recommended: Where possible, organisations are strongly encouraged to hunt for activity related to the state-sponsored attack using F5's threat hunting guide. The threat hunting guide can be obtained from F5 support. If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. https://my.f5.com/manage/s/article/K000154696 |
| Action | Recommended: Organisations are strongly encouraged to integrate key log sources from F5 devices with their SIEM. Organisations should retain this key log data for 180 days for audit and investigation purposes. See KB13080 and KB13426 for further information. https://my.f5.com/manage/s/article/K000154696 |
Definitive source of threat updates
Last edited: 16 October 2025 3:29 pm