F5 has revealed new details about a major cybersecurity incident involving a highly sophisticated nation-state threat actor who maintained prolonged access to parts of the company’s internal network. Discovered in August 2025, the breach allowed the attacker to infiltrate F5’s BIG-IP product development environment and engineering knowledge management platforms, where they exfiltrated files containing portions of BIG-IP source code and technical information about vulnerabilities that had not yet been disclosed. F5 emphasized that there is no evidence of any critical or remote code execution vulnerabilities being exploited, and no indication that the attackers gained access to F5’s customer relationship management, financial, support, or iHealth systems.
The company’s investigation, supported by top cybersecurity firms such as CrowdStrike, Mandiant, NCC Group, and IOActive, confirmed that the breach did not compromise F5’s software supply chain, build or release pipelines, or the NGINX and F5 Distributed Cloud Services environments. Nonetheless, F5 acknowledged that a small number of exfiltrated files contained configuration or implementation data belonging to a limited number of customers. These customers are being notified directly.
In response, F5 took extensive containment measures, including rotating credentials, strengthening access controls, and deploying enhanced monitoring, patch automation, and network security tools. The company believes the threat actor’s access has been fully contained, with no evidence of ongoing malicious activity since mitigation efforts began. F5 has also implemented code reviews, penetration testing, and security hardening across its product development environments, aiming to reinforce trust in its infrastructure and supply chain security.
As part of its remediation plan, F5 released software updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, all of which are included in its October 2025 Quarterly Security Notification. The company is also introducing new security initiatives, such as integrating CrowdStrike Falcon EDR and Overwatch Threat Hunting directly into BIG-IP for expanded visibility. All supported BIG-IP customers will receive a free Falcon EDR subscription as part of this effort.
F5 has reiterated its commitment to transparency and customer protection, stating that it continues to work closely with law enforcement and government partners while improving its internal security architecture. It has also expanded its hardening guidance, SIEM integration documentation, and automated checks within the F5 iHealth Diagnostic Tool, helping customers quickly identify and remediate vulnerabilities in their environments.
List of CVEs disclosed by F5 on 15th October 2025
High: CVE-2025-53868, CVE-2025-61955, CVE-2025-57780, CVE-2025-60016, CVE-2025-48008, CVE-2025-59781, CVE-2025-41430, CVE-2025-55669, CVE-2025-61951, CVE-2025-55036, CVE-2025-54479, CVE-2025-46706, CVE-2025-59478, CVE-2025-61938, CVE-2025-54858, CVE-2025-58120, CVE-2025-53856, CVE-2025-61974, CVE-2025-58071, CVE-2025-53521, CVE-2025-61960, CVE-2025-54854, CVE-2025-53474, CVE-2025-61990, CVE-2025-58096, CVE-2025-61935, CVE-2025-59778.
Medium: CVE-2025-59481, CVE-2025-61958, CVE-2025-47148, CVE-2025-47150, CVE-2025-55670, CVE-2025-54805, CVE-2025-59269, CVE-2025-58153, CVE-2025-60015, CVE-2025-59483, CVE-2025-60013, CVE-2025-59268, CVE-2025-58474, CVE-2025-61933, CVE-2025-54755, CVE-2025-53860.
Low: CVE-2025-58424.
What you should do:
Customers using any F5 products should immediately update to the latest versions of BIG-IP, F5OS, BIG-IP Next, BIG-IQ, or APM clients. Review F5’s hardening and monitoring guides to verify that your systems follow current security best practices, and enable event streaming from BIG-IP to your SIEM for visibility into login activity and configuration changes. Use the F5 iHealth Diagnostic Tool to detect and remediate gaps, rotate credentials in affected environments, and apply continuous monitoring for potential unauthorized access. F5’s support team remains available to assist customers with patching, verification, and implementation of defensive measures.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps to take to protect yourself from the most material threats facing your organisation, please contact your account manager or get in touch to find out how you can protect your organisation.