F5 has confirmed it was the victim of a state-sponsored cyberattack that allowed hackers to access its internal systems and steal valuable technical data. The company says the attackers gained long-term access before being detected in August 2025.
According to F5’s official statement, the incident led to the theft of files containing parts of its BIG-IP source code, internal vulnerability research, and configuration details for a small number of customers. The company said it has found no evidence that its software build systems or update mechanisms were tampered with, and normal operations remain unaffected.
The UK’s National Cyber Security Centre (NCSC) later confirmed that the incident compromised parts of F5’s internal network and involved advanced, persistent techniques consistent with nation-state operations. Government agencies and enterprise customers using F5’s BIG-IP and related products have been urged to apply all recent patches and review access controls.
Investigators believe the attackers focused on gathering intelligence about how F5 products work at a deep technical level. This kind of information can help adversaries identify weaknesses before they are publicly disclosed or patched. Security researchers say this could make future exploit development easier if the stolen material is analysed or shared among threat groups.
“This is another reminder that the modern attack surface extends deep into the software development lifecycle, and threat groups targeting source code repositories and build environments are seeking long-term intelligence value by understanding how security controls operate from the inside,” said Will Baxter, Field CISO at Team Cymru.
“Visibility into outbound connections, threat actor command-and-control infrastructure, and unusual data exfiltration patterns is key to identifying this activity early. Combining external threat intelligence with internal telemetry gives defenders the context needed to detect and contain these advanced intrusions,” Baxter emphasised.
F5 has brought in external cybersecurity firms to assist in containment and forensic analysis. The company is also notifying any customers whose data may have been part of the stolen files.
The timing couldn’t be worse. Just a week before F5 went public with its breach, SonicWall confirmed hackers had breached its firewall backup systems, exposing customer configuration data.
The two incidents highlight a growing trend of attackers going after the vendors that protect everyone else. It’s a clear signal for companies to review not just their own networks but also those of the vendors they trust to defend them.