F5 BIG-IP Source Code Breach Tied to Nation-State Hackers

A recent F5 BIG-IP source code breach has exposed proprietary data and undisclosed vulnerability information after threat actors gained long-term access to the company’s internal systems. The intrusion has been attributed to a highly sophisticated nation-state group, according to an SEC filing published on October 15, 2025.

Scope and Impact of the Breach

F5 confirmed that attackers infiltrated its product development environment and exfiltrated files containing portions of BIG-IP source code and technical details about unpatched vulnerabilities. Although the company did not specify the duration of the intrusion, later reports revealed that the attackers were present in the network for at least 12 months.

While the breach did not affect F5’s CRM, financial, or customer support systems, a small subset of files from its knowledge management platform contained configuration and implementation information for certain customers. Impacted organizations are being notified directly.

Response and Containment

F5 stated that it has contained the intrusion and found no signs of ongoing unauthorized activity. Following the discovery, the company partnered with Mandiant and CrowdStrike to conduct forensic analysis, rotated credentials and signing certificates, and strengthened its product development and network security environments.

Users of BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients are strongly advised to apply the latest updates immediately to mitigate potential risks.

CISA Emergency Directive

In response to the F5 BIG-IP source code breach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-01, ordering federal agencies to:

  • Identify and inventory all F5 BIG-IP products
  • Verify that management interfaces are not publicly accessible
  • Apply the latest patches and security updates by October 22, 2025
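The three directive steps above are, in practice, an inventory audit: every device found, its management address checked against where management traffic is allowed to terminate, and its version compared with the current fixed release. The script below, added here as an illustration and not code from F5 or CISA, runs that audit over a constructed CSV inventory. The allowed management network (10.20.0.0/16), the hostnames and addresses, and the minimum versions in MIN_VERSION are all placeholders; the real version floors come from F5's quarterly security notification, not from this page.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumed allow-list of networks where management interfaces may live
# (example addressing, not a real deployment).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Placeholder minimum versions. These are NOT F5's published fixed versions;
# take the real ones from the current F5 quarterly security notification.
MIN_VERSION = {
    "BIG-IP": (17, 1, 3),
    "BIG-IQ": (8, 4, 0),
    "F5OS": (1, 8, 0),
}

# Constructed inventory, in the shape of a CMDB export or of the result of
# polling /mgmt/tm/sys/version on each device.
SAMPLE_INVENTORY = """hostname,product,version,mgmt_ip
lb-edge-01,BIG-IP,17.1.2.2,203.0.113.10
lb-core-01,BIG-IP,17.1.3,10.20.0.5
bigiq-01,BIG-IQ,8.3.0,10.20.0.9
old-lb,BIG-IP,13.1.5,10.20.0.7
"""


@dataclass
class Device:
    hostname: str
    product: str
    version: str
    mgmt_ip: str


def load_inventory(text: str) -> list[Device]:
    """Parse the CSV inventory into Device records."""
    return [Device(**row) for row in csv.DictReader(io.StringIO(text))]


def parse_version(v: str) -> tuple[int, ...]:
    """'17.1.2.2' -> (17, 1, 2, 2); strips a build suffix such as '-0.0.4'.
    Tuples compare element-wise, so (17, 1, 2, 2) < (17, 1, 3)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def audit(devices: list[Device]) -> list[tuple[str, str, str]]:
    """Return (hostname, code, detail) findings for the three directive checks."""
    findings = []
    for d in devices:
        try:
            addr = ipaddress.ip_address(d.mgmt_ip)
        except ValueError:
            findings.append((d.hostname, "BAD_IP", d.mgmt_ip))
            continue
        # Management interface outside the networks where it is allowed to be.
        if not any(addr in net for net in ALLOWED_MGMT_NETS):
            findings.append((d.hostname, "MGMT_OUTSIDE_ALLOWED", d.mgmt_ip))
        # Patch level below the (placeholder) floor for that product line.
        floor = MIN_VERSION.get(d.product)
        if floor is None:
            findings.append((d.hostname, "UNKNOWN_PRODUCT", d.product))
        elif parse_version(d.version) < floor:
            want = ".".join(map(str, floor))
            findings.append((d.hostname, "BELOW_MIN_VERSION", f"{d.version} < {want}"))
    return findings


if __name__ == "__main__":
    for host, code, detail in audit(load_inventory(SAMPLE_INVENTORY)):
        print(f"{host}: {code} ({detail})")
```

An inventory address is only a proxy for the second directive item: the directive asks whether the management interface is actually reachable from the internet, so a finding of MGMT_OUTSIDE_ALLOWED should be confirmed with an external scan against the address, and a clean result should be confirmed the same way.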

CISA warned that the exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability details, could give threat actors a technical advantage to identify zero-day flaws and develop targeted exploits.

The agency also urged organizations to disconnect unsupported devices, mitigate cookie leakage vulnerabilities, and report all mitigation actions to CISA by October 29, 2025.
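The cookie leakage the directive refers to is the unencrypted BIG-IP persistence cookie: by default a cookie named BIGipServer<pool> carries the selected pool member's IPv4 address and port as two decimal integers, so anyone who receives the response learns the internal addressing behind the load balancer. The decoder below is an added example, not F5's code; it applies the documented encoding (address as a little-endian 32-bit integer, port with its two bytes swapped) to constructed Set-Cookie headers and reports which ones leak. The header lines, pool names and the stand-in "encrypted" value are constructed for the example.

```python
import re
import struct
from typing import Optional

# Constructed Set-Cookie headers, as a response from a BIG-IP virtual server
# might carry them. The numeric values on the first two lines are the
# well-known decoding example from F5's documentation; the third line is a
# constructed stand-in for an encrypted cookie, which the decoder must skip.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerapi_pool=1677787402.20480.0000; path=/; HttpOnly",
    "Set-Cookie: BIGipServerenc_pool=!c29tZS1vcGFxdWUtYmxvYg==; path=/",
    "Set-Cookie: session=abc123; Secure; HttpOnly",
]

# Unencrypted IPv4 persistence cookie value: "<ip>.<port>.0000", where <ip>
# is the pool member's address as a little-endian 32-bit integer and <port>
# is the TCP port with its two bytes swapped.
PLAIN_VALUE = re.compile(r"^(\d+)\.(\d+)\.0000$")


def decode_bigip_cookie(value: str) -> Optional[tuple[str, int]]:
    """Decode a plaintext cookie value to (ip, port); None if not that format."""
    m = PLAIN_VALUE.match(value)
    if not m:
        return None  # encrypted, IPv6 or route-domain forms are not handled here
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Little-endian bytes of the integer are the dotted-quad octets in order.
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    # Port is stored byte-swapped: 8080 (0x1F90) appears as 36895 (0x901F).
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]
    return ip, port


def find_leaky_cookies(headers: list[str]) -> list[tuple[str, str, int]]:
    """Return (cookie_name, ip, port) for every decodable BIGipServer cookie."""
    leaks = []
    for line in headers:
        header, sep, rest = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        cookie = rest.split(";", 1)[0].strip()  # name=value before attributes
        name, eq, value = cookie.partition("=")
        if not eq or not name.startswith("BIGipServer"):
            continue
        decoded = decode_bigip_cookie(value)
        if decoded:
            leaks.append((name, *decoded))
    return leaks


if __name__ == "__main__":
    for name, ip, port in find_leaky_cookies(SAMPLE_HEADERS):
        print(f"{name} exposes pool member {ip}:{port}")
```

The remediation F5's hardening guidance describes is to require cookie encryption on the cookie persistence profile, which replaces the decimal form with an opaque value; a quick way to verify the change took effect is to run this decoder over the Set-Cookie headers from a fresh response and confirm it reports nothing.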

Attack Attribution and Broader Threat Context

According to Bloomberg, the breach has been linked to BRICKSTORM, a malware family associated with a China-nexus cyber espionage group tracked as UNC5221. The group has previously targeted U.S. law firms, SaaS providers, and technology companies using long-term access operations focused on data theft and reconnaissance.

Security experts note that by stealing both source code and undisclosed vulnerability information, attackers can accelerate exploit development. F5 has disclosed 45 vulnerabilities this quarter, compared to 6 in the previous quarter, suggesting accelerated patching efforts to stay ahead of potential exploitation.

Ongoing Risks

The F5 BIG-IP source code breach serves as a reminder that development environments are increasingly becoming prime targets for state-sponsored actors seeking to exploit software supply chains. Even without evidence of immediate exploitation, the exposure of proprietary code and vulnerability data raises long-term risks for organizations relying on BIG-IP technologies.
