Date of Incident:
August 9, 2025
Overview:
In August 2025, F5 Networks experienced a breach by nation-state hackers who accessed and stole the source code, undisclosed vulnerabilities, and some customer configuration details of their BIG-IP products. Occurring on August 9 and reported on October 15, the attack involved advanced persistent threat actors utilizing specific MITRE ATT&CK techniques. Despite the severity, there was no evidence of actual exploitation or private data disclosure, and no compromise of other linked platforms. Similar companies operating in the sector include Palo Alto Networks, Fortinet, and Cisco Systems.
Impact:
Nation-state hackers breached F5’s systems, stealing undisclosed BIG-IP security vulnerabilities, source code, and some configuration and implementation information for a limited number of customers. No evidence of actual exploitation or disclosure of private information was found, and no compromise of other platforms or software supply chain occurred.
Details:
The breach involved advanced persistent threat (APT) actors whose activity likely maps to MITRE ATT&CK techniques T1560 (Archive Collected Data), T1005 (Data from Local System), and T1078 (Valid Accounts) for initial access. The stolen artifacts included undisclosed vulnerabilities in BIG-IP devices and source code with configuration settings that could expose customer implementation details. Indicators of Compromise (IOCs) include unusual outbound data transfers from F5 internal networks, anomalous logins from foreign IP addresses, and artifacts such as modified system logs and registry edits typical of data exfiltration malware. Analysis of proof-of-concept (PoC) code behavior indicates that management interface vulnerabilities were exploited to extract data through covert backdoor channels. Log artifacts include elevated-privilege logins that did not trigger MFA and records of unauthorized access to source code repositories.
Remediation:
F5 Networks has released patches addressing known variants of BIG-IP vulnerabilities and strongly recommends updating immediately to the latest BIG-IP software version. Temporary mitigations include disabling remote management interfaces where they are not in use and enabling multifactor authentication (MFA) on all administrative accounts. Regular network traffic monitoring and anomaly detection rules are advised to identify unusual data exfiltration activity. For compromised credentials, immediate password resets and incident response engagement are critical.
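The log artifacts listed under Details and the anomaly detection advised here can be turned into a small hunting rule set. The following is an added example, not code from F5 or from this report; the audit log format, the corporate IP ranges, the set of accounts entitled to clone source, and the 500 MiB outbound baseline are all constructed assumptions, and "external to the corporate ranges" stands in for the report's "foreign IP addresses" since no geolocation is available offline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample audit records (not real F5 telemetry), one event per line:
# timestamp user source_ip event mfa=<yes|no> bytes_out=<n>
SAMPLE_LOG = """\
2025-08-09T02:11:05Z admin 10.20.1.5 admin_login mfa=yes bytes_out=0
2025-08-09T02:14:22Z svc_build 203.0.113.45 admin_login mfa=no bytes_out=0
2025-08-09T02:15:01Z svc_build 203.0.113.45 repo_clone mfa=no bytes_out=734003200
2025-08-09T03:40:17Z dev1 10.20.3.9 repo_clone mfa=yes bytes_out=52428800
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges
REPO_ALLOWED = {"dev1", "dev2"}          # assumed: accounts entitled to clone source
EXFIL_THRESHOLD = 500 * 1024 * 1024      # assumed baseline: >500 MiB outbound per user


def parse(line):
    """Split one constructed audit line into typed fields."""
    ts, user, src, event, mfa, out = line.split()
    return {"ts": ts, "user": user, "src": ip_address(src), "event": event,
            "mfa": mfa.split("=", 1)[1] == "yes",
            "bytes_out": int(out.split("=", 1)[1])}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return sorted (rule, user) findings for the four IOC classes in the report."""
    findings = set()
    outbound = defaultdict(int)          # bytes sent per user, summed across events
    for line in log_text.splitlines():
        r = parse(line)
        outbound[r["user"]] += r["bytes_out"]
        if r["event"] == "admin_login":
            if not r["mfa"]:             # elevated-privilege login without MFA
                findings.add(("privileged_login_without_mfa", r["user"]))
            if not is_internal(r["src"]):  # admin login from outside corporate ranges
                findings.add(("admin_login_from_external_ip", r["user"]))
        if r["event"] == "repo_clone" and r["user"] not in REPO_ALLOWED:
            findings.add(("unauthorized_repo_access", r["user"]))
    for user, total in outbound.items():   # unusual outbound data volume
        if total > EXFIL_THRESHOLD:
            findings.add(("unusual_outbound_volume", user))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user in detect(SAMPLE_LOG):
        print(f"{rule}: {user}")
```

On the sample log every rule fires for svc_build only; in production the thresholds and allow-lists would come from observed baselines rather than constants.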
Takeaway for CISO:
This incident highlights the risks associated with vendor software source code exposure and the potential for zero-day vulnerabilities to be weaponized by nation-state actors. CISOs must prioritize secure software supply chains, enforce MFA and strict access controls, and maintain vigilant monitoring for anomalous access patterns. Investing in proactive threat hunting and incident response readiness is crucial to mitigate damage from similar breaches in the future.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.