F5 breach - everything we know so far
F5 says a nation-state actor accessed internal dev systems, exfiltrated BIG-IP source code and vulnerability details, and triggered a CISA emergency patch directive.

Updated: Oct. 16, 2025
TL;DR: F5 disclosed a nation-state intrusion discovered on Aug. 9, 2025. The attacker maintained “long-term, persistent access” to internal systems, exfiltrating portions of BIG-IP source code and information about undisclosed BIG-IP vulnerabilities. F5 says there’s no evidence of software supply-chain tampering, NGINX compromise, or exploitation of the undisclosed issues to date. The U.S. government issued an Emergency Directive ordering federal agencies to patch F5 products on an accelerated timeline. Attribution remains officially unassigned, though some outlets report U.S. officials privately suspect a PRC-linked actor.
Timeline
Aug. 9, 2025 - Detection. F5 says it learned a “highly sophisticated nation-state” actor had gained unauthorized access to certain company systems.
Aug.–Sept. 2025 - Containment and investigation. F5 engaged outside responders; it believes containment actions were effective and reports no evidence of new unauthorized activity since those actions began.
Sept. 12, 2025 - DOJ authorizes delayed disclosure. The U.S. Department of Justice permitted a delay under Item 1.05(c) of Form 8-K.
Oct. 15, 2025 - Public disclosure. F5 filed an 8-K and posted a customer notice summarizing impact and actions.
Oct. 15, 2025 - CISA emergency action. Media report CISA issued an Emergency Directive requiring accelerated patching of in-scope F5 products across civilian agencies. (CISA’s page has been intermittently unreachable; timing and requirements are corroborated by multiple outlets.)
Oct. 16, 2025 - Attribution reporting. Bloomberg (via Reuters) reports U.S. officials suspect a China-linked actor; F5 has not named a threat actor.
What the attacker accessed
F5 states the actor maintained long-term, persistent access to specific internal environments:
BIG-IP product development and an engineering knowledge management platform.
Exfiltrated files included portions of BIG-IP source code and information about undisclosed BIG-IP vulnerabilities that F5 was working on.
F5’s current assessment:
No evidence of modification to the software supply chain (source, build, or release pipelines), validated by independent reviews.
No evidence of access to NGINX, F5 Distributed Cloud Services, or Silverline environments.
No evidence of access to CRM, financial, support case systems, or iHealth. However, some exfiltrated knowledge-base files contained configuration/implementation info for a small percentage of customers; F5 is notifying those customers.
The customer notice adds the vendor roster and specific steps underway, including third-party reviews by NCC Group and IOActive and a joint effort with CrowdStrike/Mandiant; F5 is also offering Falcon EDR for BIG-IP (early access) with a free subscription through Oct. 14, 2026 for supported customers.
What F5 has shipped since disclosure
F5’s customer communication says updates are available for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients, and strongly advises updating.
Coverage indicates the October 2025 updates address vulnerabilities whose details may have been exposed in the breach (BleepingComputer reports “44 vulnerabilities,” including those stolen). F5 also rotated product signing certs/keys and published operational guidance (remote syslog, login monitoring, iHealth checks).
Note: F5 references its Quarterly Security Notification (QSN) process (October 2025) for vulnerability details. While the specific October QSN page can be gated/ephemeral, F5’s QSN program is documented and regularly updated.
U.S. government response
Emergency Directive (ED): Outlets report CISA’s directive requires agencies to inventory F5 devices, patch by short deadlines (e.g., Oct. 22 for certain product lines; Oct. 31 for others), and remove public-facing EoS devices.
Reporting describes the actor as an imminent threat to federal networks using F5 gear and positions this as part of a broader supply-chain risk campaign.
Attribution status
F5 and U.S. agencies have not publicly attributed the intrusion beyond “nation-state.”
Reporting: Bloomberg cites unnamed officials indicating a PRC nexus and references F5 customer briefings and “Brickstorm” threat-hunting guidance; Reuters could not independently verify. Treat as unconfirmed, but in my personal opinion this fits the narrative very well.
When Brickstorm came out, I made a bunch of content about it being very scary sounding, and I knew it wasn’t the last we’d heard of it. I’m hearing that the initial warnings of long dwell time in networked appliances that don’t have EDR are accurate, and this fits F5 very well. Over 12 months of dwell there and all the long, patient downstream impacts of collecting code and configs fit Brickstorm as well.
What F5 customers should do now
1) Patch and upgrade aggressively.
Install the latest BIG-IP / F5OS / BIG-IQ / APM updates referenced in F5’s October releases. Track the QSN for specifics.
2) Assume some undisclosed findings are now known to an adversary.
Even though F5 says it is “not aware” of critical RCEs among the stolen bugs and has no evidence of exploitation, treat exposure risk as non-zero and tighten compensating controls.
3) Harden management plane and improve telemetry.
F5 recommends enabling event streaming to your SIEM, configuring remote syslog (KB13080), and monitoring for login attempts (KB13426). Use iHealth automated hardening checks.
4) Threat hunt.
Use F5’s threat-hunting guide (via support) and consider EDR coverage on BIG-IP (CrowdStrike Falcon early access). Validate that there are no unexpected admin accounts, config drift, or pipeline changes. - TBH, the info F5 has released leaves a lot to be desired at this point. I’d also check Google’s BRICKSTORM hunting tool in case these are related, as I assume they are.
5) Review exposure of interfaces.
Per reporting on the ED, inventory all F5 gear, remove public-facing management interfaces, and decommission EoS devices.
6) If you suspect you’re among the “small percentage” with config data in exfiltrated KB files:
Rotate credentials/API keys referenced in device configs, audit trust relationships, and review change history on affected devices. (F5 says it will contact affected customers directly.)
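As an added example (not F5’s tooling or code from this post), here is a small Python triage script that implements the checks steps 3 and 4 above call for: a failed-then-accepted login pattern over remote syslog, admin accounts that are not in an approved baseline, and configuration drift by hash against a trusted snapshot. The sshd-style log lines, account sets and config contents are constructed samples, and the exact BIG-IP log layout and config file names are assumptions.

```python
import hashlib
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample lines in standard sshd/syslog format; the exact BIG-IP
# /var/log/secure layout and hostnames are assumptions for this example.
SAMPLE_SECURE_LOG = """\
Oct 16 09:12:01 bigip1 sshd[4111]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 16 09:12:03 bigip1 sshd[4111]: Failed password for root from 203.0.113.5 port 51235 ssh2
Oct 16 09:12:05 bigip1 sshd[4112]: Failed password for invalid user admin2 from 203.0.113.5 port 51236 ssh2
Oct 16 09:12:09 bigip1 sshd[4113]: Accepted password for root from 203.0.113.5 port 51237 ssh2
Oct 16 09:30:44 bigip1 sshd[4201]: Accepted publickey for admin from 192.0.2.10 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


def failed_then_success(log: str, threshold: int = 3) -> List[dict]:
    """Flag a source that logs in successfully after >= threshold failed attempts."""
    failures = Counter()
    alerts = []
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            alerts.append({"src": src, "user": user, "failures": failures[src]})
    return alerts


def unexpected_admins(baseline: Set[str], current: Set[str]) -> Set[str]:
    """Admin-role accounts present now that were not in the approved baseline."""
    return current - baseline


def config_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """SHA-256 each config file and report 'added' or 'changed' versus a trusted pre-advisory snapshot."""
    digest = lambda text: hashlib.sha256(text.encode()).hexdigest()
    base = {name: digest(text) for name, text in baseline.items()}
    cur = {name: digest(text) for name, text in current.items()}
    return {name: ("added" if name not in base else "changed")
            for name in cur if base.get(name) != cur[name]}
```

Feed it the remote-syslog export and a config snapshot taken before the advisory; anything it returns is a lead to investigate, not proof of compromise.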
Open questions we’re tracking
Initial access vector: Not publicly disclosed. - I’ve heard insider rumors, but they are just rumors.
Exact dwell time: F5 confirms persistent access but hasn’t published a start date; some reporting suggests 12+ months, unconfirmed.
Public exploitation: As of filing, F5 says it is not aware of active exploitation of undisclosed F5 vulns. Watch vendor advisories and CISA’s KEV catalog for changes.
CISA emergency orders & agency patch sprints (Cisco case) - context on how EDs play out operationally: Vulnerable U #136.
PRC-linked campaigns against U.S. infrastructure - prior coverage: FBI: ‘Broad and Significant’ Chinese Telecom Hack.
Large-scale vendor/security patch events - examples of accelerated patch guidance: BeyondTrust flaw under active attack and Cleo file-transfer mass exploitation.
Sources: SEC filing and customer notice (F5), major outlets covering the emergency directive and attribution, and vendor update coverage. See citations throughout.