Hackers from an unknown country infiltrated F5 Networks’ IT environment for months. Access to the development environment for new products and IP may have led to large-scale data theft.

The development environment for BIG-IP was the main target. This product is designed to protect customers’ most important applications and services. Given that F5 has many prominent parties among its 23,000 customers, it is easy to imagine why a state hacker would target the company.

Long-term infiltration discovered

F5 discovered the breach on August 9, 2025. The investigation revealed that attackers had access to critical systems for an extended period of time. They penetrated the BIG-IP product development environment and the technical knowledge management platform.

This access allowed the hackers to steal source code, information about unpublished vulnerabilities, and some customer configuration data. F5 disclosed this in documents submitted to the US SEC, which BleepingComputer has reviewed.

Limited impact on systems

F5’s own software supply chain remained uncompromised. There were also no suspicious code changes within the BIG-IP environment, so it appears that the attackers only exfiltrated data. Other platforms such as CRM and financial systems and support services remained secure. NGINX, F5 Distributed Cloud Services, and Silverline systems also escaped the attack.

Despite the critical nature of the stolen information, F5 states that there is no evidence of actual misuse. The attackers have most likely not used the unknown vulnerabilities for further attacks against systems, according to the security company.

Communication to the outside world

The US government requested a delay in the public notification. On September 12, 2025, the Department of Justice determined that this was justified under regulations. “F5 is now submitting this report in a timely manner,” the company explains.

F5 is still checking which customers had configuration or implementation details stolen. These customers will receive instructions and guidance from the company. F5 states that the incident has no material impact on its business operations. All services remain available and are considered secure.

