2025-10-15 F5, INC. Cybersecurity Incident

Page last updated on October 15, 2025

F5, INC. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2025-10-15 08:30:56 EDT.

Company Summary

F5 is a multi-cloud application services and security company that specializes in application security, performance, and delivery.

Incident Details

Material: No
Is Breach: Yes
Records Compromised: Unknown
Data Types Impacted: Unspecified, Other

Compromised Date: Unknown
Detected Date: Unknown
Disclosure Date: 2025-10-15
Contained Date: Unknown
Recovered Date: Unknown

Attack Goal: Theft
Attack Tactics¹: TA0010, TA0003, TA0001
Attack Techniques¹: T1213.003, OTHER

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2025-10-15

F5, INC. filed an 8-K at 2025-10-15 08:30:56 EDT
Accession Number: 0001048695-25-000149

Item 1.05 Material Cybersecurity Incidents.

On August 9, 2025, F5, Inc. (the “Company”, “F5”, “we”, or “our”) learned that a highly sophisticated nation-state threat actor had gained unauthorized access to certain Company systems. The Company promptly activated its incident response processes, and has taken extensive actions to contain the threat actor. To support these activities, the Company engaged leading external cybersecurity experts.

The Company believes its containment actions have been successful and, since the initiation of its containment efforts, has not observed any evidence of new unauthorized activity. The investigation, monitoring, and related activities are ongoing. The Company is actively engaged with federal law enforcement and government partners in connection with this incident. Additionally, the Company is implementing further measures to strengthen its security environment and protect its customers.

During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform. Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP. We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities. We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms.

We have no evidence of access to, or exfiltration of, data from our CRM, financial, support case management, or iHealth systems. However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers. The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate.

We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.

On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner.

As of the date of this disclosure, this incident has not had a material impact on the Company’s operations, and the Company is evaluating the impact this incident may reasonably have on its financial condition or results of operations.

Item 7.01 Regulation FD Disclosure.

On October 15, 2025, F5 posted certain information regarding the incident on its MyF5 customer support site. A copy of that posting is furnished as Exhibit 99.1 to this report.

The information in this Item 7.01 and Exhibit 99.1 shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or otherwise subject to the liability of that section, and shall not be incorporated by reference into any registration statement or other document filed under the Securities Act of 1933, as amended, or the Exchange Act, except as shall be expressly set forth by specific reference in such filing.

Exhibit No. 99.1

Website Post dated October 15, 2025 titled “F5 Security Incident

F5 Security Incident: Disclosure Statement

The following message will be posted on MyF5.com and emailed to customers.

We want to share information with you about steps we’ve taken to resolve a security incident at F5 and our ongoing efforts to protect our customers.

In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems. These systems included our BIG-IP product development environment and engineering knowledge management platforms. We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.

In response to this incident, we are taking proactive measures to protect our customers and strengthen the security posture of our enterprise and product environments. We have engaged CrowdStrike, Mandiant, and other leading cybersecurity experts to support this work, and we are actively engaged with law enforcement and our government partners.

We have released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. More information can be found in our October 2025 Quarterly Security Notification.
We strongly advise updating to these new releases as soon as possible.

What We Know

At this time, based on our investigation of available logs:

• We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP. We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.
• We have no evidence of access to, or exfiltration of, data from our CRM, financial, support case management, or iHealth systems. However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers. We are currently reviewing these files and will be communicating with affected customers directly as appropriate.
• We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms NCC Group and IOActive.
• We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.

What You Can Do

Our priority right now is helping you strengthen and secure your F5 environment against risks from this incident. We are providing a number of resources to support actions you can take:

• Updates to BIG-IP software. Updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients are available now. Though we have no knowledge of undisclosed critical or remote code execution vulnerabilities, we strongly advise updating your BIG-IP software as soon as possible. More information about these updates can be found in the Quarterly Security Notification.
• Threat intelligence. A threat hunting guide to strengthen detection and monitoring in your environment is available from F5 support.
• Hardening guidance with verification. We publish best practices for hardening your F5 systems and have added automated hardening checks to the F5 iHealth Diagnostic Tool. This tool will surface gaps, prioritize actions, and provide links to remediation guidance.
• SIEM integration and monitoring guidance. We recommend enabling BIG-IP event streaming to your SIEM and provide step-by-step instructions for syslog configuration (KB13080) and monitoring for login attempts (KB13426). This will enhance your visibility and alerting for admin logins, failed authentications, and privilege and configuration changes.

Our global support team is available to assist. You can open a MyF5 support case or contact F5 support directly for help updating your BIG-IP software, implementing any of these steps, or to address any questions you may have. We will keep this page updated with new information and resources.

What We Are Doing

We have taken, and will continue to take, significant steps to protect customers by remediating this threat and strengthening the security of our core enterprise and product infrastructure.

Since initiating our incident response efforts, we have:

• Rotated credentials and strengthened access controls across our systems.
• Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.
• Implemented enhancements to our network security architecture.
• Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.

We are taking additional actions to further strengthen the security of our products:

• Continuing code review and penetration testing of our products with support from both NCC Group and IOActive to identify and remediate vulnerabilities in our code.
• Partnering with CrowdStrike to extend Falcon EDR sensors and Overwatch Threat Hunting to BIG-IP for additional visibility and to strengthen defenses. An early access version is available to BIG-IP customers and F5 is providing supported customers with a free Falcon EDR subscription through October 14, 2026.

Your trust matters. We know it is earned every day, especially when things go wrong. We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.

Company Information