F5 Breach Exposes BIG-IP Source Code and Undisclosed Vulnerabilities
F5, a leading provider of application security and delivery technology, confirmed that it suffered a significant cybersecurity breach attributed to a highly sophisticated nation-state threat actor. The company first detected unauthorized access to its systems on August 9, 2025, and immediately initiated incident response protocols, including engaging external cybersecurity experts such as CrowdStrike and Mandiant.

Investigations revealed that the attackers maintained long-term, persistent access to critical F5 environments, specifically the BIG-IP product development environment and the engineering knowledge management platform. During this period, the threat actors exfiltrated files containing portions of the BIG-IP source code and information about vulnerabilities that had not yet been publicly disclosed or patched. Some configuration and implementation information for a limited number of customers was also stolen; F5 stated that affected customers would be notified directly.

The breach did not impact F5's software supply chain, as independent reviews found no evidence of malicious modifications to source code, build, or release pipelines. There was also no indication that the attackers accessed or tampered with the NGINX product line, Distributed Cloud Services, Silverline systems, or customer data in CRM, financial, or support case management systems.

F5 emphasized that, as of the latest investigation, there is no evidence that the stolen vulnerability information has been used in active exploitation or that the private information has been publicly disclosed. The company's containment measures, implemented promptly after discovery, have been effective, with no signs of further unauthorized activity since their deployment. The U.S. Department of Justice authorized F5 to delay public disclosure of the breach due to national security concerns, as permitted under SEC rules.
The UK National Cyber Security Centre highlighted the risk that attackers could use the stolen source code to identify additional vulnerabilities and develop targeted exploits. F5’s flagship BIG-IP product is widely used by major enterprises, including 48 of the Fortune 50, raising concerns about the potential impact of the breach. The company continues to monitor for any signs of exploitation and is working closely with law enforcement and cybersecurity partners. F5 has reassured customers that the breach did not compromise the integrity of its software updates or supply chain. The incident underscores the ongoing threat posed by nation-state actors to critical technology providers and the importance of rapid detection and response to sophisticated intrusions.

How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Researchers identify Brickstorm backdoor in the F5 intrusion
On October 24, 2025, reporting said researchers had identified the Brickstorm backdoor as part of the F5 attack chain. The malware reportedly enabled stealthy long-term access, encrypted outbound communications, proxying, and concealed exfiltration traffic.
Bloomberg reports hackers had been inside F5 since 2023
On October 18, 2025, Bloomberg reported that the attackers had been lurking in F5's systems since 2023, extending the understood dwell time of the compromise. This significantly expanded the understood scope and persistence of the incident.
Media reporting links the breach to China-aligned actors
By October 16, 2025, reporting said U.S. officials privately suspected a China-linked threat actor was responsible for the F5 intrusion. Subsequent analysis and media coverage associated the activity with UNC5221 and the broader Silk Typhoon ecosystem, though F5's public disclosure did not name an actor.
GreyNoise observes increased scanning for BIG-IP after disclosure
Threat intelligence reporting said internet scanning for BIG-IP devices spiked after F5's announcement, suggesting attackers and researchers were rapidly operationalizing the newly disclosed risk. The activity heightened concern that stolen code and vulnerability intelligence could soon be weaponized.
Researchers publish internet exposure estimates for BIG-IP devices
Following the disclosure, security researchers and vendors reported that hundreds of thousands of BIG-IP instances were exposed or identifiable on the internet, underscoring the scale of potential downstream risk. Counts reported in coverage included more than 262,000 exposed systems and over 600,000 hosts behind exposed instances.
CERT-EU and Canada issue advisories on F5 vulnerabilities
Government cybersecurity bodies outside the U.S., including CERT-EU and Canada's cyber center, published alerts on October 15, 2025, warning organizations about the F5 incident and associated vulnerabilities. These advisories urged rapid patching and defensive review of affected deployments.
CISA orders federal agencies to mitigate F5 device risk
CISA issued Emergency Directive 26-01 on October 15, 2025, warning that the stolen source code and vulnerability information posed a significant threat to federal networks. The directive required agencies to identify exposed F5 devices, remove public management access where applicable, and apply mitigations on an accelerated timeline.
F5 releases security updates and hardening guidance
F5 published patches for multiple affected product lines and issued mitigation, hardening, and threat-hunting guidance. The company also rotated credentials and strengthened internal security controls in response to the breach.
F5 publicly discloses nation-state breach in SEC filing
On October 15, 2025, F5 disclosed that a highly sophisticated nation-state actor had breached its internal systems and maintained long-term access. The company said it had no evidence of software supply-chain tampering and no known active exploitation of the stolen undisclosed vulnerabilities at the time of disclosure.
Attackers exfiltrate BIG-IP source code and undisclosed vulnerability data
During the intrusion, the threat actor stole portions of BIG-IP source code, information on previously undisclosed BIG-IP vulnerabilities, and some configuration or implementation files affecting a small percentage of customers.
DOJ delays F5's public disclosure for national security reasons
After detecting the breach, F5 postponed public notification at the request of the U.S. Department of Justice. Multiple reports said the delay was tied to national security concerns.
F5 detects the intrusion in its internal environment
F5 identified the security incident on August 9, 2025, discovering a sophisticated nation-state compromise affecting internal systems tied to BIG-IP development and engineering knowledge resources.
Nation-state hackers begin long-term intrusion into F5 systems
Attackers gained persistent access to F5's corporate network, including the BIG-IP development environment and an engineering knowledge management platform. Later reporting said the compromise may have begun as early as 2023 and remained undetected for an extended period.
Sources
Advanced Brickstorm backdoor discovered in F5 attack (scworld.com)
Serious F5 Breach (schneier.com)
F5 breach exposes 262,000 BIG-IP systems worldwide (securityaffairs.com)
Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023 (bloomberg.com)
F5 BIG-IP Environment Breached by Nation-State Actor (darkreading.com)
F5 says hackers stole undisclosed BIG-IP flaws, source code (bleepingcomputer.com)
CISA Directs Federal Agencies to Mitigate Vulnerabilities in F5 Devices (cisa.gov)
F5 releases BIG-IP patches for stolen security vulnerabilities (bleepingcomputer.com)