F5 Breach Involving Nation-State Attackers and Customer Configuration Data Exposure
F5 disclosed that a prolonged intrusion by a nation-state threat actor resulted in unauthorized access to its internal systems, prompting emergency updates to BIG-IP software and hardware across its customer base. The company reported that configuration data belonging to a small percentage of customers was stolen during the attack, but emphasized that most customers were not significantly impacted. F5 worked rapidly with affected organizations to deploy critical patches, and a major North American technology provider was able to update over 800 devices within hours of the disclosure. The breach led to a rare emergency directive from federal cyber authorities, underscoring the seriousness of the incident.
F5's leadership stated that the attack was first detected in August and publicly disclosed in October, with ongoing investigations to determine the full scope of data exposure. The company remains optimistic that the breach has been contained and that the majority of its largest customers have completed necessary mitigations with minimal disruption. The incident highlights the persistent risk posed by advanced threat actors targeting technology vendors and the importance of rapid response and transparent communication in managing supply chain security threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
F5 says nation-state intrusion had limited business impact
During an earnings-related disclosure, F5 said the prolonged attack on its systems had limited impact. The company publicly addressed the incident as reporting on the breach widened.
Defenders observe active exploitation of CVE-2025-59287
Eye Security and Huntress reported that attackers were actively exploiting the newly patched WSUS vulnerability CVE-2025-59287. The activity elevated the issue from a patching concern to an in-the-wild threat.
Microsoft patches critical WSUS remote code execution flaw
Microsoft released a fix for CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services. The flaw later became notable because defenders observed active exploitation soon after patching.
Nation-state actor breaches F5 systems and remains undetected for years
F5 disclosed that a nation-state threat actor compromised some of its systems and maintained access for a prolonged period, reportedly spanning years. Reporting linked the intrusion to China and characterized it as a long-dwell espionage-style breach.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
F5 Breach Involving Nation-State Attackers and Theft of Source Code
F5 confirmed that a nation-state threat actor gained persistent access to its internal systems, resulting in the theft of *BIG-IP* source code, customer configuration data, and information on 44 vulnerabilities. The company stated that only a small number of customers were affected, all of whom have since applied emergency updates, and emphasized that the stolen data was not sensitive and that customer operations experienced minimal disruption. F5 has responded by expanding its bug bounty program and partnering with CrowdStrike to enhance endpoint detection and response (EDR) capabilities for *BIG-IP* systems, while external cybersecurity firms IOActive and NCC Group found no critical flaws in the stolen code. Despite F5's assurances that the incident is contained and the impact is limited, some independent researchers have raised concerns about the company's transparency and the true extent of operational control and reputational damage. The breach, discovered in August and disclosed in October, also triggered a federal emergency directive. F5 maintains that the incident has not significantly affected its business outlook, projecting up to 4% revenue growth in fiscal 2026, but scrutiny continues regarding the adequacy of its response and communication with stakeholders.
Mar 21, 2026
F5 Breach Exposes BIG-IP Source Code and Undisclosed Vulnerabilities
F5, a leading provider of application security and delivery technology, confirmed that it suffered a significant cybersecurity breach attributed to a highly sophisticated nation-state threat actor. The company first detected unauthorized access to its systems on August 9, 2025, and immediately initiated incident response protocols, including engaging external cybersecurity experts such as CrowdStrike and Mandiant. Investigations revealed that the attackers maintained long-term, persistent access to critical F5 environments, specifically the BIG-IP product development environment and the engineering knowledge management platform. During this period, the threat actors exfiltrated files containing portions of the BIG-IP source code and information about vulnerabilities that had not yet been publicly disclosed or patched. Additionally, some configuration and implementation information for a limited number of customers was also stolen, though F5 stated that affected customers would be notified directly. The breach did not impact F5’s software supply chain, as independent reviews found no evidence of malicious modifications to source code, build, or release pipelines. There was also no indication that the attackers accessed or tampered with the NGINX product line, Distributed Cloud Services, Silverline systems, or customer data in CRM, financial, or support case management systems. F5 emphasized that, as of the latest investigation, there is no evidence that the stolen vulnerability information has been used in active exploitation or that the private information has been publicly disclosed. The company’s containment measures, implemented promptly after discovery, have been effective, with no signs of further unauthorized activity since their deployment. The U.S. Department of Justice authorized F5 to delay public disclosure of the breach due to national security concerns, as permitted under SEC rules. The UK National Cyber Security Centre highlighted the risk that attackers could use the stolen source code to identify additional vulnerabilities and develop targeted exploits. F5’s flagship BIG-IP product is widely used by major enterprises, including 48 of the Fortune 50, raising concerns about the potential impact of the breach. The company continues to monitor for any signs of exploitation and is working closely with law enforcement and cybersecurity partners. F5 has reassured customers that the breach did not compromise the integrity of its software updates or supply chain. The incident underscores the ongoing threat posed by nation-state actors to critical technology providers and the importance of rapid detection and response to sophisticated intrusions.
Apr 14, 2026
F5 Breach Involving Advanced Brickstorm Malware and Supply Chain Risks
F5, a major application delivery and security provider, disclosed a significant breach in which malicious actors maintained persistent access to critical systems, including the BIG-IP product development environment and engineering knowledge management platform. The breach, which began in August and was deemed material by September, prompted F5 to delay public notification due to national security concerns. Upon disclosure, F5 released security patches for affected products, and CISA issued an emergency directive requiring federal agencies to patch vulnerable F5 devices immediately. The advanced 'Brickstorm' malware, attributed to Chinese threat actors, was detected as part of this breach, raising concerns about the potential for long-term exploitation of stolen technical specifications and code. While there is currently no evidence that the stolen information has been used to exploit F5 devices or alter the codebase, the incident highlights the ongoing risks associated with software supply chain attacks. The breach underscores the challenges organizations face in securing complex supply chains, as even widely adopted security frameworks may not fully mitigate such threats. The F5 incident draws parallels to previous high-profile supply chain compromises, emphasizing the need for more robust and comprehensive security measures to protect critical infrastructure and sensitive data from sophisticated nation-state actors.
Mar 21, 2026