F5 victim of state cyberattack, China suspected of year-long persistent access to its systems

The American cybersecurity provider F5, based in Seattle, has confirmed that it suffered a major cyberattack carried out by a “highly sophisticated” state actor, which several government sources attribute to China. The company acknowledges that the attackers maintained “persistent and long-term access” to some of its systems, including the development environment for its flagship product BIG-IP, used by many Fortune 500 companies and federal agencies.

A discreet and prolonged compromise

According to F5, “in August 2025, we learned that a highly sophisticated state threat actor had maintained long-term persistent access and downloaded files from certain F5 systems.” Investigations confirmed that these files contained “parts of BIG-IP source code and information on previously undisclosed vulnerabilities.”

The company specifies, however, that it “is not aware of any critical or undisclosed remote code execution vulnerabilities” and that it “has not observed any active exploitation” of the identified flaws.

The intrusions reportedly lasted nearly a year before being detected. CEO François Locoh-Donou reportedly personally informed several major clients of the incident timeline and the actions taken.

Targeted source code, but an intact software chain

In its statement, F5 claims to have “no evidence of changes to its software supply chain, including its source code and build and distribution pipelines.” This assessment was confirmed by independent audits carried out by NCC Group and IOActive.

The company adds that it “found no evidence of data access or exfiltration from its CRM, financial, or support systems,” although “some exfiltrated files contained configuration or implementation information for a small percentage of customers.” They will be contacted directly.

No trace of malicious activity was noted on NGINX, F5 Distributed Cloud Services or Silverline, the group’s other strategic products.

A coordinated response with authorities and experts

F5 says it immediately “activated its incident response processes” and surrounded itself with “CrowdStrike, Mandiant and other leading experts” to contain the threat. The company assures that “since the launch of these activities, no new unauthorized activity has been observed” and believes that its “containment efforts have been successful”.

The company specifies that it is “actively engaged with law enforcement and government partners” and continues “to implement additional measures to strengthen the security posture of its enterprise and product environments”.

These measures include rotating credentials, strengthening access controls, redesigning network architecture, and deploying new monitoring and response capabilities.

Urgent recommendations to clients

In its customer communication, F5 recommends immediate software updates for BIG-IP, F5OS, BIG-IQ, APM and BIG-IP Next for Kubernetes, available in its Quarterly Security Notification of October 2025. “While we are not aware of any undisclosed critical vulnerabilities, we strongly advise that you update your BIG-IP software as soon as possible,” the company says.

F5 also published a threat hunting guide for the Brickstorm malware, attributed to the Chinese group UNC5221, which is known for stealing source code in order to exploit vulnerabilities discovered in security products. The guide provides detection methods, hardening practices, and SIEM integration instructions.

An incident of systemic significance

The American and British authorities reacted firmly. CISA issued an emergency directive calling the F5 compromise a “significant cyber threat” and required all federal agencies to implement the updates by October 22. In the United Kingdom, the National Cyber Security Centre (NCSC) recommended that organizations evaluate their F5 product deployments and report any signs of compromise.

Internal reorganization and operational continuity

F5 indicates that “this incident did not have a material impact on operations” and continues to evaluate its financial implications. The company has also appointed Michael Montoya to the post of Chief Technology Operations Officer, effective October 13, 2025, responsible for “driving enterprise-wide security strategy and execution.”