F5, a network security company that serves 80% of the Fortune 500, says an attacker gained “long-term, persistent access” to its systems.

The advanced attacker used their sustained access to steal source code and information about undisclosed vulnerabilities in F5's BIG-IP suite.

The $19 billion market cap firm made the admission in an SEC filing today – two days after it rotated cryptographic keys and certificates.

It insisted though that the attack was not SolarWinds, redux: “We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines.”

Today it also pushed a security update that patches 40+ CVEs.

F5 said it learned of the incident in August 2025. It did not, worryingly for customers, specify when it was first breached. "We have taken extensive actions to contain the threat actor," it added today.

The Department of Justice on September 12 let it delay public disclosure until now on national security grounds, its SEC filing showed.

It was not immediately clear why F5 waited until October to rotate security keys, having learned of the breach in August.

CISA has called for “immediate emergency action” in the wake of the incident, saying the threat group “presents an imminent threat to federal networks using F5 devices and software.”

“Exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and API keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems,” it warned.

F5 breach: Configuration files stolen

F5 said in the SEC filing: “We are not aware of active exploitation of any undisclosed F5 vulnerabilities” – saying that this view had been validated by independent cybersecurity assessments by NCC Group and IOActive.

It published a separate security notification today.

F5 admitted, however, that the attackers had successfully stolen “configuration or implementation information for a small percentage of customers” and said that it would contact them directly.

Since it started incident response it said that it had:

  • Rotated credentials and strengthened access controls across our systems.
  • Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.
  • Implemented enhancements to our network security architecture.
  • Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.

Ryan Dewhurst, who runs threat intelligence at watchTowr, said: "On October 13th, F5 quietly announced it had rotated its signing certificates and cryptographic keys, the ones used to prove that F5-produced software is legitimate and untampered. That’s not a routine update."

He added: "Older software signed with the previous keys may now warrant closer scrutiny. For a vendor whose products sit deep in enterprise and government networks, this is a serious breach of trust."

Dewhurst said: “If those compromised keys were stolen, and F5 hasn’t ruled that out, malicious software updates signed by ‘F5’ could be indistinguishable from the real thing.”

F5 said: "We have released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. More information can be found in our October 2025 Quarterly Security Notification. We strongly advise updating to these new releases as soon as possible."