Incident · Nation State

F5, Inc. · FFIV

Information Technology · USA · Incident August 9, 2025 · Filed October 15, 2025
Impact score
Business continuity
Insurance involved
Not disclosed
Filing
8-K · 1.05

Breach taxonomy

Nation State · Data Exfil · IP Trade Secrets · Confidential Biz · Info Privacy Loss · Network Security

Summary

On August 9, 2025, F5, Inc. determined that a highly sophisticated nation-state threat actor had gained long-term, persistent unauthorized access to certain company systems, including the BIG-IP product development environment and engineering knowledge management platform. Certain files were exfiltrated including portions of BIG-IP source code, information about undisclosed vulnerabilities, and configuration/implementation data for a small percentage of customers. F5 engaged federal law enforcement and leading external cybersecurity research firms and believes containment actions were successful with no evidence of new unauthorized activity observed since containment.

Tagging rationale

Threat: Nation State

Filing explicitly states 'a highly sophisticated nation-state threat actor had gained unauthorized access' -> NATION-STATE.

Methods: Data Exfil

Filing confirms the threat actor maintained long-term persistent access and exfiltrated certain files including source code, vulnerability information, and customer configuration data -> DATA-EXFIL.

Assets: IP Trade Secrets · Confidential Biz

Exfiltrated files included portions of BIG-IP source code and information about undisclosed vulnerabilities (IP and trade secrets), as well as configuration/implementation information for a small percentage of customers (confidential business data) -> IP-TRADE-SECRETS and CONFIDENTIAL-BIZ.

Effects: Info Privacy Loss · Network Security

Exfiltration of BIG-IP source code and undisclosed vulnerability information poses network security risks to F5 customers (NETWORK-SECURITY); customer configuration data exposure constitutes information privacy loss (INFO-PRIVACY-LOSS).

Impact

Nation-state actor maintained persistent access to a critical network security vendor's source code and vulnerability database for an extended period; exposure of undisclosed vulnerabilities in widely deployed BIG-IP products creates systemic risk across F5's customer base -> score 4.

Insurance: Not disclosed

Filing makes no mention of insurance -> null.

Read the original SEC filing excerpt
Item 1.05 Material Cybersecurity Incidents

On August 9, 2025, F5, Inc. (the "Company", "F5", "we", or "our") learned that a highly sophisticated nation-state threat actor had gained unauthorized access to certain Company systems. The Company promptly activated its incident response processes, and has taken extensive actions to contain the threat actor. To support these activities, the Company engaged leading external cybersecurity experts. The Company believes its containment actions have been successful and, since the initiation of its containment efforts, has not observed any evidence of new unauthorized activity.

The investigation, monitoring, and related activities are ongoing. The Company is actively engaged with federal law enforcement and government partners in connection with this incident. Additionally, the Company is implementing further measures to strengthen its security environment and protect its customers.

During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform. Through this access, certain files were exfiltrated, some of which contained certain portions of the Company's BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP. We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.

We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms.

We have no evidence of access to, or exfiltration of, data from our CRM, financial, support case management, or iHealth systems. However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers. The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate.

We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline.