F5 Security Incident: Disclosure Statement (Form 8-K)

F5 Security Incident: Disclosure Statement

The following message will be posted on MyF5.com and emailed to customers

We want to share information with you about steps we've taken to resolve a security incident at F5 and our ongoing efforts to protect our customers.

In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems. These systems included our BIG-IP product development environment and engineering knowledge management platforms. We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.

In response to this incident, we are taking proactive measures to protect our customers and strengthen the security posture of our enterprise and product environments. We have engaged CrowdStrike, Mandiant, and other leading cybersecurity experts to support this work, and we are actively engaged with law enforcement and our government partners.

We have released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. More information can be found in our October 2025 Quarterly Security Notification. We strongly advise updating to these new releases as soon as possible.

What we know

At this time, based on our investigation of available logs:

•We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP. We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.

•We have no evidence of access to, or exfiltration of, data from our CRM, financial, support case management, or iHealth systems. However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers. We are currently reviewing these files and will be communicating with affected customers directly as appropriate.

•We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms NCC Group and IOActive.

•We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.

What you can do

Our priority right now is helping you strengthen and secure your F5 environment against risks from this incident. We are providing a number of resources to support actions you can take:  

•Updates to BIG-IP software. Updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients are available now. Though we have no knowledge of undisclosed critical or remote code execution vulnerabilities, we strongly advise updating your BIG-IP software as soon as possible. More information about these updates can be found in the Quarterly Security Notification.

•Threat intelligence. A threat hunting guide to strengthen detection and monitoring in your environment is available from F5 support.

•Hardening guidance with verification. We publish best practices for hardening your F5 systems and have added automated hardening checks to the F5 iHealth Diagnostic Tool. This tool will surface gaps, prioritize actions, and provide links to remediation guidance.

•SIEM integration and monitoring guidance. We recommend enabling BIG-IP event streaming to your SIEM and provide step-by-step instructions for syslog configuration (KB13080) and monitoring for login

1

attempts (KB13426). This will enhance your visibility and alerting for admin logins, failed authentications, and privilege and configuration changes.

Our global support team is available to assist. You can open a MyF5 support case or contact F5 support directly for help updating your BIG-IP software, implementing any of these steps, or to address any questions you may have. We will keep this page updated with new information and resources.

What we are doing

We have taken, and will continue to take, significant steps to protect customers by remediating this threat and strengthening the security of our core enterprise and product infrastructure.

Since initiating our incident response efforts, we have:

•Rotated credentials and strengthened access controls across our systems.

•Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.

•Implemented enhancements to our network security architecture.

•Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.

We are taking additional actions to further strengthen the security of our products:

•Continuing code review and penetration testing of our products with support from both NCC Group and IOActive to identify and remediate vulnerabilities in our code.

•Partnering with CrowdStrike to extend Falcon EDR sensors and Overwatch Threat Hunting to BIG-IP for additional visibility and to strengthen defenses. An early access version is available to BIG-IP customers and F5 is providing supported customers with a free Falcon EDR subscription through October 14, 2026.

Your trust matters. We know it is earned every day, especially when things go wrong. We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.

2