
Nation-State Breach of F5 Creates Widespread Exposure

Joe Toomey, October 17, 2025

On October 15, F5 disclosed a security breach in which threat actors exploited an undisclosed vulnerability in F5 BIG-IP systems to access its source code and exfiltrate data, including configuration and/or implementation data for some customers. 

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, and the UK National Cyber Security Centre (NCSC) issued a warning, both citing an imminent threat to networks using F5 devices and software. According to CISA, the attack stemmed from a nation-state actor.

F5 has released patches and is directly communicating with affected customers; however, there may still be other weaknesses or vulnerabilities that the threat actors discovered during the 12 months they had access to F5’s environment. To mitigate risk, businesses should ensure their F5 devices are updated to the patched version and closely follow this evolving incident for the latest guidance.

What happened?

F5 is a multi-billion dollar technology company specializing in application security, multi-cloud management, fraud prevention, application delivery networking (ADN), application availability and performance, and network security, access, and authorization. 

F5 is widely utilized across the internet, as indicated by Coalition’s internet-wide scanning data. 

[Figure: Coalition internet-wide scanning data showing the prevalence of F5 deployments]

Additionally, Coalition observed a spike in activity on our honeypot sensors on October 15, indicating increased interest from threat actors in targeting F5 assets. 

[Figure: Coalition honeypot sensor activity, showing the spike on October 15]

This situation presents a complex challenge. A threat actor compromised F5’s network and remained undetected for months. In F5’s US Securities and Exchange Commission (SEC) filing, the company said it “believes its containment actions have been successful,” after first discovering the hackers in August.

As more information is published, key questions arise: What actions did the threat actors take during this time? Were there any code changes made? Did they create backdoors? Were there any changes made by the threat actors in firmware released in the past year? 

Because the threat actors were inside F5’s systems for an extended period, this breach poses additional risks to businesses that use their technologies. 

  1. One of the known vulnerabilities may be weaponized and exploited by threat actors before all customers have a chance to patch. This makes patching these vulnerabilities an urgent priority to avoid an incident, especially since we have already observed increased scanning on our honeypots.

  2. Some of the stolen customer configuration and implementation data may be used in a subsequent attack, rendering this a persistent and evolving risk. F5 customers should be watchful for any communications from F5 about possible exposure and necessary remediations.

  3. While the attackers were dwelling within F5’s network, they could have identified additional vulnerabilities or weaknesses in F5’s source code that F5 has not yet discovered. There is still a possibility of exploitation of future, new zero-day vulnerabilities stemming from this initial breach. 

There is still much more to uncover regarding this incident, and Coalition will continue to provide updates on this evolving situation. Transparency from F5 around any new information or discoveries will be essential for their clients to maintain trust.


How do businesses address this?

F5 has provided mitigation guidance in a security advisory. It is critical for businesses to update their F5 BIG-IP software to the latest, patched version as soon as possible. The affected products include BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM.

Coalition also strongly recommends that businesses ensure their management interfaces are not accessible to the public internet, in keeping with CISA best practices.

Organizations should be on the lookout for direct communication from F5 regarding this incident, as the company has stated that it will communicate directly with customers whose configuration or implementation data may have been compromised. F5 also released a threat hunting guide to strengthen detection and monitoring in customer environments. 

Who's at risk?

F5’s technology is used by 85% of Fortune 500 companies and supports over 23,000 enterprise customers in more than 170 countries. Palo Alto Networks researchers reported that more than 600,000 businesses are potentially impacted by this breach and remain vulnerable.

Among Coalition policyholders notified about this vulnerability, businesses in the professional services (16%), hospitality (15%), and healthcare (10%) industries were most impacted. The highest proportion of impacted policyholders had fewer than 50 employees (76%) and were small to midsize businesses by revenue (94%), although it is likely that many of these impacted policyholders are unaware that their hosting providers or data centers use BIG-IP proxies.

In Coalition’s Risky Tech Ranking, F5 is currently ranked #55, rising 27 places from Q2 to Q3 2025.

How is Coalition responding?

Coalition has notified any impacted policyholders. Coalition policyholders can log in to Coalition Control® for the latest updates. Coalition also recommends that policyholders follow the latest guidance from F5.

We continue to closely monitor the situation. For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.




