F5 Has Apparently Been Pwned By The Chinese
F5 has disclosed that it was the target of a state-sponsored cyberattack, likely linked to Chinese threat actors, with attackers exfiltrating files that included BIG-IP source code and vulnerability information.
It’s unclear how long the hackers maintained access, but the company confirmed that they stole source code, vulnerability data, and some configuration and implementation details for a limited number of customers.
“Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP,” the company states.
Despite this critical exposure of undisclosed flaws, F5 says there is no evidence that the attackers have used the information in actual attacks, such as exploiting the undisclosed flaws against customer systems. The company also states that it has seen no evidence that the stolen information has been disclosed.
F5 claims that the threat actors’ access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
F5 also says the intrusion did not reach the platforms that hold customer data, such as its CRM, financial, support case management, or iHealth systems, and that the other products and platforms it manages, including NGINX, F5 Distributed Cloud Services, and Silverline, were not compromised, nor was their source code.
Will Baxter, Field CISO at Team Cymru, had this comment:
“This is another reminder that the modern attack surface extends deep into the software development lifecycle. Threat groups targeting source code repositories and build environments are seeking long-term intelligence value—understanding how security controls operate from the inside. Visibility into outbound connections, threat actor command-and-control infrastructure, and unusual data exfiltration patterns is key to identifying this activity early. Combining external threat intelligence with internal telemetry gives defenders the context needed to detect and contain these advanced intrusions.”
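Baxter's point about watching outbound connections and unusual data volumes can be made concrete. What follows is an added example, not code from F5, Team Cymru, or the original post: it baselines each host's daily outbound bytes to non-internal addresses from constructed flow records, flags a day whose volume exceeds the baseline by a z-score margin, and lists any external destination first seen that day. The flow-record format, the internal address ranges, the host names, and the thresholds are all assumptions.

```python
"""Flag unusual outbound transfer volume per host from flow records.

Added example; not F5's or Team Cymru's code. The record format
(day, src_host, dst_ip, bytes_out), the internal ranges and the
thresholds are assumptions, not anything the post describes.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: these are the organisation's internal ranges; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

DAYS = ["2025-10-01", "2025-10-02", "2025-10-03", "2025-10-04", "2025-10-05", "2025-10-06"]


def _constructed_flows():
    """Constructed sample telemetry, not real data.

    Two hosts push large volumes to an internal Git server (ignored as internal)
    and fetch a little from an external package mirror every day. On the last
    day build-01 sends 5 GB to an address never seen before.
    """
    mirror_bytes = {
        "build-01": [100_000, 110_000, 95_000, 105_000, 100_000, 100_000],
        "dev-02": [50_000, 50_000, 50_000, 50_000, 50_000, 52_000],
    }
    flows = []
    for i, day in enumerate(DAYS):
        for host, series in mirror_bytes.items():
            flows.append((day, host, "10.0.5.20", 900_000_000))   # internal git traffic
            flows.append((day, host, "203.0.113.10", series[i]))  # external package mirror
    flows.append(("2025-10-06", "build-01", "198.51.100.7", 5_000_000_000))  # the outlier
    return flows


FLOWS = _constructed_flows()


def is_external(ip: str) -> bool:
    """True if the address is outside every INTERNAL_NETS range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_bytes_by_host_day(flows):
    """host -> day -> total bytes sent to external addresses."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def first_seen(flows):
    """host -> external destination -> first day it was contacted."""
    seen = defaultdict(dict)
    for day, host, dst, _ in sorted(flows):  # ISO dates sort chronologically as strings
        if is_external(dst):
            seen[host].setdefault(dst, day)
    return seen


def find_exfil_candidates(flows, eval_day, z=3.0, min_baseline_days=3):
    """Return hosts whose external egress on eval_day exceeds mean + z*stdev
    of their earlier days, with the destinations first contacted that day."""
    totals = external_bytes_by_host_day(flows)
    seen = first_seen(flows)
    hits = []
    for host, per_day in totals.items():
        baseline = [b for d, b in per_day.items() if d < eval_day]
        if len(baseline) < min_baseline_days:
            continue  # too little history to score; a new host needs a separate rule
        today = per_day.get(eval_day, 0)
        mu = mean(baseline)
        # Floor the spread so a perfectly flat baseline still gets a tolerance band.
        sigma = max(pstdev(baseline), 0.1 * mu)
        threshold = mu + z * sigma
        if today > threshold:
            new_dests = sorted(d for d, first in seen[host].items() if first == eval_day)
            hits.append({"host": host, "bytes": today, "threshold": int(threshold),
                         "new_destinations": new_dests})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(FLOWS, "2025-10-06"):
        print(hit)
```

The z-score baseline is deliberately simple; in production you would baseline per destination as well as per host, and join the flagged destinations against threat-intelligence feeds for known command-and-control infrastructure, which is the external context Baxter refers to.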
If I were an F5 customer, I’d be kind of nervous right now, because there’s no telling what this threat actor can do with the data that they stole. Other than the fact that whatever they do with that data, it won’t be good for anyone.
UPDATE: Tom Kellermann, cybercrime expert and VP of Cyber Risk at HITRUST, offers this comment:
“This is the first stage of a supply chain campaign designed to compromise trust in digital infrastructure. Rogue nation-state actors consistently show us how successful and well-resourced they are. Once adversaries gain access at the application layer, they’re not just stealing data but embedding themselves for command and control. F5 customers must immediately enhance detection and response at the application layer through ADR. Supply chain attacks have become the preferred tactic of modern cyber warfare. We need to start treating third-party risk as a national security issue.”
This entry was posted on October 15, 2025 at 12:58 pm and is filed under Commentary with tags Hacked.