Frequently Asked Questions About The August 2025 F5 Security Incident
Frequently asked questions about the August 2025 security incident at F5 and the release of multiple BIG-IP product patches.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a recently disclosed security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification.
FAQ
What is the F5 Security Incident?
Starting August 9, 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. This included access to F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 providing current details on the known impacts of the breach, including an acknowledgement that they have not observed further unauthorized activity and believe they have successfully contained the breach.
What data was stolen in this breach?
According to F5, files from their BIG-IP engineering knowledge management systems and product development environments were accessed by the threat actor. The stolen data included details on undisclosed security vulnerabilities that were currently being investigated by F5 as well as source code for its BIG-IP product.
What is the risk of undisclosed vulnerability data being stolen?
With access to vulnerability reports and source code, the threat actor could use that information to develop exploits for issues that have not yet been patched or remediated. While F5 states they “have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the risk remains that the attackers could use the stolen data to identify other vulnerabilities.
Was any source code modified? Is there a risk of a supply-chain attack?
According to F5, they have “no evidence of modification” to its supply chain, source code, including NGINX source code, build and release pipelines and the F5 Distributed Cloud Services or Silverline systems. These findings have reportedly been independently verified by two security research firms, NCC Group and IOActive.
What are the vulnerabilities associated with the breach?
At this time, F5 has not indicated that any vulnerabilities were exploited by the threat actor in order to gain access to their systems. However, on October 15, in conjunction with its security incident notice, F5 released several patches in KB article K000156572: Quarterly Security Notification (October 2025). While there is no notice in these security advisories that any of the CVEs have been exploited, we strongly recommend applying all available patches.
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released emergency directive (ED) 26-01: Mitigate Vulnerabilities in F5 Devices on October 15, which includes recommendations to apply all available updates. While the ED is aimed at Federal Civilian Executive Branch (FCEB) agencies, the guidance should be applicable to any organization with F5 devices or software in their environment.
What actions should I take if my environment contains F5 software/devices?
According to both F5 and the CISA ED, inventorying and updating all affected BIG-IP instances is of utmost importance. While it’s always recommended that security updates are applied quickly, in light of the breach, F5 urges “updating your BIG-IP software as soon as possible.” In addition, guidance from CISA suggests hardening any public facing BIG-IP devices and removing any unsupported devices from your network.
Which threat actors are responsible for this attack?
While no specific threat actor has been linked to the F5 breach, F5 says this incident involved a “highly sophisticated” nation-state threat actor.
Are patches or mitigations available for the F5 October Quarterly Security Notification?
Yes, F5 released its quarterly security notification on October 15, which includes fixes for the following products:
BIG-IP (All Modules):

| F5 KB Article | Associated CVEs |
| --- | --- |
| K000151902 | CVE-2025-53868 |
| K000139514 | CVE-2025-60016 |
| K000150614 | CVE-2025-48008 |
| K000150637 | CVE-2025-59781 |
| K000151309 | CVE-2025-61951 |
| K000151611 | CVE-2025-46706 |
| K000156707 | CVE-2025-53856 |
| K000156733 | CVE-2025-61974 |
| K000156746 | CVE-2025-58071 |
| K000156912 | CVE-2025-61990 |
| K000156691 | CVE-2025-58096 |
| K000156642 | CVE-2025-59481 |
| K000154647 | CVE-2025-61958 |
| K000151308 | CVE-2025-59269 |
| K000151658 | CVE-2025-58153 |
| K000156800 | CVE-2025-59483 |
| K90301300 | CVE-2025-59268 |
| K000156801 | CVE-2025-54755 |
| K000151297 | CVE-2025-58424 |

F5OS-A

| F5 KB Article | Associated CVEs |
| --- | --- |
| K000156767 | CVE-2025-61955 |
| K000156771 | CVE-2025-57780 |
| K000149820 | CVE-2025-47150 |
| K000156796 | CVE-2025-60015 |
| K000154661 | CVE-2025-60013 |
| K000148625 | CVE-2025-53860 |

F5OS-C

| F5 KB Article | Associated CVEs |
| --- | --- |
| K000156767 | CVE-2025-61955 |
| K000156771 | CVE-2025-57780 |
| K000151718 | CVE-2025-59778 |
| K000149820 | CVE-2025-47150 |
| K000156796 | CVE-2025-60015 |

BIG-IP Product Specific
Product F5 KB Article Associated CVEs BIG-IP APM Advanced WAF/ASM SSL Orchestrator BIG-IP PEM K000151475 CVE-2025-54479 BIG-IP AFM CVE-2025-59478
*This KB article represents a BIG-IP AFM Security Exposure and is not associated with a CVE.
BIG-IP Next
Product F5 KB Article Associated CVEs BIG-IP Next SPK BIG-IP Next CNF BIG-IP Next for Kubernetes
Other F5 Products
Product F5 KB Article Associated CVEs NGINX App Protect WAF K000148512 CVE-2025-58474 F5 Silverline
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:
- CVE-2025-53868
- CVE-2025-60016
- CVE-2025-48008
- CVE-2025-59781
- CVE-2025-61951
- CVE-2025-46706
- CVE-2025-53856
- CVE-2025-61974
- CVE-2025-58071
- CVE-2025-61990
- CVE-2025-58096
- CVE-2025-59481
- CVE-2025-61958
- CVE-2025-59269
- CVE-2025-58153
- CVE-2025-59483
- CVE-2025-59268
- CVE-2025-54755
- CVE-2025-58424
- CVE-2025-61955
- CVE-2025-57780
- CVE-2025-47150
- CVE-2025-60015
- CVE-2025-60013
- CVE-2025-53860
- CVE-2025-59778
- CVE-2025-53521
- CVE-2025-61960
- CVE-2025-54854
- CVE-2025-53474
- CVE-2025-47148
- CVE-2025-61933
- CVE-2025-61938
- CVE-2025-54858
- CVE-2025-61935
- CVE-2025-55669
- CVE-2025-58474
- CVE-2025-41430
- CVE-2025-55036
- CVE-2025-54479
- CVE-2025-59478
- CVE-2025-58120
- CVE-2025-55670
- CVE-2025-54805
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
- F5: K000154696: F5 Security Incident
- F5: K000156572: Quarterly Security Notification (October 2025)
- CISA: ED 26-01: Mitigate Vulnerabilities in F5 Devices
The post Frequently Asked Questions About The August 2025 F5 Security Incident appeared first on Security Boulevard.