Cybersecurity and networking company F5 disclosed that a “highly sophisticated” nation-state threat actor infiltrated its internal systems this summer, stealing portions of the company’s BIG-IP source code and details about software vulnerabilities.
The Seattle-based company disclosed the incident Wednesday in an SEC filing and a customer memo, saying the attacker maintained “long-term, persistent access” to some of its product development and engineering systems before the breach was contained.
F5 said it learned of the intrusion on Aug. 9, and that the U.S. Department of Justice authorized a delay in public disclosure. The company said it believes its containment efforts have been successful and that it has seen no new unauthorized activity.
F5 shares were down more than 3% in early trading Wednesday.
Some of the breached files contained configuration details for a small percentage of customers, the company said, and those customers are being notified directly.
F5 said it has no evidence that the attackers accessed CRM or financial data, or tampered with its software supply chain. Independent reviews by NCC Group and IOActive confirmed that the company’s build and release systems were not modified.
The company also said the attackers did not reach its other major product lines, including NGINX, F5 Distributed Cloud Services, or Silverline.
F5 released software updates for several products, including BIG-IP, F5OS, and BIG-IP Next, urging customers to patch immediately. F5 is providing a threat-hunting guide and new tools to help users harden systems and monitor for suspicious activity.
F5 is one of Seattle’s largest public tech companies, with a market capitalization around $19 billion and thousands of enterprise customers worldwide, including 80% of the Fortune Global 500. Its hardware and software sit in the middle of much of the world’s internet traffic, providing load-balancing, application delivery, and security services for major corporations and government agencies.
While F5 products themselves have been targeted in the past — including a vulnerability in 2020 and the “Velvet Ant” malware campaign uncovered in 2024 — this appears to be the first publicly disclosed breach of F5’s internal systems.
Separately, F5 announced Wednesday that Michael Montoya resigned from the company’s board and became its chief technology operations officer. Montoya was most recently COO at New York-based cybersecurity company BlueVoyant.
F5 reported revenue growth of 12% to $780 million in its most recently fiscal earnings, with GAAP net income of $190 million, up from $144 million in the year-ago period.
