Find updated information about this advisory here.

On October 15th, F5 SIRT reported to customers and partners that a highly sophisticated unnamed nation-state threat actor (TA) was detected within their environments in August 2025.

The actor has maintained long-term, persistent access to and downloaded files from F5 systems. These systems include product development environments and engineering knowledge management platforms. The reported status from F5 as of October 15th is that their containment efforts have been successful. 

F5 SIRT strongly advise to update your BIG-IP software as soon as possible. Information about the updates are available at K000156572: Quarterly Security Notification (October 2025).

Based on the official report, the TA has exfiltrated the following information:

• BIG-IP source code
• Information about undisclosed vulnerabilities that F5 worked on in BIG-IP
• Configuration or implementation information for a small percentage of customers

F5 SIRT are currently reviewing these files and will communicate directly with affected customers.

Based on the official report, the TA has not gained access data from F5 CRM, financial, support case management, or iHealth systems. There is no evidence that the TA has modified software supply chain, or that the TA has accessed or modified NGINX source code, F5 Distributed Cloud Services, or Silverline systems.

Recommendations

mnemonic recommends the following:

• If possible, perform a memory and disk dump (snapshot) of the host before applying the patch for later analysis if necessary
• Apply the patches provided by F5 as soon as possible
• Follow the hardening guide from F5 in K53108777: Hardening your F5 system
• Consider to take part in Early Access Program for Crowdstrike Falcon EDR sensor on VIRTUAL BIG-IP plattforms (BIG-IP VE). More information available at K000154696: F5 Security Incident, K000157015: Getting Started with Falcon sensor for BIG-IP and K000156881: Install Falcon sensor for BIG-IP on the BIG-IP system
• F5 customers capable of applying IOCs can download IOCs from MyF5 using their F5 customer account 
• If using BIG-IP VE (Virtual Edition) and VMWare, consider to execute the Threat Hunting guide from Crowdstrike mentioned in K000154696: F5 Security Incident, also available at MyF5 or via Argus ticket

Threat Intelligence assessment

While F5 SIRT reports successful containment, including overview of TA activity, mnemonic assesses that it is possible that additional information about the criticality of the breach will surface. The vulnerabilities that have been patched are not considered critical at this stage. However, we recommend paying attention to F5's strong advice to update immediately.

Information for mnemonic customers

We are actively monitoring the situation and will provide updates if additional information surfaces. We are working closely with F5 customers who may be impacted, and for MDR customers implementing detection opportunities and indicators that can be used in sweeps, threat hunting, and real-time detections. 

For further inquiries regarding Argus services and coverage, please create a ticket in the Argus portal.

Actions from Secure Network Operations

We are actively following up our customer obligations. All Operations customers were offered immediate patching during the evening of October 15th, or at an agreed time more suitable to maintain customer business needs. All Support customers have been or will be contacted by phone to verify that our advisory is received, will get advice to upgrade and offered assistance if needed.

We will share all relevant information via Argus and call customers whenever urgent. We work closely with F5 and mnemonic MDR to pass on relevant updated information about recommended customer actions and MDR detections.