
Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.
Immediate action: Review reliance on F5 products and services, monitor for further vendor updates, and assess internal exposure to F5-managed or integrated systems.
What has happened?
F5 has confirmed unauthorised access to its internal network by a likely state-sponsored actor.
The company reports that its investigation, supported by external forensic specialists and law enforcement, is ongoing.
Stolen data includes portions of BIG-IP source code, internal vulnerability research, and files from an engineering knowledge platform. F5 states there is no evidence of modification to its source code, build pipelines, or product releases, and that both NCC Group and IOActive have independently reviewed and validated these findings.
F5 has also confirmed that no customer personal data, financial information, or support case records were accessed. However, some files contained configuration or implementation information for a small percentage of customers, and those affected are being notified directly.
The UK NCSC has issued a related advisory encouraging organisations to follow F5’s guidance, apply the latest security updates, and review the exposure of management interfaces.
What is the risk?
This incident highlights the risk of vendor compromise, where trusted technology suppliers are targeted for access to sensitive code and vulnerability research. Even without evidence of tampering, the theft of source code and vulnerability data increases the likelihood that attackers could develop new exploits targeting F5 products.
The limited exposure of customer configuration information may also enable more targeted intrusion attempts against specific organisations.
Source:
- Likely state-sponsored or advanced criminal actor
Risk events:
- System Intrusion (Unauthorised access to vendor environment)
- Supply-Chain Compromise (Potential future exploitation of stolen code or vulnerability data)
- Information Breach (Exposure of internal technical and limited customer configuration information)
Consequences:
- Strategic (Reduced confidence in vendor security and product assurance)
- Operational (Increased monitoring, validation, and patching workload)
- Financial (Unplanned costs for assurance, response, and due diligence)
What factors drive the consequences?
- F5’s widespread use in critical infrastructure and network management
- Stolen code and vulnerability information may shorten exploit development cycles
- Dependency on F5 for network availability and application delivery
What factors drive the frequency?
- Persistent targeting of network and infrastructure vendors
- Sophisticated intrusion capabilities used for long-term access
- Limited visibility into vendor-managed environments
How may it evolve?
If further investigation reveals deeper network access or data exfiltration, the event could transition into a supply-chain risk.
Attackers with access to internal systems might attempt to manipulate update mechanisms or steal credentials, though there is no evidence of this currently.
Source:
- Likely state-sponsored threat actor
Risk events:
- Malware or backdoor insertion (if software integrity were later compromised)
- Information Breach (if customer support data was accessed)
Consequences:
- Compliance (Regulatory exposure under NIS2 or GDPR)
- Strategic (Reputational damage from reliance on compromised suppliers)
What action is required?
- Monitor F5’s official advisory page and communications for incident updates.
- Assess vendor dependency: Identify where F5 systems or managed services are integrated into business-critical functions.
- Review supply-chain assurance practices: Ensure vendor risk management processes include monitoring and validation of security incidents.
- Restrict trust boundaries: Where feasible, isolate F5 management interfaces and reduce third-party remote access privileges.
- Reconfirm incident escalation paths with any suppliers or partners reliant on F5 systems.
For further information or assistance in understanding or measuring this risk to your organisation please contact us at hello@cydea.com for a session with one of our cyber risk consultants.
Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.