On October 15, 2025, F5 reported that a nation-state threat actor had gained long-term access to some F5 systems and exfiltrated data, including source code and information about undisclosed product vulnerabilities. This information may enable threat actors to compromise F5 devices by developing exploits for these vulnerabilities. The UK National Cyber Security Centre also notes that compromises could lead to credential theft, lateral movement, data exfiltration, and persistent access.
Impacted systems include the BIG-IP product development environment and engineering knowledge management platforms. Identified hardware includes BIG-IP iSeries, rSeries, and other F5 devices that have reached end of support. BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE), BIG IP Next, BIG- IQ, and BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF) software is also affected.
As of this publication, there is no evidence that F5 customer networks have been impacted.
Recommended actions
Organizations should identify vulnerable F5 instances in their environments and upgrade as appropriate. Additionally, organizations should monitor the F5 advisory for updated information and mitigations.
Sophos actions
Sophos does not rely on F5 products. Counter Threat Unit™ (CTU) researchers are monitoring for activity indicating exploitation of F5 vulnerabilities.
