Confirmed Compromise of F5 Network: What You Need to Know

Marketing and Outreach Team
18 Oct 2025
10 Min Read
The NCSC has confirmed a breach of F5’s internal network. UK organisations should act now to patch, harden, and monitor all F5 devices at the network edge.
The UK’s National Cyber Security Centre (NCSC) has confirmed that F5 Networks has suffered a major internal compromise. Portions of F5’s BIG-IP source code and internal vulnerability research have been exfiltrated — a development with serious implications for organisations that rely on F5 technologies. (Source: NCSC)
While there is no confirmed evidence yet that customer networks have been exploited via this breach, the nature of what was stolen means the risk is elevated. (Sources: NCSC, Help Net Security)
What Happened & What Was Affected
Incident Summary
F5 has acknowledged that a “sophisticated, nation-state threat actor” maintained persistent access to its internal systems, including development and knowledge management systems. (Sources: Rapid7, Help Net Security)
The attackers exfiltrated source code related to F5’s BIG-IP platform and documents detailing vulnerabilities that had not yet been publicly disclosed. (Sources: Help Net Security, Rapid7)
Independent assessments by firms such as IOActive, NCC Group, and others found no evidence of tampering with F5’s build pipelines or modification of deployed software. (Source: Rapid7)
F5 also states that core systems such as CRM, financial systems, support case management, and iHealth systems were not impacted. (Sources: Help Net Security, Rapid7)
Affected Products & Scope
The NCSC (and other bodies) have indicated that the following F5 products (hardware, software, and virtual) are at risk:
BIG-IP appliances (iSeries, rSeries), especially those that have reached end-of-support (Sources: NCSC, NHS England Digital, Help Net Security)
Devices running F5OS, BIG-IP (TMOS), Virtual Edition (VE) (Source: Help Net Security)
BIG-IQ, BIG-IP Next, Kubernetes / cloud-native network function variants (BNK / CNF) (Source: Help Net Security)
Why This Matters: Elevated Risk & Strategic Exposure
The theft of proprietary source code and vulnerability data gives a potential adversary significant advantages:
They can perform static and dynamic analysis on the code to discover new zero-day vulnerabilities that wouldn’t otherwise be publicly known. (Sources: Help Net Security, Rapid7)
The threat actor could use knowledge of these vulnerabilities to craft targeted exploits against organisations using F5 infrastructure. (Sources: Rapid7, Help Net Security)
If management interfaces or API keys are compromised or weakly defended, the adversary might access embedded credentials, move laterally within networks, and establish persistence. (Sources: NCSC, Help Net Security)
Because F5 solutions often sit at high-value network edges (load balancing, application firewalls, traffic management), a breach at that level can expose downstream systems.
Although the NCSC states there is no current indication of compromises to customer networks tied to this breach, that should not be taken as reassurance of safety — it may simply reflect a latency period before exploitation becomes visible. (Sources: NCSC, Help Net Security)
What Organisations Should Do Now: Recommended Actions
Given the severity of this incident, organisations using F5 products should treat this as a high-priority security event. Below is a recommended action roadmap — many of these steps are echoed in NCSC and F5 guidance.
| Phase | Action | Details / Notes |
|---|---|---|
| 1. Inventory & Exposure Assessment | Identify all F5 assets (hardware, virtual, software) in your environment | Include legacy devices, test environments, and cloud instances (Sources: Rapid7, Help Net Security) |
| | Check for internet-facing management interfaces | If found, treat as high risk: isolate, assess logs, and assume potential compromise (Sources: Rapid7, Help Net Security) |
| 2. Patch & Upgrade | Apply the latest F5 patches and security updates immediately | F5 has released patches that address the now-exposed vulnerabilities (Sources: NHS England Digital, Rapid7, Help Net Security) |
| | Decommission or replace end-of-support appliances | Unsupported systems won’t receive necessary security remediation (Sources: NHS England Digital, Rapid7) |
| 3. Strengthen Hardening & Configurations | Enforce vendor guidance for system hardening | Implement least privilege, strong authentication, segmented access paths (Sources: NHS England Digital, Rapid7) |
| | Integrate F5 logs into SIEM / analytics | Retain logs for ≥180 days (or as per policy) and hunt for anomalies (Source: NHS England Digital) |
| 4. Threat Hunting & Monitoring | Use F5’s Threat Hunting Guide | Look for IOCs and abnormal behaviour related to the compromise (Sources: NHS England Digital, NCSC) |
| | Monitor for lateral movement, credential use, abnormal config changes | Elevated risk due to possible hidden exploits |
| 5. Incident Response & Reporting | If signs of compromise are detected, engage F5 SIRT and your national cyber authority | In the UK, report via NCSC / CSOC channels (Sources: NHS England Digital, NCSC) |
| | Coordinate internal and external communications | Ensure clarity and avoid speculation, especially given the supply-chain implications |
Additionally, in the U.S., CISA has issued Emergency Directive 26-01, which mandates federal agencies to inventory, patch, or replace affected F5 devices by October 22, 2025. (Sources: CISA, Industrial Cyber)
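Phases 3 and 4 of the roadmap above (ship F5 logs to a SIEM, then hunt for abnormal credential use and configuration changes) are easiest to operationalise as a small set of detection rules. The script below is an added example written for this article, not code from F5, the NCSC or any of the cited sources. It runs three checks over constructed log lines that only approximate the shape of BIG-IP `/var/log/secure` (sshd) and `/var/log/audit` (tmsh) entries: a management login from outside an assumed jump-host subnet, a successful login that follows a burst of failures, and a configuration change made by an account other than those assumed to be authorised (with a separate flag for commands that widen management access or create accounts). The subnet, the authorised-account set, the threshold and the sample lines are all assumptions for the example; point the regexes at the exact format your devices export.

```python
"""Hunt over constructed BIG-IP-style login and audit log lines.

Added example: the log lines, subnet, account names and command list below
are CONSTRUCTED for illustration and only approximate the shape of BIG-IP
/var/log/secure and /var/log/audit entries.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: interactive management access is expected only from this subnet.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]
# Assumption: accounts that are permitted to change configuration.
CHANGE_ACCOUNTS = {"admin", "netops-auto"}
# A successful login after this many failures from the same source is suspicious.
FAILED_LOGIN_THRESHOLD = 3
# Verbs that alter running configuration (as opposed to read-only 'list'/'show').
CHANGE_VERBS = {"modify", "create", "delete", "load", "save"}
# Commands that widen management exposure or add identities; review every one.
SENSITIVE_CMD_PREFIXES = (
    "modify sys httpd allow",
    "modify sys sshd allow",
    "create auth user",
    "modify auth user",
)

# Constructed sample: a normal admin session, then a brute-force from an external
# address that succeeds and is followed by posture-weakening changes.
SAMPLE_LOGS = """\
Oct 18 09:01:12 bigip1 notice sshd[2201]: Accepted password for admin from 10.10.5.21 port 51022 ssh2
Oct 18 09:02:40 bigip1 notice tmsh[2210]: 01420002:5: AUDIT - pid=2210 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
Oct 18 11:14:03 bigip1 notice sshd[2301]: Failed password for root from 203.0.113.45 port 40011 ssh2
Oct 18 11:14:05 bigip1 notice sshd[2301]: Failed password for root from 203.0.113.45 port 40012 ssh2
Oct 18 11:14:08 bigip1 notice sshd[2301]: Failed password for root from 203.0.113.45 port 40013 ssh2
Oct 18 11:14:20 bigip1 notice sshd[2305]: Accepted password for root from 203.0.113.45 port 40014 ssh2
Oct 18 11:15:02 bigip1 notice tmsh[2310]: 01420002:5: AUDIT - pid=2310 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys httpd allow add { all }
Oct 18 11:15:30 bigip1 notice tmsh[2311]: 01420002:5: AUDIT - pid=2311 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc-backup partition-access add { all-partitions { role admin } }
"""

LOGIN_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)"
)
AUDIT_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+ tmsh\[\d+\]: .*?AUDIT - "
    r".*?user=(?P<user>\S+) .*?cmd_data=(?P<cmd>.+)$"
)


def in_allowlist(ip: str) -> bool:
    """True if the source address falls inside an approved management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)


def hunt(log_text: str) -> list:
    """Return a list of finding dicts for the suspicious events in log_text."""
    findings = []
    failed = defaultdict(int)  # (user, source ip) -> consecutive failures seen
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            key = (m["user"], m["ip"])
            if m["result"] == "Failed":
                failed[key] += 1
                continue
            base = {"ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["ip"]}
            if not in_allowlist(m["ip"]):
                findings.append({**base, "type": "login_outside_mgmt_subnet"})
            if failed[key] >= FAILED_LOGIN_THRESHOLD:
                findings.append({**base, "type": "success_after_failures", "failures": failed[key]})
            failed[key] = 0  # a success closes the burst
            continue
        m = AUDIT_RE.search(line)
        if m:
            cmd = m["cmd"].strip()
            base = {"ts": m["ts"], "host": m["host"], "user": m["user"], "cmd": cmd}
            if cmd.split()[0] in CHANGE_VERBS and m["user"] not in CHANGE_ACCOUNTS:
                findings.append({**base, "type": "config_change_by_unexpected_account"})
            if cmd.startswith(SENSITIVE_CMD_PREFIXES):
                findings.append({**base, "type": "sensitive_config_change"})
    return findings


def summarize(findings: list) -> Counter:
    """Count findings by type, e.g. for a SIEM dashboard or a daily report."""
    return Counter(f["type"] for f in findings)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f["ts"], f["type"], f.get("user"), f.get("src", f.get("cmd")))
```

On the constructed sample the script raises six findings: one external-source login, one success after three failures, and two unexpected-account changes that are also flagged as sensitive because they open the management HTTP daemon to all addresses and create a new administrator. In production the same three rules map directly onto SIEM correlation searches; the value of the ≥180-day retention recommended above is that the "first seen" date for an unexpected source address or account can be established rather than guessed.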
Strategic Considerations for Defence & Assurance
For organisations with high assurance requirements (e.g. in defence, government, critical infrastructure), simply patching may not be adequate. Consider:
Red Team / Penetration Testing Focused on Edge Devices
Prioritise reviewing attack paths through F5 devices, configuration drift, key misuse, and lateral movement routes.
Supply Chain Risk Review
Given that the breach involves source code and development infrastructure, vet your dependencies and upstream suppliers.
Zero Trust & Micro-segmentation
Reduce trust placed in network boundaries handled by F5; aim for stronger segmentation even within environments serviced by those devices.
Cryptographic Key Rotation & Certificate Revalidation
Assume that signing keys or certificates might be compromised or at risk; enforce rotation strategies and validate all code signatures.
Continuous Threat Intelligence Integration
Monitor for exploit activity in the wild, especially activity tied to “BRICKSTORM” (a malware family possibly linked to this breach), as public reporting suggests. (Sources: Rapid7, Help Net Security)
Conclusion
This incident underscores an important reality: even trusted cybersecurity vendors are not immune to advanced, persistent threats. The exfiltration of source code and undisclosed vulnerabilities places many organisations in a defensively reactive posture unless proactive measures are taken immediately.
If you use F5 products in your infrastructure, now is the moment to act decisively: inventory, patch, harden, monitor — and prepare for deeper forensics if anomalies emerge.
Marketing and Outreach Team
AIC’s Marketing and Outreach Team builds visibility and trust across Defence and security. We deliver strategic campaigns, thought leadership, and stakeholder engagement while balancing transparency with discretion. Our mission is to position AIC as a trusted, innovative partner to the UK MoD and beyond.