The UK’s National Cyber Security Centre (NCSC) has issued an urgent alert following the confirmation of a serious breach at F5 Networks, one of the world’s leading providers of application delivery and security solutions. If your organisation relies on F5 technology, particularly their BIG-IP products, it’s time to take immediate action.
What’s Happened?
In August 2025, F5 discovered that a highly sophisticated nation-state threat actor had maintained long-term, persistent access to their internal systems. The attackers successfully exfiltrated sensitive technical data, including portions of the BIG-IP source code and details about undisclosed vulnerabilities.
This isn’t just another data breach. The stolen information essentially gives attackers a roadmap for potentially exploiting multiple F5 cybersecurity technologies in ways that are unlikely to be detected. Think of it as someone stealing the blueprints to your security system whilst you’re still using it.
Why This Matters for Your Organisation
BIG-IP appliances occupy a trusted position in network architecture, making them particularly appealing targets for attackers. By compromising such a device, attackers can exert significant control over network traffic without arousing suspicion.
The NCSC warns that successful exploitation could enable threat actors to access embedded credentials and API keys, move laterally within your network, exfiltrate sensitive data, and establish persistent system access – potentially leading to a full compromise of your information systems.
In the United States, CISA Acting Director Madhu Gottumukkala warned of the “alarming ease with which these vulnerabilities can be exploited,” describing the risks as potentially leading to a “catastrophic compromise of critical information systems”.
Which Products Are Affected?
The NCSC has identified the following products as affected by this breach:
- BIG-IP iSeries, rSeries, or any other F5 appliance that has reached end of support
- All devices running BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE)
- BIG-IP Next, BIG-IQ
- BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF)
With approximately 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet globally, and over 90% of observed systems running BIG-IP Local Traffic Manager (LTM) or Access Policy Manager (APM), the scope of potential impact is substantial.
What Should You Do Right Now?
The NCSC and F5 have issued clear guidance, and we strongly recommend following these steps immediately:
1. Identify Your F5 Assets: Create a complete inventory of all F5 products in your environment. Don’t assume you know where everything is – verify it.
2. Apply Security Updates: Install the latest security updates provided by F5 as part of their October 2025 quarterly security release. This is non-negotiable.
3. Implement F5’s Hardening Guidance: Follow F5’s best practices for system hardening, SIEM integration, and monitoring. If you’re not already monitoring these devices closely, start now.
4. Conduct Threat Hunting: F5 has made a threat hunting guide available through their support channels to help strengthen detection and monitoring in your environment. Use it.
5. Assess Your Management Interfaces: Check whether your F5 management interfaces are accessible from the public internet. If they are, you need to address this urgently in line with security best practices.
6. Report Suspected Compromises: If you identify any signs of compromise, inform the NCSC immediately.
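As a starting point for steps 1 and 5, the following added example (not from the NCSC or F5 guidance) triages an inventory export and lists devices that need follow-up: incomplete records, management addresses outside your designated management network, and end-of-support hardware. The CSV column names, the management network range and the sample hosts are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumption: networks your organisation reserves for out-of-band management.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample inventory; hostnames and addresses are made up
# (203.0.113.0/24 is a documentation range standing in for a public address).
SAMPLE_INVENTORY = """hostname,product,mgmt_ip,end_of_support
lb-edge-01,BIG-IP (TMOS),203.0.113.10,no
lb-core-01,BIG-IP (F5OS),10.20.0.15,no
lb-old-01,BIG-IP iSeries,10.20.0.16,yes
biq-01,BIG-IQ,,no
lb-dmz-02,BIG-IP VE,10.99.4.7,no
"""


def triage(inventory_csv, mgmt_networks=MGMT_NETWORKS):
    """Return {hostname: [findings]} for devices that need follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        raw_ip = (row.get("mgmt_ip") or "").strip()
        try:
            addr = ipaddress.ip_address(raw_ip)
        except ValueError:
            # Step 1: an incomplete record means the asset is not verified.
            issues.append("management address missing or invalid: verify asset")
        else:
            if not any(addr in net for net in mgmt_networks):
                # Step 5: exposure candidate; confirm reachability from outside.
                issues.append("management interface outside management network")
        if (row.get("end_of_support") or "").strip().lower() == "yes":
            issues.append("end-of-support hardware")
        if issues:
            findings[row["hostname"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(issues)}")
```

An address inside the management network is not proof that the interface is unreachable from the internet, so confirm flagged and unflagged devices alike against your firewall rules.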
A Word on Perspective
Whilst F5 has stated they’ve seen no evidence of undisclosed critical severity or remote code execution vulnerabilities, nor active exploitation of any undisclosed vulnerabilities, the reality is that the stolen information gives potential adversaries a significant head start.
As cybersecurity expert Chris Woods noted, “Since that vulnerability information is out there, everyone using F5 should assume they’re compromised”. Whilst this may sound alarmist, it reflects the appropriate level of caution organisations should exercise.
How Omnicyber Security Can Help
If you’re feeling overwhelmed by this alert or unsure where to start, that’s completely understandable. Supply chain compromises of this nature are complex, and the technical implications can be difficult to navigate.
At Omnicyber Security, we can help you:
- Identify and inventory all F5 products in your environment
- Assess your current security posture and exposure
- Implement the required patches and hardening measures
- Conduct thorough security assessments of your network infrastructure
- Establish ongoing monitoring and threat detection
Don’t wait for an incident to occur before taking action. The time to strengthen your defences is now.
This blog post is based on guidance from the UK National Cyber Security Centre. For the latest updates, visit the NCSC website or contact our team directly.


