F5 Networks said in mid-October that its engineering systems were breached, and investigators later confirmed the intruders removed development materials. U.S. agencies responded with emergency guidance after reports the actor accessed source code and internal vulnerability files.
What happened
On Oct. 15, 2025, F5 Networks announced unauthorized access to parts of its internal development environment. The company said certain code repositories and bug-tracking records were reached by an intruder. Reuters reported U.S. officials attributed the incident to a nation-state actor. The stolen data reportedly included code and vulnerability reports.
Timeline and discovery
F5 identified the activity after internal monitoring flagged unusual access. The company notified law enforcement and began an internal review. Public reporting traces disclosure to F5 statements and follow-up coverage by security vendors. For an overview of related advisories, see our tag page at F5 breach and the site category Cyber News & Updates.
Scope of what was taken
Companies and researchers reported the actor obtained portions of the codebase and internal vulnerability tickets. Tenable and other vendors described copies of engineering material and reports that could expose unknown flaws. F5 has said customer-facing services were not directly affected at disclosure.
How it happened
F5’s public statements and vendor analyses indicate the intruders kept prolonged access to development systems. Evidence points to targeted use of developer credentials or systems, rather than broad service compromise. Security firms report the attacker removed traces and maintained stealth over months.
Immediate impact
After disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) issued emergency guidance. That directive, ED 26-01, instructed federal agencies to apply vendor updates for affected F5 products. The directive is available at CISA ED 26-01. Canada’s communications security center issued a matching alert.
Why this matters
F5 develops networking appliances used for application delivery and security. Engineering records and vulnerability notes can show where weaknesses lie. Stolen development material can shorten the time for attackers to make functioning exploits.
Steps investigators and vendors are taking
F5, federal agencies, and third-party vendors continue forensic work. Researchers are scanning public and private networks for signs of exploitation. Security advisories and technical write-ups are emerging from multiple vendors, including Tenable and Security Boulevard. Those posts summarize observed artefacts and vendor responses.