Last week, we disclosed a major security incident involving a highly sophisticated nation-state threat actor. As a CISO, I know what it is like to hear this kind of news from a partner. I understand how difficult and disruptive this has been for customers, and we truly apologize for—and take full ownership of—the incident.
Over the last week, we have spoken with hundreds of our customers as well as groups of fellow CISOs. I want to thank our customers and the broader security community for the partnership you’ve shown during this challenging time.
We are committed to learning from this incident, and we know there are things we could improve. Our top takeaway so far: Our controls were uneven—strong in some places and not in others. We will do better.
Teams across the company have mobilized to take swift, coordinated action aimed at restoring trust and permanently raising the security bar. We have improved automation in our inventory and patch management, and strengthened our monitoring for detection and response. We are enhancing our zero-trust capabilities across our infrastructure and operations, and we are partnering with CrowdStrike to bring advanced endpoint visibility to F5 BIG-IP. In fact, we are running CrowdStrike EDR on our corporate edge BIG-IP devices. We’re also offering that same protection to our customers for their BIG-IP fleets.
We are continuing to work around the clock to make this right, partnering with our customers every step of the way. As we continue our investigation and develop lessons learned from this incident, we will share our takeaways to help strengthen the broader security community.
To that end, below are the most common questions I’m hearing from customers right now, along with answers and guidance:
Some of the exfiltrated files from our knowledge management platform contained information related to a small percentage of customers. Importantly, we continue to have no evidence of access to, or exfiltration of, data from our CRM, financial, support case management, or F5 iHealth systems. The affected customer data we have found is primarily internal notes about customer interactions, which can include information used for troubleshooting, feature development, and bug fix requests.
Our detailed review of these files is ongoing. While we are moving quickly, we are taking the time to provide accurate information. We have already notified customers whose data we have identified so far, and we will continue to update customers directly as we learn more.
We have not seen information exfiltrated in this incident being shared publicly or on the Dark Web, nor have we seen any evidence of active exploitation of the vulnerabilities that were accessed.
While we have no knowledge of undisclosed critical or remote code execution vulnerabilities, or exploitation of the vulnerabilities we disclosed last week, CISA’s directive reinforces (1) the strong advice in our disclosure that customers update their BIG-IP software as soon as possible, and (2) our configuration guidance that management interfaces should never be exposed to the public Internet and should always be protected through proper segmentation, network isolation, and access control.
The updates announced in our Quarterly Security Notification address high-severity vulnerabilities in the information accessed by the threat actor, and we have provided additional resources to help customers harden and monitor their F5 environments here. We’ll continue to collaborate closely with CISA and our customers to ensure clarity, transparency, and confidence in our products.
We know speed is important when communicating about security incidents, and we strived to disclose the incident in a timely, responsible, accurate, and actionable way. We have also been working closely with law enforcement and our government partners.
First, we have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms NCC Group and IOActive. To maintain rigorous oversight, we will continue to engage them for ongoing analysis.
Second, we are urging customers to update their BIG-IP software as quickly as possible. There have been 24,000 downloads of the new releases, so a significant number of our customers are on the way to running the updated software. We have also provided over 200 custom releases to customers.
In the coming weeks, we will also launch a bug bounty program to further strengthen product security.
CrowdStrike Falcon Sensor and OverWatch Threat Hunting are available now for early access on BIG-IP Virtual Edition (VE), with availability on BIG-IP hardware systems to follow. By enabling F5 customers to embed CrowdStrike’s Falcon Sensor directly into the F5 BIG-IP platform and leverage the CrowdStrike Falcon Adversary OverWatch managed threat hunting service, the companies are advancing adaptive, AI-driven security to the network perimeter where enterprises front their most critical application and API traffic.
F5 is providing eligible BIG-IP customers with complimentary access through October 14, 2026, to enable the immediate adoption of AI-native security and threat hunting at the network level without upfront costs. Interested F5 BIG-IP customers can find more details and get started here.
We plan to maintain our ongoing cadence of BIG-IP updates and fixes. We will address and communicate any vulnerabilities according to our vulnerability response policy. That said, at this time, based on our investigation of available logs, we have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of reports of active exploitation of any undisclosed F5 vulnerabilities.
IOCs are available to F5 customers upon request. Customers can open a MyF5 support case, or contact F5 support or their account teams directly to obtain IOCs and a threat hunting guide.
The threat hunting guide was prepared by CrowdStrike and is not specific to F5. It is intended to support you in hunting for the threat actor in your own environment.
The updated versions of BIG-IP that customers should install:
You can find more information about these releases and the vulnerabilities we fixed in the October Quarterly Security Notification.
We strongly recommend updating any EOL software versions to those currently supported by F5 to ensure you have the latest security updates and enhancements.
You can contact F5 support directly for help with updating your BIG-IP systems.