
Inside the F5 Breach: What We Know and Recommended Actions

Last updated on Oct 17, 2025

On October 15, 2025, F5 Networks disclosed a breach attributed to a sophisticated nation-state actor. In an SEC Form 8-K filed the same day, F5 confirmed unauthorized access to its internal development and knowledge-management systems dating back to August 9, 2025. Some source code and vulnerability-related materials were exfiltrated, though F5 states it found no evidence of modified software builds or supply chain compromise. F5 has published an advisory on the incident.

Rapid7 has conducted an internal investigation and is not impacted by this incident. As part of our due diligence, we are also monitoring the situation with our third-party vendors.  

All known detections have been implemented across the Rapid7 portfolio, and threat hunts across our MDR customer base are being rolled out proactively.  Further details are provided below, and this publication will be updated as new information becomes available. 

Scope and investigation

F5 commissioned independent assessments by IOActive and NCC Group. Both parties confirmed no tampering in build pipelines or release artifacts had occurred.

Connection to BRICKSTORM

Public reporting has linked the F5 breach with the BRICKSTORM malware family, based on customer communications from F5. Mandiant’s BRICKSTORM report links the adversary to campaigns targeting software and cloud vendors to harvest source code and credentials for downstream supply-chain exploitation. 

CISA and NCSC actions

Following coordinated disclosure, CISA issued Emergency Directive 26-01 instructing federal agencies to audit and patch affected F5 systems, while the UK NCSC confirmed compromise of F5 development infrastructure and is advising UK operators to validate firmware and signatures.

Patch cycle and clarification

F5 emphasized that its October 2025 quarterly patches — released the same day as the SEC filing — are unrelated to the breach and are part of its regular maintenance cadence. However, F5 is strongly advising customers to apply the patches, which remediate 44 newly disclosed vulnerabilities, as soon as possible. The urgency comes from the breach itself: the threat actor was able to learn sensitive information about previously undisclosed vulnerabilities, which may give the attacker a head start in exploiting them before customers patch.

Rapid7 InsightVM and Nexpose customers will have coverage for all the vulnerabilities affecting BIG-IP (all modules), BIG-IP APM, BIG-IP AFM, BIG-IP ASM and BIG-IP PEM in the October 16, 2025 content release.

The Rapid7 Labs perspective

The Rapid7 Labs research team assesses that, while there is no evidence of active exploitation of undisclosed F5 vulnerabilities, the compromise of internal development systems represents a long-tail risk.

Adversaries with access to proprietary source code or vulnerability research may attempt to identify latent weaknesses in future operations.

Rapid7 Labs continues to track the BRICKSTORM cluster and any follow-on exploitation of network-edge technologies derived from this intrusion. We will update customers as new intelligence emerges and share it through Intelligence Hub. 

What you should do now

Organizations using F5 technologies should take immediate, prioritized action to validate the integrity of their environments and reduce potential exposure stemming from this incident.

1. Identify and assess your footprint

  • Inventory all deployed F5 assets — including hardware appliances, software instances, and virtualized deployments.

  • Determine whether any of these systems provide remote management access or administrative interfaces that are reachable from the public internet.

2. Restrict management exposure and validate configurations

  • F5 management interfaces should never be internet-facing. If external exposure is detected, assume potential compromise and conduct a focused assessment of logs, configurations, and credentials.

  • Implement F5’s published hardening guidance and align configurations with vendor best practices for access control, authentication, and telemetry.

3. Apply updates and replace unsupported systems

  • Immediately install the latest F5 security updates released in October 2025.

  • Retire or replace any F5 products that have reached end-of-support, as these devices will not receive future security fixes.

4. Enhance monitoring and detection coverage

  • Conduct continuous monitoring and proactive threat hunting for anomalous activity related to management logins, credential use, and system modifications.

5. Report and coordinate if compromise is suspected

  • If indicators of compromise or unauthorized access are detected, contact F5’s Security Incident Response Team (SIRT) for coordinated remediation.

  • Engage your national cybersecurity authority or incident response partner where applicable.
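The first three steps above amount to a triage of the F5 inventory: which devices expose a management address outside the internal network, which run end-of-support versions, and which still lack the October 2025 update. The script below is an added example of that triage, not Rapid7's or F5's code. It assumes an inventory exported as CSV with the columns hostname, product, version and mgmt_ip; the internal address ranges, the end-of-support majors, the patched-minimum version and the sample rows are all constructed placeholders to be replaced with your own network plan and with F5's lifecycle and advisory data.

```python
"""Triage an F5 asset inventory against the checklist above.

Added example, not Rapid7's or F5's code. It assumes an inventory exported
as CSV with columns hostname,product,version,mgmt_ip. INTERNAL_RANGES,
EOS_MAJOR_VERSIONS, PATCHED_MINIMUM and SAMPLE_INVENTORY are constructed
placeholders, not F5 lifecycle or advisory data.
"""
import csv
import io
import ipaddress

# Step 2: treat any management address outside these ranges as potentially
# internet-facing. Constructed list (RFC 1918, loopback, link-local, ULA);
# add your own allocated ranges. An external scan is still needed to confirm
# real exposure; this is a first-pass triage of the inventory.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Step 3: PLACEHOLDER values, not F5 lifecycle or advisory data.
EOS_MAJOR_VERSIONS = {13, 14}   # majors treated as end-of-support here
PATCHED_MINIMUM = (17, 5, 1)    # first version assumed to carry the October fixes

# Ordering used to put the most urgent finding first in the report.
SEVERITY = {
    "MGMT_INTERNET_FACING": 0,
    "END_OF_SUPPORT": 1,
    "MISSING_OCT_2025_UPDATE": 2,
    "VERSION_UNKNOWN": 3,
}


def parse_version(text):
    """'17.1.0' -> (17, 1, 0); anything unparsable -> None."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def outside_internal_ranges(ip_text):
    """True when the address is not inside any INTERNAL_RANGES entry.

    An unparsable address is reported as outside so that a human reviews it
    instead of the row being silently skipped.
    """
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_RANGES)


def triage_inventory(csv_text):
    """Return (hostname, finding) pairs sorted by severity, then hostname."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"]
        if outside_internal_ranges(row["mgmt_ip"]):
            findings.append((host, "MGMT_INTERNET_FACING"))
        ver = parse_version(row["version"])
        if ver is None:
            findings.append((host, "VERSION_UNKNOWN"))
        elif ver[0] in EOS_MAJOR_VERSIONS:
            # End-of-support devices get replaced, not patched.
            findings.append((host, "END_OF_SUPPORT"))
        elif ver < PATCHED_MINIMUM:
            findings.append((host, "MISSING_OCT_2025_UPDATE"))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))


# Constructed sample inventory; hostnames, versions and addresses are made up.
SAMPLE_INVENTORY = """\
hostname,product,version,mgmt_ip
lb-edge-01,BIG-IP APM,16.1.4,203.0.113.10
lb-core-02,BIG-IP,17.5.1,10.20.0.5
lb-legacy-03,BIG-IP ASM,14.1.5,192.168.3.7
lb-lab-04,BIG-IP AFM,unknown,10.9.9.9
"""

if __name__ == "__main__":
    for host, finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"{finding:24} {host}")
```

The exposure check deliberately uses an allowlist of internal ranges rather than the library's notion of a "global" address: anything the inventory places outside the network plan is flagged for review, which is the assume-compromise posture step 2 calls for. Devices on an end-of-support major are reported only as END_OF_SUPPORT, since the remediation there is replacement rather than patching.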

How Rapid7 is supporting customers

At present there are no known exploited CVEs associated with the disclosure. Rapid7 has implemented honeypot sensors to detect if exploitation of affected F5 products does begin. In addition, we are undertaking the following measures for our customers.

Vulnerability management

Vulnerability Management (InsightVM and Nexpose) customers that run F5 BIG-IP models will be able to assess exposure to the vulnerabilities affecting BIG-IP (all modules), BIG-IP APM, BIG-IP AFM, BIG-IP ASM and BIG-IP PEM, with vulnerability checks available in the October 16 content release.

MDR and IDR customers

Rapid7 has proactively updated our threat detection capabilities in response to this threat. Our Threat Intelligence and MDR teams have launched targeted hunts for IOCs related to BRICKSTORM and are continuously refining our detection rules to identify these attacks early.

  • Suspicious Process - BRICKSTORM targets U.S. Tech and Legal sectors with Stealthy Espionage

  • Suspicious Network Connection - BRICKSTORM targets U.S. Tech and Legal sectors with Stealthy Espionage

The Rapid7 MDR team has completed all threat hunts utilizing the available indicators of compromise (IOCs) and did not find any indications of customer exposure. Threat hunting will continue in an effort to identify new activity.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding the F5 breach and associated indicators.

Updates

  • Oct 17, 2025: Updated the Vulnerability management section to confirm that VM checks were successfully shipped on Oct 16.
