F5 2024 Breach: Nation-State Attack Highlights Supply Chain Risks
Executive Summary
In June 2024, F5—a leading provider of application security and delivery products—disclosed a sophisticated cyberattack attributed to a nation-state actor. The breach was first discovered on August 9, 2023, and involved unauthorized, prolonged access to F5’s BIG-IP product development environment and its internal engineering knowledge platform. Although the attackers exfiltrated files containing segments of BIG-IP source code and limited customer configuration details, external forensic reviews confirmed no tampering with F5’s supply chain processes or build systems. No customer-facing platforms, including NGINX and Distributed Cloud Services, were affected, and the company found no evidence of critical vulnerabilities or malicious code insertion.
This incident is particularly important due to increasing nation-state supply chain attacks targeting core infrastructure vendors. It highlights growing risks to software development environments and the potential cascade effects on enterprise and government clients dependent on widely used technologies.
Why This Matters Now
Recent high-profile supply chain attacks underscore the critical need for deep security in development pipelines. Sophisticated nation-state actors increasingly target trusted vendors, seeking to compromise source code and sensitive configurations before products reach global customers. This breach spotlights the urgency of resilient DevSecOps and proactive threat detection today.
Attack Path Analysis
The threat actor achieved initial compromise of F5's development infrastructure, likely via exploitation of a misconfiguration or vulnerability. They escalated privileges to gain persistent access to sensitive environments like the BIG-IP development systems. Lateral movement enabled access to engineering knowledge management platforms and additional product development assets. The attacker maintained command and control by establishing sustained connections to the compromised infrastructure while evading detection. Eventually, sensitive files—including source code, implementation details, and customer configurations—were exfiltrated. The overall impact included confidential data loss and heightened risk to F5 and a subset of customers, though no software supply chain tampering or business disruption was detected.
Kill Chain Progression
Initial Compromise
Description
The attacker gained an initial foothold in F5's internal development environment, likely by exploiting an exposed service, misconfiguration, or vulnerability.
Related CVEs
CVE-2023-46748
CVSS 8.8An authenticated SQL injection vulnerability in the BIG-IP Configuration utility allows an attacker to execute arbitrary system commands.
Affected Products:
F5 Networks BIG-IP – 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, 11.6.x
Exploit Status:
exploited in the wildCVE-2025-59481
CVSS 8.5A vulnerability in undisclosed iControl REST and BIG-IP TMOS Shell commands may allow an authenticated attacker to execute arbitrary system commands with higher privileges.
Affected Products:
F5 Networks BIG-IP – 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, 11.6.x
Exploit Status:
no public exploitCVE-2025-59478
CVSS 8.7When a BIG-IP AFM DoS protection profile is configured, certain requests can cause the TMM process to terminate.
Affected Products:
F5 Networks BIG-IP – 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, 11.6.x
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts
Supply Chain Compromise
Data from Local System
Exfiltration Over Web Service
Indicator Removal on Host
Account Access Removal
Modify Authentication Process
System Information Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and detect unauthorized activity
Control ID: 10.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Credential and Access Defense
Control ID: Identity Pillar: Credential and Access Management
NIS2 Directive – Incident Handling and Response
Control ID: Article 21(2)(d)
ISO/IEC 27001:2022 – Technical Vulnerability Management
Control ID: A.12.6.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
F5's supply-chain breach exposes critical application delivery infrastructure used by Fortune 500 financial institutions, compromising zero trust segmentation and encrypted traffic capabilities.
Government Administration
Nation-state actor targeting F5 BIG-IP systems creates national security risks for government agencies relying on these application security and network traffic management solutions.
Health Care / Life Sciences
Exfiltrated F5 source code and vulnerabilities threaten HIPAA compliance through compromised east-west traffic security and threat detection capabilities in healthcare networks.
Computer Software/Engineering
Supply-chain compromise of F5's development environment affects software companies using BIG-IP products for secure hybrid connectivity and Kubernetes security implementations.
Sources
- F5 discloses breach tied to nation-state threat actorhttps://cyberscoop.com/f5-breach-nation-state-actor-sec-8k-justice-department/Verified
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systemshttps://www.cisa.gov/news-events/alerts/2025/08/27/cisa-and-partners-release-joint-advisory-countering-chinese-state-sponsored-actors-compromiseVerified
- NVD - CVE-2023-46748https://nvd.nist.gov/vuln/detail/CVE-2023-46748Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
By applying zero trust segmentation, east-west traffic controls, continuous threat detection, and strong egress enforcement, CNSF-aligned controls would have limited attacker traversal, exposed command & control, and reduced the likelihood of data exfiltration or misuse of sensitive assets in cloud-connected environments.
Control: Zero Trust Segmentation
Mitigation: Ingress paths to sensitive development resources would be tightly restricted.
Control: Multicloud Visibility & Control
Mitigation: Anomalous privilege-correlation or suspicious elevation events would be surfaced.
Control: East-West Traffic Security
Mitigation: Unapproved east-west network flows would be segmented and alerted.
Control: Threat Detection & Anomaly Response
Mitigation: Covert or unauthorized command & control channels would trigger alerts and response.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound exfiltration attempts would be blocked or flagged.
Integrated distributed enforcement reduces blast radius and enables rapid incident response.
Impact at a Glance
Affected Business Functions
- Product Development
- Customer Support
Estimated downtime: 7 days
Estimated loss: $5,000,000
Exfiltrated files included segments of BIG-IP source code and configuration details for a small percentage of customers.
Recommended Actions
Key Takeaways & Next Steps
- • Implement zero trust segmentation and microsegmentation across all sensitive cloud and development environments to constrain unauthorized access.
- • Deploy east-west traffic security controls with centralized visibility for rapid detection of anomalous internal movement.
- • Enforce strict egress policy controls and application-layer inspection to detect or block malicious exfiltration attempts.
- • Integrate advanced threat detection and response capabilities for behavioral anomaly detection and real-time incident response.
- • Continuously monitor, audit, and harden privileged access and credentials in product development and engineering platforms.
