F5 Tells the SEC a Nation-State Sat Inside Its BIG-IP Build Environment for Months

F5, Inc. (NASDAQ: FFIV) filed an 8-K under Item 1.05 on October 15, 2025, and the filing itself is unusually candid about how deep the intrusion ran. The company states that on August 9, 2025 it learned a “highly sophisticated nation-state threat actor had gained unauthorized access to certain Company systems,” activated its incident response processes, and engaged external cybersecurity experts to contain the threat.

The detail that makes this filing matter is dwell time. F5 determined that the threat actor “maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform.” Through that access, the filing says, files were exfiltrated — “some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP.”

F5 is careful to bound the damage. It says it is not aware of any undisclosed critical or remote-code vulnerabilities, has no evidence of active exploitation of undisclosed F5 vulnerabilities, and “no evidence of modification to our software supply chain, including our source code and our build and release pipelines” — an assessment it says was validated by independent reviews. It also reports no evidence of access to its CRM, financial, support case management, or iHealth systems, while acknowledging that some exfiltrated files contained configuration or implementation information for a small percentage of customers.

The timing is its own story. The intrusion was learned of on August 9 but disclosed October 15. The filing explains the gap: “On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K.” That national-security delay provision is built into the rule, and this is one of the clearer real-world invocations of it — the four-business-day clock can be paused when the Attorney General so determines.

For readers tracking how vendors word materiality, F5’s closing language is textbook hedge: “this incident has not had a material impact on the Company’s operations, and the Company is evaluating the impact this incident may reasonably have on its financial condition or results of operations.” Read the primary record at sec.gov; this filing was surfaced through EdgarBeast, the SEC filing data API and evidence index. The takeaway for defenders: a stolen-source-code disclosure with a DOJ delay is the rare 8-K that tells you the adversary was both patient and serious.