F5 Under Scrutiny for Alleged Hack
Law firm Hagens Berman is scrutinizing networking hardware company F5 over an alleged long-term, undetected hack and nation-state infiltration. The investigation questions the company's claims of having "best in industry security" following the purported theft of source code. The situation highlights ongoing risks in supply chain security for critical infrastructure components.
- The securities class action lawsuit centers on F5's alleged failure to disclose the breach in a timely manner, claiming the company learned of the incident on August 9, 2025, but only revealed it to investors on October 15, 2025. This delay, coupled with a subsequent downward revision of its 2026 revenue guidance, led to a stock price drop that erased over $2 billion in market value. - F5's BIG-IP product, the primary target of the alleged hack, is a suite of software and hardware that provides application delivery services, including load balancing, SSL offloading, and web application firewalls. Its widespread use in corporate and government networks makes any vulnerability a significant supply chain risk. - Nation-state hacks often aim to remain undetected for long periods to exfiltrate data and establish persistent access, which aligns with the allegations of a "long-term, persistent" breach at F5. The goal frequently extends beyond immediate disruption to include intellectual property theft for competitive advantage. - This incident follows previous critical vulnerabilities in the BIG-IP platform, such as CVE-2022-1388, a flaw with a 9.8 CVSS score that allowed for unauthenticated remote code execution. Publicly available exploits for past vulnerabilities have led to widespread scanning and active exploitation attempts shortly after disclosure. - The alleged theft of source code is particularly damaging as it could allow attackers to discover new vulnerabilities, creating further risks for F5's customers long after the initial breach is contained. - The pending lawsuit covers an investor class period from October 28, 2024, to October 27, 2025, with a lead plaintiff deadline of February 17, 2026. - Geopolitical tensions are increasingly linked to cybersecurity, with a 2022 Microsoft report noting that attacks from nation-states like Russia, Iran, and China had doubled from 20% to 40% of observed incidents. A study found that 64% of organizations suspect they have been targeted or impacted by a nation-state attack.
