On October 15, 2025, F5 disclosed that attackers had gained unauthorized access to its internal systems, specifically those tied to BIG-IP product development. The company described the breach as long-term and persistent. This announcement immediately impacted investor confidence, and more information came out in the following weeks as F5 updated its financial guidance.
Breach Discovery and Reporting
August 9, 2025: F5 Discovered the Breach
F5 learned about the breach on August 9, 2025, after discovering that a sophisticated attacker had accessed its internal systems. The affected systems included the BIG-IP product development environment and engineering documentation platforms.
As of the day of this writing, there is no public information available regarding the identity of the threat actor responsible for the F5 breach. If you want to stay updated on this incident, you can sign up for a free VenairX account to receive instant alerts whenever new information is released about this case.
Attackers stole files containing BIG-IP source code and details about vulnerabilities the company was working to patch. The breach impacted both virtual and hardware BIG-IP products. F5 said it was not aware of any critical vulnerabilities being actively exploited at the time of disclosure.
October 15, 2025: F5 Discloses the Breach
On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted under Item 1.05(c) of Form 8-K. F5 filed its disclosure on October 15, 2025, after the DOJ allowed public reporting.
October 27, 2025: Further Details Emerge in F5 Earnings Call
On October 27, 2025, during its earnings call, F5 provided details on how the breach was affecting its operations and finances. Leaders outlined the steps taken after discovering the intrusion, including containment measures and security upgrades. They also announced that revenue growth for the next year would be lower than expected because customers were delaying purchases and focusing on remediation. This was the first time F5 directly connected the breach to specific financial consequences.
F5 revised its fiscal 2026 revenue growth forecast down to 0–4%. The company said this was due to customers pausing projects and delaying new purchases while they assessed their own risk and applied fixes.
Immediate Market and Analyst Reaction
F5’s stock (NASDAQ: FFIV) fell from $343.17 on October 14, 2025, to $295.35 on October 16, 2025, a drop of about 14%.
Analysts noted that the company had not provided sufficient information about how the breach would affect its business or finances. This uncertainty drove further concern among investors.
After the October 27, 2025, earnings call and guidance update, F5’s stock dropped from $290.41 to $258.76, a nearly 11% decline in a single day.

Investor Lawsuit and Disclosure Criticism
A class action complaint was filed on December 19, 2025, covering investors who purchased F5 securities between October 28, 2024, and October 27, 2025. The complaint alleges that F5’s October 15 disclosure lacked sufficient detail about the projected financial impact, which customers were affected, and remediation costs. It also argues that F5’s statements about its security posture were inconsistent.
Customer Impact
F5 said there was no evidence that the attacker accessed its Distributed Cloud Services or NGINX environments. The breach affected mainly BIG-IP customers. All BIG-IP users were urged to upgrade, but a smaller group of customers whose data was actually taken received direct notifications and support.
BIG-IP is F5’s main product, so the breach raised concerns about future sales and overall business health, especially among investors.
Key Takeaways for Security and Risk Leaders
The F5 breach shows that the way a company communicates about a security incident can have serious financial and reputational consequences. When F5 delayed its disclosure and failed to provide clear information, it created uncertainty for investors and customers. This uncertainty contributed to a sharp drop in stock price and ongoing doubts about the company’s reliability.
For security leaders, the lesson is clear: prompt and transparent communication after a breach is just as important as technical remediation. Fixing the technical issues out of public view is only part of the response. How the company communicates with the public can directly impact both its financial performance and reputation.
F5’s experience is a clear example of how a technical breach can quickly become a financial and reputational issue. Security leaders should view this as a case study in risk management, rapid disclosure, and the need for close coordination with both customers and investors during and after a security event.