[8-K] F5, INC. Reports Material Event

Rhea-AI Filing Summary

F5, Inc. reported a cybersecurity incident involving a highly sophisticated nation-state actor that gained long-term access to certain systems, including the BIG-IP product development environment and engineering knowledge platform. The company says containment actions have been successful and has not observed new unauthorized activity since initiating its response. Some files were exfiltrated, including portions of BIG-IP source code and information about undisclosed vulnerabilities the company was working on. F5 states it is not aware of undisclosed critical or remote code vulnerabilities or active exploitation, and independent experts validated no modification to its software supply chain.

F5 reports no evidence of access to CRM, financial, support case management, or iHealth systems; there is also no evidence of access to NGINX, Distributed Cloud Services, or Silverline. The U.S. Department of Justice permitted delayed disclosure on September 12, 2025. As of this disclosure, operations have not been materially impacted, and the financial impact is being evaluated. Separately, Michael Montoya resigned from the Board on October 9, 2025, and became Chief Technology Operations Officer effective October 13, 2025; the Board size is now ten members.

Insights

Cybersecurity and Risk Analyst

Significant breach disclosed; containment reported, impact under evaluation.

F5 reports a nation-state intrusion with persistent access to the BIG-IP development environment and knowledge systems. Exfiltrated materials include portions of BIG-IP source code and information about undisclosed vulnerabilities under remediation. The company reports no evidence of supply chain modification, with this assessment validated by independent firms.

Operationally, F5 cites no material impact as of the disclosure. There is no evidence of access to CRM, financial, support case management, or iHealth data, and no evidence of access to NGINX, Distributed Cloud Services, or Silverline. Actual commercial impact will hinge on customer communications and remediation steps described.

Governance-wise, Michael Montoya resigned from the Board on October 9, 2025 and became Chief Technology Operations Officer on October 13, 2025, centralizing security operations under the CEO. Disclosure timing followed a September 12, 2025 DoJ determination permitting delay under Item 1.05(c).

0001048695false00010486952025-10-152025-10-15

UNITED STATES SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of the

Securities Exchange Act of 1934

Date of Report (Date of Earliest Event Reported):

October 15, 2025

F5, Inc.

(Exact name of registrant as specified in its charter)

Washington

000-26041

91-1714307

(State or other jurisdiction

(Commission

(IRS Employer

of incorporation)

File Number)

Identification No.)

801 5th Avenue

Seattle

,

WA

98104

(Address of principal executive offices)

(Zip Code)

Registrant’s telephone number, including area code (206) 272-5555

Not Applicable

Former name or former address, if changed since last report

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐ Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐ Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

☐ Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

☐ Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class			Trading Symbol(s)			Name of each exchange on which registered
Common stock, no par value			FFIV			NASDAQ Global Select Market

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter). Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 1.05 Material Cybersecurity Incidents

On August 9, 2025, F5, Inc. (the “Company”, “F5”, “we”, or “our”) learned that a highly sophisticated nation-state threat actor had gained unauthorized access to certain Company systems. The Company promptly activated its incident response processes, and has taken extensive actions to contain the threat actor. To support these activities, the Company engaged leading external cybersecurity experts.

The Company believes its containment actions have been successful and, since the initiation of its containment efforts, has not observed any evidence of new unauthorized activity. The investigation, monitoring, and related activities are ongoing. The Company is actively engaged with federal law enforcement and government partners in connection with this incident. Additionally, the Company is implementing further measures to strengthen its security environment and protect its customers.

During the course of its investigation, the Company determined that the threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform. Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP. We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities. We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms.

We have no evidence of access to, or exfiltration of, data from our CRM, financial, support case management, or iHealth systems. However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers. The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate.

We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.

On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner.

As of the date of this disclosure, this incident has not had a material impact on the Company’s operations, and the Company is evaluating the impact this incident may reasonably have on its financial condition or results of operations.

Item 5.02 Departure of Directors or Certain Officers; Election of Directors; Appointment of Certain Officers; Compensatory Arrangements of Certain Officers

On October 9, 2025, Michael Montoya resigned, effective immediately, from his position as a director of F5’s Board of Directors (the “Board”), including his memberships on the Risk Committee and Nominating and Environmental, Social and Governance Committee. His decision to resign from the Board was not the result of any disagreement with the Company. 

Mr. Montoya has been a valuable member of the Board and following his resignation from the Board, Mr. Montoya continued his service with the Company and has been appointed as F5’s Chief Technology Operations Officer, effective October 13, 2025, reporting directly to the Chief Executive Officer (CEO), Montoya will lead the enterprise-wide strategy and execution to build and operate the Company with security at its core.

Pursuant to the recommendation of the Nominating and Environmental, Social and Governance Committee and in connection with Mr. Montoya’s resignation, the Board reduced the size of the Board from eleven to ten members. As a result of such reduction, there are currently no vacancies on the Board.

Item 7.01 Regulation FD Disclosure

On October 15, 2025, F5 posted certain information regarding the incident on its MyF5 customer support site. A copy of that posting is furnished as Exhibit 99.1 to this report.

The information in this Item 7.01 and Exhibit 99.1 shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or otherwise subject to the liability of that section, and shall not be incorporated by reference into any registration statement or other document filed under the Securities Act of 1933, as amended, or the Exchange Act, except as shall be expressly set forth by specific reference in such filing.

Forward Looking Statements

Certain statements made in this report by F5, which are not historical facts are forward-looking statements subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. These forward-looking statements involve risks and uncertainties which we expect will or may occur in the future and may impact our business, financial condition and results of operations. The words “believe,” “expect,” “may,” “will,” “should,” “could,” and similar expressions are intended to identify those forward-looking statements, although there may be other such statements that do not use such wording. Such forward-looking statements include, but are not limited to, statements regarding the Company’s containment efforts, the results of the Company’s ongoing investigation of the incident, and the impact of the incident on the Company. These forward-looking statements reflect the Company’s best judgment based on current information, and, although we base these statements on circumstances that we believe to be reasonable when made, there can be no assurance that future events will not affect the accuracy of such forward-looking information. Forward-looking statements are not guarantees of future events or circumstances and may vary materially from that discussed in this report. Factors that might cause the Company’s actual results to differ materially from those anticipated in forward-looking statements include, but are not limited to: the Company’s ongoing assessment of the impacts of the cybersecurity incident, including the Company’s potential discovery of additional information related to the incident in connection with its investigation or otherwise; the Company’s expectations regarding its ability to contain and remediate the cybersecurity incident; the impact of the cybersecurity incident on the Company’s relationships with customers, employees, and governmental authorities; the legal, reputational, and financial risks resulting from the cybersecurity incident, including risks, which may arise from any potential regulatory inquiries or litigation to which the Company may become subject in connection with the incident; remediation and other additional costs that may be incurred and borne by the Company in connection with the investigation and remediation of the incident; and the risks and uncertainties discussed in the Company’s annual and quarterly (including the risk factor sections) and other reports and materials provided to the SEC. F5 disclaims any obligation to update or revise any statement contained in this report except as required by law.

Item 9.01 Financial Statements and Exhibits

(d) Exhibits:

Exhibit No.						Exhibit Description
99.1						Website Post dated October 15, 2025 titled "F5 Security Incident"
104.0						Cover Page Interactive Data File (embedded within the Inline XBRL document)

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

F5, INC.  (Registrant)

Date: October 15, 2025

By:

/s/ François Locoh-Donou

François Locoh-Donou

President and Chief Executive Officer

FAQ

What did F5 (FFIV) disclose about the cybersecurity incident?

F5 reported that a nation-state actor gained long-term access to certain systems, exfiltrating portions of BIG-IP source code and information on undisclosed vulnerabilities.

Did the F5 (FFIV) incident affect customer or financial systems?

F5 has no evidence of access to CRM, financial, support case management, or iHealth systems; some exfiltrated files included configuration or implementation information for a small percentage of customers.

Were NGINX or F5’s cloud services impacted?

F5 has no evidence that NGINX source code or development, or its Distributed Cloud Services or Silverline systems, were accessed or modified.

Has F5 (FFIV) contained the threat and is there active exploitation?

F5 believes containment was successful and has seen no new unauthorized activity; it is not aware of active exploitation of undisclosed F5 vulnerabilities.

Why was disclosure delayed and when?

The U.S. Department of Justice determined on September 12, 2025, that delay was warranted under Item 1.05(c).

What leadership changes did F5 (FFIV) announce?

Michael Montoya resigned from the Board on October 9, 2025, and became Chief Technology Operations Officer effective October 13, 2025; the Board was reduced to ten members.

Has the incident materially impacted F5’s operations or finances?

As of this disclosure, F5 states operations have not been materially impacted and it is evaluating potential financial effects.