Not sure why I'm downvoted. Literally quoted from their incident page.
> We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP.
> We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.
No, they claimed: "We have no knowledge" and "we are not aware" which does not mean "the vulnerabilities discovered through exfiltration were not used".
That admits nearly every possible class of outcome as long they did not actively already know about it and chose to say they did not. The specific words that their lawyers intentionally drafted explicitly even allow them to intentionally spend effort to destroy any evidence that would lead them to learn if the vulnerabilities were used and still successfully claim that they were telling the truth in a court of law. You should not assume their highly paid lawyers meant anything other than the most tortured possible technically correct statement.
PR statements drafted by legal are a monkey's paw. Treat them like it.
The fact that they didn't know for such a long time makes their statement completely unbelievable. Also pushing new updates? Sure, they'll say it's just a precaution but I'm willing to bet attacker did more damage than they are willing to publicly disclose
They claim the vulnerabilities discovered through the exfiltration were not used though.