Cyber Alert: F5 Security Incident and BIG-IP Exfiltration

Attention HIROC Subscribers:
As your proactive partner in safety, HIROC is sharing the following important notice.
Please share this Alert with your Information Technology (IT) team, Information Security Management team, Chief Information Officer, and Chief Technology Officer and, as appropriate, with your users, to raise awareness about a potential cyber threat and to address potential risks promptly.
The purpose of this Alert is to raise awareness about a recently reported F5 security incident, its potential impact on certain F5 systems, and the measures that can be taken to reduce exposure. HIROC recognizes that third-party technology risks continue to be a source of concern for our Subscribers. We encourage you to review your environments and take the recommended precautions.
HIROC has become aware of the F5 security incident K000154696, published on October 15, 2025, which reported that a highly sophisticated nation-state threat actor maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment, engineering knowledge management platforms, and configuration or implementation information for a small percentage of customers.
F5 has confirmed that files were exfiltrated from these systems. While there are no known active exploits of undisclosed F5 vulnerabilities currently, the incident underscores the importance of assessing your F5 assets and mitigating potential exposure.
Additionally, HIROC recommends the following for our Subscribers:
- Perform a thorough inventory of all F5 assets in your environment.
- Isolate F5 management interfaces from the public internet wherever possible.
- Assess systems for potential compromise and apply recommended mitigations:
  - Patch all F5 assets to the latest available versions.
  - Decommission any End-of-Life F5 products.
- F5 Support has also released a threat hunting guide to enhance detection and monitoring within customer environments. While this guide primarily addresses the specific incident, it may provide useful insights for assessing risk in broader contexts.
- If you discover activity matching the content of this Alert, you are encouraged to report it via Cyber Centre Incident Management: https://www.cyber.gc.ca/en/incident-management, or email [email protected].
We are here for you!
In the event of a cyber loss, please contact HIROC’s Claims Department at [email protected].
For Healthcare Safety and Risk Management resources and advice, please contact [email protected].
If you have any questions about this Alert, please contact Kopiha Nathan, HIROC’s Privacy and Compliance Officer, at [email protected].
Thank you for your vigilance and attention to this matter.
References
- F5 Security Incident K000154696: https://my.f5.com/manage/s/article/K000154696
- F5 Hardening Your System K53108777: https://my.f5.com/manage/s/article/K000156572
- CISA – Directives to Mitigate Vulnerabilities in F5 Devices: https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices