Number: AL25-014
Date: October 15, 2025
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
On October 15, 2025, F5 published security incident K000154696, advising that a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems Footnote 1, including the BIG-IP product development environment and engineering knowledge management platforms, as well as configuration or implementation information for a small percentage of customers.
In response to this security incident, and the release of the F5 Quarterly Security Notification, the Cyber Centre released AV25-669 on October 15, 2025 Footnote 2. The purpose of this alert is to increase awareness of this reported incident.
The Cyber Centre is aware of online interest and speculation about this security incident and is publishing this Alert out of an abundance of caution.
Suggested actions
The Cyber Centre suggests the following actions:
- Perform a thorough inventory of all F5 assets
- Isolate F5 management interfaces that are facing the public internet
- Assess systems for potential compromise, and apply recommended mitigationsFootnote 3Footnote 4Footnote 5
- Patch F5 assets to latest versions
- Decommission End-of-Life F5 products
F5 Support has released a threat hunting guide intended to enhance detection and monitoring within customer environments. However, the Cyber Centre has received feedback indicating that the document may be primarily focused on the specific incident involving F5 and thus may have limited applicability to broader customer contexts.
Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.