(TLP:CLEAR) CISA Releases Emergency Directive to Mitigate Vulnerabilities in F5 Devices (Updated October 23, 2025)
Created: Thursday, October 16, 2025 - 13:47
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
October 23, 2025
Summary: Yesterday, F5 published new information regarding the ongoing security incident involving a highly sophisticated nation-state threat actor that compromised portions of BIG-IP proprietary source code. The blog post includes answers to many questions regarding the ongoing situation and what F5 customers can expect in the near term. WaterISAC is sharing this information for member awareness, and encourages members who use F5 products, particularly BIG-IP, to review F5’s blog post and continue to follow the situation closely. Utilities that outsource technology support may want to consult with their service providers for assistance with remediation actions.
F5 mentioned they will continue issuing updates and fixes and will maintain their current cadence. The updated versions of BIG-IP that customers should install include:
- BIG-IP 17.5.1.3
- BIG-IP 17.1.3
- BIG-IP 16.1.6.1
- BIG-IP 15.1.10.8
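An inventory check against the releases listed above, added here as an example and not taken from the WaterISAC, CISA or F5 material. It assumes the inventory is exported as `hostname,version` lines and that each listed release is the minimum acceptable version for its major.minor branch; the function names and sample hosts are hypothetical.

```python
# Releases listed in the advisory above, keyed by branch (major.minor).
LISTED = {"17.5": "17.5.1.3", "17.1": "17.1.3", "16.1": "16.1.6.1", "15.1": "15.1.10.8"}

def parse(version):
    """Turn '16.1.6.1' into (16, 1, 6, 1); shorter versions are zero-padded to 4 parts."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version):
    """Return 'ok', 'update' or 'review' for one installed BIG-IP version string."""
    try:
        installed = parse(version)
    except ValueError:
        return "review"      # unparseable entry: check the device by hand
    branch = f"{installed[0]}.{installed[1]}"
    if branch not in LISTED:
        return "review"      # branch not named in the advisory: consult the directive
    # Assumption: the listed release is the minimum for its branch.
    return "ok" if installed >= parse(LISTED[branch]) else "update"

def audit(inventory_text):
    """Parse 'hostname,version' lines and return {hostname: status}."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = """\
# hostname,version
ltm-plant-01,17.5.1.3
ltm-plant-02,17.1.2.1
ltm-scada-dmz,16.1.6
ltm-billing,15.1.10.8
ltm-legacy,14.1.5.6
ltm-unknown,n/a
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:15} {status}")
```

Entries marked `review` are on a branch the list above does not name, or could not be parsed, and need to be checked against the full product list in the directive.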
October 16, 2025
ACTION MAY BE REQUIRED for utilities using F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF.
Summary: On October 15, CISA issued Emergency Directive ED 26-01: Mitigate Vulnerabilities in F5 Devices, which directs Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, evaluate whether the networked management interfaces are accessible from the public internet, and apply newly released updates from F5.
A nation-state affiliated cyber threat actor has compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information, which provides the actor with a technical advantage to exploit F5 devices and software. This poses an imminent threat to networks using F5 devices and software.
Analyst Note: WaterISAC encourages members to follow CISA’s Emergency Directive and the Key Actions, which include creating an inventory of all vulnerable F5 devices (see directive for full list), updating BIG-IP hardware and software instances, hardening public-facing hardware and software appliances, disconnecting end-of-support devices, and mitigating against cookie leakage. Utilities that outsource technology support may want to consult with their service providers for assistance with remediation actions.
Original Source: https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
Mitigation Recommendations:
Related WaterISAC PIRs: 6, 7, 7.1, 8, 10
