Last Modified: Dec 15, 2025
Affected Product(s):
BIG-IP F5OS, Install/Upgrade, TMOS
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 15.1.10.7, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1, 17.5.1.2
Fixed In:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8
Opened: Sep 30, 2025 Severity: 1-Blocking
A key update in October 2025 impacts image signature verification for certain BIG-IP and F5OS releases, potentially blocking installations or validations on older systems.
As a result, BIG-IP images signed with new keys may not be automatically verified by earlier BIG-IP and F5OS releases. In addition, earlier BIG-IP releases may not be automatically verified by BIG-IP versions released October 2025 or later.
This change is implemented in BIG-IP versions released October 2025 or later, and all BIG-IP Engineering Hotfixes created on or after October 13, 2025.
BIG-IP ISO Images: Signature verification (as documented in K15225) will block installation of this release on systems running earlier BIG-IP versions. To install this release: 1.Temporarily disable BIG-IP ISO signature verification. 2.Install this BIG-IP release. 3.Re-enable BIG-IP ISO signature verification. Signature verification (as documented in K15225) will also block installation of older BIG-IP versions (released before October 2025) on systems running this BIG-IP release. To install older versions: 1.Temporarily disable BIG-IP ISO signature verification. 2.Install the desired older BIG-IP version. 3.Re-enable BIG-IP ISO signature verification. F5OS Tenant Images: For this BIG-IP release, ".qcow2.zip.bundle" tenant images cannot be validated on F5OS host systems (VELOS chassis or rSeries appliances) running F5OS versions released prior to October 2025. This is due to differences in signing and verification methods. To install F5OS tenant images: Where possible, use the ".tar.bundle" image type, which is compatible with all supported F5OS releases other than F5OS-A 1.5.x. For F5OS-A 1.5.x, upgrade the host to F5OS-A 1.5.4 or later, and then use the ".qcow2.zip.bundle" tenant image. For more information, see: K15225: Enabling signature verification for BIG-IP ISO image files https://my.f5.com/manage/s/article/K15225 K24341140: Verifying BIG-IP software images using SIG and PEM files https://my.f5.com/manage/s/article/K24341140 K000157005: F5 signing certificate and key rotation, October 2025 https://my.f5.com/manage/s/article/K000157005
This BIG-IP release has been signed with cryptographic keys updated as of October 2025.
As the result of rotation of the keys used to sign BIG-IP images, verification of images for this BIG-IP release may not behave as historically expected. - For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of this release on systems running earlier releases of BIG-IP. To successfully install this BIG-IP release: 1. Disable BIG-IP ISO signature verification 2. Install this BIG-IP release 3. Re-enable BIG-IP ISO signature verification - For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of BIG-IP versions released prior to October 2025. To successfully install older BIG-IP versions while running this BIG-IP release: 1. Disable BIG-IP ISO signature verification 2. Install the desired BIG-IP release 3. Re-enable BIG-IP ISO signature verification - For F5OS tenant images for this BIG-IP release, F5OS tenant images of the ".qcow2.zip.bundle" type cannot be validated when imported into an F5OS host system (VELOS partition or rSeries appliance) for F5OS versions released prior to October 2025. This is due to different signing and verification methods for ".qcow2.zip.bundle" image types. To successfully install an F5OS tenant image for this BIG-IP release: - For F5OS-A 1.5.x, upgrade the system to at least F5OS-A 1.5.4 and then import an ".qcow2.zip.bundle" image. - For all other supported F5OS versions, import an F5OS tenant image of the ".tar.bundle" type. This image type uses a different signing and verification method which is recognized as valid on both newer and older F5OS host software versions. It is highly recommended that all F5-provided software images be manually verified using the procedures described in: K24341140: Verifying BIG-IP software images using SIG and PEM files https://my.f5.com/manage/s/article/K24341140 See also: K15225: Enabling signature verification for BIG-IP ISO image files https://my.f5.com/manage/s/article/K15225