CISA Adds CVE-2025-53521 to KEV List Following Active Exploitation of F5 BIG-IP APM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a high-severity vulnerability affecting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog after confirming real-world attacks.

Critical Vulnerability Escalates to Remote Code Execution

The flaw, tracked as CVE-2025-53521, carries a CVSS v4 score of 9.3 and allows attackers to execute code remotely on vulnerable systems.

Initially, the issue was treated as a denial-of-service vulnerability. However, new findings in March 2026 led to its reclassification as a remote code execution (RCE) flaw, significantly increasing its severity.

According to official details, systems with BIG-IP APM access policies configured on virtual servers can be exploited through specially crafted malicious traffic, enabling attackers to take control of affected devices.

Evidence of Active Exploitation in the Wild

F5 has confirmed that the vulnerability is being actively exploited in real environments, although details about the threat actors remain undisclosed.

Security researchers have also observed a surge in scanning activity targeting exposed F5 BIG-IP systems shortly after the vulnerability was added to the KEV catalog.

Indicators of Compromise Identified

Organizations are urged to check their systems for signs of compromise. Key indicators include:

File-Based Indicators

  • Presence of suspicious files such as /run/bigtlog.pipe and /run/bigstart.ltm
  • Changes in file hashes, sizes, or timestamps for critical binaries like /usr/bin/umount and /usr/sbin/httpd

Log-Based Indicators

  • Unusual entries in logs showing local access to the iControl REST API
  • Evidence of attempts to disable SELinux
  • Audit logs showing unauthorized command execution

Behavioral Indicators

  • Modifications affecting system integrity tools like sys-eicheck
  • Suspicious HTTP/S responses using HTTP 201 codes and CSS content types to mask malicious activity
  • Potential changes to specific web interface files

Experts also warn that attackers may deploy webshells that operate entirely in memory, leaving minimal traces on disk and making detection more challenging.
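A defender-side check over the indicators listed above, added here as an example; it is not part of the advisory or of F5's own tooling. The file paths, the log-based indicators and the device-info endpoint come from the indicators above, while the baseline hashes, the log wording and the sample tree are constructed assumptions (a real baseline would be recorded from a known-good BIG-IP image).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File-based indicators from the advisory, relative to root so a mounted image can be checked.
SUSPICIOUS_FILES = ["run/bigtlog.pipe", "run/bigstart.ltm"]
MONITORED_BINARIES = ["usr/bin/umount", "usr/sbin/httpd"]
# Log-based indicators as regexes; the wording is assumed, tune to the real log format.
LOG_PATTERNS = {
    "selinux_disable": re.compile(r"\bsetenforce\s+0\b|selinux\s*=\s*disabled", re.I),
    "css_201_response": re.compile(r"\b201\b.*text/css", re.I),
    "device_info_recon": re.compile(r"/mgmt/shared/identified-devices/config/device-info"),
}

def check_filesystem(root, baseline):
    """Flag suspicious files, and monitored binaries whose sha256 differs from
    `baseline` (path -> digest from a known-good image; unknown binaries are flagged)."""
    root, findings = Path(root), []
    for rel in SUSPICIOUS_FILES:
        if (root / rel).exists():
            findings.append(("suspicious_file", "/" + rel))
    for rel in MONITORED_BINARIES:
        p = root / rel
        if p.exists() and hashlib.sha256(p.read_bytes()).hexdigest() != baseline.get("/" + rel):
            findings.append(("hash_mismatch", "/" + rel))
    return findings

def check_logs(lines):
    """Return (indicator, line) for every log line matching an indicator pattern."""
    return [(n, ln) for ln in lines for n, rx in LOG_PATTERNS.items() if rx.search(ln)]

def run_demo():
    """Constructed sample (not real data): umount intact, httpd tampered, one IoC file, 4 log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("run", "usr/bin", "usr/sbin"):
            (root / d).mkdir(parents=True)
        (root / "run/bigtlog.pipe").write_bytes(b"")
        (root / "usr/bin/umount").write_bytes(b"ELF-umount-original")
        (root / "usr/sbin/httpd").write_bytes(b"ELF-httpd-TAMPERED")
        baseline = {"/usr/bin/umount": hashlib.sha256(b"ELF-umount-original").hexdigest(),
                    "/usr/sbin/httpd": hashlib.sha256(b"ELF-httpd-original").hexdigest()}
        fs = check_filesystem(root, baseline)
    logs = ["audit: user root ran setenforce 0",
            "203.0.113.7 GET /mgmt/shared/identified-devices/config/device-info 200",
            "203.0.113.7 POST /x 201 text/css",
            "10.0.0.9 GET /index.html 200 text/html"]
    return fs, check_logs(logs)
```

Hits on the device-info endpoint are worth reviewing rather than treating as conclusive, since the same endpoint is also used legitimately; the hash check only catches on-disk tampering, not the in-memory webshells described above.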

Affected Versions and Patch Availability

The vulnerability impacts multiple versions of F5 BIG-IP software:

  • 17.5.0 to 17.5.1 (fixed in 17.5.1.3)
  • 17.1.0 to 17.1.2 (fixed in 17.1.3)
  • 16.1.0 to 16.1.6 (fixed in 16.1.6.1)
  • 15.1.0 to 15.1.10 (fixed in 15.1.10.8)

Government agencies under the Federal Civilian Executive Branch (FCEB) were instructed to apply patches by March 30, 2026, due to the urgency of the threat.

Security Experts Warn of Changing Risk Landscape

Cybersecurity analysts emphasize that the vulnerability’s initial classification led many administrators to underestimate its risk.

Now, with confirmed pre-authentication remote code execution and ongoing exploitation, the threat level has escalated significantly.

Attackers have been seen targeting specific REST API endpoints such as:

/mgmt/shared/identified-devices/config/device-info

This endpoint provides sensitive system information, including hostnames and hardware identifiers, making it valuable for reconnaissance.
