Tags: vulnerability, critical, Active Exploitation, Remote Code Execution, CVE-2025-53521

Mar 30, 2026 • Diksha Ojha

CISA Warns about Active Exploitation of F5 BIG-IP Vulnerability (CVE-2025-53521)


Source: Qualys ThreatPROTECT
Category: vulnerability
Severity: critical

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2025-53521, the flaw carries a CVSSv4.0 score of 9.3 and enables remote code execution if successfully exploited. Evidence confirms active exploitation in the wild, prompting urgent mitigation. Initially classified as a denial-of-service issue when F5 first addressed it in October 2025, the vulnerability was upgraded in severity in March 2026 after the vendor acknowledged malicious activity. Attackers have been observed disguising their traffic with HTTP 201 response codes and CSS content types to evade detection. F5 Networks has released patches for affected versions across the 15.x, 16.x, and 17.x branches. Organizations are strongly urged to apply the updates before the March 30, 2026 CISA deadline. Qualys assigns the CVE a Qualys Vulnerability Score (QVS) of 95, indicating significant risk. Immediate patching and monitoring for the published indicators of compromise, such as bash execution through the iControl REST API and SELinux enforcement being switched off, are essential to prevent unauthorized system control and potential data breaches in affected environments.

Summary

CISA added a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities catalog on Friday, based on evidence of ongoing exploitation. Successful exploitation of the vulnerability, tracked as CVE-2025-53521, could allow a threat actor to achieve remote code execution. CISA urges users to patch the vulnerability before March 30, 2026.

Published Analysis

CISA added a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities catalog on Friday, based on evidence of ongoing exploitation. Successful exploitation of the vulnerability, tracked as CVE-2025-53521, could allow a threat actor to achieve remote code execution.
CISA urges users to patch the vulnerability before March 30, 2026.

F5 BIG-IP Access Policy Manager (APM) is a flexible, high-performance access management solution from F5 Networks. It acts as a secure proxy that controls and enforces unified access policies for users, devices, applications, networks, cloud resources, and APIs across remote, mobile, LAN, web, and virtual environments.

Vulnerability Details

The vulnerability has a critical severity rating with a CVSSv4.0 score of 9.3. According to the vendor advisory, when a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can allow an attacker to achieve remote code execution. The vendor first addressed the vulnerability in October 2025, when it was classified as a denial-of-service vulnerability. In March 2026, the vendor updated the advisory to acknowledge active exploitation of the vulnerability.

Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2025-53521. QVS is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS scores and external threat indicators like active exploitation, exploit code maturity, presence in the CISA Known Exploited Vulnerabilities catalog, and more.

Indicators of Compromise

F5 has also published indicators of compromise to help determine whether a system has been compromised (as opposed to merely being vulnerable). The IoCs are divided into several categories; some of them are listed below.

Files on disk
  • Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
  • Mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.

Log entries
  • /var/log/restjavad-audit. .log:
    [ForwarderPassThroughWorker{"user": "local/f5hubblelcdadmin", "method": "POST", "uri": "http://localhost:8100/mgmt/tm/util/bash", "status":200, "from": "Unknown"}
    This entry shows a local user invoking bash through the iControl REST API from localhost.
  • /var/log/auditd/audit.log:
    msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    This entry shows SELinux enforcement being switched off (enforcing=0) on the system.

Command output
  • lsof -n: the output contains entries for /run/bigtlog.pipe.

TTPs

Users may observe HTTP/S traffic from the BIG-IP system that contains HTTP 201 response codes and a CSS content-type, used to disguise the attacker's activity.

Affected and Patched Versions

Product      Branch   Affected Versions     Patched Versions
BIG-IP APM   17.x     17.5.0 – 17.5.1       17.5.1.3
                      17.1.0 – 17.1.2       17.1.3
BIG-IP APM   16.x     16.1.0 – 16.1.6       16.1.6.1
BIG-IP APM   15.x     15.1.0 – 15.1.10      15.1.10.8

Customers can refer to the F5 security advisory for more information about the patches issued for this vulnerability.

Qualys Detection

Qualys customers can scan their devices with QIDs 385564 and 531080 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References

https://my.f5.com/manage/s/article/K000156741...
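The version table and the indicators above lend themselves to a scripted first pass. The following is an added example, not code from the Qualys post or the F5 advisory: it encodes the affected/patched table as a range check and runs the log, lsof and file-presence indicators over artifacts collected from a BIG-IP. The function names, the report layout and every sample log line are assumptions constructed for illustration. The REST-audit check flags any POST to /mgmt/tm/util/bash, which legitimate administration can also produce, so hits are leads to review rather than proof of compromise; the hash comparison of /usr/bin/umount and /usr/sbin/httpd is left out because it needs the known-good hashes from F5.

```python
"""Offline triage helpers for CVE-2025-53521 indicators on F5 BIG-IP APM.

Added example, not code from Qualys or F5. Inputs are artifacts copied off the
device: the version string from `tmsh show sys version`, the restjavad audit
log, /var/log/auditd/audit.log, and saved `lsof -n` output. All sample data
below is constructed.
"""
import os
import re

# (first affected build, first fixed build) per branch, from the advisory table.
# A version is affected if first_affected <= version < first_fixed.
AFFECTED_RANGES = [
    ("17.5.0", "17.5.1.3"),
    ("17.1.0", "17.1.3"),
    ("16.1.0", "16.1.6.1"),
    ("15.1.0", "15.1.10.8"),
]

# Files whose presence F5 lists as an indicator (relative to the filesystem root).
SUSPICIOUS_PATHS = ("run/bigtlog.pipe", "run/bigstart.ltm")

# iControl REST POST to /mgmt/tm/util/bash = command execution through the REST API.
REST_BASH = re.compile(
    r'"user":\s*"(?P<user>[^"]+)".*?"method":\s*"POST".*?'
    r'"uri":\s*"[^"]*/mgmt/tm/util/bash"(?:.*?"from":\s*"(?P<src>[^"]*)")?'
)
# SELinux taken out of enforcing mode (setenforce 0).
SETENFORCE_OFF = re.compile(r"received setenforce notice \(enforcing=0\)")


def _vt(version):
    """'17.1.2.2' -> (17, 1, 2, 2) so builds compare numerically, not as strings."""
    return tuple(int(p) for p in version.strip().split("."))


def is_affected(version):
    """True if vulnerable, False if at/after the fix, None if the branch is not in the table."""
    v = _vt(version)
    for start, fixed in AFFECTED_RANGES:
        s, f = _vt(start), _vt(fixed)
        if v[:2] != s[:2]:      # different branch (17.5 vs 17.1 vs 16.1 vs 15.1)
            continue
        if v < s:               # older than the table covers
            return None
        return v < f            # e.g. 17.1.2.2 < 17.1.3 -> affected
    return None


def scan_rest_audit(lines):
    """Return (user, source) for each REST audit entry that POSTs to /mgmt/tm/util/bash."""
    hits = []
    for line in lines:
        m = REST_BASH.search(line)
        if m:
            hits.append((m.group("user"), m.group("src")))
    return hits


def scan_auditd(lines):
    """Return audit lines recording SELinux being switched to enforcing=0."""
    return [line for line in lines if SETENFORCE_OFF.search(line)]


def scan_lsof(lines):
    """Return `lsof -n` lines that reference the named pipe F5 lists as an IoC."""
    return [line for line in lines if "/run/bigtlog.pipe" in line]


def check_files(root="/"):
    """Return which of the listed indicator files exist under root."""
    return [p for p in (os.path.join(root, s) for s in SUSPICIOUS_PATHS) if os.path.exists(p)]


def triage(version, rest_lines, auditd_lines, lsof_lines, root="/"):
    """Combine all checks into one report dict (hypothetical layout)."""
    return {
        "version": version,
        "affected": is_affected(version),
        "rest_bash_posts": scan_rest_audit(rest_lines),
        "selinux_off": scan_auditd(auditd_lines),
        "bigtlog_pipe_open": scan_lsof(lsof_lines),
        "ioc_files_present": check_files(root),
    }


# Constructed sample artifacts (not real logs). The second REST line is the
# IoC entry from the advisory; the other lines are benign filler.
SAMPLE_REST_AUDIT = [
    '[ForwarderPassThroughWorker{"user": "local/admin", "method": "GET", '
    '"uri": "http://localhost:8100/mgmt/tm/sys/version", "status":200, "from": "192.0.2.10"}',
    '[ForwarderPassThroughWorker{"user": "local/f5hubblelcdadmin", "method": "POST", '
    '"uri": "http://localhost:8100/mgmt/tm/util/bash", "status":200, "from": "Unknown"}',
]
SAMPLE_AUDITD = [
    "type=USER_AVC msg=audit(1774800000.123:45): pid=1 uid=0 msg='avc: received policyload notice (seqno=2)'",
    "type=USER_AVC msg=audit(1774800100.456:46): pid=1 uid=0 "
    "msg='avc: received setenforce notice (enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]
SAMPLE_LSOF = [
    "COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME",
    "tmm      2345 root    7u  IPv4  12345      0t0  TCP *:443 (LISTEN)",
    "httpd    1234 root    5u  FIFO   0,23      0t0 4567 /run/bigtlog.pipe",
]

if __name__ == "__main__":
    report = triage("17.1.2.2", SAMPLE_REST_AUDIT, SAMPLE_AUDITD, SAMPLE_LSOF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Copy the two log files and the `lsof -n` output off the device and feed them to `triage()` as lists of lines; the `__main__` block shows the calls on the constructed samples. The version check deliberately treats any build at or after the listed fix as patched and returns None for branches the table does not cover, so an unexpected None (for example on an end-of-life branch) is itself a finding to follow up against the F5 advisory.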

Linked Entities

  • CVE-2025-53521