Vulnerability
Advisory/Mitigation
Exploitation Wave
Incident
F5 BIG-IP APM RCE exploitation and response
Updated 02.04.2026 11:25
Case score 62
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 62
- Main story score
- 59
- Related evidence lift
- +3 / 20
- Contributing updates
- 2
- Context updates
- 1
Top contributors
- Vulnerability Defines the exploited flaw, affected product, and fixed-release scope. main
- Advisory Mitigation Provides CISA KEV and patch-deadline context for the same vulnerability. context
- Exploitation Wave Adds active exploitation evidence and large exposed-system measurements. contributes
- Incident Adds background on an earlier F5 BIG-IP intrusion and source-code theft. contributes
Case score 62
Members 4
Latest activity 02.04.2026 11:25
Active exploitation
Public PoC/exploit reported
KEV: CISA KEV
Patch status varies by member
Members 4
First seen 15.10.2025 16:32
Last seen 02.04.2026 11:25
Updated 02.04.2026 11:25
Overview
Attackers are actively exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, turning an issue first disclosed as denial of service into unauthenticated remote code execution on exposed appliances. F5 has published fixed releases and compromise-check guidance, while **CISA** has placed the CVE in **KEV** and pushed rapid remediation.
An earlier F5 intrusion into BIG-IP development systems adds background because source code and information about undisclosed vulnerabilities were stolen, but available evidence does not show that material being used in the current attacks. Current priority is patching, checking for indicators of compromise, and validating whether exposed BIG-IP APM systems have already been accessed.
Attackers are exploiting **CVE-2025-53521** against exposed **F5 BIG-IP APM** systems, turning a bug first disclosed as denial of service into unauthenticated remote code execution on internet-facing appliances. F5 says the flaw affects BIG-IP APM deployments with an access policy configured on a virtual server, including Appliance mode, and the vendor has validated fixed releases. The affected versions are 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, and 15.1.0–15.1.10, with fixes in 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8.
CISA added the CVE to the **Known Exploited Vulnerabilities** catalog and directed federal agencies to patch within three days, later escalating remediation pressure for ongoing attacks. Shadowserver measured more than 17,100 fingerprinted BIG-IP APM IPs and more than 14,000 exposed systems online, showing that a large internet-facing population still needs remediation. F5 published indicators of compromise and told defenders to look for rogue files, log anomalies, outbound traffic, disk changes, and suspicious terminal history, because UCS backups from compromised systems may preserve persistence.
F5 separately disclosed a 2025 intrusion into BIG-IP development and engineering systems in which nation-state hackers stole source code and information about undisclosed vulnerabilities. F5 said it had no evidence that the stolen material was used in live attacks or that other core systems were reached, but the earlier breach remains relevant background for the current BIG-IP security story.
Signals
10 derivedImpact signals
Exploitation
Exploitation
Active exploitation
CVSS
9.8 Critical
Exploit
Public PoC/exploit reported
CVEs/products
CVE
Victims/regions
Victim region
United States
Remediation
Urgency
Immediate
Remediation
KEV
CISA KEV
Status
Incident status
Disclosed
Threat context
Actor
nation-state hackers
Malware context
1 families · 1 toolsTools
Coruna Exploit Kit
Member happenings
4 related
Vulnerability
F5 BIG-IP APM unauthenticated RCE (CVE-2025-53521)
Exploitation
Active Exploitation
Exploit
Public Exploit
CVSS
9.8 Critical
Patch
Patch Available
Vulnerability
F5 BIG-IP APM unauthenticated RCE (CVE-2025-53521)
Exploitation
Active Exploitation
Exploit
Public Exploit
CVSS
9.8 Critical
Patch
Patch Available
Exploitation Wave
F5 BIG-IP APM active exploitation wave (CVE-2025-53521)
Exploitation
Active Exploitation
Patch
Patch Available
Exploitation Wave
F5 BIG-IP APM active exploitation wave (CVE-2025-53521)
Exploitation
Active Exploitation
Patch
Patch Available
Incident
F5 hit by network compromise
Extortion
None
Incident
Disclosed
Incident
F5 hit by network compromise
Extortion
None
Incident
Disclosed
Advisory/Mitigation
CISA KEV patch directive for CVE-2025-53521
Exploitation
Active Exploitation
CVSS
9.8 Critical
Urgency
Immediate
Patch
Patch Available
Advisory/Mitigation
CISA KEV patch directive for CVE-2025-53521
Exploitation
Active Exploitation
CVSS
9.8 Critical
Urgency
Immediate
Patch
Patch Available