Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Advisory/Mitigation Exploitation Wave Incident

F5 BIG-IP APM RCE exploitation and response

Updated 02.04.2026 11:25
Case score 62
Case score 62 Members 4 Latest activity 02.04.2026 11:25
Active exploitation Public PoC/exploit reported KEV: CISA KEV Patch status varies by member
Members 4 First seen 15.10.2025 16:32 Last seen 02.04.2026 11:25 Updated 02.04.2026 11:25

Overview

Attackers are actively exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, turning an issue first disclosed as denial of service into unauthenticated remote code execution on exposed appliances. F5 has published fixed releases and compromise-check guidance, while **CISA** has placed the CVE in **KEV** and pushed rapid remediation. An earlier F5 intrusion into BIG-IP development systems adds background because source code and information about undisclosed vulnerabilities were stolen, but available evidence does not show that material being used in the current attacks. Current priority is patching, checking for indicators of compromise, and validating whether exposed BIG-IP APM systems have already been accessed.

Signals

10 derived
Impact signals
Exploitation
Exploitation Active exploitation CVSS 9.8 Critical Exploit Public PoC/exploit reported
CVEs/products
CVE
Victims/regions
Victim region United States
Remediation
Urgency Immediate Remediation KEV CISA KEV
Status
Incident status Disclosed
Threat context
Actor nation-state hackers

Malware context

1 families · 1 tools
Tools
Coruna Exploit Kit

Member happenings

4 related
Vulnerability F5 BIG-IP APM unauthenticated RCE (CVE-2025-53521)
Updated 30.03.2026 10:07 Lead Contribution 59
Exploitation Active Exploitation Exploit Public Exploit CVSS 9.8 Critical Patch Patch Available

**CVE-2025-53521** is being **actively exploited** against **F5 BIG-IP APM** deployments, creating **unauthenticated remote code execution** risk for exposed systems. The flaw affects BIG-IP APM systems with an **access policy configured on a virtual server**, including **Appliance mode**. F5 says fixed releases are available, and **CISA** has added the CVE to its **Known Exploited Vulnerabilities** list. Organizations should prioritize patching because the weakness has already been abused in the wild.

Exploitation Wave F5 BIG-IP APM active exploitation wave (CVE-2025-53521)
Updated 02.04.2026 11:25 Scoring Support Contribution 2
Exploitation Active Exploitation Patch Patch Available

As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code execution. F5 said the flaw was reclassified from **DoS** to **RCE** after new information in **March 2026**, and **CISA** has added it to its **actively exploited** list. The exploitation wave targets unpatched systems with access policies configured on a virtual server, which makes internet-facing deployments especially risky.

Incident F5 hit by network compromise
Updated 15.10.2025 16:32 Scoring Support Contribution 1
Extortion None Incident Disclosed

F5 disclosed a nation-state intrusion that compromised BIG-IP development systems and related engineering knowledge-management resources. The intrusion was first detected on August 9, 2025 and publicly disclosed on October 15, 2025. Files taken in the incident included portions of BIG-IP source code and information about undisclosed vulnerabilities. Investigators described long-term, persistent access and said the company rotated credentials, strengthened access controls, expanded monitoring, and engaged external responders including Google Mandiant and CrowdStrike. F5 also reported that there was no evidence of malicious exploitation of the vulnerabilities and no new unauthorized activity after containment efforts. Some exfiltrated knowledge-management files may have contained customer configuration or implementation information for a small percentage of customers. The company also said other core systems such as CRM, financial, support case management, and iHealth were not reached.

Advisory/Mitigation CISA KEV patch directive for CVE-2025-53521
Updated 30.03.2026 10:07 Context
Exploitation Active Exploitation CVSS 9.8 Critical Urgency Immediate Patch Patch Available

CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is being **exploited in the wild** and can enable **unauthenticated remote code execution**. F5 says the issue affects **BIG-IP APM** deployments with an access policy configured on a virtual server, and fixed releases are available.