Vulnerability Advisory/Mitigation Exploitation Wave Incident

F5 BIG-IP APM RCE exploitation and response

Updated 02.04.2026 11:25

Case score 62

Case score 62 Members 4 Latest activity 02.04.2026 11:25 Active exploitation Public PoC/exploit reported KEV: CISA KEV Patch/mitigation varies by member

Active exploitation Public PoC/exploit reported KEV: CISA KEV Patch/mitigation varies by member

Members 4 First seen 15.10.2025 16:32 Last seen 02.04.2026 11:25 Updated 02.04.2026 11:25

Overview

Attackers are actively exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, turning an issue first disclosed as denial of service into unauthenticated remote code execution on exposed appliances. F5 has published fixed releases and compromise-check guidance, while **CISA** has placed the CVE in **KEV** and pushed rapid remediation. An earlier F5 intrusion into BIG-IP development systems adds background because source code and information about undisclosed vulnerabilities were stolen, but available evidence does not show that material being used in the current attacks. Current priority is patching, checking for indicators of compromise, and validating whether exposed BIG-IP APM systems have already been accessed.

Key facts

**CVE-2025-53521** is being actively exploited against **F5 BIG-IP APM** and now carries unauthenticated remote code execution risk on exposed appliances.
The flaw applies when an access policy is configured on a virtual server, including Appliance mode, and F5 validated fixes in **17.5.1.3**, **17.1.3**, **16.1.6.1**, and **15.1.10.8**.
**CISA** added **CVE-2025-53521** to **KEV** and told federal agencies to patch within **three days**.
Shadowserver measured more than **17,100** fingerprinted BIG-IP APM IPs and more than **14,000** exposed systems online.
F5 published indicators of compromise and advised defenders to inspect rogue files, log anomalies, outbound traffic, disk changes, and suspicious terminal history.
F5 separately disclosed a 2025 intrusion into BIG-IP development systems that stole source code and information about undisclosed vulnerabilities, but available evidence does not prove that material was used in these attacks.

Malware context

1 families · 1 tools

Tools

Coruna Exploit Kit

Signals

8 derived

Exploitation

Exploitation Active exploitation CVSS 9.8 Critical Exploit Public PoC/exploit reported

CVEs/products

CVE

Victims/regions

Victim region United States

Remediation

Remediation KEV CISA KEV

Threat context

Actor nation-state hackers

Member happenings

4 related

Vulnerability F5 BIG-IP APM unauthenticated RCE (CVE-2025-53521)

Updated 30.03.2026 10:07 Lead Contribution 59

Exploitation Active Exploitation Exploit Public Exploit CVSS 9.8 Critical Patch Patch Available

**CVE-2025-53521** is being **actively exploited** against **F5 BIG-IP APM** deployments, creating **unauthenticated remote code execution** risk for exposed systems. The flaw affects BIG-IP APM systems with an **access policy configured on a virtual server**, including **Appliance mode**. F5 says fixed releases are available, and **CISA** has added the CVE to its **Known Exploited Vulnerabilities** list. Organizations should prioritize patching because the weakness has already been abused in the wild.

View happening

Exploitation Wave F5 BIG-IP APM active exploitation wave (CVE-2025-53521)

Updated 02.04.2026 11:25 Scoring Support Contribution 2

Exploitation Active Exploitation Patch Patch Available

As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code execution. F5 said the flaw was reclassified from **DoS** to **RCE** after new information in **March 2026**, and **CISA** has added it to its **actively exploited** list. The exploitation wave targets unpatched systems with access policies configured on a virtual server, which makes internet-facing deployments especially risky.

View happening

Incident F5 hit by network compromise

Updated 15.10.2025 16:32 Scoring Support Contribution 1

Incident Disclosed Extortion None

F5 disclosed a nation-state intrusion that compromised BIG-IP development systems and related engineering knowledge-management resources. The intrusion was first detected on August 9, 2025 and publicly disclosed on October 15, 2025. Files taken in the incident included portions of BIG-IP source code and information about undisclosed vulnerabilities. Investigators described long-term, persistent access and said the company rotated credentials, strengthened access controls, expanded monitoring, and engaged external responders including Google Mandiant and CrowdStrike. F5 also reported that there was no evidence of malicious exploitation of the vulnerabilities and no new unauthorized activity after containment efforts. Some exfiltrated knowledge-management files may have contained customer configuration or implementation information for a small percentage of customers. The company also said other core systems such as CRM, financial, support case management, and iHealth were not reached.

View happening

Advisory/Mitigation CISA KEV patch directive for CVE-2025-53521

Updated 30.03.2026 10:07 Context

Exploitation Active Exploitation Urgency Immediate CVSS 9.8 Critical Patch Patch Available

CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is being **exploited in the wild** and can enable **unauthenticated remote code execution**. F5 says the issue affects **BIG-IP APM** deployments with an access policy configured on a virtual server, and fixed releases are available.

View happening