Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

1 unique sources, 1 articles

Summary

Threat actors are actively exploiting a critical remote code execution (RCE) vulnerability in F5 BIG-IP Access Policy Manager (APM) systems that was previously disclosed as a denial-of-service (DoS) issue in October 2025. The flaw, assigned CVE-2025-53521 (CVSS 9.3), enables unauthenticated attackers to execute arbitrary code on vulnerable BIG-IP systems with access policies configured on virtual servers or in Appliance mode. The issue is classified as a data plane vulnerability with no control plane exposure. Impacted versions include BIG-IP APM releases 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, and 15.1.0–15.1.10. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to remediate within three days. Exploitation has been confirmed in the wild, and F5 has validated that the patches released to remediate the original CVE also address the RCE in fixed versions.

Timeline

  1. 30.03.2026 10:07 · 1 article

    F5 BIG-IP APM RCE vulnerability CVE-2025-53521 exploited in the wild

    Threat actors are actively exploiting CVE-2025-53521, a critical RCE vulnerability in F5 BIG-IP APM systems, with exploitation confirmed in vulnerable versions 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, and 15.1.0–15.1.10. The flaw enables unauthenticated code execution on systems with access policies configured on virtual servers or in Appliance mode, and has been added to CISA’s KEV catalog with a three-day remediation deadline for federal agencies. F5 has validated that patches address the RCE and has published IOCs for detection.

Information Snippets