F5 BIG-IP APM active exploitation wave (CVE-2025-53521)

Exploitation Wave
Happening score: 45
1 unique source, 1 article

Summary

As of 2026-04-02, ongoing attacks are exploiting CVE-2025-53521 against F5 BIG-IP APM systems, leaving more than 14,000 systems exposed online and at risk of remote code execution. F5 said the flaw was reclassified from DoS to RCE after new information in March 2026, and CISA has added it to its actively exploited list. The exploitation wave targets unpatched systems with access policies configured on a virtual server, which makes internet-facing deployments especially risky.

Related Happenings

Burst Statistics authentication bypass (CVE-2026-8181)

Vulnerability
First: 15.05.2026 00:07 Last: 15.05.2026 00:07 Sources 1

About this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...

Linux kernel XFRM ESP-in-TCP local privilege escalation (CVE-2026-46300)

Vulnerability
First: 14.05.2026 10:06 Last: 14.05.2026 10:06 Sources 1

About this happening: **Fragnesia** adds a fresh **Linux kernel** local privilege-escalation path, putting **unprivileged local attackers** on a route to **root access** across major distributions. The...

Latest development: 14.05.2026 16:00

Cloud security firm Wiz identified Fragnesia (CVE-2026-46300) in the Dirty Frag family, a Linux local privilege escalation that lets unprivileged local users gain root by corrupting the kernel page cache of read-only files. William Bowling of Zellic and the V12 team were credited with the discovery, and a working proof-of-concept exploit was published on May 13, 2026.

Cisco security patch release for CVE-2026-20188

Security Patch Release
First: 06.05.2026 21:06 Last: 06.05.2026 21:06 Sources 1

About this happening: **Cisco** released security updates for **CVE-2026-20188**, a high-severity **DoS vulnerability** in **Crosswork Network Controller (CNC)** and **Network Services Orchestrator (NS...

Palo Alto Networks PAN-OS CVE-2026-0300 patch release

Security Patch Release
First: 06.05.2026 07:46 Last: 06.05.2026 07:46 Sources 1

About this happening: Palo Alto Networks is rolling out **patches** for **CVE-2026-0300**, a **critical PAN-OS zero-day** that has already been **exploited in the wild** against **PA and VM series fire...

MetInfo CMS unauthenticated PHP code injection flaw actively exploited for remote code execution (CVE-2026-29014)

Vulnerability
First: 05.05.2026 14:56 Last: 05.05.2026 14:56 Sources 1

About this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...

Timeline

  1. 02.04.2026 11:25 · 1 article

    CISA adds CVE-2025-53521 to actively exploited list

    Legal Policy Action Update

    CISA adds CVE-2025-53521 to its actively exploited catalog and directs federal agencies to secure F5 BIG-IP APM systems by midnight Monday, escalating the flaw to an urgent remediation priority for exposed deployments.

  2. 02.04.2026 11:25 · 1 article

    F5 reclassifies CVE-2025-53521 as RCE

    Technical Analysis Update

    F5 says new information obtained in March 2026 changes CVE-2025-53521 from a denial-of-service bug to a remote code execution bug, and the company warns that the vulnerability has been exploited in vulnerable BIG-IP versions, including unpatched BIG-IP APM systems with access policies configured on a virtual server.

  3. 02.04.2026 11:25 · 1 article

    Federal agencies face Monday BIG-IP APM remediation deadline

    Legal Policy Action Update

    CISA requires federal agencies to secure their BIG-IP APM systems by Monday, reinforcing urgent patching and validation for exposed F5 deployments affected by CVE-2025-53521.

  4. 02.04.2026 11:25 · 2 articles

    Shadowserver measures BIG-IP APM exposure at internet scale

    Campaign Scope Update

    Shadowserver says it now tracks over 17,100 IPs with BIG-IP APM fingerprints and that more than 14,000 BIG-IP APM systems remain exposed to CVE-2025-53521 attacks, showing a broad internet-facing exposure base during the ongoing exploitation wave.