F5 BIG-IP APM active exploitation wave (CVE-2025-53521)
Exploitation Wave
Summary
Hide ▲
Show ▼
As of 2026-04-02, ongoing attacks are exploiting CVE-2025-53521 against F5 BIG-IP APM systems, leaving more than 14,000 exposed online and at risk of remote code execution. F5 said the flaw was reclassified from DoS to RCE after new information in March 2026, and CISA has added it to its actively exploited list. The exploitation wave targets unpatched systems with access policies configured on a virtual server, which makes internet-facing deployments especially risky.
Cases
Related Happenings
UniFi OS Server unauthenticated root RCE chain (multiple vulnerabilities)
Vulnerability
H score25
First: 08.06.2026 18:51
Last: 08.06.2026 18:51
Sources 1
About this happening:
**UniFi OS Server** is exposed to an **unauthenticated root RCE chain** that combines **CVE-2026-34908**, **CVE-2026-34909**, and **CVE-2026-34910**, putting **versions 5.0.6 and...
UniFi OS Server unauthenticated root RCE chain (multiple vulnerabilities)
VulnerabilityAbout this happening: **UniFi OS Server** is exposed to an **unauthenticated root RCE chain** that combines **CVE-2026-34908**, **CVE-2026-34909**, and **CVE-2026-34910**, putting **versions 5.0.6 and...
Latest development: 24.06.2026 15:32
CISA added CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to the Known Exploited Vulnerabilities (KEV) catalog after warnings that threat actors were targeting UniFi OS Server devices and multiple users reported in-the-wild exploitation that created rogue administrator accounts named 'John Sim' on affected Ubiquiti systems.
Automatic tank gauge (ATG) systems ongoing attacks
Exploitation Wave
H score25
First: 05.06.2026 17:50
Last: 05.06.2026 17:50
Sources 1
About this happening:
**Over 900 internet-exposed ATG systems** across the United States are being targeted in **ongoing attacks**, creating risk of **alert tampering**, **fuel or chemical leaks**, and...
Automatic tank gauge (ATG) systems ongoing attacks
Exploitation WaveAbout this happening: **Over 900 internet-exposed ATG systems** across the United States are being targeted in **ongoing attacks**, creating risk of **alert tampering**, **fuel or chemical leaks**, and...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
Vulnerability
H score26
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
**HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
VulnerabilityAbout this happening: **HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
Ubiquiti UniFi OS security updates (multiple vulnerabilities)
Security Patch Release
H score28
First: 22.05.2026 15:00
Last: 22.05.2026 15:00
Sources 1
About this happening:
**Ubiquiti** released **security updates** for **UniFi OS** to close **five vulnerabilities**, including **three maximum-severity flaws** that could let **remote attackers without...
Ubiquiti UniFi OS security updates (multiple vulnerabilities)
Security Patch ReleaseAbout this happening: **Ubiquiti** released **security updates** for **UniFi OS** to close **five vulnerabilities**, including **three maximum-severity flaws** that could let **remote attackers without...
Latest development: 24.06.2026 15:32
CISA warned that threat actors were targeting CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 in Ubiquiti UniFi OS devices after the flaws were patched in UniFi OS Server 5.0.8, and multiple users reported that the bugs were exploited in the wild, likely as zero-days, to create rogue administrator accounts named John Sim.
Burst Statistics authentication bypass (CVE-2026-8181)
Vulnerability
H score78
First: 15.05.2026 00:07
Last: 15.05.2026 00:07
Sources 1
About this happening:
**Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
Burst Statistics authentication bypass (CVE-2026-8181)
VulnerabilityAbout this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
Timeline
-
02.04.2026 11:25 1 articles · 3mo ago
CISA adds CVE-2025-53521 to actively exploited list
Legal Policy Action UpdateCISA adds CVE-2025-53521 to its actively exploited catalog and directs federal agencies to secure F5 BIG-IP APM systems by midnight Monday, escalating the flaw to an urgent remediation priority for exposed deployments.
Show sources
- Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks — www.bleepingcomputer.com — 02.04.2026 11:25
-
02.04.2026 11:25 1 articles · 3mo ago
F5 reclassifies CVE-2025-53521 as RCE
Technical Analysis UpdateF5 says new information obtained in March 2026 changes CVE-2025-53521 from a denial-of-service bug to a remote code execution bug, and the company warns that the vulnerability has been exploited in vulnerable BIG-IP versions, including unpatched BIG-IP APM systems with access policies configured on a virtual server.
Show sources
- Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks — www.bleepingcomputer.com — 02.04.2026 11:25
-
02.04.2026 11:25 1 articles · 3mo ago
Federal agencies face Monday BIG-IP APM remediation deadline
Legal Policy Action UpdateCISA requires federal agencies to secure their BIG-IP APM systems by Monday, reinforcing urgent patching and validation for exposed F5 deployments affected by CVE-2025-53521.
Show sources
- Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks — www.bleepingcomputer.com — 02.04.2026 11:25
-
02.04.2026 11:25 2 articles · 3mo ago
Shadowserver measures BIG-IP APM exposure at internet scale
Campaign Scope UpdateShadowserver says it now tracks over 17,100 IPs with BIG-IP APM fingerprints and more than 14,000 BIG-IP APM systems remain exposed to CVE-2025-53521 attacks, showing a broad internet-facing exposure base during the ongoing exploitation wave.
Show sources
- Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks — www.bleepingcomputer.com — 02.04.2026 11:25
- Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks — www.bleepingcomputer.com — 02.04.2026 11:25