CISA Catalogs Critical F5 BIG-IP APM Vulnerability CVE-2025-53521 Following Active Exploitation
- Mar 29
Key Findings
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on Friday, citing active exploitation in the wild
The vulnerability affects F5 BIG-IP Access Policy Manager (APM) and allows unauthenticated remote code execution with a CVSS v4 score of 9.3
The flaw was initially classified as a denial-of-service issue with a lower severity score but was reclassified as RCE after new information emerged in March 2026
Federal agencies have until March 30, 2026, to patch affected systems
Active scanning for vulnerable BIG-IP devices has increased following the KEV listing
Background
CVE-2025-53521 impacts F5 BIG-IP Access Policy Manager when an access policy is configured on a virtual server. The vulnerability allows specific malicious traffic to trigger remote code execution on the affected system. F5 initially categorized this as a denial-of-service vulnerability with a CVSS v4 score of 8.7 before reclassifying it as RCE based on new information obtained in March 2026. The company has confirmed the vulnerability has been actively exploited in vulnerable BIG-IP versions, though details about the threat actors remain undisclosed.
Affected Versions and Fixes
The vulnerability impacts multiple F5 BIG-IP releases with the following fix versions available:
17.5.0 to 17.5.1 (Fixed in 17.5.1.3)
17.1.0 to 17.1.2 (Fixed in 17.1.3)
16.1.0 to 16.1.6 (Fixed in 16.1.6.1)
15.1.0 to 15.1.10 (Fixed in 15.1.10.8)
Indicators of Compromise
F5 has published multiple indicators to help organizations determine if their systems have been compromised.
File-related indicators include the presence of /run/bigtlog.pipe and /run/bigstart.ltm, or mismatches in file hashes, sizes, or timestamps for /usr/bin/umount and /usr/sbin/httpd compared to known good versions.
Log-related indicators include local users accessing the iControl REST API from localhost (recorded in the /var/log/restjavad-audit logs) and attempts to disable SELinux (recorded in /var/log/auditd/audit.log). Command execution entries may also appear in /var/log/audit.
Observed Tactics and Techniques
Attackers have been observed modifying components that the sys-eicheck system integrity checker relies on, particularly /usr/bin/umount and /usr/sbin/httpd, to avoid detection. Malicious activity is being disguised through HTTP/S traffic containing HTTP 201 response codes with CSS content-type headers.
Changes to PHP files in /var/sam/www/webtop/renderer/ have been observed, including apm_css.php3, full_wt.php3, and webtop_popup_css.php3. However, F5 notes that webshells are often deployed to work in memory only, so the absence of file modifications does not guarantee the system is clean.
Current Threat Activity
Security researchers at Defused Cyber have confirmed a sharp rise in scanning activity targeting vulnerable F5 BIG-IP devices following the KEV listing. Attackers are specifically probing the /mgmt/shared/identified-devices/config/device-info REST API endpoint to retrieve system-level information such as hostname, machine ID, and base MAC address.
Security experts note that the reclassification from DoS to RCE significantly changes the risk profile. The initial denial-of-service categorization may have caused system administrators to deprioritize patching, but the discovery of active exploitation and unauthenticated remote code execution demands immediate attention.
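The following shell script is an added triage helper, written for this summary and not published by F5 or CISA. It turns the indicators above into checks a defender can run: the two file-presence indicators, a hash comparison of the sys-eicheck dependencies and the webtop renderer PHP files against a known-good baseline, the SELinux-disable record in audit.log, local-user iControl REST access in the restjavad-audit log, and a count of requests to the device-info endpoint that scanners are probing. Everything beyond the paths named on the page is an assumption: the baseline file is one you generate with sha256sum on a clean device of the same version, the restjavad-audit line shape is a substring pattern you should adapt to your own logs, and the function names (triage, check_baseline, and so on) are hypothetical.

```shell
#!/bin/bash
# Added triage helper, not F5's code. ROOT is "/" on a live device or the
# mount point of a copied image, so the same checks work offline.

# Paths whose presence alone is an indicator (from the advisory).
IOC_PATHS="/run/bigtlog.pipe /run/bigstart.ltm"

# Files to compare against a known-good baseline: the two binaries that
# sys-eicheck relies on, plus the webtop renderer PHP files named above.
BASELINE_FILES="/usr/bin/umount /usr/sbin/httpd
/var/sam/www/webtop/renderer/apm_css.php3
/var/sam/www/webtop/renderer/full_wt.php3
/var/sam/www/webtop/renderer/webtop_popup_css.php3"

# REST endpoint that scanners are probing (from the advisory).
PROBE_URI="/mgmt/shared/identified-devices/config/device-info"

# check_ioc_paths ROOT -> returns 1 if any indicator path exists under ROOT
check_ioc_paths() {
  root=$1; found=0
  for p in $IOC_PATHS; do
    if [ -e "$root$p" ]; then echo "IOC: $p present"; found=1; fi
  done
  return $found
}

# check_baseline ROOT BASELINE -> returns 1 on any hash mismatch or missing file.
# BASELINE holds sha256sum-style lines "<sha256>  <path>" taken from a clean
# device of the same version (assumed operator-generated, not F5 data).
check_baseline() {
  root=$1; baseline=$2; bad=0
  for f in $BASELINE_FILES; do
    expected=$(awk -v p="$f" '$2 == p { print $1 }' "$baseline")
    if [ -z "$expected" ]; then echo "no baseline entry for $f"; continue; fi
    if [ ! -f "$root$f" ]; then echo "IOC: $f missing"; bad=1; continue; fi
    actual=$(sha256sum "$root$f" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
      echo "IOC: $f hash mismatch (got $actual, baseline $expected)"; bad=1
    fi
  done
  return $bad
}

# check_selinux_disable AUDIT_LOG -> returns 1 if auditd recorded SELinux
# being switched to permissive; auditd logs that as MAC_STATUS with enforcing=0.
check_selinux_disable() {
  if grep -q 'type=MAC_STATUS.*enforcing=0' "$1" 2>/dev/null; then
    echo "IOC: SELinux switched to permissive (see $1)"; return 1
  fi
  return 0
}

# check_local_rest_access RESTJAVAD_LOG -> returns 1 if a local user reached
# iControl REST from localhost. Assumed line shape: the fields "user":"local/..."
# and "from":"127.0.0.1" on one line; adjust the pattern to your log format.
check_local_rest_access() {
  if grep -q '"user":"local/.*"from":"127\.0\.0\.1"' "$1" 2>/dev/null; then
    echo "IOC: local user accessed iControl REST from localhost (see $1)"; return 1
  fi
  return 0
}

# count_device_info_probes LOG -> prints how many lines mention the device-info
# endpoint (0 if the file is missing); a spike here matches the scanning above.
count_device_info_probes() {
  n=$(grep -c -F "$PROBE_URI" "$1" 2>/dev/null)
  echo "${n:-0}"
}

# triage ROOT BASELINE AUDIT_LOG RESTJAVAD_LOG -> returns 1 if any check hit
triage() {
  hits=0
  check_ioc_paths "$1"           || hits=1
  check_baseline "$1" "$2"       || hits=1
  check_selinux_disable "$3"     || hits=1
  check_local_rest_access "$4"   || hits=1
  echo "device-info probes in $4: $(count_device_info_probes "$4")"
  return $hits
}

# Example invocation on a live device, with a baseline generated earlier on a
# clean unit (log file names may differ on your version):
#   triage / /root/baseline.sha256 /var/log/auditd/audit.log /var/log/restjavad-audit.0.log
```

Because F5 notes the webshells are often memory-resident, a clean result from the file checks is not proof of a clean device; treat the log checks and the version list above as the deciding inputs, and patch regardless.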
Sources
https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html
https://x.com/TheHackersNews/status/2037788952971940132
https://www.linkedin.com/posts/cyber-news-live_cisa-adds-cve-2025-53521-to-kev-after-active-activity-7443652520037498882-rg2D
https://www.cypro.se/2026/03/28/cisa-adds-cve-2025-53521-to-kev-after-active-f5-big-ip-apm-exploitation/
https://www.reddit.com/r/SecOpsDaily/comments/1s5ug50/cisa_adds_cve202553521_to_kev_after_active_f5/
