
Thousands of F5 BIG-IP APM Instances Remain Vulnerable to Active RCE Exploits

  • Apr 6

Key Findings


  • Over 14,000 F5 BIG-IP APM instances remain exposed online while CVE-2025-53521 is under active exploitation

  • Vulnerability reclassified from denial-of-service to critical remote code execution with CVSS score of 9.8

  • Originally disclosed in October 2025, but severity assessment updated in March 2026 after new findings

  • Shadowserver tracks over 17,100 total BIG-IP APM fingerprints exposed globally, concentrated in US, Europe, and Asia

  • CISA added flaw to Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by March 30, 2026

  • Unauthenticated attackers can execute code on systems where an APM access policy is configured on a virtual server


Background


CVE-2025-53521 is a critical vulnerability affecting F5's BIG-IP Access Policy Manager, a centralized access management solution used by over 23,000 customers including 48 Fortune 50 companies. The flaw was initially disclosed in October 2025 and categorized as a denial-of-service issue, but researchers discovered in March 2026 that it could be leveraged for full remote code execution, prompting an immediate reclassification and severity upgrade to CVSS 9.8.


Vulnerability Details


The flaw allows specially crafted traffic to trigger remote code execution when a BIG-IP APM access policy is enabled on a virtual server; virtual servers without an access policy are not in scope. Unauthenticated attackers can exploit it to gain complete control of the affected system. F5 evaluated only BIG-IP versions that are still under technical support; versions that have reached end of technical support were not assessed for this issue and should not be treated as unaffected.
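The condition that matters for triage is whether an access policy is attached to a virtual server. The script below is an added example, not F5's tooling and not code from any of the articles cited here: it parses saved `tmsh list apm profile access` and `tmsh list ltm virtual` output and reports every virtual server whose profile list names an access profile. The configuration text is constructed for illustration, the brace format follows tmsh's `list` output, and the assumption that an access policy reaches a virtual server through an access profile in that server's `profiles` block is mine rather than the advisory's wording.

```python
import sys

# Constructed sample in tmsh "list" brace format (not a real device's config):
# one SSL-VPN virtual server with an access profile attached, one plain HTTPS one.
SAMPLE_TMSH = """\
apm profile access /Common/ap_sslvpn {
    accept-languages { en }
    default-language en
    type ssl-vpn
}
ltm virtual /Common/vs_vpn {
    destination /Common/203.0.113.10:443
    profiles {
        /Common/ap_sslvpn { }
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_web {
    destination /Common/203.0.113.20:443
    pool /Common/web_pool
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}
"""


def parse_tmsh(text):
    """Parse tmsh brace output into nested dicts keyed by each line's head.
    "name {" opens a block, "}" closes it, "name { }" is empty, else key->value.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) > 1:  # tolerate a stray closing brace
                stack.pop()
        elif line.endswith("{ }"):
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def access_profiles(config):
    """Names of the APM access profiles defined in the parsed config."""
    return {key.split(maxsplit=3)[3]
            for key in config if key.startswith("apm profile access ")}


def virtual_servers_with_access_policy(config):
    """Map each virtual server to the access profiles listed among its profiles.
    Assumption (mine, not F5's wording): an access policy reaches a virtual
    server through an access profile in that server's profiles block.
    """
    profiles = access_profiles(config)
    hits = {}
    for key, body in config.items():
        if not key.startswith("ltm virtual ") or not isinstance(body, dict):
            continue
        name = key.split(maxsplit=2)[2]
        attached = sorted(p for p in body.get("profiles", {}) if p in profiles)
        if attached:
            hits[name] = attached
    return hits


def report(text):
    """One line per virtual server that is in scope for the APM advisory."""
    hits = virtual_servers_with_access_policy(parse_tmsh(text))
    if not hits:
        return ["no virtual server carries an APM access profile"]
    return [f"{vs}: access profile(s) {', '.join(profs)} -> in scope for "
            f"CVE-2025-53521 until the device is patched"
            for vs, profs in hits.items()]


if __name__ == "__main__":
    # Offline use: tmsh list apm profile access > cfg.txt; tmsh list ltm virtual >> cfg.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TMSH
    print("\n".join(report(text)))
```

Feed it one file holding the concatenated output of both `tmsh list` commands, taken from each device or from a UCS archive unpacked on a workstation. An empty result narrows the exposure but does not make the device safe to leave unpatched: still compare the running version against F5's advisory, and note that the script says nothing about whether a flagged virtual server is reachable from the internet.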


Global Exposure Assessment


Shadowserver's internet scanning identified over 14,100 exposed F5 BIG-IP APM instances as of late March 2026. Geographic distribution shows concentrations in the United States with 5,138 instances, Europe with 4,750, and Asia with 2,689. However, the actual number of vulnerable systems remains unclear: Shadowserver notes these are population assessments based on APM fingerprints, not confirmation that an access policy is attached to a virtual server or that the device is unpatched.


Active Exploitation


The vulnerability has moved from theoretical risk to active threat. Attackers are currently exploiting CVE-2025-53521 in the wild against unpatched systems. F5 has published indicators of compromise and recommends that defenders check system disks, logs, and terminal histories for signs of intrusion. The company specifically warns that configuration backups taken from a compromised system (UCS archives, on BIG-IP) may carry the attacker's persistence, so compromised devices should be rebuilt from known-good software and configuration rather than restored from such backups.


Coordinated Response and Attribution


F5 credits Schuberg Philis, Bart Vrancken, Fox-IT, and the Dutch NCSC for their collaborative investigation and responsible disclosure. Following CISA's addition of the vulnerability to its Known Exploited Vulnerabilities catalog, federal agencies received mandatory patching orders with a March 30, 2026 deadline. The rapid escalation reflects both the severity of the flaw and evidence of active exploitation by threat actors.


Historical Context


BIG-IP vulnerabilities have become increasingly attractive targets for both nation-state actors and cybercriminal groups in recent years. Previous exploits have been used to breach corporate networks, hijack devices, deploy data-wiping malware, map internal infrastructure, and steal sensitive data over extended periods, underscoring why timely patching of this class of devices is critical.


Sources


  • https://securityaffairs.com/190384/security/attackers-exploit-rce-flaw-as-14000-f5-big-ip-apm-instances-remain-exposed.html

  • https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-instances-still-exposed-to-rce-attacks/

  • https://community.opentextcybersecurity.com/vulnerability-vault-228/attackers-exploit-rce-flaw-as-14-000-f5-big-ip-apm-instances-remain-exposed-363960

  • https://x.com/securityaffairs/status/2041141063704797573

  • https://www.threads.com/@barrebull/post/DWtf1xHluh8/f-big-ip-apm-devices-exposed-online-amid-active-rce-vulnerability-exploits


© 2025 by Explain IT Again. Powered and secured by Wix
