The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a significant security flaw affecting F5 BIG-IP Access Policy Manager (APM). This vulnerability, now part of CISA’s Known Exploited Vulnerabilities (KEV) catalog, has been actively exploited in the wild, prompting urgent attention.
Critical Vulnerability Details
Identified as CVE-2025-53521, this vulnerability carries a CVSS v4 score of 9.3. It poses a serious risk by potentially enabling remote code execution (RCE) when specific malicious traffic interacts with a BIG-IP APM-configured virtual server. Initially classified as a denial-of-service (DoS) issue with a lower severity score, recent information has led to its reclassification as an RCE threat.
F5 has acknowledged the exploitation of this flaw in certain BIG-IP versions but has not disclosed specifics about the attackers involved. The company has issued an advisory with indicators that system administrators can use to detect compromises.
Indicators of Compromise
F5 has provided several file-related and log-related indicators to help identify potential compromises. Notable file-related signs include the presence of certain files such as /run/bigtlog.pipe and discrepancies in file hashes, sizes, or timestamps for critical system files like /usr/bin/umount.
Log-related indicators involve unusual entries in system logs, particularly those showing unauthorized access to the iControl REST API from localhost. Additional tactics, techniques, and procedures (TTPs) observed include modifications to system integrity components, leading to unexpected tool failures, and HTTP/S traffic anomalies.
Steps for Mitigation
F5 has released patches for the affected BIG-IP versions, including 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8. Federal Civilian Executive Branch agencies have been instructed to implement these updates by March 30, 2026, to mitigate the risks associated with this vulnerability.
According to Benjamin Harris, CEO of watchTowr, this vulnerability was initially perceived as a minor issue. However, the recent developments have elevated its risk profile significantly, necessitating immediate action to prevent potential exploitation.
Organizations using F5 BIG-IP systems are urged to apply the necessary patches and monitor their systems closely for any signs of compromise. The evolving nature of this threat underscores the importance of maintaining robust cybersecurity measures and staying informed about potential vulnerabilities.
