The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a critical vulnerability in F5’s BIG-IP systems. This flaw, identified as CVE-2025-53521 and originally disclosed in October 2025, was initially classified as a high-severity denial-of-service (DoS) issue. However, it has recently been upgraded to a remote code execution (RCE) vulnerability.
Details of the Vulnerability
F5’s updated advisory highlights the increased severity of this bug, which threatens BIG-IP Access Policy Manager (APM) systems that have an access policy configured on a virtual server. The vulnerability allows unauthenticated remote code execution on systems running in Appliance mode; it affects the data plane only and does not affect the control plane.
The affected versions of BIG-IP APM include 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. F5 has addressed this issue in patches for versions 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8, confirming that these updates mitigate the RCE threat.
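As an added example (not code from the article or from F5), the checker below classifies a BIG-IP APM version string against the affected branches and fixed releases the article lists. It assumes that, within each listed branch, every release from the branch start up to but excluding the fixed release is affected; the authoritative list remains F5’s advisory.

```python
# Added example, not from the article or F5: classify a BIG-IP APM version
# against the affected/fixed versions the article gives for CVE-2025-53521.
from typing import Optional, Tuple

# (branch start, branch end, fixed release), exactly as stated in the article.
AFFECTED_BRANCHES = [
    ("17.5.0", "17.5.1", "17.5.1.3"),
    ("17.1.0", "17.1.2", "17.1.3"),
    ("16.1.0", "16.1.6", "16.1.6.1"),
    ("15.1.0", "15.1.10", "15.1.10.8"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '17.1.2' into (17, 1, 2); tuple comparison gives version ordering."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> Tuple[str, Optional[str]]:
    """Return ('affected' | 'fixed' | 'outside', fixed_release_or_None).

    'outside' means the version is not on any branch the article lists
    (older or newer branches), so the article gives no verdict for it.
    """
    v = parse_version(version)
    for start, end, fixed in AFFECTED_BRANCHES:
        s, e, f = parse_version(start), parse_version(end), parse_version(fixed)
        if v[:2] != s[:2]:
            continue  # different major.minor branch
        if v >= f:
            return ("fixed", fixed)  # at or above the fixed point release
        # Assumption: anything from the branch start up to (but excluding) the
        # fixed release is affected, including point releases of the listed end.
        if s <= v and v[:3] <= e[:3]:
            return ("affected", fixed)
        return ("outside", fixed)  # older than the listed start of this branch
    return ("outside", None)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("apm-a", "17.1.2"), ("apm-b", "15.1.10.8"), ("apm-c", "18.0.0")]:
        print(host, ver, *classify(ver))
```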
CISA’s Response
In response to this critical security threat, CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog. The agency is urging federal entities to implement the necessary patches within a three-day timeframe to protect their systems from potential breaches.
Alongside this, F5 has released several indicators of compromise (IOCs) to help organizations identify malicious activities on their networks. These indicators include unexpected file changes, mismatches in file hashes and sizes, and unusual command outputs. If detected, these signs suggest a successful breach of vulnerable systems.
Recommendations for Organizations
Organizations are strongly advised to apply the latest fixes for CVE-2025-53521 and to remain vigilant against other vulnerabilities listed in CISA’s KEV catalog. Prioritizing these updates is critical to safeguarding IT infrastructure from exploitation by cyber threat actors.
By staying informed and proactive, companies can mitigate risks and protect their data from unauthorized access and potential damage.
For further insights, explore similar vulnerabilities such as those patched by QNAP and the critical Quest KACE and Langflow vulnerabilities, which have seen exploitation soon after their disclosure.
