Critical F5 BIG-IP APM RCE Vulnerability Actively Exploited on 14,000+ Devices
Key Takeaways A critical remote code execution (RCE) vulnerability, CVE-2025-53521, in F5’s BIG-IP APM is being actively exploited. Initially classified as a Denial-of-Service (DoS) flaw, its...
Key Takeaways
- A critical remote code execution (RCE) vulnerability, CVE-2025-53521, in F5’s BIG-IP APM is being actively exploited.
- Initially classified as a Denial-of-Service (DoS) flaw, its upgrade to RCE poses a severe threat to enterprise networks.
- Over 14,000 F5 BIG-IP APM instances globally remain exposed, with the highest concentrations in the United States and Japan.
- CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies and urging broader action.
- Successful exploitation grants attackers full control over affected appliances and direct access to internal corporate networks.
Thousands of enterprise networks are now under significant threat due to the active exploitation of a critical security vulnerability within F5’s BIG-IP Access Policy Manager (APM).
Table Of Content
The flaw, identified as CVE-2025-53521, initially raised concerns as a Denial-of-Service (DoS) issue. However, its reclassification to a severe Remote Code Execution (RCE) vulnerability has prompted urgent warnings across the cybersecurity community.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate mitigation. Data from The Shadowserver Foundation paints a grim picture, revealing over 17,100 F5 BIG-IP APM instances exposed to the internet as of March 31, 2026.
Despite ongoing efforts by some organizations to apply necessary updates, more than 14,000 systems remain publicly accessible and vulnerable. According to Shadowserver’s device mapping, the United States and Japan currently host the highest concentrations of these vulnerable systems.
Given that BIG-IP APM functions as a secure gateway for accessing enterprise applications, a successful exploit could allow attackers to bypass perimeter defenses and gain direct entry into internal networks.
The Escalating Threat of CVE-2025-53521
The widespread exposure largely stems from the vulnerability’s initial, less severe classification. When F5 first disclosed CVE-2025-53521, it was exclusively rated as a DoS flaw. This often leads to DoS vulnerabilities being assigned lower priority in enterprise patch management schedules compared to direct intrusion threats.
Security researchers at VulnTracker observed that many IT teams likely deferred patching this vulnerability during its initial release to address more critical alerts. Now, with threat actors demonstrating the ability to weaponize this flaw for arbitrary remote code execution, those delayed patches have become significant security liabilities.
An attacker exploiting this RCE vulnerability can seize full control of the compromised F5 appliance. This could lead to severe consequences, including data theft, the deployment of ransomware, or establishing persistent footholds deep within a network.
What You Should Do
- Apply Vendor Updates Immediately: Review F5’s updated security advisory (K000156741) and upgrade all BIG-IP APM instances to the latest patched software versions without delay.
- Conduct a Thorough Compromise Hunt: Given active exploitation, patching alone is insufficient. Administrators must meticulously review system logs and actively search for any indicators of compromise (IoCs).
- Audit External-Facing Assets: Utilize network monitoring tools to identify, secure, and correctly configure all internet-facing APM interfaces.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.