Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
PureLog Stealer Uses Blogspot and PowerShell to Deliver Malware
July 3, 2026
FBI Warns TeamPCP Hackers Exploit Developer Tools in Supply Chain Attacks
July 3, 2026
SharkLoader Malware Uses Fake Cisco AnyConnect, Google Updates
July 3, 2026
Home/CyberSecurity News/Critical F5 BIG-IP APM RCE Vulnerability Actively Exploited on 14,000+ Devices
CyberSecurity News

Critical F5 BIG-IP APM RCE Vulnerability Actively Exploited on 14,000+ Devices

Key Takeaways A critical remote code execution (RCE) vulnerability, CVE-2025-53521, in F5’s BIG-IP APM is being actively exploited. Initially classified as a Denial-of-Service (DoS) flaw, its...

Sarah simpson
Sarah simpson
April 3, 2026 2 Min Read
31 0

Key Takeaways

  • A critical remote code execution (RCE) vulnerability, CVE-2025-53521, in F5’s BIG-IP APM is being actively exploited.
  • Initially classified as a Denial-of-Service (DoS) flaw, its upgrade to RCE poses a severe threat to enterprise networks.
  • Over 14,000 F5 BIG-IP APM instances globally remain exposed, with the highest concentrations in the United States and Japan.
  • CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies and urging broader action.
  • Successful exploitation grants attackers full control over affected appliances and direct access to internal corporate networks.

Thousands of enterprise networks are now under significant threat due to the active exploitation of a critical security vulnerability within F5’s BIG-IP Access Policy Manager (APM).

Table Of Content

  • Key Takeaways
  • The Escalating Threat of CVE-2025-53521
  • What You Should Do

The flaw, identified as CVE-2025-53521, initially raised concerns as a Denial-of-Service (DoS) issue. However, its reclassification to a severe Remote Code Execution (RCE) vulnerability has prompted urgent warnings across the cybersecurity community.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate mitigation. Data from The Shadowserver Foundation paints a grim picture, revealing over 17,100 F5 BIG-IP APM instances exposed to the internet as of March 31, 2026.

Despite ongoing efforts by some organizations to apply necessary updates, more than 14,000 systems remain publicly accessible and vulnerable. According to Shadowserver’s device mapping, the United States and Japan currently host the highest concentrations of these vulnerable systems.

Given that BIG-IP APM functions as a secure gateway for accessing enterprise applications, a successful exploit could allow attackers to bypass perimeter defenses and gain direct entry into internal networks.

The Escalating Threat of CVE-2025-53521

The widespread exposure largely stems from the vulnerability’s initial, less severe classification. When F5 first disclosed CVE-2025-53521, it was exclusively rated as a DoS flaw. This often leads to DoS vulnerabilities being assigned lower priority in enterprise patch management schedules compared to direct intrusion threats.

Security researchers at VulnTracker observed that many IT teams likely deferred patching this vulnerability during its initial release to address more critical alerts. Now, with threat actors demonstrating the ability to weaponize this flaw for arbitrary remote code execution, those delayed patches have become significant security liabilities.

An attacker exploiting this RCE vulnerability can seize full control of the compromised F5 appliance. This could lead to severe consequences, including data theft, the deployment of ransomware, or establishing persistent footholds deep within a network.

What You Should Do

  • Apply Vendor Updates Immediately: Review F5’s updated security advisory (K000156741) and upgrade all BIG-IP APM instances to the latest patched software versions without delay.
  • Conduct a Thorough Compromise Hunt: Given active exploitation, patching alone is insufficient. Administrators must meticulously review system logs and actively search for any indicators of compromise (IoCs).
  • Audit External-Facing Assets: Utilize network monitoring tools to identify, secure, and correctly configure all internet-facing APM interfaces.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCVECybersecurityExploitPatchransomwareSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Kimsuky Uses Malicious LNK Files for Python Backdoor in Multi-Stage Attack

Next Post

Anthropic Stops Claude Subscriptions for Third-Party Tools

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical WatchGuard Firebox OS Flaws Let Attackers Execute Code
July 3, 2026
Critical Microsoft Exchange SSRF Vulnerability Gets Public PoC Exploit
July 3, 2026
North Korean Hackers Conceal JavaScript Loaders in Open Source Repos
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us