The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant security vulnerability, identified as CVE-2025-53521, to its Known Exploited Vulnerabilities (KEV) catalog. This decision comes in response to confirmed instances of active exploitation affecting the F5 BIG-IP Access Policy Manager (APM).
Details of the Vulnerability
CVE-2025-53521 has a CVSS v4 score of 9.3, indicating a critical level of severity. When a BIG-IP APM access policy is configured on a virtual server, the vulnerability allows threat actors to execute code remotely under specific conditions. According to the description provided by CVE.org, certain malicious traffic can lead to Remote Code Execution (RCE).
Reclassification and Exploitation
Initially, this flaw was classified as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7. However, F5 has since reclassified it as a remote code execution issue based on new information obtained in March 2026. The company has confirmed that the vulnerability has been actively exploited in vulnerable versions of the BIG-IP software.
Indicators of Compromise
F5 has provided several indicators that can help organizations determine if their systems have been compromised. These include:
- File-related indicators, such as the presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
- Mismatch of file hashes or sizes for /usr/bin/umount and /usr/sbin/httpd.
- Log entries indicating unauthorized access to the iControl REST API from localhost.
F5 also noted that modifications to certain system files could indicate unexpected changes to the software, and that webshells have been observed operating in memory.
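The file-based indicators above can be checked with a short script. This is an added example, not F5's tooling or code from the original article; the ROOT argument (empty on a live system, or the mount point of an image or extracted backup) and the baseline file format are assumptions of the example, and the baseline values must come from a known-good install of the same version, since the article lists no hashes.

```shell
#!/bin/sh
# Added example: checks the file-based indicators listed in this article.
# ROOT and the baseline format are assumptions of this example.

# Print "IOC_PRESENT <path>" for each indicator file that exists under ROOT.
check_ioc_files() (
  root="${1:-}"
  for p in /run/bigtlog.pipe /run/bigstart.ltm; do
    # -e matches regular files and FIFOs; -L also catches dangling symlinks.
    if [ -e "$root$p" ] || [ -L "$root$p" ]; then
      echo "IOC_PRESENT $p"
    fi
  done
)

# Compare size and SHA-256 of the two binaries against a baseline file.
# Assumed baseline format, one entry per line: "<path> <size-bytes> <sha256>"
check_binaries() (
  root="${1:-}"
  baseline="$2"
  while read -r path size sum || [ -n "$path" ]; do
    # Only the two binaries named in the indicator list are evaluated.
    case "$path" in
      /usr/bin/umount|/usr/sbin/httpd) ;;
      *) continue ;;
    esac
    if [ ! -f "$root$path" ]; then
      echo "MISSING $path"
      continue
    fi
    cur_size=$(wc -c < "$root$path" | tr -d ' ')
    cur_sum=$(sha256sum "$root$path" | cut -d' ' -f1)
    [ "$cur_size" = "$size" ] || echo "SIZE_MISMATCH $path expected=$size actual=$cur_size"
    [ "$cur_sum" = "$sum" ] || echo "HASH_MISMATCH $path"
  done < "$baseline"
)

# Direct use: ROOT=/mnt/image ./check.sh baseline.txt   (ROOT unset = live system)
if [ "$#" -ge 1 ]; then
  check_ioc_files "${ROOT:-}"
  check_binaries "${ROOT:-}" "$1"
fi
```

No output means none of the file-based indicators matched; it does not cover the iControl REST log entries or the in-memory webshells mentioned above.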
Affected Versions and Urgency for Patching
The vulnerability impacts several versions of F5 BIG-IP:
- 17.5.0 – 17.5.1 (Fixed in version 17.5.1.3)
- 17.1.0 – 17.1.2 (Fixed in version 17.1.3)
- 16.1.0 – 16.1.6 (Fixed in version 16.1.6.1)
- 15.1.0 – 15.1.10 (Fixed in version 15.1.10.8)
In light of the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by March 30, 2026. Industry experts have highlighted the urgency of the situation, noting that the risk profile has changed significantly since the vulnerability was first reported.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








