On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that they have added a significant vulnerability of the F5 BIG-IP Access Policy Manager (APM) to their Known Exploited Vulnerabilities (KEV) catalog, stating that they had received confirmation of its active exploitation in the wild.
The vulnerability assigned the identifier CVE-2025-53521 (CVSS v4 score of 9.3), allows for remote code execution (RCE) of the system by an attacker via the configuration and existence of an APM resource as an access policy for a virtual server. Once an APM access policy is created on a virtual server, an attacker can send well-crafted traffic to exploit the vulnerability, allowing for arbitrary code execution on the affected system.
Further, the vulnerability had previously been disclosed by F5 and patched as a denial-of-service vulnerability last year and assigned a lower severity rating; however, in March of 2026, F5 reclassified the vulnerability as RCE due to new information and has confirmed to CISA this vulnerability has been actively exploited.
F5 has amended its security advisory and has shared various indicators of compromise (IoCs) which can help organisations identify if their systems may have been hacked.
The accepted IoCs consist of:
1) File signs: An unexpected (or unsolicited) file found either at /run/bigtlog.pipe or /run/bigstart.ltm, along with unanticipated changes (to the hashes, sizes, or timestamps) in the file for the execution path /usr/bin/umount or /usr/sbin/httpd
2) Log signs: Entries in either the file restjavad-audit.log or in either auditd/audit.log indicating a local user/administrator has accessed the iControl REST API from 'localhost' to disable SELinux
3) Other signs: Changes to integrity-check software, abnormal HTTP/S traffic containing response codes of 201 (indicating success) and with Content-Type of 'text/css, and modifications to the following file types which relate to specific webtop renderers: apm_css.php3, full_wt.php3, webtop_popup_css.php3
F5 stated that wherever web shells are deployed by an attacker, they appear to be active within computer RAM (i.e. they are not stored on disk), thereby making them difficult to detect through traditional means of endpoint file-based detection methods.
Affected Versions
The vulnerability impacts the following BIG-IP versions (with fixed builds listed):
1) 17.5.0 – 17.5.1 → Fixed in 17.5.1.3
2) 17.1.0 – 17.1.2 → Fixed in 17.1.3
3) 16.1.0 – 16.1.6 → Fixed in 16.1.6.1
4) 15.1.0 – 15.1.10 → Fixed in 15.1.10.8
Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the necessary patches.
Security experts are urging immediate action. Benjamin Harris, CEO of watchTowr, highlighted the sharp change in risk profile: what was initially seen as a lower-priority DoS issue is now confirmed pre-authentication remote code execution under active exploitation.
Defused Cyber also reported seeing increased scanning activity targeting the /mgmt/shared/identified-devices/config/device-info REST API endpoint on vulnerable F5 BIG-IP devices shortly after the KEV listing.
Recommendation
If your organization uses F5 BIG-IP APM, treat this as a high-priority update. Analyze your systems with F5’s published compromise indicators and promptly apply the latest patches. Due to confirmed, real-world exploitations and CISA’s engagement, delaying remediation will greatly increase your risk of compromise. Typically, F5 BIG-IP appliances are located at critical network boundaries, so timely patching is critical to secure your infrastructure.
Source: The Hacker News