IT Sidekick.
Vol. 01 — The Growth Issue
vulnerability March 31, 2026

Attackers Exploiting RCE in BIG-IP APM Systems (CVE-2025-53521)


IT Sidekick

Senior Strategist

Bad news for anyone running F5 BIG-IP. Attackers are actively exploiting CVE-2025-53521, a Remote Code Execution vulnerability in the Access Policy Manager. It's on CISA's Known Exploited Vulnerabilities catalog.

How it happened

In October 2025, F5 disclosed a data breach. A sophisticated threat actor had been in its network for at least 12 months, grabbed source code, and found zero-day vulnerabilities. F5 initially thought CVE-2025-53521 was just a denial-of-service issue. In March 2026, it realized the flaw is actually RCE, with CVSS scores of 9.8 and 9.3.

The technical details

CVE-2025-53521 hits the apmd process that handles live traffic in BIG-IP APM. It allows unauthenticated remote code execution — no credentials needed.

Vulnerable versions:

  • BIG-IP APM 17.5.0 to 17.5.1
  • BIG-IP APM 17.1.0 to 17.1.2
  • BIG-IP APM 16.1.0 to 16.1.6
  • BIG-IP APM 15.1.0 to 15.1.10

The attack triggers when a BIG-IP APM access policy is active on a virtual server. Appliance mode systems are also affected.

What a breach means for you

  • Full network control — these systems manage access to critical apps and data
  • Service disruption — guaranteed, since RCE lets attackers shut down operations
  • Customer data exposure and the regulatory fallout that follows
  • Reputation damage that takes years to rebuild
  • Remediation costs, legal fees, and lost revenue adding up fast

What to do right now

  1. Check if your BIG-IP APM systems are running vulnerable versions
  2. Apply F5's patches immediately (test in non-prod first if possible)
  3. Review system logs for signs of compromise — unusual admin activity, webshell files, modified system files
  4. Isolate BIG-IP systems from critical business networks
  5. Set up enhanced monitoring for unusual traffic patterns
  6. Make sure you have tested backups of BIG-IP configurations
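For step 1, a fleet triage sketch that checks collected version strings against the ranges listed above. This is an added example, not F5 tooling; the host names, the sample inventory and the `tmsh show sys version`-style text are constructed, and the "review" bucket is an assumption made here because this page does not name fixed builds.

```python
import re

# Affected ranges exactly as listed on this page (inclusive, three components).
AFFECTED = [((17, 5, 0), (17, 5, 1)), ((17, 1, 0), (17, 1, 2)),
            ((16, 1, 0), (16, 1, 6)), ((15, 1, 0), (15, 1, 10))]

def parse_version(text):
    """Extract a dotted version from `tmsh show sys version`-style text or a bare string."""
    m = (re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", text, re.M)
         or re.fullmatch(r"\s*(\d+(?:\.\d+)+)\s*", text))
    if not m:
        raise ValueError("no version found")
    # Integers, not strings: "15.1.10" must sort after "15.1.6".
    return tuple(int(part) for part in m.group(1).split("."))

def classify(version):
    """Return 'affected', 'review' or 'not-listed' for a version tuple."""
    base = (version + (0, 0))[:3]  # compare on major.minor.maintenance only
    for low, high in AFFECTED:
        if low <= base <= high:
            # A point release on top of a range's last version (e.g. 17.1.2.x)
            # may or may not carry the fix. The page gives no fixed build, so
            # send it to manual review against the vendor advisory.
            if base == high and any(version[3:]):
                return "review"
            return "affected"
    return "not-listed"  # outside the page's list; not a statement that it is safe

def triage(inventory):
    """Map each host to its status. Values are raw tmsh text or bare versions."""
    return {host: classify(parse_version(raw)) for host, raw in inventory.items()}

# Constructed sample data (assumed output layout, hypothetical hosts).
SAMPLE_TMSH = """Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.4
  Build       0.0.5
  Edition     Final
"""
SAMPLE_INVENTORY = {
    "vpn-edge-01": SAMPLE_TMSH,
    "vpn-edge-02": "17.1.2.1",
    "lab-ltm-03": "17.1.3",
    "dc-apm-04": "15.1.10",
    "old-apm-05": "14.1.5",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

A version match only narrows the list: as noted above, the attack triggers when an APM access policy is active on a virtual server, so confirm that condition on each flagged host.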

Patch now, monitor closely, and have your incident response plan ready.
