Critical F5 BIG-IP APM vulnerability under active exploitation by China-linked threat actors
Your F5 BIG-IP systems are under attack right now. I'm not being dramatic - CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog because attackers are actively exploiting this flaw in the wild. This isn't a theoretical risk; it's happening today.
China-linked threat actors are using this vulnerability to achieve remote code execution on your BIG-IP APM systems without any authentication needed. The CVSS score jumped from 9.3 to 9.8 when researchers discovered the real impact - full system compromise, not just denial of service.
This attack hits at the core of your infrastructure. F5 BIG-IP APM controls access to your apps, APIs, and data. When attackers exploit this, they're not just disrupting service - they're getting direct access to everything behind your load balancers.
I've seen the impact firsthand. Enterprises running vulnerable versions - 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, and 15.1.0-15.1.10 - need immediate action. Even if you patched in October 2025, you might still be compromised.
The scary part? Attackers have been in F5's network for at least 12 months. They deployed Brickstorm backdoors on customer systems and may have accessed your environment before you knew about this vulnerability.
CISA ordered federal agencies to assess and patch by March 30. If you're working with government contractors or handling critical infrastructure, compliance isn't optional - it's mandatory.
Here's your immediate checklist:
- Check your BIG-IP APM version against the vulnerable ranges
- Compare your systems against the F5-published indicators of compromise
- Look for webshell files, disabled SELinux modules, and suspicious HTTP/S traffic
- Verify your system integrity components (sys-eicheck)
- If compromised, isolate the system before patching
- Test patches in a non-production environment first
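As an added illustration of the first checklist item (not code from this post or from F5), a small Python triage helper that flags inventory entries whose BIG-IP version falls inside the ranges quoted above. It assumes the ranges are inclusive and compared on the first three version components; the inventory it runs over is constructed.

```python
"""Flag BIG-IP versions inside the ranges quoted in the post:
17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10.
Assumption (not stated in the post): ranges are inclusive and compared on
the first three components, so a point release such as 17.1.1.3 is
treated as 17.1.1. "not-in-listed-range" is not the same as "safe"; the
post warns that compromise may predate any patch.
"""
from typing import Dict, Tuple

# Vulnerable ranges exactly as listed in the post (inclusive bounds).
VULNERABLE_RANGES = [
    ("17.5.0", "17.5.1"),
    ("17.1.0", "17.1.2"),
    ("16.1.0", "16.1.6"),
    ("15.1.0", "15.1.10"),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, maint); drop build suffixes like '-0.0.4'
    and any fourth component so point releases map onto the ranges."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def is_in_vulnerable_range(version: str) -> bool:
    """True if the version lies inside one of the listed ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in VULNERABLE_RANGES)

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'vulnerable-range' or 'not-in-listed-range'."""
    return {host: ("vulnerable-range" if is_in_vulnerable_range(ver)
                   else "not-in-listed-range")
            for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "apm-edge-01": "17.1.1.3",
    "apm-edge-02": "16.1.7",
    "apm-lab-01": "15.1.10-0.0.4",
    "apm-lab-02": "17.5.2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:14s} {status}")
```

A host reported as "not-in-listed-range" still needs the remaining checklist items, since a version outside the ranges says nothing about whether the box was already backdoored.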
The Dutch National Cyber Security Center has already observed active abuse of this vulnerability. Every day you wait increases your risk of compromise.
This vulnerability exposes a harsh reality: when your infrastructure management tools get compromised, everything they protect becomes vulnerable too. Attackers see F5 BIG-IP as the keys to your entire enterprise.
Don't assume you're safe because you patched months ago. Check your systems now before these threat actors exploit this critical flaw in your environment.