CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

Summary

CISA added CVE-2025-53521, a critical remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM), to its Known Exploited Vulnerabilities catalog after evidence of active in-the-wild exploitation emerged. The flaw was initially disclosed as a denial-of-service issue with a CVSS score of 8.7 but was reclassified as pre-authentication RCE (CVSS 9.3) following new information discovered in March 2026. Federal civilian agencies have been given until March 30, 2026, to patch affected versions (15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, and 17.5.0–17.5.1).

Full text

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation Ravie LakshmananMar 28, 2026Vulnerability / Network Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution. "When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE)," according to a description of the flaw in CVE.org. While the shortcoming was initially categorized and remediated as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7, F5 said it has been reclassified as a case of RCE in light of "new information obtained in March 2026." The company has since updated its advisory to confirm that the vulnerability "has been exploited in the vulnerable BIG-IP versions." It did not share any additional details on who may be behind the exploitation activity. However, F5 published a number of indicators that can be used to assess if the system has been compromised - File-related indicators - Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm. Mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd. Mismatch of file sizes or timestamps when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd. Each release and EHF may have different file sizes and timestamps. Log-related indicators - An entry in "/var/log/restjavad-audit.<NUMBER>.log" showing a local user accessing the iControl REST API from localhost. An entry in "/var/log/auditd/audit.log.<NUMBER>" showing a local user accessing the iControl REST API from localhost to disable SELinux. Log messages in "/var/log/audit" show the results of a command being run in the audit log. Other TTPs observed include - Modifications to the underlying components that the system integrity checker, sys-eicheck, relies on, resulting in a failure of the tool, specifically /usr/bin/umount and/or /usr/sbin/httpd, indicating unexpected changes to the system software as mentioned above. HTTP/S traffic from the BIG-IP system that contains HTTP 201 response codes and CSS content-type to disguise the attacker's activities. Changes to the following three files, although their presence alone does not signal a security issue - /var/sam/www/webtop/renderer/apm_css.php3 /var/sam/www/webtop/renderer/full_wt.php3 /var/sam/www/webtop/renderer/webtop_popup_css.php3 "We have observed cases of webshell being written to disk; however, the webshells have been observed to work in memory only, meaning the files listed above might not be modified," F5 cautioned. The issue impacts the following versions - 17.5.0 - 17.5.1 (Fixed in version 17.5.1.3) 17.1.0 - 17.1.2 (Fixed in version 17.1.3) 16.1.0 - 16.1.6 (Fixed in version 16.1.6.1) 15.1.0 - 15.1.10 (Fixed in version 15.1.10.8) In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the fixes to secure their networks. "When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn't immediately signal urgency, and many system administrators likely prioritized it accordingly," watchTowr CEO and founder Benjamin Harris said in a statement shared with The Hacker News. "Fast forward to today's big 'yikes' moment: the situation has changed significantly. What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That's a very different risk profile than what was initially communicated." Defused Cyber, in an X post, has also confirmed that it's seeing "acute scanning activity" for vulnerable F5 BIG-IP devices following the addition of CVE-2025-53521 to the KEV catalog. "This actor is hitting /mgmt/shared/identified-devices/config/device-info which is a F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address," it said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  BIG-IP, CISA, cybersecurity, F5, network security, Patch Management, remote code execution, Vulnerability, Webshell Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• cve — CVE-2025-53521
• mitre_attack — T1190
• mitre_attack — T1505.003