F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild

Summary

A critical remote code execution vulnerability in F5 BIG-IP (CVE-2025-53521, CVSS 9.3) has been actively exploited by threat actors after being reclassified from a high-severity DoS issue. The flaw affects BIG-IP APM versions 15.1.0–17.5.1 and allows unauthenticated attackers to execute code on vulnerable systems. CISA has added it to the Known Exploited Vulnerabilities catalog and mandated patching within three days for federal agencies, with F5 providing indicators of compromise including rogue files, hash mismatches, and suspicious HTTP traffic patterns.

Full text

The US cybersecurity agency CISA on Friday warned that threat actors have been exploiting a critical-severity F5 BIG-IP vulnerability in the wild. Tracked as CVE-2025-53521 (CVSS score of 9.3), the flaw was publicly disclosed in October 2025 as a high-severity denial-of-service (DoS) issue, but was reclassified as a remote code execution (RCE) vulnerability last week. F5 has updated its original advisory to reflect the bug’s severity, noting that attackers can exploit it on BIG-IP APM systems that have an access policy configured on a virtual server. “This vulnerability allows an unauthenticated attacker to perform remote code execution. The BIG-IP system in Appliance mode is also vulnerable. This is a data plane issue; there is no control plane exposure,” F5 notes. CVE-2025-53521 impacts BIG-IP APM versions 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, and 15.1.0 – 15.1.10, and was addressed in versions 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8. “We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions. The original CVE remediation has been validated to address the RCE in the fixed versions,” F5 notes in its advisory.Advertisement. Scroll to continue reading. On Friday, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days. Simultaneously, F5 published indicators of compromise (IOCs) associated with the malicious activity targeting vulnerable BIG-IP systems. These include the presence of rogue files, mismatches in file hashes, mismatches in file sizes or timestamps, and different file sizes and timestamps across releases and Engineering Hotfix (EHF) releases. The presence of specific log entries and command outputs on vulnerable systems, as well as outbound HTTP/S traffic containing CSS content-type and HTTP 201 response codes, also indicates successful compromise. Organizations of all types are advised to apply fixes for CVE-2025-53521 and to prioritize mitigations for all vulnerabilities in CISA’s KEV list. Related: QNAP Patches Four Vulnerabilities Exploited at Pwn2Own Related: CISA Adds iOS Flaws From Coruna Exploit Kit to KEV List Related: Critical Quest KACE Vulnerability Potentially Exploited in Attacks Related: Critical Langflow Vulnerability Exploited Hours After Public Disclosure Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Hightower Holding Data Breach Impacts 130,000BIND Updates Patch High-Severity VulnerabilitiesChinese Hackers Caught Deep Within Telecom Backbone InfrastructureCisco Patches Multiple Vulnerabilities in IOS SoftwareOnit Security Raises $11 Million for Exposure Management PlatformiOS, macOS 26.4 Roll Out With Fresh Security PatchesFCC Bans New Routers Made Outside the US Over National Security RisksFrom Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPI Latest News Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsPro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal AccountIn Other News: Palo Alto Recruiter Scam, Anti-Deepfake Chip, Google Sets 2029 Quantum DeadlineOpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router VulnerabilitiesRSAC 2026 Conference Announcements Summary (Days 3-4)Coruna iOS Exploit Kit Likely an Update to Operation TriangulationCISA Flags Critical PTC Vulnerability That Had German Police Mobilized Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2025-53521
• mitre_attack — T1190 (Exploit Public-Facing Application)