Vulnerability affecting F5 BIG-IP APM
F5 BIG-IP APM unauthenticated RCE vulnerability (CVE-2025-53521) actively exploited in the wild.
Summary
The UK's NCSC is urging organisations to immediately mitigate CVE-2025-53521, an unauthenticated remote code execution vulnerability in F5 BIG-IP Access Policy Manager. F5 has confirmed active exploitation in the wild, with the vulnerability affecting all organisations using BIG-IP APM. The NCSC recommends isolation/replacement of affected systems, investigation for compromise, and full system rebuilds where isolation isn't feasible.
Full text
Organisations have been encouraged to take action against a vulnerability affecting F5 BIG-IP Access Policy Manager.

The NCSC is encouraging UK organisations to take immediate action to mitigate an unauthenticated remote code execution vulnerability affecting F5 BIG-IP Access Policy Manager (CVE-2025-53521). F5 BIG-IP APM is a common component, especially within large enterprises.

What has happened?
F5 has published an updated security advisory explaining that a previously disclosed vulnerability in BIG-IP APM has been recategorised as an unauthenticated remote code execution vulnerability.

CVE-2025-53521: When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).

Exploitation
F5 is aware of active exploitation of CVE-2025-53521 affecting BIG-IP APM.

The NCSC is working to fully understand UK impact and any potential cases of active exploitation affecting UK networks.

The NCSC recommends investigating for compromise on all affected products regardless of when the system was updated. F5 have published Indicators of Compromise.

Who is affected?
All organisations using BIG-IP APM are affected by this vulnerability.

What should I do?
The NCSC recommends following vendor best-practice advice to mitigate vulnerabilities.

In this case, due to reports of in-the-wild exploitation, if you use an affected product, you should take these priority actions:
- Read the security advisory and Indicators of Compromise.
- If possible, isolate the affected system(s) and replace with a new, fully up-to-date system (NOTE: this may cause service outage).
- Fully investigate for evidence of compromise following the vendor guidance (an assured Cyber Incident Response provider can assist). Where this isn't possible, the affected system should be erased/destroyed and rebuilt as new.
- If you believe you have been compromised, and are in the UK, you should report it and consider using an assured Cyber Incident Response provider. You can also report the compromise to the vendor to assist their investigation.
- Update to the latest version of the affected product.
- Apply any appropriate security hardening.
- Re-enable/reintroduce the affected system(s).
- Perform continuous threat hunting activities.

Further resources
The following NCSC guidance and services will help to secure systems:
- Find an assured Cyber Incident Response provider.
- Follow NCSC guidance including vulnerability management and preventing lateral movement.
- If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential cyber threats on your network. If you are already an Early Warning user, please check your MyNCSC portal.
- The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.

Published: 30 March 2026
Written for: Cyber security professionals, Large organisations
News type: Alert
Indicators of Compromise
- cve — CVE-2025-53521