
CISA Adds CVE-2025-53521 to KEV After Active Exploitation of F5 BIG-IP APM

Ravie Lakshmanan | March 28, 2026 | Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw affecting the F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.

“When a BIG-IP APM access policy is configured on a virtual server, some malicious traffic can lead to Remote Code Execution (RCE),” according to the bug description on CVE.org.

While the flaw was initially classified and fixed as a critical denial-of-service (DoS) bug with a CVSS v4 score of 8.7, F5 said it was reclassified as an RCE due to “new information received in March 2026.”

The company has since updated its advisory to state that the vulnerability is “exploited in vulnerable versions of BIG-IP.” It did not share any additional details about who might be behind the exploitation.

However, F5 has published a number of indicators that can be used to check if a system has been compromised –

  • File related references –
    • Existence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
    • Mismatch of file hashes compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
    • Mismatch in file sizes or timestamps compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
    • Each release and engineering hotfix (EHF) may have different file sizes and timestamps, so the comparison must be made against a clean system of the same build.
  • Log related pointers –
    • Entries in “/var/log/restjavad-audit.0.log” showing a local user accessing the iControl REST API from the local host.
    • Entries in “/var/log/auditd/audit.log” showing a local user accessing the iControl REST API from localhost to disable SELinux.
    • Log messages in “/var/log/audit” that show the results of the command recorded in the audit log.
  • Other noted TTPs include –
    • Modification of the components that the system integrity checker, sys-eicheck, relies on (specifically /usr/bin/umount and/or /usr/sbin/httpd), causing the tool to fail; this points to the unexpected changes in system software mentioned above.
    • HTTP/S traffic from the BIG-IP system containing HTTP 201 response codes with a CSS content type, used to hide the attacker’s activity.
    • Changes to the following three files, although their presence alone does not indicate a security problem –
      • /var/sam/www/webtop/renderer/apm_css.php3
      • /var/sam/www/webtop/renderer/full_wt.php3
      • /var/sam/www/webtop/renderer/webtop_popup_css.php3

“We have seen cases of webshells being written to disk; however, webshells are known to run in memory only, meaning the files listed above may not be modified,” warns F5.
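The file and log indicators above can be checked from a shell on the appliance or against a mounted image. The following triage helper is an added example, not F5 tooling: it assumes a filesystem prefix argument (empty for a live system), placeholder known-good SHA-256 values that you record from a clean system of the same release and EHF, and a JSON-style `"from"` field in the restjavad audit log (the sample line in the comments is constructed).

```shell
#!/bin/sh
# Added triage helper (not F5's own tooling) for the CVE-2025-53521 indicators
# listed above. ROOT is a filesystem prefix: "" for a live BIG-IP, or the path
# of a mounted image or test tree. Known-good SHA-256 values are placeholders;
# record them from a clean system of the *same* release and EHF, because the
# binaries' sizes, hashes and timestamps differ per build.

hits=0

flag() { echo "HIT: $1"; hits=$((hits + 1)); }

# Compare a binary that sys-eicheck depends on against its known-good hash.
check_hash() {
  path="$ROOT$1"; expected="$2"
  [ -f "$path" ] || return 0
  actual=$(sha256sum "$path" | cut -d' ' -f1)
  [ "$actual" = "$expected" ] || flag "hash mismatch for $1 (got $actual)"
}

bigip_ioc_scan() {
  ROOT="${1:-}"
  good_umount="${2:-PLACEHOLDER_SHA256_OF_CLEAN_UMOUNT}"
  good_httpd="${3:-PLACEHOLDER_SHA256_OF_CLEAN_HTTPD}"
  hits=0

  # 1. Files F5 reports on compromised systems.
  for f in /run/bigtlog.pipe /run/bigstart.ltm; do
    [ -e "$ROOT$f" ] && flag "unexpected file $f"
  done

  # 2. Tampered integrity-checker dependencies.
  check_hash /usr/bin/umount "$good_umount"
  check_hash /usr/sbin/httpd "$good_httpd"

  # 3. iControl REST access from the local host in the restjavad audit log.
  #    Assumed (constructed) line shape:
  #    [...][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET",
  #      "uri":"http://localhost:8100/mgmt/...","status":200,"from":"127.0.0.1"}
  #    Adjust the pattern to the exact format your release writes.
  log="$ROOT/var/log/restjavad-audit.0.log"
  if [ -f "$log" ] && grep -Eq '/mgmt/.*"from":"(127\.0\.0\.1|localhost)"' "$log"; then
    flag "local-host iControl REST access in $log"
  fi

  echo "hits=$hits"
  [ "$hits" -eq 0 ]   # non-zero exit when anything was flagged
}

# Live use: bigip_ioc_scan "" "$CLEAN_UMOUNT_SHA256" "$CLEAN_HTTPD_SHA256"
```

A clean result here does not clear a device: F5 notes that the webshell runs in memory, so absence of modified files is not proof of absence.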

The problem affects the following versions –

  • 17.5.0 – 17.5.1 (Fixed in version 17.5.1.3)
  • 17.1.0 – 17.1.2 (Fixed in version 17.1.3)
  • 16.1.0 – 16.1.6 (Fixed in version 16.1.6.1)
  • 15.1.0 – 15.1.10 (Fixed in version 15.1.10.8)

Due to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the fix and secure their networks.

“When F5 CVE-2025-53521 first surfaced last year as a denial-of-service issue, it didn’t show any immediate urgency, and system administrators may have prioritized it accordingly,” said watchTowr CEO and founder Benjamin Harris in a statement shared with The Hacker News.

“Fast forward to today’s big ‘yikes’ era: the landscape has changed dramatically. What we’re seeing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with the CISA KEV list backing it up. That’s a very different risk profile than what was originally talked about.”

Defused Cyber, in an X post, also confirmed that it is seeing “faster scanning activity” for vulnerable F5 BIG-IP devices following the addition of CVE-2025-53521 to the KEV catalog.

“This actor calls /mgmt/shared/identified-devices/config/device-info which is the F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, device ID, and base MAC address,” it said.
