F5: Warning: CISA, experts concerned over active exploitation of 6-month-old F5 BIG-IP APM vulnerability

Critical F5 BIG-IP APM Vulnerability Exploited in the Wild, CISA Flags Urgent Risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521, a critical vulnerability in F5 BIG-IP APM, to its Known Exploited Vulnerabilities (KEV) Catalog, signaling active exploitation in the wild. Initially disclosed by F5 in October 2025 as a denial-of-service (DoS) flaw with a CVSS score of 7.5, the vulnerability has since been reclassified as a pre-authentication remote code execution (RCE) issue, now carrying a CVSS score of 9.8.

The flaw affects BIG-IP APM systems, including those in Appliance mode, and allows unauthenticated attackers to execute arbitrary code remotely. Although the initial assessment suggested no control plane exposure, the updated risk profile has prompted urgent warnings from security experts, including watchTowr CEO Benjamin Harris, who described the shift as a "big ‘yikes’ moment."

Affected Versions & Mitigation

The vulnerability impacts the following BIG-IP APM versions:

  • 17.5.0 – 17.5.1.3 (fixed in 17.5.1.3)
  • 17.1.0 – 17.1.3 (fixed in 17.1.3)
  • 16.1.0 – 16.1.6.1 (fixed in 16.1.6.1)
  • 15.1.0 – 15.1.10.8 (fixed in 15.1.10.8)

F5 has released an updated advisory, urging organizations to upgrade to patched versions or apply mitigations if immediate patching is not feasible. The company confirmed that no control plane exposure exists, but the data plane remains vulnerable until remediated.
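The affected-version list above is the first thing a defender has to apply to an inventory. The following is an added example (not from the article or from F5) that encodes the four ranges as listed and classifies a BIG-IP APM version string as affected, fixed, or on a branch the advisory does not list. It assumes dotted-integer version strings and treats the "fixed in" release as the first unaffected version on its branch; the hostnames and versions in SAMPLE_INVENTORY are constructed for the demonstration.

```python
"""Classify BIG-IP APM version strings against the affected ranges listed
in the advisory summary above (added example, not F5's or the article's code)."""

# (first affected, fixed-in) per branch, exactly as listed on the page.
# Assumption: the fixed-in release itself is not affected, so the affected
# set on each branch is [first, fixed).
AFFECTED_RANGES = [
    ("17.5.0", "17.5.1.3"),
    ("17.1.0", "17.1.3"),
    ("16.1.0", "16.1.6.1"),
    ("15.1.0", "15.1.10.8"),
]


def parse_version(s, width=4):
    """Turn '16.1.6.1' into a zero-padded tuple of ints so that
    '17.1.3' and '17.1.3.0' compare as equal."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= width:
        raise ValueError(f"unexpected BIG-IP version string: {s!r}")
    return tuple(parts + [0] * (width - len(parts)))


def assess(version):
    """Return ('affected' | 'fixed' | 'unlisted', fixed_in_version_or_None).

    The branch (major.minor) of the input selects the applicable range; a
    version at or above the fixed-in release on that branch is 'fixed', and a
    branch the advisory does not mention is reported as 'unlisted' rather than
    silently treated as safe."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        f, x = parse_version(first), parse_version(fixed)
        if f[:2] != v[:2]:  # different release branch, e.g. 16.1 vs 17.1
            continue
        # All listed ranges start at x.y.0, so any version on the branch is >= f.
        if f <= v < x:
            return ("affected", fixed)
        return ("fixed", fixed)
    return ("unlisted", None)


def hosts_needing_patch(inventory):
    """Given (hostname, version) pairs, return (hostname, version, fixed_in)
    for every host whose version is inside an affected range."""
    result = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status == "affected":
            result.append((host, version, fixed))
    return result


# Constructed sample inventory for the demonstration (not real hosts).
SAMPLE_INVENTORY = [
    ("apm-edge-01", "16.1.5"),
    ("apm-edge-02", "17.5.1.3"),
    ("apm-lab-01", "14.1.5"),
    ("apm-dc-01", "17.1.2"),
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        status, fixed = assess(version)
        print(f"{host:12} {version:10} {status:9} fixed_in={fixed}")
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```

Feed it the version strings from your own asset inventory; anything reported as "unlisted" should be checked against the current F5 advisory rather than assumed clean, since this table only covers the branches the article names.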

Exploitation & Response

With evidence of in-the-wild exploitation, security teams are prioritizing patching and investigating potential breaches. The CISA KEV listing underscores the severity, as federal agencies and private sector organizations are now required to address the flaw under binding operational directives. The shift from a DoS to RCE classification highlights the evolving threat landscape, where initial vulnerability assessments may underestimate risk.

Source: https://www.cyberdaily.au/security/13397-warning-cisa-experts-concerned-over-active-exploitation-of-six-month-old-f5-big-ip-apm-vulnerability

F5 cybersecurity rating report: https://www.rankiteo.com/company/f5

"id": "F51774844643",
"linkid": "f5",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Organizations using affected '
                                              'BIG-IP APM versions',
                        'industry': 'Cybersecurity/Networking',
                        'name': 'F5',
                        'type': 'Technology Vendor'}],
 'attack_vector': 'Network',
 'customer_advisories': 'F5 customers urged to patch or mitigate affected '
                        'systems',
 'date_publicly_disclosed': '2025-10',
 'description': 'CISA has added CVE-2025-53521, a critical vulnerability in F5 '
                'BIG-IP APM, to its Known Exploited Vulnerabilities (KEV) '
                'Catalog due to active exploitation. Initially disclosed as a '
                'denial-of-service (DoS) flaw with a CVSS score of 7.5, it was '
                'later reclassified as a pre-authentication remote code '
                'execution (RCE) issue with a CVSS score of 9.8. The flaw '
                'allows unauthenticated attackers to execute arbitrary code '
                'remotely on affected BIG-IP APM systems, including those in '
                'Appliance mode.',
 'impact': {'operational_impact': 'Potential remote code execution leading to '
                                  'system compromise',
            'systems_affected': 'BIG-IP APM systems (including Appliance '
                                'mode)'},
 'investigation_status': 'Ongoing (active exploitation confirmed)',
 'lessons_learned': 'Initial vulnerability assessments may underestimate risk; '
                    'timely patching and monitoring are critical for '
                    'high-severity flaws.',
 'post_incident_analysis': {'corrective_actions': 'Reclassification of '
                                                  'vulnerability severity; '
                                                  'urgent patching and '
                                                  'mitigation guidance',
                            'root_causes': 'Pre-authentication RCE '
                                           'vulnerability in BIG-IP APM; '
                                           'initial misclassification as DoS '
                                           'flaw'},
 'recommendations': 'Immediately upgrade to patched versions of BIG-IP APM or '
                    'apply mitigations. Monitor for signs of exploitation and '
                    'prioritize remediation for systems exposed to the '
                    'internet.',
 'references': [{'source': 'CISA Known Exploited Vulnerabilities Catalog'},
                {'source': 'F5 Advisory'},
                {'source': 'watchTowr (Benjamin Harris)'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA KEV listing '
                                                       '(Binding Operational '
                                                       'Directive for federal '
                                                       'agencies)'},
 'response': {'communication_strategy': 'F5 released updated advisory; CISA '
                                        'issued KEV listing',
              'containment_measures': 'Upgrade to patched versions or apply '
                                      'mitigations',
              'remediation_measures': 'Patch affected systems to fixed '
                                      'versions (17.5.1.3, 17.1.3, 16.1.6.1, '
                                      '15.1.10.8)'},
 'stakeholder_advisories': 'CISA KEV listing; F5 advisory update',
 'title': 'Critical F5 BIG-IP APM Vulnerability Exploited in the Wild, CISA '
          'Flags Urgent Risk',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-53521'}