Critical Vulnerabilities in F5 BIG-IP and Citrix NetScaler Demand Immediate Action from UK Organizations
The UK’s National Cyber Security Centre (NCSC) has issued urgent guidance for organizations to mitigate active exploitation of severe vulnerabilities in F5 BIG-IP Access Policy Manager (APM) and Citrix NetScaler ADC/Gateway. Both flaws enable unauthenticated remote code execution (RCE), posing significant risks to enterprise networks.
F5 BIG-IP APM (CVE-2025-53521)
- Impact: Affects all organizations using BIG-IP APM, particularly large enterprises. Exploitation occurs when a malicious actor sends crafted traffic to a virtual server configured with an APM access policy.
- Active Exploitation: F5 has confirmed in-the-wild attacks targeting this vulnerability.
- Recommended Actions:
  - Isolate affected systems immediately to prevent further compromise.
  - Update to the latest patched version or rebuild systems from scratch if updates are not feasible.
  - Investigate for compromise, even if systems were recently updated, as exploitation may have occurred prior to patching.
  - Report incidents to F5 and UK authorities if a breach is suspected.
Citrix NetScaler ADC/Gateway Vulnerabilities
- Impact: Two recently disclosed flaws in Citrix NetScaler products could allow attackers to execute arbitrary code without authentication.
- Recommended Actions:
  - Apply vendor patches without delay.
  - Monitor for signs of compromise, including unusual network activity or unauthorized access.
  - Consider engaging an assured Cyber Incident Response provider for forensic analysis if exploitation is suspected.
Broader Context & NCSC Support
The NCSC is actively assessing the UK impact of these vulnerabilities and collaborating with industry partners to track exploitation. Organizations are advised to:
- Enable continuous threat hunting to detect post-exploitation activity.
- Follow NCSC’s hardening guidance to reduce attack surfaces.
- Leverage the NCSC Early Warning service for real-time threat notifications.
Both F5 BIG-IP APM and Citrix NetScaler are widely deployed in critical infrastructure, making them high-priority targets for threat actors. Immediate remediation is essential to prevent potential breaches.
Source: https://www.ncsc.gov.uk/news/vulnerability-affecting-f5-big-ip-apm
"id": "F5CIT1774873786",
"linkid": "f5, citrix",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"