F5 and Federal Agencies: CISA Warns of Actively Exploited F5 BIG-IP Vulnerability in Ongoing Attacks

CISA Issues Critical Alert for Actively Exploited F5 BIG-IP Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding CVE-2025-53521, a severe remote code execution (RCE) flaw in F5 BIG-IP AMP systems that is being actively exploited in the wild. The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 27, 2026, indicating real-world attacks are underway.

The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable devices, granting full control over affected systems. Since F5 BIG-IP appliances often serve as load balancers, firewalls, and application gateways at network perimeters, they are prime targets for threat actors. Successful exploitation could enable attackers to intercept traffic, manipulate application requests, or establish a foothold for deeper network infiltration, a risk compounded by the difficulty of detecting such intrusions with standard endpoint security tools.

While it remains unclear whether ransomware groups are currently leveraging this exploit, vulnerabilities of this nature are frequently targeted by initial access brokers to sell network access to other malicious actors.

Under Binding Operational Directive (BOD) 22-01, federal agencies must patch or mitigate the flaw by March 30, 2026, though CISA strongly recommends that all organizations, public and private, prioritize remediation. If patches are unavailable, administrators are advised to disconnect vulnerable systems until a fix is deployed. The exact technical details of the vulnerability remain undisclosed, but the severity of active exploitation underscores the urgency of addressing this threat.

Source: https://gbhackers.com/cisa-warns-of-actively-exploited-f5-big-ip-vulnerability/

F5 cybersecurity rating report: https://www.rankiteo.com/company/f5

Federal Communications Commission cybersecurity rating report: https://www.rankiteo.com/company/federal-communications-commission

"id": "F5FED1774851985",
"linkid": "f5, federal-communications-commission",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'name': 'F5 BIG-IP users (public and private '
                                'organizations)',
                        'type': 'Organizations'}],
 'attack_vector': 'Unauthenticated remote exploitation',
 'date_publicly_disclosed': '2026-03-27',
 'description': 'The Cybersecurity and Infrastructure Security Agency (CISA) '
                'has issued an urgent alert regarding CVE-2025-53521, a severe '
                'remote code execution (RCE) flaw in F5 BIG-IP AMP systems '
                'that is being actively exploited in the wild. The '
                'vulnerability allows unauthenticated attackers to execute '
                'arbitrary code on vulnerable devices, granting full control '
                'over affected systems. Successful exploitation could enable '
                'attackers to intercept traffic, manipulate application '
                'requests, or establish a foothold for deeper network '
                'infiltration.',
 'impact': {'operational_impact': 'Interception of traffic, manipulation of '
                                  'application requests, deeper network '
                                  'infiltration',
            'systems_affected': 'F5 BIG-IP AMP systems (load balancers, '
                                'firewalls, application gateways)'},
 'initial_access_broker': {'entry_point': 'F5 BIG-IP AMP systems'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Apply patches, disconnect '
                                                  'vulnerable systems if '
                                                  'necessary, and monitor for '
                                                  'exploitation attempts.',
                            'root_causes': 'Unpatched F5 BIG-IP AMP '
                                           'vulnerability (CVE-2025-53521)'},
 'recommendations': 'Prioritize remediation of CVE-2025-53521; federal '
                    'agencies must patch or mitigate by March 30, 2026 under '
                    'BOD 22-01.',
 'references': [{'source': 'CISA Alert'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA Known Exploited '
                                                       'Vulnerabilities (KEV) '
                                                       'catalog'},
 'response': {'containment_measures': 'Disconnect vulnerable systems if '
                                      'patches are unavailable',
              'remediation_measures': 'Apply patches or mitigations by March '
                                      '30, 2026 (federal agencies under BOD '
                                      '22-01)'},
 'stakeholder_advisories': 'CISA strongly recommends all organizations (public '
                           'and private) prioritize remediation.',
 'title': 'CISA Issues Critical Alert for Actively Exploited F5 BIG-IP '
          'Vulnerability (CVE-2025-53521)',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-53521'}