
“When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn’t immediately signal urgency, and many system administrators likely prioritized it accordingly,” Benjamin Harris, CEO of offensive security firm watchTowr, told CSO. “Fast-forward to today’s big ‘yikes’ moment: The situation has changed significantly. What we’re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That’s a very different risk profile than what was initially communicated.”
Patching is only part of the equation, and the immediate focus for security teams should be on determining whether the flaw has already been exploited in their environments, Harris noted.
The vulnerability affects BIG-IP APM versions 17.1.0 to 17.1.2, 17.5.0 to 17.5.1, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. F5 released patches in versions 17.1.3, 17.5.1.3, 16.1.6.1, and 15.1.10.8. The company also published a knowledge base article with indicators of compromise, attacker TTPs, and hardening guidance against the observed malware.
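
The version ranges above can be turned into an inventory triage. The following is an added example, not code from F5 or from the article. It assumes the inventory holds plain dotted version strings, that releases between the last listed affected version and the fix should be treated as affected, and that later releases in a branch keep the fix; the hostnames are constructed.

```python
# Added example: triage a BIG-IP APM inventory against the branches in the article.
# Each row: (first affected, last listed affected, first fixed), as the article gives them.
BRANCHES = [
    ((17, 5, 0), (17, 5, 1), (17, 5, 1, 3)),
    ((17, 1, 0), (17, 1, 2), (17, 1, 3)),
    ((16, 1, 0), (16, 1, 6), (16, 1, 6, 1)),
    ((15, 1, 0), (15, 1, 10), (15, 1, 10, 8)),
]

ACTIONS = {
    "affected": "upgrade to the fixed release, then check for compromise",
    "below-fix": "not listed but below the fix: treat as affected (assumption)",
    "fixed": "patched: still check whether it was exploited before the upgrade",
    "not-listed": "branch not covered by the article: consult the vendor advisory",
}

def pad(fields):
    """Zero-pad a version tuple to four fields so 16.1.6 compares as 16.1.6.0."""
    return fields + (0,) * (4 - len(fields))

def parse(version):
    """'15.1.10.8' -> (15, 1, 10, 8); numeric fields, so 15.1.9 sorts below 15.1.10."""
    return pad(tuple(int(p) for p in version.strip().split(".")))

def triage(version):
    v = parse(version)
    for first, last, fixed in BRANCHES:
        if v[:2] != first[:2]:
            continue  # different major.minor branch
        if v >= pad(fixed):
            return "fixed"  # assumption: later releases in the branch keep the fix
        return "affected" if v <= pad(last) else "below-fix"
    return "not-listed"

def triage_inventory(inventory):
    """Map each host in a {host: version} dict to (status, action)."""
    return {h: (triage(v), ACTIONS[triage(v)]) for h, v in inventory.items()}

# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE = {"apm-edge-01": "15.1.9", "apm-edge-02": "15.1.10.5",
          "apm-dc-01": "17.5.1.3", "apm-dc-02": "16.1.6", "apm-lab": "14.1.4"}

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE).items():
        print(f"{host:12} {status:10} {action}")
```

A "fixed" result only describes the installed release; per Harris's point, those devices still need to be checked for exploitation that happened before the upgrade.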
