A critical unauthenticated remote code execution vulnerability (CVE-2025-53521) in F5’s BIG-IP Access Policy Manager (APM) solution is under active exploitation, the US Cybersecurity and Infrastructure Security Agency warned on Friday.
CISA added the flaw to its Known Exploited Vulnerabilities catalog after F5 updated the related security advisory,
The advisory was initially published on October 15, 2025, when F5 confirmed a data breach that resulted in a “highly sophisticated nation-state threat actor” accessing – among other things – BIG-IP source code and information about undisclosed vulnerabilities.
It was later revealed that the attackers are linked to China, were in the company’s network for at least 12 months, and may have deployed the Brickstorm backdoor on F5 customers’ systems.
About CVE-2025-53521
F5 BIG-IP APM provides access policy enforcement to secure access to apps, APIs, and data. It’s primarely used by enterprises, financial institutions, and government and public sector organizations.
CVE-2025-53521 affects the apmd process – which processes live traffic – in BIG-IP APM versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10.
It was initially believed that CVE-2025-53521 could only lead to a disruption of the normal functioning of BIG-IP APM systems (i.e., “denial of service”).
“Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE with CVSS scores of 9.8 (CVSS v3.1) and 9.3 (CVSS v4.0),” F5 now says.
“When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to remote code execution. The BIG-IP system in Appliance mode is also vulnerable.”
The patches provided by the company in October 2025 work as intended, though, and customers who have quickly updated to one of the fixed versions might have avoided compromise.
Indicators of compromise are available
Unfortunately, the advisory does not say when the exploitation of the flaw began, only that it was discovered in March 2026. It’s possible, then, that some of the BIG-IP APM systems out there might have been compromised before they were patched.
F5 has published a list of known indicators of compromise associated with “malicious software c05d5254” and related activity, and is urging customers to check their BIG-IP systems.
Customers may discover specific files on disk, changes to files, log entries that point to a local user disabling the SELinux security module, and specific HTTP/S traffic from the BIG-IP system.
“We have observed cases of webshell being written to disk; however, the webshells have been observed to work in memory only, meaning the files listed [in the document] might not be modified,” the company noted.
F5 has also detected the threat actor making modifications that would affect the functioning of sys-eicheck, the BIG-IP system integrity checker.
“Our understanding at this time is that the threat actor modified [specific] components in one partition (original running version compromised) but failed to make the same modifications on the second partition (destination for upgrade). When the customer upgraded and rebooted into the second partition, the modifications to sys-eicheck components did not persist.”
CISA has ordered US federal civilian agencies to assess exposure and mitigate risks related to CVE-2025-53521 exploitation by Monday (March 30).
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
