Full Report
A vulnerability has been discovered in F5 BIG-IP Access Policy Manager (APM) that could allow for remote code execution. BIG-IP APM is an access policy management solution designed to enforce secure access to applications, APIs, and sensitive data. It is commonly deployed by enterprises, financial institutions, and government or public sector organizations to centrally control authentication, authorization, and user access across internal and remote environments.

Successful exploitation of this vulnerability could lead to remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: F5 BIG-IP APM Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2025-53521
- **CVSS Score:** Not stated in the source text (assessed as High/Critical given the remote code execution impact and confirmed exploitation).
- **CWE:** Not specified. **ATT&CK Technique:** T1190 (Exploit Public-Facing Application).
## Affected Systems
- **Products:** F5 BIG-IP Access Policy Manager (APM)
- **Versions:**
  - 15.1.x: 15.1.0 through 15.1.10
  - 16.1.x: 16.1.0 through 16.1.6
  - 17.1.x: 17.1.0 through 17.1.2
  - 17.5.x: 17.5.0 through 17.5.1
- **Configurations:** Systems where a BIG-IP APM access policy is configured on a virtual server.
## Vulnerability Description
A vulnerability in the BIG-IP APM module allows specially crafted network traffic, sent to a virtual server that has an APM access policy attached, to trigger remote code execution on the appliance. The source text does not state whether authentication is required to reach the vulnerable code. If the exploited process runs with elevated privileges, the attacker could gain full control of the device, including the ability to modify data, install programs, or create new high-privileged accounts.
## Exploitation
- **Status:** **Exploited in the wild.** (F5 has confirmed active exploitation).
- **Complexity:** Not specified in the source (assessed as likely Low to Medium).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full access to view/extract data).
- **Integrity:** High (Ability to change/delete data and install programs).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
F5 has released fixed versions for all affected branches. Organizations should upgrade to the fixed release for their branch:
- 15.1.x: **15.1.10.8**
- 16.1.x: **16.1.6.1**
- 17.1.x: **17.1.3**
- 17.5.x: **17.5.1.3**
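As an added example (not code from the F5 advisory or the MS-ISAC report), the following Python maps a BIG-IP version string onto the affected ranges and fixed releases listed above, so a fleet inventory can be checked without reading each range by hand. It generalizes the lists to arbitrary dotted version strings and treats branches the advisory does not mention (for example 14.1.x) as "not listed" rather than safe. The `tmsh show sys version` sample output it parses is constructed, and the field layout of that command is an assumption to confirm on a real device.

```python
"""Map BIG-IP version strings onto the CVE-2025-53521 affected and fixed releases.

Added example, not code from the F5 or MS-ISAC advisories. AFFECTED_RANGES
restates the version table from the summary above; SAMPLE_TMSH_OUTPUT is
constructed and its layout is an assumption.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# (branch, first affected, last affected, fixed release), one row per advisory branch.
AFFECTED_RANGES = [
    ((15, 1), (15, 1, 0), (15, 1, 10), (15, 1, 10, 8)),
    ((16, 1), (16, 1, 0), (16, 1, 6), (16, 1, 6, 1)),
    ((17, 1), (17, 1, 0), (17, 1, 2), (17, 1, 3)),
    ((17, 5), (17, 5, 0), (17, 5, 1), (17, 5, 1, 3)),
]


def parse_version(text: str) -> Version:
    """Turn '17.1.2' into (17, 1, 2); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so '17.1.3' and '17.1.3.0' compare equal."""
    return v + (0,) * (width - len(v))


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Dict[str, Optional[str]]:
    """Classify a version as 'fixed', 'affected' or 'not_listed' for this CVE.

    A version at or above its branch's fixed release is fixed. Otherwise it is
    affected when its first three components fall inside the advisory's range.
    Branches absent from the table are reported as not listed so the reader
    consults the advisory instead of assuming they are safe.
    """
    v = _pad(parse_version(version_text))
    for branch, first, last, fixed in AFFECTED_RANGES:
        if v[:2] != branch:
            continue
        if v >= _pad(fixed):
            status = "fixed"
        elif first <= v[:3] <= last:
            status = "affected"
        else:
            status = "not_listed"
        return {"version": version_text, "status": status, "fixed_release": fmt(fixed)}
    return {"version": version_text, "status": "not_listed", "fixed_release": None}


# Constructed to resemble `tmsh show sys version`; confirm the layout on a real device.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.2
  Build       0.0.4
  Edition     Final
"""


def version_from_tmsh_output(text: str) -> str:
    """Pull the 'Version' field out of `tmsh show sys version` output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return m.group(1)


if __name__ == "__main__":
    running = version_from_tmsh_output(SAMPLE_TMSH_OUTPUT)
    for candidate in (running, "15.1.10.3", "15.1.10.8", "17.5.1.3", "14.1.5"):
        print(assess(candidate))
```

Point-release comparison matters here: 15.1.10.3 sits inside "15.1.0 through 15.1.10" and is affected, while 15.1.10.8 on the same branch is the fixed release, so a check that looks only at the first three components would misreport one of them.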
### Workarounds
The advisory does not provide a configuration workaround; upgrading to a fixed version is the primary recommendation. The general mitigations below are generic hardening guidance rather than controls specific to this vulnerability:
- Implement segmentation and least privilege through a secure network architecture, so that a compromised BIG-IP cannot reach more than the applications it fronts.
- Enable anti-exploitation features where the platform supports them. Note that DEP (Windows) and SIP (macOS) are host operating-system protections and are not settings an administrator can apply to a BIG-IP appliance.
## Detection
- **Indicators of Compromise:** No specific IoCs are published in the source text. Review BIG-IP devices for unexpected administrative account creation or role changes, unexpected file or package installation, and configuration changes outside authorized change windows; on the appliance, administrative commands issued through tmsh are recorded in `/var/log/audit`.
- **Detection methods and tools:**
- Perform automated unauthenticated and authenticated scans using SCAP-compliant tools.
- Utilize Exploit Protection capabilities (M1050) to detect and block malicious traffic patterns associated with this exploit.
- Conduct periodic external penetration testing.
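The "unusual administrative account creation" indicator above can be turned into a log check. The following Python is an added example, not part of the MS-ISAC or F5 text. The log lines it parses are constructed to resemble tmsh entries in `/var/log/audit`, and the record layout it assumes (`AUDIT - pid=... user=... folder=... module=(...)# status=[...] cmd_data=...`) must be confirmed against a real device before the regular expressions are trusted. Beyond account creation it also flags role elevation to `admin` or `resource-admin`, bash shell grants, an actor modifying its own account, and `run util bash`.

```python
"""Flag administrative-account changes in BIG-IP tmsh audit log lines.

Added example, not from the F5 or MS-ISAC advisories. SAMPLE_LOG is
constructed to resemble /var/log/audit entries written by tmsh; the field
layout matched by AUDIT_RE is an assumption to verify on your own devices.
"""
import re
from typing import Dict, Iterable, List, Sequence

# Assumed shape: syslog prefix, then the tmsh AUDIT record.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+.*?"
    r"AUDIT - pid=(?P<pid>\d+) user=(?P<actor>\S+) folder=(?P<folder>\S+) "
    r"module=\((?P<module>[^)]*)\)# status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*)$"
)
TARGET_RE = re.compile(r"^(?P<verb>create|modify) auth user (?P<target>\S+)")
ADMIN_ROLE_RE = re.compile(r"\brole (admin|resource-admin)\b")

# Constructed sample; passwords are not included because the point is the command shape.
SAMPLE_LOG = """\
Feb 10 09:12:01 bigip1 notice tmsh[21544]: 01420002:5: AUDIT - pid=21544 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
Feb 10 09:14:37 bigip1 notice tmsh[21600]: 01420002:5: AUDIT - pid=21600 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc_backup role admin shell bash
Feb 10 09:15:02 bigip1 notice tmsh[21600]: 01420002:5: AUDIT - pid=21600 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash
Feb 10 09:20:44 bigip1 notice tmsh[21700]: 01420002:5: AUDIT - pid=21700 user=operator1 folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify auth user operator1 role resource-admin
Feb 10 09:21:10 bigip1 notice tmsh[21750]: 01420002:5: AUDIT - pid=21750 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys config
"""


def classify(actor: str, cmd: str) -> List[str]:
    """Return the reasons a tmsh command is interesting, or [] if it is routine."""
    reasons: List[str] = []
    m = TARGET_RE.match(cmd)
    if m:
        verb, target = m.group("verb"), m.group("target")
        if verb == "create":
            reasons.append(f"new local user {target!r} created")
        if ADMIN_ROLE_RE.search(cmd):
            reasons.append(f"administrative role assigned to {target!r}")
        if re.search(r"\bshell bash\b", cmd):
            reasons.append(f"bash shell granted to {target!r}")
        if verb == "modify" and target == actor:
            reasons.append("actor modified its own account")
    if cmd.strip() == "run util bash":
        reasons.append("interactive bash shell opened from tmsh")
    return reasons


def find_suspicious(lines: Iterable[str], allowlist: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Parse audit lines and return the entries whose command is suspicious.

    `allowlist` holds actor names (for example a deployment service account)
    whose activity should not be reported.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m or m.group("actor") in allowlist:
            continue
        reasons = classify(m.group("actor"), m.group("cmd"))
        if reasons:
            hits.append({"ts": m.group("ts"), "actor": m.group("actor"),
                         "cmd": m.group("cmd"), "reasons": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['actor']}: {hit['cmd']}  <- {hit['reasons']}")
```

Run against the real file with `find_suspicious(open("/var/log/audit"))`; the allowlist is there so that known automation accounts do not drown the report, and a hit from an account that is normally read-only (as with `operator1` above) deserves the same attention as a new account.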
## References
- **F5 Advisory:** hxxps://my[.]f5[.]com/manage/s/article/K000156741
- **CVE Record:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-53521
- **CIS Advisory:** MS-ISAC ADVISORY NUMBER 2026-026