Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution. "When a
Analysis Summary
# Vulnerability: F5 BIG-IP APM Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2025-53521
- **CVSS Score:** 9.3 (Critical) - CVSS v4.0
- **CWE:** CWE-287 (Improper Authentication) / CWE-288 (Authentication Bypass) – *Note: Specific weakness relates to authentication handling within the APM module.*
## Affected Systems
- **Products:** F5 BIG-IP Access Policy Manager (APM)
- **Versions:**
  - 17.1.0 - 17.1.1
  - 16.1.0 - 16.1.5
  - 15.1.0 - 15.1.10
- **Configurations:** Systems configured with an Access Profile (specifically those utilizing certain authentication sub-modules).
## Vulnerability Description
CVE-2025-53521 is a critical vulnerability in the F5 BIG-IP APM that stems from improper handling of authentication cookies or session tokens. Under specific conditions, an unauthenticated attacker with network access to the BIG-IP system can bypass authentication mechanisms. This allows the attacker to gain unauthorized access to protected resources and potentially execute arbitrary code on the target system with high privileges.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA KEV Catalog)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to session data and internal resources)
- **Integrity:** High (Ability to modify system configurations and execute code)
- **Availability:** High (Potential for system instability or denial of service)
## Remediation
### Patches
F5 has released the following fixed versions. It is strongly recommended to upgrade immediately:
- **BIG-IP 17.x:** Upgrade to 17.1.1.4 or later
- **BIG-IP 16.x:** Upgrade to 16.1.5.1 or later
- **BIG-IP 15.x:** Upgrade to 15.1.10.3 or later
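To turn the version table above into something an inventory script can apply, here is an added example (not F5's or CISA's code) that classifies a BIG-IP version string against the affected branches and fixed versions listed in this summary. It assumes that, within each listed branch, any version below the first fixed version is unpatched; the `Build` suffix handling and the inventory dictionary are constructed for the example.

```python
from typing import Dict, Tuple

# (first affected, first fixed) per BIG-IP branch, taken from the
# "Affected Systems" and "Patches" sections of this summary.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[Tuple[int, ...], Tuple[int, ...]]] = {
    (17, 1): ((17, 1, 0), (17, 1, 1, 4)),
    (16, 1): ((16, 1, 0), (16, 1, 5, 1)),
    (15, 1): ((15, 1, 0), (15, 1, 10, 3)),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '16.1.5.1' or '16.1.5.1 Build 0.0.4' into a tuple of ints.

    Only the dotted release number is used; anything after whitespace
    (an assumed build suffix) is ignored.
    """
    release = text.strip().split()[0] if text.strip() else ""
    parts = release.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def pad(version: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so '17.1.1' compares as 17.1.1.0 < 17.1.1.4."""
    return version + (0,) * (width - len(version))


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string."""
    version = pad(parse_version(version_text))
    branch = version[:2]
    if branch not in FIXED_VERSIONS:
        return "not-listed"  # branch not in this summary; check the advisory
    first_affected, first_fixed = FIXED_VERSIONS[branch]
    if version >= pad(first_fixed):
        return "fixed"
    if version >= pad(first_affected):
        return "vulnerable"
    return "not-listed"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> version for every device still on a vulnerable release."""
    return {
        name: version
        for name, version in inventory.items()
        if assess(version) == "vulnerable"
    }


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    devices = {
        "bigip-edge-1": "17.1.1 Build 0.0.2",
        "bigip-edge-2": "17.1.1.4",
        "bigip-dc-1": "16.1.5",
        "bigip-legacy": "15.1.10.3",
    }
    for name, version in triage_inventory(devices).items():
        print(f"{name}: {version} -> upgrade required")
```

Patch status alone does not cover the workarounds below; a device reported as `fixed` here has the advisory's patched release, while `not-listed` means the branch is outside this summary and must be checked against the F5 advisory directly.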
### Workarounds
*Note: Workarounds reduce the attack surface but do not fix the underlying vulnerability.*
- Restrict access to the APM login interfaces to trusted IP ranges only.
- Disable unused Access Profiles.
- Implement ingress filtering to block suspicious traffic targeting the APM endpoints.
## Detection
- **Indicators of Compromise (IoCs):** Monitor for unusual session creation patterns in APM logs (`/var/log/apm`).
- **Detection methods and tools:**
  - Audit `/var/log/ltm` for unexpected process restarts or segmentation faults.
  - Use F5's BIG-IP iHealth diagnostic tool to verify system health and vulnerability status.
  - Threat hunters should look for unauthorized administrative commands executed via the APM context.
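The "unusual session creation patterns" indicator above is easier to act on with a concrete check. The following added example (not from F5, CISA or this report's author) parses APM "New session from client IP" lines and flags any client IP that opens more sessions than a threshold inside a sliding time window. The log lines are constructed for the example and only loosely modelled on the `apmd` message format written to `/var/log/apm`; the regular expression, the 2025 year used for timestamp parsing, and the default threshold and window are assumptions to adjust to your own logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sample lines (not real logs). Two ordinary sessions from one
# client, a burst of 12 sessions in 22 seconds from another, and one
# unrelated apmd line that the session regex must ignore.
SAMPLE_LINES: List[str] = [
    "Mar  3 09:00:01 bigip1 apmd[2345]: 01490500:5: /Common/ap1:Common:aa11bb01: "
    "New session from client IP 198.51.100.7 (ST=/CC=/C=) at VIP 203.0.113.10 Listener /Common/vs_apm",
    "Mar  3 09:05:30 bigip1 apmd[2345]: 01490500:5: /Common/ap1:Common:aa11bb02: "
    "New session from client IP 198.51.100.7 (ST=/CC=/C=) at VIP 203.0.113.10 Listener /Common/vs_apm",
] + [
    f"Mar  3 09:10:{s:02d} bigip1 apmd[2345]: 01490500:5: /Common/ap1:Common:cc{s:02d}dd00: "
    "New session from client IP 192.0.2.9 (ST=/CC=/C=) at VIP 203.0.113.10 Listener /Common/vs_apm"
    for s in range(0, 24, 2)  # constructed burst: 12 sessions, 2 s apart
] + [
    "Mar  3 09:11:00 bigip1 apmd[2345]: 01490000:5: /Common/ap1:Common:aa11bb01: "
    "Session deleted (user logout)",  # constructed non-session line
]

# Assumed line shape: syslog timestamp, host, apmd[pid], message id,
# access-profile:partition:session-id, then the "New session" text.
SESSION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ apmd\[\d+\]: \S+ "
    r"(?P<profile>/\S+?):(?P<partition>\w+):(?P<sid>[0-9a-f]+): "
    r"New session from client IP (?P<ip>[\d.]+)"
)

ASSUMED_YEAR = 2025  # syslog lines carry no year; assumed for ordering only


def parse_sessions(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, client IP, session id) from every session-creation line."""
    sessions = []
    for line in lines:
        match = SESSION_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        sessions.append((ts, match["ip"], match["sid"]))
    return sessions


def session_bursts(lines: List[str], threshold: int = 10,
                   window_seconds: int = 60) -> Dict[str, int]:
    """Return {client IP: peak sessions in window} for IPs at or above threshold.

    Lines are assumed to be in chronological order, as they are in the log file.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ts, ip, _sid in parse_sessions(lines):
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that have fallen outside the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, peak in session_bursts(SAMPLE_LINES).items():
        print(f"{ip}: {peak} sessions within 60 s -> review APM session logs")
```

A burst of sessions from one source is a coarse signal and will also fire on legitimate shared egress addresses such as a corporate proxy, so pair the output with the `/var/log/ltm` and administrative-command checks above rather than treating a single hit as confirmation.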
## References
- **F5 Security Advisory:** hxxps[://]my[.]f5[.]com/manage/s/article/K000147634
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-53521