F5 security advisory (AV25-669) - Update 1
Analysis Summary
# Vulnerability: Critical Security Update for F5 BIG-IP and NGINX Products
## CVE Details
- **CVE ID:** CVE-2025-53521
- **CVSS Score:** Not explicitly listed in the advisory, but treated as high priority because of the KEV inclusion.
- **CWE:** Not specified in the provided text.
## Affected Systems
- **Products:**
  - BIG-IP (all modules: AFM, APM, ASM, Next SPK, Next CNF, Next for Kubernetes, PEM, SSL Orchestrator)
  - F5OS (F5OS-A and F5OS-C)
  - NGINX App Protect WAF
- **Versions:**
  - **BIG-IP:** 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, 15.1.0–15.1.10
  - **BIG-IP Next:** CNF (1.1.0–2.1.0), SPK (1.7.0–2.1.0), Kubernetes (2.0.0–2.1.0)
  - **F5OS-A:** 1.5.1–1.5.3, 1.8.0–1.8.1
  - **F5OS-C:** 1.6.0–1.6.2, 1.8.0–1.8.1
  - **NGINX App Protect WAF:** 4.5.0–4.6.0
- **Configurations:** Systems whose management interfaces are exposed to the public internet are at heightened risk.
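The version ranges above can be checked mechanically against an inventory. This is an added example, not code from the advisory or from F5; the ranges are transcribed from the list above, and the hostnames and versions in the sample inventory are constructed. It compares versions as integer tuples so that two-digit patch levels such as 15.1.10 are ordered correctly.

```python
"""Triage sample inventory against the affected version ranges listed
in the AV25-669 summary. Added example, not advisory or F5 code; the
hostnames below are constructed."""
from typing import Dict, List, Tuple

# Inclusive affected ranges, transcribed from the advisory summary.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "BIG-IP": [("17.5.0", "17.5.1"), ("17.1.0", "17.1.2"),
               ("16.1.0", "16.1.6"), ("15.1.0", "15.1.10")],
    "BIG-IP Next CNF": [("1.1.0", "2.1.0")],
    "BIG-IP Next SPK": [("1.7.0", "2.1.0")],
    "BIG-IP Next for Kubernetes": [("2.0.0", "2.1.0")],
    "F5OS-A": [("1.5.1", "1.5.3"), ("1.8.0", "1.8.1")],
    "F5OS-C": [("1.6.0", "1.6.2"), ("1.8.0", "1.8.1")],
    "NGINX App Protect WAF": [("4.5.0", "4.6.0")],
}


def parse_version(s: str) -> Tuple[int, ...]:
    """'15.1.10' -> (15, 1, 10). Compare as integer tuples, never as
    strings: '15.1.10' < '15.1.9' lexically, which would miss hosts."""
    return tuple(int(p) for p in s.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True if version falls inside any listed range for the product.
    A product not in the table returns False, meaning 'not assessed'."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) is affected."""
    return [host for host, prod, ver in inventory if is_affected(prod, ver)]


# Constructed sample inventory: (hostname, product, version).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "17.1.2"),    # last affected 17.1.x
    ("lb-edge-02", "BIG-IP", "15.1.10"),   # two-digit patch level
    ("lb-core-01", "BIG-IP", "16.1.7"),    # past the listed range
    ("chassis-01", "F5OS-C", "1.6.1"),
    ("waf-01", "NGINX App Protect WAF", "4.6.1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: within an affected range, prioritise patching")
```

A product missing from the table is reported as not affected only because it was not assessed; extend the table before relying on the result for other F5 products.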
## Vulnerability Description
While the advisory focuses on the impact, CVE-2025-53521 is identified as a vulnerability within the BIG-IP Access Policy Manager (APM). In conjunction with a reported security incident (K000154696), threat actors have successfully exfiltrated files from BIG-IP products. The vulnerability allows for unauthorized access or data exfiltration when management interfaces are improperly secured.
## Exploitation
- **Status:** **Exploited in the wild.** (Added to CISA Known Exploited Vulnerabilities (KEV) Catalog on March 27, 2026).
- **Complexity:** Low (Inferred from active mass exploitation).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Confirmed exfiltration of files by threat actors).
- **Integrity:** High.
- **Availability:** High.
## Remediation
### Patches
F5 has released security updates to address these flaws. Administrators should upgrade to:
- **BIG-IP:** Versions subsequent to 17.5.1, 17.1.2, 16.1.6, or 15.1.10.
- **BIG-IP Next:** Versions subsequent to 2.1.0.
- **F5OS-A/C:** Versions subsequent to 1.8.1 or 1.6.2/1.5.3.
### Workarounds
- **Isolate Management Interfaces:** Ensure that the BIG-IP management interface is not exposed to the public internet.
- **Hardening:** Follow the F5 hardening guidelines provided in K53108777.
## Detection
- **Indicators of Compromise (IoC):** See F5 advisory K000160486 for specific technical indicators.
- **Detection Methods:**
  - Review logs for unusual file access or unauthorized administrative logins.
  - Audit all network-reachable management interfaces for unauthorized exposure.
  - Monitor for egress traffic to unknown or suspicious IP addresses (data exfiltration).
## References
- F5 Security Incident K000154696: hxxps://my[.]f5[.]com/manage/s/article/K000154696
- BIG-IP APM CVE-2025-53521: hxxps://my[.]f5[.]com/manage/s/article/K000156741
- Indicators of Compromise: hxxps://my[.]f5[.]com/manage/s/article/K000160486
- CISA KEV Catalog: hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521
- F5 System Hardening: hxxps://my[.]f5[.]com/manage/s/article/K53108777