Full Report
F5 has reclassified a BIG-IP APM denial-of-service (DoS) vulnerability as a critical-severity remote code execution (RCE) flaw, warning that attackers are exploiting it to deploy webshells on unpatched devices. [...]
Analysis Summary
# Vulnerability: F5 BIG-IP APM Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2025-53521
- **CVSS Score:** 9.8 (Critical) - *Reclassified from original DoS rating*
- **CWE:** Not specified in the source (the flaw is a remote code execution issue)
## Affected Systems
- **Products:** F5 BIG-IP Access Policy Manager (APM)
- **Versions:** Versions released before the March 2026 reclassification update are vulnerable. (Note: the source text does not list specific version numbers, but F5 states that "fixed versions" are available.)
- **Configurations:** Systems where BIG-IP APM has access policies configured on a virtual server.
## Vulnerability Description
Originally identified and patched as a Denial-of-Service (DoS) flaw, new intelligence in March 2026 revealed that the underlying vulnerability allows for unauthenticated Remote Code Execution (RCE). The flaw exists in the BIG-IP APM module, a centralized access management proxy. Attackers can bypass authentication to execute arbitrary commands on the underlying system, frequently resulting in the deployment of webshells for persistent access.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by F5 and CISA).
- **Complexity:** Low (Exploitable without privileges).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to system data and potential network pivoting).
- **Integrity:** High (Ability to deploy webshells and modify system files).
- **Availability:** High (Initially rated as DoS; provides full control over device availability).
## Remediation
### Patches
- F5 has confirmed that the remediation previously released for the DoS vulnerability effectively addresses the RCE flaw. Users should update to the latest "fixed versions" provided in the F5 security advisory.
### Workarounds
- No specific software workarounds are provided in the article; immediate patching is the primary recommendation.
- CISA mandates federal agencies discontinue use of the product if mitigations cannot be applied by the deadline.
## Detection
- **Indicators of Compromise:** F5 has published specific IOCs including malicious webshell signatures.
- **Detection Methods and Tools:**
  - Inspect BIG-IP system disks for unauthorized files.
  - Review system and access logs for unusual activity.
  - Audit terminal history for suspicious command execution.
  - Monitor for unauthorized virtual server configuration changes.
## References
- F5 Security Advisory (K000156741): hxxps[://]my[.]f5[.]com/manage/s/article/K000156741
- F5 IOC Guidance (K000160486): hxxps[://]my[.]f5[.]com/manage/s/article/K000160486
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- NVD Entry: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-53521