Full Report
Internet security watchdog Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability. [...]
Analysis Summary
# Vulnerability: F5 BIG-IP APM Remote Code Execution (RCE)
## CVE Details
- **CVE ID:** CVE-2025-53521
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Not specified in the article (the flaw was reclassified from DoS to RCE; see the description below).
## Affected Systems
- **Products:** F5 BIG-IP Access Policy Manager (APM)
- **Versions:** Unpatched releases (the article does not list exact version numbers; fixed versions are available from F5).
- **Configurations:** Systems with access policies configured on a virtual server.
## Vulnerability Description
Originally disclosed in October 2024 as a Denial-of-Service (DoS) vulnerability, CVE-2025-53521 was reclassified as a Remote Code Execution (RCE) flaw in March 2026. The vulnerability allows an unauthenticated attacker to execute arbitrary code on the target BIG-IP APM system. The flaw resides in the way APM handles specific requests when an access policy is active on a virtual server, allowing for full system compromise.
## Exploitation
- **Status:** **Exploited in the wild.** Evidence of active exploitation led to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog.
- **Complexity:** Low (Unprivileged attackers can trigger the flaw).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to sensitive data and network credentials).
- **Integrity:** High (Ability to modify system configurations and deploy malware).
- **Availability:** High (Potential for system wipe or operational shutdown).
## Remediation
### Patches
- F5 has released fixed versions for BIG-IP APM. Users are urged to upgrade to the latest validated secure releases immediately.
- *Note: F5 confirms that the original remediation provided for the DoS classification also addresses the RCE threat.*
### Workarounds
- The article does not list specific workarounds (such as iRules or configuration changes); immediate patching or rebuilding compromised systems is the primary recommendation.
## Detection
### Indicators of Compromise (IOCs)
- F5 has published specific IOCs accessible via their security portal.
- Defenders should inspect:
  - **Disk Integrity:** Check for unauthorized files or modifications.
  - **Logs:** Review system and access logs for unusual patterns.
  - **Terminal History:** Audit command-line history for suspicious activity.
### Detection Methods and Tools
- **Shadowserver:** Can be used to check if an organization's public IPs are flagged as exposed BIG-IP APM instances.
- **System Rebuilds:** If compromise is suspected, F5 recommends rebuilding the system from a verified "known good" source, as User Configuration Set (UCS) backups may contain persistent malware if created after the breach.
## References
- **Vendor Advisory:** hxxps[://]my[.]f5[.]com/manage/s/article/K000160486
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Shadowserver Statistics:** hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/