F5 BIG-IP Security Vulnerability Patched, Critical RCE Exploitation Reported
Critical Remote Code Execution Flaw Found in F5 BIG-IP Appliances
The United States Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about a critical remote code execution (RCE) vulnerability affecting F5 Networks BIG-IP appliances. This flaw, identified as CVE-2025-53521, carries a CVSS score of 9.3 and has been exploited in the wild.
Initial Disclosure and Re-Classification
Initially disclosed in October 2025 as a high-severity denial-of-service (DoS) issue, the vulnerability was later reclassified as an RCE due to its increased severity. F5 Networks updated its advisory to reflect this change, acknowledging that attackers can exploit the bug on BIG-IP Application Policy Manager (APM) systems configured with an access policy on a virtual server.
Affected Versions and Patches
CVE-2025-53521 affects several BIG-IP APM versions: 17.5.0 through 17.5.1, 17.1.0 through 17.1.2, 16.1.0 through 16.1.6, and 15.1.0 through 15.1.10. F5 released patches addressing these issues in versions 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8.
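The version ranges above as a triage check, added here as an example (not F5's or CISA's code). The status names, function names and host inventory are assumptions, as is treating a build that falls between the last listed affected version and the fixed release as unpatched.

```python
# Added example. Ranges and fixed releases are copied from the article;
# status names and the inventory are constructed for illustration.

# branch -> (first affected, last affected listed, first fixed release)
ADVISORY = {
    (17, 5): ("17.5.0", "17.5.1", "17.5.1.3"),
    (17, 1): ("17.1.0", "17.1.2", "17.1.3"),
    (16, 1): ("16.1.0", "16.1.6", "16.1.6.1"),
    (15, 1): ("15.1.0", "15.1.10", "15.1.10.8"),
}


def parse(version):
    """'15.1.10.8' -> (15, 1, 10, 8), zero-padded to four numeric fields."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version):
    """Return (status, fixed_release) for one BIG-IP version string."""
    v = parse(version)
    entry = ADVISORY.get(v[:2])
    if entry is None:
        return ("not-listed", None)  # branch is not named in the article
    first, last, fixed = (parse(x) for x in entry)
    if v >= fixed:
        return ("patched", entry[2])
    if first <= v <= last:
        return ("affected", entry[2])
    # Assumption: a build above the last listed version but below the fix
    # is treated as still needing the update.
    return ("unpatched", entry[2])


def needs_update(inventory):
    """Map host -> fixed release for every host that is not patched."""
    out = {}
    for host, version in inventory.items():
        status, fixed = triage(version)
        if status in ("affected", "unpatched"):
            out[host] = fixed
    return out


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders.
    sample = {"bigip-a.example": "15.1.9", "bigip-b.example": "15.1.10.8",
              "bigip-c.example": "17.5.1.2", "bigip-d.example": "14.1.5"}
    for host, fixed in needs_update(sample).items():
        print(f"{host}: update to {fixed}")
```

Fields are compared as integers, so 15.1.9 sorts below 15.1.10; a plain string comparison would get that pair wrong.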
CISA Action and Indicators of Compromise
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog, prompting federal agencies to patch the vulnerability within three days. F5 published indicators of compromise (IOCs) related to the malicious activity targeting vulnerable BIG-IP systems. These IOCs include the presence of suspicious files, inconsistencies in file hashes, sizes, or timestamps, and anomalous log entries and command outputs.
Organizations of all types are advised to implement fixes for CVE-2025-53521 and prioritize mitigation strategies for all vulnerabilities listed in the CISA KEV catalog.
