BIG-IP APM Remote Code Execution Vulnerability Exploited by Attackers (CVE-2025-53521)
US Government Warns of Actively Exploited Vulnerability in BIG-IP APM Systems
The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding an actively exploited remote code execution vulnerability (CVE-2025-53521) in F5’s BIG-IP Access Policy Manager (APM) solution.
Vulnerability Overview
The critical flaw was added to CISA’s Known Exploited Vulnerabilities catalog following an update to the related security advisory by F5. Initially disclosed on October 15, 2025, the vulnerability allowed a highly sophisticated nation-state threat actor, linked to China, to gain unauthorized access to F5’s BIG-IP source code and information about previously undisclosed vulnerabilities.
Scope of Impact
- The affected versions of BIG-IP APM (17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10) contain a flaw in the apmd process that lets malicious traffic lead to remote code execution.
- BIG-IP APM provides essential access policy enforcement to secure access to applications, APIs, and data for enterprises, financial institutions, and government and public sector organizations.
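The first triage step for a defender is matching a fleet inventory against the affected ranges quoted above. The following is an added example, not F5 or CISA tooling: it parses version strings as collected from each device (for instance from `tmsh show sys version`) and reports which fall inside the listed ranges. The ranges are the ones on this page; the sample inventory is constructed. It assumes a point release such as 17.1.2.1 is compared on its first three components, so it lands inside 17.1.0 to 17.1.2; confirm that reading against the vendor advisory.

```python
"""Check BIG-IP APM version strings against the advisory's affected ranges.

Added example (not F5 or CISA code). Ranges are quoted from the advisory
summary on this page; the inventory below is constructed sample data.
"""
from __future__ import annotations

# Affected ranges as listed in the advisory summary (inclusive on both ends).
AFFECTED_RANGES = [
    ("17.5.0", "17.5.1"),
    ("17.1.0", "17.1.2"),
    ("16.1.0", "16.1.6"),
    ("15.1.0", "15.1.10"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.1.2' or '17.1.2.1' into a tuple of ints; reject non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True if the version's first three components fall inside any listed range.

    Assumption: point releases (e.g. 17.1.2.1) share the status of their
    three-component parent; '17.5' is padded to 17.5.0.
    """
    v = (parse_version(version) + (0, 0, 0))[:3]
    for low, high in ranges:
        if parse_version(low) <= v <= parse_version(high):
            return True
    return False


def triage(versions: list[str]) -> dict[str, str]:
    """Classify each version as 'affected', 'not in listed ranges' or 'unparseable'."""
    result = {}
    for ver in versions:
        try:
            result[ver] = "affected" if is_affected(ver) else "not in listed ranges"
        except ValueError:
            result[ver] = "unparseable"
    return result


# Constructed sample inventory, as a fleet survey might return it.
SAMPLE_INVENTORY = ["17.5.1", "17.1.2.1", "16.1.7", "15.1.10", "14.1.5", "17.5", "n/a"]

if __name__ == "__main__":
    for ver, status in triage(SAMPLE_INVENTORY).items():
        print(f"{ver:12s} {status}")
```

A version outside every listed range is reported as "not in listed ranges" rather than "safe", because the page only names the affected versions and says nothing about releases outside them.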
Recommendations for Customers
- Review the list of indicators of compromise (IOCs) published by F5, which includes suspicious files, file modifications, log entries, and specific HTTP/S traffic patterns.
- C05d5254 and related activity may indicate the presence of the malicious software.
- F5 has observed instances where the threat actor made modifications affecting the functioning of sys-eicheck, the BIG-IP system integrity checker. Although these modifications did not persist across reboots, customers should remain vigilant and take necessary precautions to mitigate potential risks.
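Because the actor tampered with the system integrity checker itself, a defender needs a reference that does not live on the appliance. The following is an added example, not F5's sys-eicheck or any F5 code: it shows the general baseline-and-compare technique, recording SHA-256, size and mode for monitored files, storing that record off the device, and re-checking later to flag modified or missing files. The directory tree, file names (including a stand-in named `sys-eicheck` whose real location is not taken from this page) and contents are all constructed.

```python
"""Baseline-and-compare file integrity check (added example, not sys-eicheck).

Records SHA-256, size and permission bits for a set of monitored paths,
serialises the record for off-box storage, and later reports which files
changed or disappeared. All paths and contents below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _fingerprint(path: Path) -> dict:
    st = path.stat()
    return {"sha256": sha256_file(path), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def take_baseline(root: Path, relpaths) -> dict:
    """Fingerprint each monitored path under root; store the result off the device."""
    return {rel: _fingerprint(root / rel) for rel in relpaths}


def compare(root: Path, baseline: dict) -> dict:
    """Return {'modified': [...], 'missing': [...], 'unchanged': [...]} vs. the baseline."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
        elif _fingerprint(p) != expected:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "conf").mkdir()
        # Constructed stand-ins: an integrity-checker script and two config files.
        (root / "bin/sys-eicheck").write_text("#!/bin/sh\necho integrity ok\n")
        (root / "conf/app.conf").write_text("policy allow_app { }\n")
        (root / "conf/static.conf").write_text("unchanged content\n")
        monitored = ["bin/sys-eicheck", "conf/app.conf", "conf/static.conf"]

        saved = json.dumps(take_baseline(root, monitored))  # keep this copy off-box

        # Simulate the checker being altered to always report success, and a
        # config file being removed.
        (root / "bin/sys-eicheck").write_text("#!/bin/sh\nexit 0\n")
        (root / "conf/app.conf").unlink()

        return compare(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points follow from the page's observation that the modifications did not survive a reboot: the comparison has to run against the live system, not only after a restart, and the baseline must be taken from a known-good state and kept where a compromised device cannot rewrite it.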
Timeline for Mitigation
US federal civilian agencies have been directed by CISA to assess exposure and mitigate risks related to CVE-2025-53521 exploitation by Monday, March 30.
