
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw affecting the F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow an attacker to achieve remote code execution.
According to the flaw description on CVE.org, “When BIG-IP APM access policies are configured on a virtual server, certain malicious traffic could lead to remote code execution (RCE).”
The flaw was originally classified and fixed as a denial of service (DoS) vulnerability with a CVSS v4 score of 8.7, but F5 said it was reclassified as RCE in light of “new information obtained in March 2026.”
The company has since updated its advisory to confirm that the vulnerability was “exploited on vulnerable BIG-IP versions.” It did not provide further details about who was behind the exploitation.
F5 has, however, published a number of indicators that can be used to assess whether a system has been compromised.
File-related indicators:
– Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
– File hash mismatch when compared to known-good versions of /usr/bin/umount and /usr/sbin/httpd.
– File size or timestamp discrepancies when compared to known-good versions of /usr/bin/umount and /usr/sbin/httpd. Each release and engineering hotfix (EHF) may have different file sizes and timestamps, so the comparison must be made against a clean copy of the same version.
Log-related indicators:
– Entries in /var/log/restjavad-audit..log indicating that a local user accessed the iControl REST API from localhost.
– Entries in /var/log/auditd/audit.log showing a local user accessing the iControl REST API from localhost to disable SELinux.
– Log messages in /var/log/audit showing the results of the commands recorded in the audit log.
Other TTPs observed include:
– Changes to the underlying components that the system integrity checker sys-eicheck depends on. As a result, sys-eicheck fails on /usr/bin/umount and/or /usr/sbin/httpd, indicating unexpected changes to the system software as described above.
– HTTP/S traffic from BIG-IP systems that uses HTTP 201 response codes and CSS content types to disguise attacker activity.
– Modification of the following three files (their presence alone does not indicate a security issue): /var/sam/www/webtop/renderer/apm_css.php3, /var/sam/www/webtop/renderer/full_wt.php3, /var/sam/www/webtop/renderer/webtop_popup_css.php3
“We have observed cases where the web shell is written to disk, but it has been observed that the web shell operates only in memory, which means the above files may not be modified,” F5 warned.
This issue affects the following versions:
– 17.5.0 – 17.5.1 (fixed in 17.5.1.3)
– 17.1.0 – 17.1.2 (fixed in 17.1.3)
– 16.1.0 – 16.1.6 (fixed in 16.1.6.1)
– 15.1.0 – 15.1.10 (fixed in 15.1.10.8)
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until March 30, 2026 to apply patches to secure their networks.
“When F5 CVE-2025-53521 first emerged as a denial of service issue last year, it was not immediately urgent, and many system administrators likely prioritized it accordingly,” WatchTowr CEO and Founder Benjamin Harris said in a statement shared with The Hacker News.
“Fast forward to today’s big ‘haha’ moment. Things have changed a lot. What we are now seeing is evidence of exploitation in the field with pre-authentication remote code execution and a CISA KEV list to back it up. This is a very different risk profile than was initially communicated.”
Defused Cyber also confirmed in a post on X that there has been “acute scanning activity” for vulnerable F5 BIG-IP devices after CVE-2025-53521 was added to the KEV catalog.
“The attacker is attacking /mgmt/shared/identified-devices/config/device-info, an F5 BIG-IP REST API endpoint used to obtain system-level information such as hostname, machine ID, and base MAC address.”
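The indicators F5 published and the scanning endpoint noted above can be turned into a simple triage pass. The script below is an added example, not F5's own tooling: the artifact paths, binaries, webtop renderer files and the device-info endpoint are taken from this article, but the restjavad audit line format and the access-log format are constructed stand-ins (F5's real log layouts differ), the auditd EXECVE pattern follows the standard Linux auditd record shape, and the "known-good" hashes are placeholders that must be taken from a clean image of the same release/EHF.

```python
"""Triage helper for the CVE-2025-53521 indicators quoted above (added example).
Log formats for restjavad and HTTP access lines are constructed stand-ins; hashes
are placeholders to be replaced with values from a clean image of the same version."""
import re
from typing import Dict, Iterable, List, Set

ARTIFACT_PATHS = {"/run/bigtlog.pipe", "/run/bigstart.ltm"}
INTEGRITY_BINARIES = ("/usr/bin/umount", "/usr/sbin/httpd")
WEBTOP_FILES = {
    "/var/sam/www/webtop/renderer/apm_css.php3",
    "/var/sam/www/webtop/renderer/full_wt.php3",
    "/var/sam/www/webtop/renderer/webtop_popup_css.php3",
}
SCANNED_ENDPOINT = "/mgmt/shared/identified-devices/config/device-info"
LOCAL_SOURCES = {"127.0.0.1", "::1", "localhost"}


def check_filesystem(present: Set[str], observed: Dict[str, str],
                     known_good: Dict[str, str], modified: Set[str]) -> List[str]:
    """File indicators: attacker artifacts, replaced binaries, touched webtop files."""
    findings = [f"artifact present: {p}" for p in sorted(ARTIFACT_PATHS & present)]
    for binary in INTEGRITY_BINARIES:
        # Sizes/timestamps differ per release and EHF, so the baseline hash must
        # come from a clean copy of the *same* version, never another release.
        if binary in known_good and observed.get(binary) != known_good[binary]:
            findings.append(f"hash mismatch: {binary}")
    for f in sorted(WEBTOP_FILES & modified):
        # Weak on its own, and the in-memory web shell variant leaves these untouched.
        findings.append(f"webtop renderer modified (weak signal alone): {f}")
    return findings


# Constructed stand-in restjavad audit line: "<ts> user=<u> src=<ip> <METHOD> <uri>"
REST_LINE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)")
# Standard auditd EXECVE record shape (argv as a0=".." a1=".."): catches `setenforce 0`.
SELINUX_OFF = re.compile(r'type=EXECVE .*a0="setenforce" a1="(0|[Pp]ermissive)"')
# Constructed stand-in access line: '<src> "<METHOD> <path> HTTP/x.y" <status> <content-type>'
HTTP_LINE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
                       r'(?P<status>\d{3}) (?P<ctype>\S+)')


def check_rest_audit(lines: Iterable[str]) -> List[str]:
    """A local user reaching the iControl REST API from localhost."""
    hits = []
    for line in lines:
        m = REST_LINE.search(line)
        if m and m["src"] in LOCAL_SOURCES and m["uri"].startswith("/mgmt/"):
            hits.append(line)
    return hits


def check_auditd(lines: Iterable[str]) -> List[str]:
    """Commands that switch SELinux out of enforcing mode."""
    return [line for line in lines if SELINUX_OFF.search(line)]


def check_http(lines: Iterable[str]) -> Dict[str, List[str]]:
    """201 responses with a CSS content type, and device-info probes from outside."""
    out: Dict[str, List[str]] = {"disguised_201_css": [], "device_info_scan": []}
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        if m["status"] == "201" and m["ctype"].startswith("text/css"):
            out["disguised_201_css"].append(line)
        if m["path"].split("?")[0] == SCANNED_ENDPOINT and m["src"] not in LOCAL_SOURCES:
            out["device_info_scan"].append(line)
    return out


# Constructed sample data (not captured from a real device).
SAMPLE_PRESENT = {"/run/bigstart.ltm", "/etc/hosts"}
SAMPLE_KNOWN_GOOD = {"/usr/bin/umount": "aaaa", "/usr/sbin/httpd": "bbbb"}  # placeholders
SAMPLE_OBSERVED = {"/usr/bin/umount": "aaaa", "/usr/sbin/httpd": "ffff"}
SAMPLE_MODIFIED = {"/var/sam/www/webtop/renderer/full_wt.php3"}
SAMPLE_REST = [
    "2026-03-06T10:00:01Z user=local/admin src=127.0.0.1 GET /mgmt/tm/sys/version",
    "2026-03-06T10:00:02Z user=local/admin src=198.51.100.7 GET /mgmt/tm/sys/version",
]
SAMPLE_AUDITD = [
    'type=EXECVE msg=audit(1772791200.101:42): argc=2 a0="setenforce" a1="0"',
    'type=EXECVE msg=audit(1772791200.102:43): argc=2 a0="ls" a1="/tmp"',
]
SAMPLE_HTTP = [
    '203.0.113.5 "POST /renderer/full_wt.php3 HTTP/1.1" 201 text/css',
    '203.0.113.9 "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 application/json',
    '10.0.0.2 "GET /index.html HTTP/1.1" 200 text/html',
]

if __name__ == "__main__":
    print(check_filesystem(SAMPLE_PRESENT, SAMPLE_OBSERVED, SAMPLE_KNOWN_GOOD, SAMPLE_MODIFIED))
    print(check_rest_audit(SAMPLE_REST))
    print(check_auditd(SAMPLE_AUDITD))
    print(check_http(SAMPLE_HTTP))
```

The device-info check deliberately flags requests regardless of response code, since a 401 is exactly what an unauthenticated scanner receives; the webtop finding is kept separate and labelled weak because, as F5 notes, the in-memory variant of the web shell never touches those files.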
