CISA has added a critical F5 BIG-IP Access Policy Manager vulnerability to its Known Exploited Vulnerabilities catalog after evidence emerged of active remote code execution attacks, prompting urgent patching requirements for federal agencies.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated concerns about a critical F5 BIG-IP Access Policy Manager vulnerability by adding CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog. The move comes after evidence emerged of active exploitation targeting the vulnerability, which has been reclassified from a denial-of-service issue to a severe remote code execution (RCE) flaw with a CVSS v4 score of 9.3.
Originally discovered and patched as a DoS vulnerability, the flaw in F5 BIG-IP APM has taken on new urgency following revelations in March 2026 that threat actors can achieve remote code execution through specific malicious traffic when access policies are configured on virtual servers. F5 has confirmed that the vulnerability "has been exploited in the vulnerable BIG-IP versions," though the company has not disclosed details about the attackers or their motivations.
Federal agencies face a hard deadline: CISA requires Federal Civilian Executive Branch (FCEB) organizations to apply the fixes by March 30, 2026. The vulnerability affects multiple BIG-IP branches:
- Versions 17.5.0 through 17.5.1 (fixed in 17.5.1.3)
- Versions 17.1.0 through 17.1.2 (fixed in 17.1.3)
- Versions 16.1.0 through 16.1.6 (fixed in 16.1.6.1)
- Versions 15.1.0 through 15.1.10 (fixed in 15.1.10.8)
Security experts warn that the reclassification represents a significant escalation in risk. "When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn't immediately signal urgency, and many system administrators likely prioritized it accordingly," said Benjamin Harris, CEO and founder of watchTowr. "Fast forward to today's big 'yikes' moment: the situation has changed significantly. What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That's a very different risk profile than what was initially communicated."
F5 has published detailed indicators to help organizations detect potential compromises. File-related indicators include the presence of /run/bigtlog.pipe and /run/bigstart.ltm, along with mismatches in file hashes, sizes, or timestamps for /usr/bin/umount and /usr/sbin/httpd when compared to known good versions. Log-related indicators involve entries in audit logs showing local user access to the iControl REST API from localhost, including attempts to disable SELinux.
Other tactics F5 has observed include modification of system integrity checker components, HTTP(S) responses that carry a 201 status code and a CSS Content-Type to disguise attacker traffic, and changes to specific webtop renderer files. Webshells have been written to disk in some intrusions, but F5 notes that they often run only in memory, so the file-based indicators above may be absent on a compromised device.
Security monitoring firm Defused Cyber has reported "acute scanning activity" for vulnerable F5 BIG-IP devices following the KEV listing. The scanning activity targets the /mgmt/shared/identified-devices/config/device-info endpoint, a REST API used to retrieve system-level information including hostname, machine ID, and base MAC address.
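The file and log indicators F5 published, and the device-info probing reported by Defused Cyber, can be turned into a small triage script. The script below is an added example written for this page, not F5's own tooling or its integrity checker. It assumes a baseline file format of its own ("sha256 size mtime path", generated on a known-good system of the same version), and the audit and access log lines it scans are constructed samples with an assumed layout; every function takes a root prefix so the logic can be exercised on a scratch tree before it is pointed at a live appliance.

```shell
#!/bin/bash
# Added triage helper for the indicators above (example code for this page, not
# F5's tooling). Assumptions: the baseline format is ours, the sample logs are
# constructed with an assumed format, and each function takes a ROOT prefix.
IOC_PATHS="/run/bigtlog.pipe /run/bigstart.ltm"   # presence alone is an indicator
BASELINE_BINS="/usr/bin/umount /usr/sbin/httpd"    # compare hash/size/mtime to known-good
PROBE_ENDPOINT="/mgmt/shared/identified-devices/config/device-info"

# Print one line per IOC path that exists under ROOT (use / on the appliance).
find_ioc_files() {
    root="${1:-}"
    for p in $IOC_PATHS; do
        [ -e "$root$p" ] && echo "IOC present: $root$p"
    done
    return 0
}

# Emit "sha256 size mtime path" per baseline binary. Run on a known-good system
# of the same version and keep the output off-box.
make_baseline() {
    root="${1:-}"
    for p in $BASELINE_BINS; do
        f="$root$p"
        [ -f "$f" ] || continue
        printf '%s %s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c %s "$f")" "$(stat -c %Y "$f")" "$p"
    done
    return 0
}

# Compare live binaries under ROOT with a baseline file; one MISMATCH line per
# file, naming the attributes that differ. A replaced binary whose size and
# mtime were restored (timestomped) still fails on the hash.
verify_baseline() {
    root="${1:-}"
    while read -r want_hash want_size want_mtime p; do
        f="$root$p"
        if [ ! -f "$f" ]; then echo "MISSING $f"; continue; fi
        diffs=""
        [ "$(sha256sum "$f" | cut -d' ' -f1)" = "$want_hash" ] || diffs="$diffs hash"
        [ "$(stat -c %s "$f")" = "$want_size" ] || diffs="$diffs size"
        [ "$(stat -c %Y "$f")" = "$want_mtime" ] || diffs="$diffs mtime"
        [ -z "$diffs" ] || echo "MISMATCH $f:$diffs"
    done < "$2"
    return 0
}

# Flag audit-log lines showing iControl REST use from the loopback address, or
# an attempt to disable SELinux. Regex fits the constructed sample; adapt it.
scan_audit_log() {
    grep -E '(127\.0\.0\.1|localhost).*/mgmt/|setenforce 0|SELINUX=disabled' "$1" || true
}

# Count requests per source IP to the probed device-info endpoint (assumes a
# common-log-format access log with the client IP in the first field).
scan_probe_log() {
    grep -F "$PROBE_ENDPOINT" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
    return 0
}

# Constructed sample logs (not real F5 output) so the demo runs offline.
write_sample_logs() {
    cat > "$1/audit.log" <<'EOF'
Mar 20 10:01:02 bigip1 httpd[2201]: 10.0.0.5 admin "GET /mgmt/tm/sys/version HTTP/1.1" 200
Mar 20 10:03:14 bigip1 httpd[2201]: 127.0.0.1 root "GET /mgmt/tm/sys/version HTTP/1.1" 200
Mar 20 10:03:15 bigip1 audit: user=root cmd="setenforce 0"
EOF
    cat > "$1/access.log" <<'EOF'
203.0.113.7 - - [20/Mar/2026:09:00:01 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401
203.0.113.7 - - [20/Mar/2026:09:00:02 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401
198.51.100.9 - - [20/Mar/2026:09:05:00 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401
10.0.0.5 - admin [20/Mar/2026:09:10:00 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200
EOF
}

# Build a constructed scratch tree: baseline clean binaries, then replace httpd
# with same-length content and restore its mtime, drop an IOC file, write logs.
build_scratch_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/run" "$t/usr/bin" "$t/usr/sbin"
    printf 'clean umount' > "$t/usr/bin/umount"
    printf 'clean httpd.' > "$t/usr/sbin/httpd"
    touch -t 202601010000 "$t/usr/bin/umount" "$t/usr/sbin/httpd"
    make_baseline "$t" > "$t/baseline.txt"       # taken while still clean
    printf 'evil  httpd.' > "$t/usr/sbin/httpd"  # same length as the original
    touch -t 202601010000 "$t/usr/sbin/httpd"    # attacker restores the mtime
    : > "$t/run/bigtlog.pipe"
    write_sample_logs "$t"
    echo "$t"
}

demo() {
    t=$(build_scratch_tree)
    find_ioc_files "$t"
    verify_baseline "$t" "$t/baseline.txt"
    scan_audit_log "$t/audit.log"
    scan_probe_log "$t/access.log"
    rm -rf "$t"
}
# Runs the demo when invoked without arguments; pass any argument to only load the functions.
if [ "${1:-demo}" = "demo" ]; then demo; fi
```

On an appliance the same functions are called with an empty root (paths resolve under /), a baseline taken from a clean system of the same version, and the real audit and httpd access logs in place of the samples. The demo deliberately restores the replaced binary's size and mtime so that only the hash check fires: size and timestamp comparisons are cheap corroboration, but the hash is the check an attacker cannot trivially satisfy, and a device-info probe count per source IP is the quickest way to see whether the scanning Defused Cyber describes has reached you.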
The escalation of CVE-2025-53521 to KEV status underscores the importance of timely patch management for network infrastructure devices. Organizations running affected F5 BIG-IP versions should apply the available security updates immediately: a flaw that is reachable without authentication and yields remote code execution is exactly what attackers look for when seeking persistent access to a network edge.
For organizations unable to immediately patch, F5 recommends implementing network segmentation, monitoring for the indicators of compromise described in their advisory, and considering temporary mitigation strategies while planning for comprehensive remediation. The incident serves as a stark reminder that vulnerabilities can evolve in severity as new exploitation techniques emerge, making continuous security assessment essential for maintaining robust network defenses.