The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.
"When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE)," according to a description of the flaw in CVE.org.
While the shortcoming was initially categorized and remediated as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7, F5 said it has been reclassified as a case of RCE in light of "new information obtained in March 2026."
The company has since updated its advisory to confirm that the vulnerability "has been exploited in the vulnerable BIG-IP versions." It did not share any additional details on who may be behind the exploitation activity.
However, F5 published a number of indicators that can be used to assess whether a system has been compromised:
- File-related indicators:
  - Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
  - Mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
  - Mismatch of file sizes or timestamps when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd. Note that each release and EHF may have different file sizes and timestamps, so the comparison baseline must come from the same build.
- Log-related indicators:
  - An entry in /var/log/restjavad-audit.0.log showing a local user accessing the iControl REST API from localhost.
  - An entry in /var/log/auditd/audit.log showing a local user accessing the iControl REST API from localhost to disable SELinux.
  - Log messages in /var/log/audit showing the results of a command being run.
- Other TTPs observed include:
  - Modifications to the components that the system integrity checker, sys-eicheck, relies on (specifically /usr/bin/umount and/or /usr/sbin/httpd), causing the tool to fail and indicating unexpected changes to the system software, as mentioned above.
  - HTTP/S traffic from the BIG-IP system containing HTTP 201 response codes and a CSS content-type, used to disguise the attacker's activity.
  - Changes to the following three files, although their presence alone does not signal a security issue:
    - /var/sam/www/webtop/renderer/apm_css.php3
    - /var/sam/www/webtop/renderer/full_wt.php3
    - /var/sam/www/webtop/renderer/webtop_popup_css.php3
"We have observed cases of webshells being written to disk; however, the webshells have been observed to work in memory only, meaning the files listed above might not be modified," F5 cautioned.
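As an added example, not F5's own tooling or anything from the article, the following POSIX shell helper turns the file-related indicators above into checks that can run on the device or against a mounted copy of its filesystem. The KNOWN_GOOD_* placeholders, the TRIAGE_ROOT variable and the function names are assumptions; the known-good hashes must be taken from a clean device on the same release and EHF.

```shell
#!/bin/sh
# Added triage helper (not F5's tooling) for the file-related indicators F5
# published for CVE-2025-53521. ROOT is "" for the live device or the path
# of a mounted filesystem image. KNOWN_GOOD_* are placeholders: take them
# from a clean device on the same release and EHF (hashes differ per build).
KNOWN_GOOD_UMOUNT_SHA256="${KNOWN_GOOD_UMOUNT_SHA256:-PLACEHOLDER_FROM_CLEAN_DEVICE}"
KNOWN_GOOD_HTTPD_SHA256="${KNOWN_GOOD_HTTPD_SHA256:-PLACEHOLDER_FROM_CLEAN_DEVICE}"

# Print one line per artifact that F5 lists as not normally present.
check_artifacts() {
  for f in /run/bigtlog.pipe /run/bigstart.ltm; do
    [ -e "$1$f" ] && echo "ARTIFACT PRESENT: $f"
  done
  return 0
}

# Compare a binary's SHA-256 with its known-good value: returns 0 on match,
# 1 when the hash differs or the file is missing (sys-eicheck relies on both).
check_hash() {
  root="$1"; f="$2"; expected="$3"
  [ -f "$root$f" ] || { echo "MISSING: $f"; return 1; }
  actual=$(sha256sum "$root$f" | cut -d' ' -f1)
  [ "$actual" = "$expected" ] && { echo "OK: $f"; return 0; }
  echo "HASH MISMATCH: $f (got $actual)"; return 1
}

# Size and mtime of the webtop renderer files, for diffing against a later
# run; F5 notes their presence alone is not a sign of compromise.
snapshot_renderers() {
  for f in /var/sam/www/webtop/renderer/apm_css.php3 \
           /var/sam/www/webtop/renderer/full_wt.php3 \
           /var/sam/www/webtop/renderer/webtop_popup_css.php3; do
    [ -f "$1$f" ] && stat -c '%s %Y %n' "$1$f"
  done
  return 0
}

run_triage() {
  check_artifacts "$1"
  check_hash "$1" /usr/bin/umount "$KNOWN_GOOD_UMOUNT_SHA256" || :
  check_hash "$1" /usr/sbin/httpd "$KNOWN_GOOD_HTTPD_SHA256" || :
  snapshot_renderers "$1"
}

# Run with TRIAGE_ROOT= (live device) or TRIAGE_ROOT=/mnt/image (offline copy).
[ -n "${TRIAGE_ROOT+set}" ] && run_triage "$TRIAGE_ROOT" || :
```

Because the hashes, sizes and timestamps differ per build, a mismatch is only meaningful against a baseline captured from the same release and EHF.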
The issue impacts the following versions:
- 17.5.0 - 17.5.1 (Fixed in version 17.5.1.3)
- 17.1.0 - 17.1.2 (Fixed in version 17.1.3)
- 16.1.0 - 16.1.6 (Fixed in version 16.1.6.1)
- 15.1.0 - 15.1.10 (Fixed in version 15.1.10.8)
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the fixes to secure their networks.
"When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn't immediately signal urgency, and many system administrators likely prioritized it accordingly," watchTowr CEO and founder Benjamin Harris said in a statement shared with The Hacker News.
"Fast forward to today's big 'yikes' moment: the situation has changed significantly. What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That's a very different risk profile than what was initially communicated."
Defused Cyber, in an X post, has also confirmed that it's seeing "acute scanning activity" for vulnerable F5 BIG-IP devices following the addition of CVE-2025-53521 to the KEV catalog.
"This actor is hitting /mgmt/shared/identified-devices/config/device-info which is an F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address," it said.

Facts Only

CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog in March 2026.
The vulnerability affects F5 BIG-IP Access Policy Manager (APM) and allows remote code execution (RCE).
Initial classification was a denial-of-service (DoS) flaw with a CVSS v4 score of 8.7, later upgraded to RCE with a score of 9.3.
F5 confirmed active exploitation in vulnerable BIG-IP versions but did not disclose attacker details.
Indicators of compromise include presence of files like /run/bigtlog.pipe, mismatched hashes for /usr/bin/umount and /usr/sbin/httpd, and suspicious REST API access logs.
Affected versions include 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, and 15.1.0–15.1.10, with fixes in 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8.
Federal Civilian Executive Branch (FCEB) agencies must apply patches by March 30, 2026.
Security researchers report increased scanning activity targeting F5 BIG-IP devices, including REST API endpoint /mgmt/shared/identified-devices/config/device-info.
F5 noted webshells may operate in memory, leaving no disk modifications.

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The flaw, CVE-2025-53521, was initially classified as a denial-of-service (DoS) issue but has since been reclassified as a remote code execution (RCE) vulnerability with a CVSS v4 score of 9.3. F5 confirmed exploitation in vulnerable versions, though details about the attackers remain undisclosed. Indicators of compromise include specific file and log anomalies, such as mismatched hashes for critical system files and suspicious REST API access logs. Affected versions span multiple releases, with patches available in updated versions. Federal agencies have until March 30, 2026, to apply fixes. Security researchers note increased scanning activity targeting vulnerable F5 BIG-IP devices, particularly via a REST API endpoint used to retrieve system information. The shift from DoS to RCE underscores the evolving threat landscape and the need for urgent patching.

Full Take

The strongest version of this narrative highlights a critical shift in threat severity—from a manageable DoS vulnerability to an actively exploited RCE flaw. CISA’s KEV listing and F5’s updated advisory provide credible evidence of in-the-wild exploitation, reinforcing the urgency for patching. The inclusion of specific indicators of compromise (IOCs) and observed attacker tactics (e.g., memory-resident webshells) adds technical depth, while the federal mandate for remediation underscores the systemic risk.
Pattern scan: The narrative avoids emotional exploitation or distortion, focusing on verifiable technical details. However, the lack of attribution for the exploitation activity leaves room for speculative framing by third parties. The shift in vulnerability classification could be leveraged to critique initial risk assessments, though the source material itself does not engage in such framing.
Root cause: The paradigm here is the evolving nature of cyber threats, where initial classifications may underestimate real-world impact. The assumption that DoS flaws are less critical than RCE is challenged by this case, revealing gaps in threat modeling. Historically, this echoes patterns where vulnerabilities are weaponized more effectively than initially anticipated (e.g., Log4j).
Implications: Human agency is tested in the race between patch deployment and attacker exploitation. Organizations face operational costs in urgent remediation, while attackers gain leverage through memory-based evasion techniques. Second-order consequences include potential supply chain risks if compromised BIG-IP devices are used in broader infrastructure.
Bridge questions: How might the initial misclassification of this vulnerability reflect broader systemic issues in threat intelligence? What incentives could improve the accuracy of early vulnerability assessments? If exploitation is confirmed but attackers remain unidentified, what does this say about the balance between transparency and operational security?
Counterstrike scan: A coordinated influence campaign might amplify fear around unpatched systems to drive vendor-specific solutions or policy changes. However, the content aligns with standard cybersecurity reporting—technical, attribution-agnostic, and focused on mitigation. No structural alignment with manipulation playbooks is detected.
Patterns detected: none
