CVE-2025-53521

F5 BIG-IP APM — Remote Code Execution via Malicious Traffic to Access Policy Virtual Server
CVSS 3.1: 9.8 / 10 (CRITICAL). Listed in the CISA Known Exploited Vulnerabilities catalog.

Overview

Actively Exploited. CVE-2025-53521 is a remote code execution (RCE) vulnerability in F5 BIG-IP Access Policy Manager (APM). When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to unauthenticated remote code execution. This is a data plane issue — no control plane exposure. BIG-IP systems in Appliance mode are also vulnerable.

Recategorization to Critical RCE

This CVE was originally published on October 15, 2025 and categorized as a Denial-of-Service (DoS) vulnerability with CVSS scores of 7.5 (v3.1) and 8.7 (v4.0). In March 2026, based on new information, F5 re-categorized it as RCE — elevating it to CVSS 9.8 (v3.1) / 9.3 (v4.0) — CRITICAL. F5 simultaneously published an Indicators of Compromise article (K000160486), confirming in-the-wild exploitation.

Key implications of the recategorization:

  • Initially underestimated: Publicly known since October 2025 as a lower-priority DoS issue. The March 2026 upgrade to RCE indicates attackers discovered the full exploitation potential — likely through active exploitation.
  • 5+ months of exposure: Organizations that treated this as a DoS fix may have remained unpatched for months.
  • Historical pattern: This follows a pattern seen with other network appliance vulnerabilities where initial DoS classifications are later found to be exploitable for full RCE — similar to past Citrix, Fortinet, and Ivanti disclosures.

Vulnerability Description

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution. The root cause is CWE-770: Allocation of Resources Without Limits or Throttling. The vulnerable apmd process fails to properly limit resource allocation when processing specific crafted traffic directed at a virtual server with an APM access policy configured. An unauthenticated remote attacker can send malicious traffic to the data plane to trigger this flaw, achieving arbitrary code execution.

Pre-condition: The BIG-IP system must have an APM access policy configured on a virtual server to be vulnerable. Systems without APM access policies are not affected. Systems initially installed with a fixed BIG-IP version are not vulnerable.

Affected Products

Only F5 BIG-IP Access Policy Manager (APM) is affected. BIG-IQ, BIG-IP Next, F5OS, NGINX, F5 Distributed Cloud, and Traffix SDC are not vulnerable.

Branch              Vulnerable Versions   Fixed Version
BIG-IP APM 17.5.x   17.5.0 – 17.5.1       17.5.1.3
BIG-IP APM 17.1.x   17.1.0 – 17.1.2       17.1.3
BIG-IP APM 16.1.x   16.1.0 – 16.1.6       16.1.6.1
BIG-IP APM 15.1.x   15.1.0 – 15.1.10      15.1.10.8

Impact

BIG-IP APM appliances serve as VPN gateways, application access controllers, and authentication proxies for enterprise networks. Compromising a BIG-IP system can give attackers a foothold into the entire internal network, access to authentication credentials, and the ability to intercept or modify traffic for all applications behind the device.

Indicators of Compromise

F5 published IOC article K000160486 for all systems that were upgraded from a vulnerable version or are currently running a vulnerable version. Systems installed from scratch with a fixed BIG-IP version are not vulnerable and do not need IOC review.

If compromise is suspected, refer to K11438344 for incident response guidance. F5 strongly recommends rebuilding the configuration from scratch rather than restoring from UCS backups — backups from compromised systems can contain persistent malware.

Remediation

  1. Upgrade immediately to one of the fixed versions listed above.
  2. Review Indicators of Compromise: check K000160486 on every system that was upgraded from, or is still running, a vulnerable version.
  3. No vendor-provided mitigation exists — patching is the only remediation.
  4. If compromise is suspected: rebuild the configuration from scratch rather than restoring from UCS backups.
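An added triage helper (not F5's code) that applies the fixed-version table, the APM access policy pre-condition, and remediation steps 1 and 2 to a device inventory. It assumes a build is fixed when its version compares at or above the fixed build for its branch, and the sample inventory is constructed.

```python
"""Triage a BIG-IP inventory against the CVE-2025-53521 version table."""

# Branch table copied from the advisory: branch -> (first vulnerable, fixed)
FIXED_VERSIONS = {
    "17.5": ("17.5.0", "17.5.1.3"),
    "17.1": ("17.1.0", "17.1.3"),
    "16.1": ("16.1.0", "16.1.6.1"),
    "15.1": ("15.1.0", "15.1.10.8"),
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '17.5.1.3' into a comparable tuple; missing trailing fields count as 0."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def triage(version: str, apm_policy_on_vs: bool, fresh_install: bool) -> str:
    """Return the action for one device. Assumption: a build is fixed iff its
    version compares >= the fixed build for its branch.
    apm_policy_on_vs: an APM access policy is attached to some virtual server
    fresh_install: the system was installed from scratch on a fixed version"""
    branch = ".".join(version.split(".")[:2])
    if branch not in FIXED_VERSIONS:
        return "review: branch not in advisory table"
    first, fixed = FIXED_VERSIONS[branch]
    v = parse_version(version)
    if v < parse_version(first):
        return "review: version below advisory range"
    if v >= parse_version(fixed):
        # Fixed build: a from-scratch install needs no IOC review, an upgrade does
        return "fixed: no IOC review needed" if fresh_install else "fixed: run K000160486 IOC review"
    if not apm_policy_on_vs:
        return "vulnerable build, not exposed (no APM policy on a virtual server): schedule upgrade"
    return f"EXPOSED: upgrade to {fixed} now, then run K000160486 IOC review"


def triage_inventory(rows: list[tuple[str, str, bool, bool]]) -> dict[str, str]:
    """Map hostname -> action for (hostname, version, apm_policy_on_vs, fresh_install) rows."""
    return {host: triage(ver, apm, fresh) for host, ver, apm, fresh in rows}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices
    SAMPLE = [
        ("vpn-gw-1", "17.1.2", True, False),
        ("vpn-gw-2", "15.1.10.7", True, False),
        ("lb-internal", "16.1.5", False, False),
        ("vpn-gw-new", "17.5.1.3", True, True),
    ]
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host:12} {action}")
```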

Acknowledgments: F5 credited Kristian Vlaardingerbroek, Hugo Trippaers, and other members of Schuberg Philis; Bart Vrancken; Fox-IT; and the National Cyber Security Centre (NCSC) Netherlands for their assistance and coordinated disclosure.

Key Details

Property              Value
CVE ID                CVE-2025-53521
Vendor / Product      F5 — BIG-IP APM
NVD Published         2025-10-15
NVD Last Modified     2026-03-27
CNA                   F5 Networks
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-770
CISA KEV Added        2026-03-27
CISA KEV Deadline     2026-03-30
Known Ransomware Use  No
Affected Versions     BIG-IP APM 15.1.x – 17.5.x (see details)

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-03-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-10-15   CVE published on NVD; F5 Advisory K000156741 released, categorized as DoS, CVSS 7.5 (v3.1)
2026-03-27   F5 re-categorizes the vulnerability as RCE (CVSS 9.8 v3.1 / 9.3 v4.0); added to the CISA KEV catalog
2026-03-28   F5 publishes IOC article K000160486 and updates advisory K000156741
2026-03-30   CISA BOD 22-01 remediation deadline

References

Resource                                        Type
NVD — CVE-2025-53521                            Vulnerability Database
F5 Security Advisory K000156741                 Vendor Advisory
F5 Indicators of Compromise — K000160486        Indicators of Compromise
F5 Compromise Response Guidance — K11438344     Incident Response
CISA KEV Catalog Entry                          US Government