Patch Critical F5 BIG-IP Flaw Exploited by Hackers

Summary

– F5 has upgraded a BIG-IP APM vulnerability from a denial-of-service flaw to a critical remote code execution flaw.
– Attackers are actively exploiting this vulnerability in the wild.
– The exploitation involves deploying webshells onto compromised systems.
– The vulnerability affects BIG-IP APM devices that have not been patched.
– The company has issued a public warning about these active attacks.

F5 Networks has elevated the severity rating of a previously identified vulnerability affecting its BIG-IP Access Policy Manager (APM). The issue, originally classified as a denial-of-service flaw, is now confirmed as a critical remote code execution vulnerability. Security teams are on high alert as evidence confirms active exploitation in the wild, with attackers leveraging the flaw to install persistent webshell backdoors on vulnerable appliances.

The vulnerability, tracked as CVE-2025-xxxx, allows unauthenticated attackers to execute arbitrary system commands. This shift in classification underscores the significant risk posed to organizations using unpatched BIG-IP systems, which are widely deployed as critical network security and application delivery gateways. Successful exploitation provides attackers with a powerful foothold within a corporate network.

According to the company’s updated advisory, the flaw resides within the APM component. Threat actors are not merely crashing services; they are using the RCE capability to deploy malicious webshells. These backdoors grant persistent access, enabling data theft, lateral movement, and further network compromise long after the initial attack. F5 has stated it is aware of limited, targeted exploitation attempts.

Remediation is urgent. F5 has released fixed software versions for the affected BIG-IP lines. Administrators must immediately apply the relevant patches, which are available for BIG-IP versions 17.x, 16.x, and 15.x. There are no workarounds for this specific vulnerability, so patching is the only definitive fix.

For organizations unable to patch immediately, implementing strict network controls is a crucial temporary measure. This includes segmenting BIG-IP management interfaces from untrusted networks and restricting access to these systems to only essential, authorized IP addresses. Continuous monitoring for unusual outbound connections or unexpected processes on BIG-IP devices is also strongly recommended.
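The monitoring guidance above can be turned into a repeatable check. The following is an added example, not code from F5 or from the original article: it compares a process snapshot and an established-connection list against an administrator-maintained baseline and flags three things a defender would want to know about on an appliance of this kind: processes absent from the baseline, outbound connections to destinations outside an allowlist, and child processes of the web server that are not ordinary workers (a web server spawning a shell is a common indicator that a webshell has been planted). The daemon names in the baseline, the allowed networks, and the sample snapshot are all constructed assumptions; a real baseline must be captured from a known-good device.

```python
"""Added example: baseline-deviation checks for a BIG-IP style appliance.

The process names, networks and snapshot records below are constructed for
illustration only and are not taken from a real device or from F5.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str


@dataclass(frozen=True)
class Connection:
    pid: int
    state: str        # e.g. "ESTAB" or "LISTEN"
    remote_ip: str    # "*" for listening sockets
    remote_port: int


# Hypothetical baseline of daemons expected on a healthy appliance.
EXPECTED_PROCESSES = frozenset({"init", "tmm", "mcpd", "bigd", "apmd", "httpd", "sshd"})
# Hypothetical set of networks the appliance is permitted to reach outbound.
ALLOWED_OUTBOUND = (ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24"))
# The only children the web server is expected to spawn: its own workers.
EXPECTED_HTTPD_CHILDREN = frozenset({"httpd"})


def unexpected_processes(procs, baseline=EXPECTED_PROCESSES):
    """Return the sorted names of running processes that are not in the baseline."""
    return sorted({p.name for p in procs} - baseline)


def suspicious_outbound(conns, allowed=ALLOWED_OUTBOUND):
    """Return established connections whose peer lies outside the allowlist."""
    flagged = []
    for c in conns:
        if c.state != "ESTAB":          # skip listeners before parsing "*"
            continue
        peer = ip_address(c.remote_ip)
        if peer.is_loopback or any(peer in net for net in allowed):
            continue
        flagged.append(c)
    return flagged


def unexpected_webserver_children(procs, web="httpd", expected=EXPECTED_HTTPD_CHILDREN):
    """Return children of the web server whose name is not an expected worker.

    A web server process that has spawned a shell or other tool is a classic
    sign of a webshell being used, so these rows deserve immediate review.
    """
    by_pid = {p.pid: p for p in procs}
    return [
        p for p in procs
        if p.ppid in by_pid and by_pid[p.ppid].name == web and p.name not in expected
    ]


def run_checks(procs, conns):
    """Run all three checks over one snapshot and return the findings."""
    return {
        "unexpected_processes": unexpected_processes(procs),
        "suspicious_outbound": suspicious_outbound(conns),
        "webserver_children": unexpected_webserver_children(procs),
    }


# Constructed sample snapshot (not captured from a real device).
SAMPLE_PROCS = [
    Process(1, 0, "init"),
    Process(200, 1, "mcpd"),
    Process(210, 1, "tmm"),
    Process(220, 1, "apmd"),
    Process(300, 1, "httpd"),
    Process(301, 300, "httpd"),     # ordinary worker
    Process(302, 300, "sh"),        # shell spawned by the web server: suspicious
    Process(400, 1, "sshd"),
    Process(500, 302, "curl"),      # not in the baseline at all
]
SAMPLE_CONNS = [
    Connection(301, "ESTAB", "10.20.30.40", 443),       # inside allowlist
    Connection(400, "ESTAB", "192.168.50.7", 22),       # inside allowlist
    Connection(500, "ESTAB", "198.51.100.23", 8443),    # outside allowlist (TEST-NET-2)
    Connection(210, "LISTEN", "*", 443),                # listener, ignored
]

if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(f"{check}: {findings}")
```

On the sample snapshot the checks flag `curl` and `sh` as unknown processes, the connection from PID 500 to 198.51.100.23 as an unapproved outbound destination, and PID 302 (`sh`) as an unexpected child of `httpd`. Each of these is a lead to investigate, not proof of compromise; the value of the approach lies in having a trusted baseline to diff against, which is why it should be captured before an incident rather than during one.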

This incident highlights the evolving threat landscape for network infrastructure. A vulnerability initially perceived as a service disruption risk can rapidly transform into a severe compromise vector. It serves as a critical reminder for all enterprises to maintain vigilant patch management practices for all perimeter and security devices, ensuring they are not left exposed to such high-severity threats.

(Source: BleepingComputer)
