Critical BIG-IP APM RCE Exploited (CVE-2025-53521)

Summary
– CISA warns that a critical unauthenticated RCE vulnerability (CVE-2025-53521) in F5’s BIG-IP APM is being actively exploited.
– The flaw stems from a prior F5 data breach where a China-linked threat actor accessed BIG-IP source code and vulnerability information for over a year.
– The vulnerability affects specific BIG-IP APM versions and was re-categorized in March 2026 from a denial-of-service flaw to a critical remote code execution flaw.
– F5 has provided patches and indicators of compromise, noting the threat actor deployed malware and attempted to disable system integrity checks.
– CISA has ordered U.S. federal agencies to assess their exposure and mitigate risks from this vulnerability by March 30.
A severe security flaw in F5’s BIG-IP Access Policy Manager is now being actively weaponized by attackers. The U.S. Cybersecurity and Infrastructure Security Agency has confirmed active exploitation of CVE-2025-53521, an unauthenticated remote code execution vulnerability, adding it to its mandatory Known Exploited Vulnerabilities catalog. This action follows an updated advisory from F5, which originally disclosed the issue in October 2025 alongside news of a major data breach.
That earlier breach involved a highly sophisticated nation-state threat actor who accessed BIG-IP source code and details on undisclosed vulnerabilities. Investigations later attributed the activity to a China-linked group that maintained access inside F5’s network for over a year. The attackers may have used this foothold to deploy the Brickstorm backdoor onto the systems of F5 customers.
The vulnerability resides in the apmd process, which handles live traffic, and affects multiple BIG-IP APM versions. This software is a critical component for enforcing access policies, widely used by major enterprises, financial institutions, and government agencies. Initially classified as a denial-of-service issue, the threat was reassessed in March 2026. F5 now categorizes it as a critical remote code execution flaw, assigning it CVSS scores of 9.8 and 9.3. The company warns that systems with an APM access policy configured on a virtual server are vulnerable, including those in Appliance mode.
Patches released by F5 in October 2025 remain effective. Organizations that applied these updates promptly are likely protected. However, the advisory does not specify when active exploitation began, only that it was confirmed this month. This timeline suggests some unpatched systems may have already been compromised.
In response, F5 has published a list of indicators of compromise tied to malicious software identified as “c05d5254.” Customers are urged to scrutinize their BIG-IP systems for specific files, unexpected file modifications, and log entries showing the SELinux security module being disabled locally. The company also noted evidence of in-memory webshells that may not leave traces on disk, making detection more challenging.
Further investigation revealed the threat actor tampered with sys-eicheck, the system integrity checker. Modifications were made in one system partition but not replicated in another. Consequently, when a customer performed an upgrade and rebooted into the clean partition, these malicious changes did not persist.
CISA has mandated that all U.S. federal civilian agencies evaluate their exposure and implement mitigations against this vulnerability by Monday, March 30.
(Source: Help Net Security)
