
Patch Critical F5 BIG-IP Bug, NCSC Warns

Originally published on: April 1, 2026
Summary

– A critical vulnerability (CVE-2025-53521) in F5’s BIG-IP APM is under active exploitation and can allow remote code execution.
– U.S. and UK cybersecurity agencies have urgently warned organizations to patch, with CISA adding it to its catalog of known exploited flaws.
– F5 reclassified the flaw from a denial-of-service issue to a critical 9.8-severity RCE vulnerability based on new information from March 2026.
– Guidance for compromised systems includes forensic investigation and rebuilding configurations from scratch, as backups may contain malware.
– Recommended actions for customers involve isolating systems, updating software, investigating for compromise, and reporting incidents.

UK organizations are being urged to apply an immediate security update for a critical vulnerability in F5’s BIG-IP Access Policy Manager (APM) that is now confirmed to be under active attack. The National Cyber Security Centre (NCSC) has issued the warning, stating it is continuing to assess the full impact on UK networks and any potential cases of exploitation.

The flaw, tracked as CVE-2025-53521, can allow for remote code execution (RCE) when a BIG-IP APM access policy is configured on a virtual server. F5’s own advisory notes the vulnerability was initially classified as a denial-of-service issue with a lower severity score. However, based on new information obtained in March 2026, the company has reclassified it as a critical RCE vulnerability with a CVSS score of 9.8.

Reflecting the heightened threat, the US Cybersecurity and Infrastructure Security Agency (CISA) has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog. It mandated that federal agencies apply the patch by March 30, warning that this type of flaw is a frequent and high-risk attack vector for malicious actors.

In its guidance, F5 strongly advises customers to consult their incident response plans. The company emphasizes that if a system’s compromise timeline is unclear, administrators should rebuild configurations from scratch rather than relying on potentially tainted backups. User configuration set (UCS) files from compromised systems can harbor persistent malware, making restoration from those files risky.

The NCSC has provided a list of actionable steps for affected organizations. First, administrators must read F5’s official security advisory and review the provided Indicators of Compromise. Where feasible, isolating affected systems and replacing them with fully updated builds is recommended, though this may cause temporary service disruption.

A thorough investigation for evidence of compromise should follow F5’s guidance. If a proper forensic investigation is not possible, the affected system should be completely erased and rebuilt from scratch. Any confirmed incidents must be reported to the NCSC.

After applying the update to the latest software version and implementing appropriate security hardening measures, organizations can safely reintroduce the affected systems. The NCSC also stresses the importance of performing continuous threat hunting in the environment afterward.
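The NCSC steps above start with scoping: the advisory says the flaw is reachable only when an APM access policy is configured on a virtual server, so the first triage question is which virtual servers actually have one attached. The script below is an added example, not code from the article, NCSC or F5. It parses text in the shape of `tmsh list apm profile access` and `tmsh list ltm virtual` output, cross-references the access profile names against each virtual server's `profiles { }` block, and reports the matches. The exact tmsh output layout (full `/Common/...` paths, one top-level stanza per object) and the sample configuration are assumptions constructed for this example.

```python
"""Flag BIG-IP virtual servers that have an APM access policy attached.

Added example (not from the article, NCSC or F5). The parser works on
text shaped like concatenated `tmsh list apm profile access` and
`tmsh list ltm virtual` output; that shape and the sample below are
assumptions constructed for this example.
"""

# Constructed sample: two virtual servers, one with an APM access profile.
SAMPLE_CONFIG = """\
apm profile access /Common/portal_policy {
    accept-languages { en }
    access-policy /Common/portal_policy
}
ltm virtual /Common/vs_portal {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/clientssl { context clientside }
        /Common/http { }
        /Common/portal_policy { }
    }
}
ltm virtual /Common/vs_plain_web {
    destination /Common/203.0.113.11:80
    profiles {
        /Common/http { }
    }
}
"""


def split_stanzas(text):
    """Return (header, body_lines) for each top-level '{ ... }' block."""
    stanzas, depth, header, body = [], 0, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line.endswith("{"):                      # multi-line stanza opens
                header, body, depth = line[:-1].strip(), [], 1
            elif "{" in line and line.endswith("}"):    # one-line stanza: `x { }`
                stanzas.append((line.split("{", 1)[0].strip(), []))
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:                                  # closing brace of the stanza
            stanzas.append((header, body))
        else:
            body.append(line)
    return stanzas


def access_profile_names(stanzas):
    """Names of every APM access profile defined in the config."""
    return {h.split()[-1] for h, _ in stanzas if h.startswith("apm profile access ")}


def profiles_of_virtual(body):
    """Profile names listed in a virtual server's `profiles { ... }` block."""
    names, in_profiles, depth = [], False, 0
    for line in body:
        if not in_profiles:
            if line == "profiles {":
                in_profiles, depth = True, 1
            continue
        # At depth 1 each non-closing line starts with a profile name.
        if depth == 1 and not line.startswith("}"):
            names.append(line.split()[0])
        depth += line.count("{") - line.count("}")
        if depth == 0:
            in_profiles = False
    return names


def find_apm_virtuals(config_text):
    """Sorted (virtual server, [attached access profiles]) pairs."""
    stanzas = split_stanzas(config_text)
    access = access_profile_names(stanzas)
    exposed = []
    for header, body in stanzas:
        if not header.startswith("ltm virtual "):
            continue
        attached = [p for p in profiles_of_virtual(body) if p in access]
        if attached:
            exposed.append((header.split()[-1], attached))
    return sorted(exposed)


if __name__ == "__main__":
    for vs, policies in find_apm_virtuals(SAMPLE_CONFIG):
        print(f"{vs}: APM access policy attached -> {', '.join(policies)}")
```

On a live device the same function can be fed the captured output of `tmsh list apm profile access` followed by `tmsh list ltm virtual`; a hit means the virtual server is in the configuration the advisory describes and belongs at the top of the isolate-and-investigate list, while an empty result does not by itself prove the device was never exposed, since policies may have been attached and removed before the capture.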

F5’s network appliances are consistently high-value targets for advanced threat actors, including nation-state groups. This latest warning follows an incident last October where F5 disclosed that a state-backed actor had maintained long-term access to its corporate systems, exfiltrating source code and sensitive data about product vulnerabilities.

(Source: Infosecurity Magazine)
