
14,000+ F5 BIG-IP APM Systems Vulnerable to RCE Attacks

Summary

– Shadowserver has identified over 14,000 exposed BIG-IP APM instances vulnerable to active attacks exploiting a critical RCE flaw.
– The vulnerability, CVE-2025-53521, was initially classified as a denial-of-service bug but was reclassified as a remote code execution vulnerability in March 2026.
– Attackers are exploiting the flaw to execute code on unpatched systems that have access policies configured on a virtual server.
– CISA ordered federal agencies to patch their systems, and F5 advises compromised systems be rebuilt from a known good configuration source.
– BIG-IP systems have been historically targeted by advanced threat groups to breach networks, deploy malware, and steal data.

A significant number of F5 BIG-IP APM (Access Policy Manager) systems remain vulnerable to active attacks exploiting a critical remote code execution flaw. The Shadowserver Foundation has identified over 14,000 exposed instances online, highlighting a widespread security risk for organizations using this centralized access management proxy. The vulnerability, tracked as CVE-2025-53521, was initially disclosed last October as a denial-of-service issue but was reclassified over the weekend as a much more severe RCE vulnerability after new information came to light.

F5 updated its advisory on Sunday, confirming that attackers are actively exploiting the bug to execute code remotely on unpatched systems. The flaw affects BIG-IP APM instances where an access policy is configured on a virtual server, allowing unprivileged attackers to gain a foothold on the device. While Shadowserver currently tracks over 17,100 IPs with BIG-IP APM fingerprints, it remains unclear how many of those carry the specific vulnerable configuration; an internet-side fingerprint shows that APM is present, not whether an access policy is attached to an exposed virtual server.
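Because the vulnerable condition is a configuration (an access policy applied to a virtual server, which on BIG-IP is done by attaching an APM access profile to that virtual), an administrator can enumerate exposure from the device's own configuration rather than wait for an external scan. The script below is an added example, not code from F5 or BleepingComputer: it parses the output of `tmsh list ltm virtual` and `tmsh list apm profile access` and reports every virtual server that has an access profile attached. The sample outputs embedded in it are constructed and trimmed for illustration; real `tmsh list` output carries many more properties, but the object headers and the `profiles { ... }` block follow the same brace-delimited layout the parser relies on. The script does not check software versions, so a listed virtual server still has to be compared against the fixed versions in F5's advisory.

```python
"""Find BIG-IP virtual servers that have an APM access profile attached.

Run on the device (or on saved tmsh output) as:
    tmsh list ltm virtual        > virtuals.txt
    tmsh list apm profile access > access.txt
    python3 apm_exposure.py virtuals.txt access.txt
Without arguments it runs against the constructed samples below.
"""
import re
import sys

# Constructed sample of `tmsh list ltm virtual` output (abridged for the example).
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_portal {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/portal_access {
            context all
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
ltm virtual /Common/vs_plain {
    destination /Common/203.0.113.11:443
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}
"""

# Constructed sample of `tmsh list apm profile access` output (abridged).
SAMPLE_ACCESS = """\
apm profile access /Common/portal_access {
    accept-languages { en }
    default-language en
}
"""

HEADER_RE = re.compile(r'^(?P<kind>[a-z][\w -]*?) (?P<name>/\S+) \{\s*$')


def top_level_objects(text):
    """Split tmsh output into (kind, name, body) tuples for each top-level object.

    kind is e.g. 'ltm virtual' or 'apm profile access'; body is the text between
    the object's opening and closing braces. Nesting is tracked by brace depth.
    """
    objects, depth, current = [], 0, None
    for line in text.splitlines():
        if depth == 0:
            m = HEADER_RE.match(line.strip())
            if m:
                current = (m.group('kind'), m.group('name'), [])
                depth = 1
            continue
        depth += line.count('{') - line.count('}')
        if depth == 0:
            objects.append((current[0], current[1], '\n'.join(current[2])))
            current = None
        else:
            current[2].append(line)
    return objects


def attached_profiles(body):
    """Return the profile names listed directly inside a virtual's profiles { } block."""
    names, depth, in_profiles = [], 0, False
    for line in body.splitlines():
        stripped = line.strip()
        if not in_profiles:
            if stripped.startswith('profiles {'):
                depth = stripped.count('{') - stripped.count('}')
                in_profiles = depth > 0      # 'profiles { }' means no profiles at all
            continue
        if depth == 1:                       # only names at the block's own level
            m = re.match(r'^(/\S+)\s*\{', stripped)
            if m:
                names.append(m.group(1))
        depth += stripped.count('{') - stripped.count('}')
        if depth == 0:
            in_profiles = False
    return names


def access_profile_names(access_text):
    """Names of all APM access profiles defined on the device."""
    return {name for kind, name, _ in top_level_objects(access_text)
            if kind == 'apm profile access'}


def virtuals_with_access_policy(virtual_text, access_text):
    """Map each virtual server that has an access profile attached to those profiles."""
    access = access_profile_names(access_text)
    exposed = {}
    for kind, name, body in top_level_objects(virtual_text):
        if kind != 'ltm virtual':
            continue
        hits = [p for p in attached_profiles(body) if p in access]
        if hits:
            exposed[name] = hits
    return exposed


if __name__ == '__main__':
    if len(sys.argv) == 3:
        virtual_text = open(sys.argv[1]).read()
        access_text = open(sys.argv[2]).read()
    else:
        virtual_text, access_text = SAMPLE_VIRTUALS, SAMPLE_ACCESS
    for vs, profiles in virtuals_with_access_policy(virtual_text, access_text).items():
        print(f"{vs}: access profile(s) {', '.join(profiles)} attached")
```

The parser deliberately keys on the access profiles the device actually defines rather than on a name pattern, since operators name profiles freely; a virtual server whose profile list references a name that is not an `apm profile access` object is not reported.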

The urgency of the situation was underscored when the U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog last Friday. CISA subsequently mandated that all federal agencies secure their affected BIG-IP APM systems by midnight on Monday. Despite this binding directive, the high number of exposed systems suggests many organizations, both public and private, have yet to apply the necessary patches or mitigations.

In response to the active exploitation, F5 has published indicators of compromise to help defenders identify breaches. The company advises administrators to thoroughly inspect device disks, system logs, and terminal history for signs of malicious activity. Furthermore, F5 provides explicit guidance for incident response, strongly recommending that any compromised system be rebuilt entirely from a known clean source. The warning emphasizes that configuration backups, the user configuration set (UCS) files, created after a compromise may themselves carry the attacker's persistence, so restoring from such a backup can reintroduce the malware; a clean rebuild from a configuration known to predate the compromise is therefore essential.

As a major technology provider serving over 23,000 customers, including numerous Fortune 50 companies, F5’s infrastructure is a high-value target. Historically, vulnerabilities in BIG-IP products have been aggressively targeted by both nation-state actors and cybercriminal groups. These attacks have led to network breaches, device hijackings, deployment of data-wiping malware, internal network mapping, and theft of sensitive information. The reclassification of this particular flaw to critical RCE status signals a renewed and immediate threat to the extensive customer base relying on these access policy managers for network and application security.

(Source: BleepingComputer)

Topics

big-ip vulnerability, cybersecurity threat, shadowserver monitoring, f5 security advisory, cisa directive, remote code execution, exposed systems, vulnerability reclassification, incident response, access policy manager