A critical remote code execution (RCE) vulnerability in F5's BIG-IP Access Policy Manager (APM) is being actively exploited in the wild, prompting urgent calls for patching. The flaw, tracked as CVE-2025-53521, carries a CVSS score of 9.8, underscoring its severity. It was officially published on October 15, 2025, and has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of March 27, 2026, highlighting the threat it poses to organizations using affected systems.
The vulnerability arises when a BIG-IP APM access policy is configured on a virtual server. Malicious traffic can exploit this configuration to achieve remote code execution, potentially allowing attackers to take full control of the affected systems. This flaw is classified under CWE-121, which pertains to stack-based buffer overflows, a common vector for RCE attacks.
The exploitation of CVE-2025-53521 was detected within 162 days of its disclosure, a relatively rapid timeline that emphasizes the need for swift defensive measures. The Exploit Prediction Scoring System (EPSS) for this vulnerability is 0.062, indicating a moderate likelihood of exploitation, yet the active exploitation in the wild suggests a higher immediate risk.
F5 BIG-IP systems are widely used in enterprise environments for load balancing, application delivery, and security. The impact of this vulnerability is significant, as it could allow attackers to bypass security controls, access sensitive data, and disrupt critical services. Organizations using BIG-IP APM should prioritize applying patches to mitigate this risk.
F5 has released patches to address this vulnerability, but systems that have reached End of Technical Support (EoTS) are not evaluated, leaving them potentially exposed. Security teams should verify the version of BIG-IP in use and ensure that it is updated to a supported version with the latest security patches applied.
In light of the active exploitation, security professionals are advised to review their BIG-IP configurations, monitor for unusual traffic patterns, and apply the necessary patches immediately. Organizations should also consider implementing additional security measures such as network segmentation and intrusion detection systems to further protect their environments from potential exploitation.
CSURFACE