Protect.Computer

CISA adds CVE-2025-53521 (F5 BIG-IP APM) to KEV after active exploitation


What happened

CISA added CVE-2025-53521 (affecting F5 BIG-IP APM) to the Known Exploited Vulnerabilities (KEV) catalog on 2026-03-27, which means exploitation has been observed in the wild.

KEV inclusion is a practical priority signal: this is no longer a theoretical bug, and exposed systems should be treated as urgent remediation work.

Why this matters

BIG-IP APM is often deployed on internet-facing authentication and access paths. When a flaw in this area is actively exploited, it can create risk for remote access availability and potentially deeper compromise if mitigation is delayed.

Even organizations outside federal mandates should treat KEV-listed edge/authentication vulnerabilities as near-term patch priorities.

How to check if you’re affected

You are likely affected if you operate F5 BIG-IP appliances and use APM (Access Policy Manager) on reachable virtual servers.

  1. Inventory F5 BIG-IP exposure
    • Identify all internet-facing BIG-IP systems and confirm whether APM policies are enabled.

  2. Match versions against vendor guidance
    • Compare your deployed versions with the fixed/mitigated versions listed by F5 in advisory K000156741.

  3. Review logs for suspicious behavior
    • Check for unexplained service instability, crashes/restarts, or unusual requests targeting APM paths.

  4. Prioritize edge-facing systems first
    • Patch/mitigate external-facing appliances before internal-only instances.

  5. Apply compensating controls if patching is delayed
    • Restrict exposure to trusted networks, enforce strict access controls, and increase monitoring until full remediation is complete.
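
The following added example, which is not from the original article or from F5, applies steps 1, 2 and 4 to an inventory export and returns the remediation order. The CSV columns, hostnames and fixed-version numbers are constructed placeholders; take the real fixed versions for each branch from advisory K000156741.

```python
import csv
import io

# Constructed placeholders, NOT the real fixed versions: replace with the
# per-branch fixed versions listed in F5 advisory K000156741.
FIXED_BY_BRANCH = {"17.1": (17, 1, 99), "16.1": (16, 1, 99)}

# Constructed sample inventory (hypothetical hostnames and column names).
SAMPLE_INVENTORY = """hostname,version,apm_enabled,internet_facing
vpn-edge-01,17.1.2,yes,yes
lb-internal-07,16.1.4,yes,no
lb-dmz-03,17.1.2,no,yes
vpn-edge-02,15.1.10,yes,yes
vpn-edge-03,17.1.99,yes,yes
"""

def parse_version(text):
    """Turn '17.1.2' into (17, 1, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(row, fixed_by_branch):
    """Return (priority, reason); priority 0 is most urgent, None means no action."""
    if row["apm_enabled"].strip().lower() != "yes":
        return None, "APM not enabled"
    version = parse_version(row["version"])
    branch = ".".join(str(n) for n in version[:2])
    fixed = fixed_by_branch.get(branch)
    if fixed is not None and version >= fixed:
        return None, "at or above fixed version for branch"
    # A branch missing from the table is flagged for manual review, not skipped.
    reason = "below fixed version" if fixed else "branch not in table, check advisory"
    exposed = row["internet_facing"].strip().lower() == "yes"
    scope = "internet-facing" if exposed else "internal only"
    return (0 if exposed else 1), f"{reason}; {scope}"

def triage(inventory_csv, fixed_by_branch=FIXED_BY_BRANCH):
    """Return (priority, hostname, reason) tuples, edge-facing systems first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        priority, reason = assess(row, fixed_by_branch)
        if priority is not None:
            findings.append((priority, row["hostname"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for priority, host, reason in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {host}: {reason}")
```

The comparison covers dotted numeric versions only; hosts running engineering hotfix builds need a manual check against the advisory.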

Immediate defensive actions

  • Apply vendor mitigations/patches for CVE-2025-53521 immediately.
  • Validate that internet-exposed APM entry points are minimized and tightly controlled.
  • Alert SOC/IR teams to watch for signs of exploitation attempts around BIG-IP APM traffic.

Bottom line

If your organization runs F5 BIG-IP APM, treat CVE-2025-53521 as a same-day remediation item. KEV status means attackers are already using this path, so speed matters.
