Protect.Computer

CISA adds F5 BIG-IP CVE-2025-53521 to KEV after active exploitation

What happened

CISA updated its Known Exploited Vulnerabilities (KEV) catalog (version 2026.03.27) and added CVE-2025-53521 affecting F5 BIG-IP.

CISA’s entry describes this as an F5 BIG-IP vulnerability that can allow remote code execution and marks it as actively exploited. NVD also tracks the issue as affecting BIG-IP deployments where APM access policy handling can be abused by malicious traffic.

Why this matters

BIG-IP often sits at critical network choke points (VPN, access proxy, app delivery, WAF/edge functions). A KEV-listed flaw in this layer is high-priority because compromise can expose authentication paths and internal applications, not just a single host.

If internet-facing BIG-IP APM instances are exposed and unpatched, this is a practical intrusion path for initial access.

How to check if you’re affected

Potentially affected environments

  • Organizations running F5 BIG-IP with APM-enabled virtual servers.
  • Internet-exposed BIG-IP instances handling remote user/application access.
  • Environments still on versions that predate vendor remediations for CVE-2025-53521.

Concrete verification steps (15–30 minute triage)

  1. Inventory BIG-IP versions and modules now
    • List all BIG-IP instances and identify where APM is enabled.
    • Compare running versions against F5 remediation guidance for CVE-2025-53521.
  2. Map internet exposure
    • Confirm which BIG-IP virtual servers are reachable from the public internet.
    • Prioritize externally reachable APM entry points first.
  3. Review health and security telemetry
    • Check BIG-IP/TMM crash/restart events and unusual request patterns hitting APM policies.
    • Investigate any unexplained service instability around access-policy traffic.
  4. Patch and harden
    • Apply vendor fixes/mitigations on an emergency timeline.
    • Restrict access paths where possible (allowlists, segmentation, minimal exposure).
  5. Assume breach if suspicious signals exist
    • Rotate credentials/tokens that may have traversed compromised edge services.
    • Hunt for downstream lateral movement from BIG-IP-adjacent network zones.
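Steps 1, 2 and 4 above boil down to one question per device: is APM provisioned, is the box internet-facing, and is the running version below the remediated build? The script below is an added triage helper written for this article; it is not F5 code and not part of the original page. It parses the text of `tmsh list sys provision` (a real tmsh command) for each device, compares the version numerically, and orders devices so that exposed, APM-enabled, unpatched units come first. The device inventory is constructed sample data, and FIXED_VERSIONS is a placeholder because the article does not list F5's remediated builds; replace it with the values from the F5 advisory before relying on the output.

```python
"""Added triage helper for CVE-2025-53521 exposure (not the article's or F5's code).

Given a constructed inventory of BIG-IP devices, flag which ones are APM-enabled,
internet-facing and below the remediated build, then order them for patching.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER first-fixed build per major branch. These are illustrative
# assumptions, not values from F5 or the article; fill in from F5's advisory.
FIXED_VERSIONS = {
    "17": "17.9.9",
    "16": "16.9.9",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.1.1.3' into (17, 1, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_provision(tmsh_output: str) -> dict[str, str]:
    """Parse `tmsh list sys provision` text into {module: level}.

    Provisioned modules print a `level` line; unprovisioned ones print an
    empty block such as `sys provision apm { }` and are recorded as 'none'.
    """
    levels = {}
    for block in re.finditer(r"sys provision (\w+) \{(.*?)\}", tmsh_output, re.S):
        module, body = block.group(1), block.group(2)
        m = re.search(r"level (\w+)", body)
        levels[module] = m.group(1) if m else "none"
    return levels


@dataclass
class Device:
    hostname: str
    version: str
    provision_output: str   # captured `tmsh list sys provision` text
    internet_facing: bool   # from your exposure mapping (step 2)
    apm_virtual_servers: int = 0


def apm_enabled(dev: Device) -> bool:
    return parse_provision(dev.provision_output).get("apm", "none") != "none"


def is_unpatched(version: str) -> bool:
    """True if the running version is below the (placeholder) fixed build for its branch.

    A branch missing from FIXED_VERSIONS is treated as unpatched until confirmed,
    so an unknown or end-of-life release is never silently marked safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(str(v[0]))
    if fixed is None:
        return True
    return v < parse_version(fixed)


def triage(devices: list[Device]) -> list[tuple[int, str, str]]:
    """Return (priority, hostname, reason), highest priority first.

    3: APM provisioned, unpatched, internet-facing  -> emergency patch
    2: APM provisioned, unpatched, internal only
    1: unpatched, APM not provisioned               -> still patch, lower urgency
    0: at or above the fixed build
    """
    results = []
    for d in devices:
        if not is_unpatched(d.version):
            results.append((0, d.hostname, "at or above fixed version"))
        elif apm_enabled(d) and d.internet_facing:
            results.append((3, d.hostname,
                            f"APM on, {d.apm_virtual_servers} internet-facing VS, unpatched"))
        elif apm_enabled(d):
            results.append((2, d.hostname, "APM provisioned, unpatched, internal only"))
        else:
            results.append((1, d.hostname, "unpatched, APM not provisioned"))
    return sorted(results, key=lambda r: r[0], reverse=True)


# Constructed sample inventory: fake hostnames, versions and tmsh output.
APM_ON = "sys provision apm {\n    level nominal\n}\nsys provision ltm {\n    level nominal\n}\n"
APM_OFF = "sys provision apm { }\nsys provision ltm {\n    level nominal\n}\n"

SAMPLE_DEVICES = [
    Device("bigip-edge-01.example", "17.1.1.3", APM_ON, True, apm_virtual_servers=2),
    Device("bigip-int-02.example", "16.1.4", APM_ON, False),
    Device("bigip-lab-03.example", "17.1.0", APM_OFF, False),
    Device("bigip-new-04.example", "17.9.9", APM_ON, True, apm_virtual_servers=1),
]

if __name__ == "__main__":
    for prio, host, reason in triage(SAMPLE_DEVICES):
        print(f"P{prio} {host}: {reason}")
```

The ordering deliberately puts any device on an unknown branch into the unpatched bucket: during a KEV-driven triage, a version the threshold table does not cover is a gap to close, not a reason to skip the box.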

Immediate defensive actions

  • Treat CVE-2025-53521 as KEV-priority and patch urgently.
  • Minimize public attack surface for BIG-IP/APM entry points until fully remediated.
  • Run compromise checks on internet-exposed F5 infrastructure before declaring closure.

Bottom line

A newly added KEV entry for a perimeter product should trigger immediate action. If you run F5 BIG-IP with APM in exposed paths, validate version status and remediation now—this is not a backlog item.