Protect.Computer
NEWS

Over 14,000 F5 BIG-IP APM systems still exposed after active CVE-2025-53521 exploitation alerts

· 1 min read · Network safety Device safety
Over 14,000 F5 BIG-IP APM systems still exposed after active CVE-2025-53521 exploitation alerts

Photo by FlyD on Unsplash

What happened

Security teams are warning that more than 14,000 internet-facing F5 BIG-IP APM instances appear to remain exposed while CVE-2025-53521 is already being treated as actively exploited.

The risk level increased after this issue was reclassified from a denial-of-service condition to remote code execution (RCE) and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why this matters

BIG-IP APM often sits at critical network access points (remote access, auth gateways, and internal app entry points). If an exposed device is vulnerable, attackers may be able to gain privileged footholds and pivot deeper into internal systems.

Because this is now a KEV-listed issue with active exploitation signals, organizations should treat this as an urgent remediation and validation task, not just a routine patch cycle.

How to check if you’re affected

You are likely affected if you run F5 BIG-IP APM and have not fully patched and validated against CVE-2025-53521.

  1. Confirm whether BIG-IP APM is deployed

    • Inventory internet-facing and internal BIG-IP systems.
    • Prioritize systems handling VPN, SSO, or external user access.

  2. Check your running BIG-IP version

    • Compare your versions against F5’s affected/fixed versions in advisory K000156741.
    • If you are on an affected branch without the fixed build, assume exposure.

  3. Verify exposure of management and service interfaces

    • Ensure admin/management interfaces are not publicly reachable.
    • Restrict access using network ACLs/firewall controls.

  4. Review compromise indicators from F5 guidance

    • Check logs and file integrity indicators referenced in the vendor advisory.
    • Investigate suspicious webshell-like artifacts or unusual local API activity.

  5. Reboot/patch validation and post-fix monitoring

    • After patching, confirm the upgraded partition is active.
    • Continue monitoring for follow-on exploitation attempts.

Immediate defensive actions

  • Apply F5’s latest fixed version for your supported branch immediately.
  • Isolate or tightly filter BIG-IP management paths.
  • Run compromise checks even if patching is complete (to detect pre-patch intrusion).
  • Escalate incident response if any indicator of compromise is found.

Sources

Bottom line

If your organization runs BIG-IP APM, treat CVE-2025-53521 as an active-exploitation priority: patch, validate, and perform compromise checks immediately.

Related reading

News
CISA adds CVE-2025-53521 (F5 BIG-IP APM) to KEV after active exploitation

CISA added CVE-2025-53521 affecting F5 BIG-IP APM to the KEV catalog, signaling active exploitation and urgent patch/mitigation action.

News
CISA adds Wing FTP CVE-2025-47813 to KEV catalog after active exploitation

CISA added Wing FTP Server CVE-2025-47813 to the Known Exploited Vulnerabilities catalog, signaling active exploitation risk and urgent patching priority.

News
CISA adds two Google Chrome zero-days to KEV catalog

CISA added CVE-2026-3909 and CVE-2026-3910 in Google Chrome to KEV, signaling active exploitation risk.

News
CISA flags SolarWinds, Ivanti, and Workspace ONE flaws as actively exploited

CISA added three actively exploited vulnerabilities—CVE-2025-26399, CVE-2026-1603, and CVE-2021-22054—to the KEV catalog, with near-term federal remediation deadlines.