CISA Warns of F5 BIG-IP Vulnerability Actively Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed vulnerability affecting F5 BIG-IP systems to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively leveraged in real-world attacks.

The vulnerability, tracked as CVE-2025-53521, was officially listed on March 27, 2026, with a remediation deadline of March 30, 2026, for federal agencies.

CVE-2025-53521 is described as an unspecified vulnerability within F5 BIG-IP Access Policy Manager (APM) that could allow remote code execution (RCE).

While technical details remain limited, the potential for unauthenticated or low-complexity exploitation has raised significant concern across the cybersecurity community, particularly given the widespread deployment of BIG-IP devices in enterprise and government networks.

F5 BIG-IP Vulnerability Exploited

CISA’s inclusion of the vulnerability in the KEV catalog confirms that threat actors are already exploiting the issue in the wild. Although there is currently no confirmed attribution or evidence linking the flaw to ransomware campaigns, the agency emphasized that vulnerabilities enabling RCE are frequently weaponized in post-compromise activities, including lateral movement and data exfiltration.

Historically, F5 BIG-IP vulnerabilities have been attractive targets for both financially motivated groups and state-sponsored actors due to their role in traffic management, authentication, and secure application delivery. Exploitation of such systems can provide attackers with a high level of control over network infrastructure.

CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply vendor-provided mitigations immediately or discontinue use of affected systems if patches or workarounds are unavailable.

The directive falls under Binding Operational Directive (BOD) 22-01, which mandates the rapid remediation of vulnerabilities listed in the KEV catalog.

F5 has issued guidance to address the issue, and organizations are strongly advised to follow official mitigation steps without delay. Security teams should also review logs and monitor for signs of compromise, particularly unusual administrative activity or unauthorized configuration changes within BIG-IP environments.

The rapid addition of CVE-2025-53521 to the KEV catalog highlights a continuing trend of attackers targeting edge devices and network infrastructure components.

These systems often sit at critical junctions within enterprise environments, making them high-value targets for initial access and persistence.

Given the lack of detailed public disclosure, defenders should assume exploitation techniques may evolve quickly. Proactive measures such as network segmentation, strict access controls, and continuous monitoring are essential to reduce exposure.

Organizations using F5 BIG-IP products should treat this vulnerability as a high-priority risk and act immediately to mitigate potential compromise.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post CISA Warns of F5 BIG-IP Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.