Categories: Cyber Security News

CISA Alerts on Actively Exploited F5 BIG-IP Flaw Targeting Organizations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert after adding a newly identified vulnerability in F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw, tracked as CVE-2025-53521, is confirmed to be actively exploited by threat actors in real-world attacks, placing enterprise and government networks at significant risk.

Vulnerability Overview

  • CVE Identifier: CVE-2025-53521
  • Affected Product: F5 BIG-IP Access Policy Manager (APM)
  • Vulnerability Impact: Remote Code Execution (RCE)
  • Ransomware Status: Unknown (use in ransomware campaigns has not been confirmed)
  • KEV Addition Date: March 27, 2026
  • Remediation Deadline: March 30, 2026

CVE-2025-53521 targets the F5 BIG-IP APM module and enables remote code execution when an access policy is configured on a virtual server.

According to F5’s updated advisory, “specific malicious traffic can lead to Remote Code Execution (RCE)” under these conditions.

Critically, the vulnerability does not require prior authentication, meaning an unauthenticated remote attacker can exploit it directly from the internet.

From Denial-of-Service to Critical RCE

What makes this vulnerability especially alarming is its dramatic upgrade in severity. When CVE-2025-53521 was first patched in October 2025, it was classified as a comparatively lower-severity Denial-of-Service (DoS) flaw with a CVSS v3.1 score of 7.5.

Many system administrators, applying standard triage, would have treated remediation as a lower priority, a decision that has proven consequential.

Based on new information uncovered in March 2026, F5 reclassified the vulnerability as full Remote Code Execution, raised its CVSS v3.1 score to 9.8, and confirmed active exploitation in the wild.

F5 BIG-IP appliances occupy a strategically critical position within enterprise networks, functioning as load balancers, application delivery controllers, SSL offloaders, and access policy gateways.

Because these devices sit at the network perimeter and handle inbound application traffic, a successful compromise grants an attacker unparalleled visibility and control.

An attacker who successfully exploits CVE-2025-53521 can intercept sensitive web traffic, manipulate application requests, harvest credentials passing through the device, and use the compromised appliance as a beachhead to pivot laterally into the internal corporate network.

Standard Endpoint Detection and Response (EDR) tools have limited visibility into network edge appliances, making post-exploitation activity on these devices notoriously difficult to detect.

Security researchers at Defused Cyber have already confirmed observing “acute scanning activity” for vulnerable F5 BIG-IP devices following the KEV addition, with attackers probing the /mgmt/shared/identified-devices/config/device-info REST API endpoint to fingerprint vulnerable systems.

Indicators of Compromise (IOCs)

F5 has published a set of indicators organizations should actively monitor within BIG-IP environments:

  • File modifications affecting /usr/bin/umount and/or /usr/sbin/httpd, causing failures in the sys-eicheck system integrity checker
  • HTTP/S traffic from the BIG-IP system containing HTTP 201 response codes with CSS content-type headers, used to disguise attacker activity
  • Presence of hash C05d5254 and related activity, indicating potential malicious software installation
  • Unexpected administrative configuration changes or unauthorized access within BIG-IP management interfaces
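The traffic and file-integrity indicators above can be screened with a small script. The following is an added example, not code from the article or from F5: it scans HTTP transaction records for the 201-with-CSS indicator and for probes of the device-info REST endpoint, and compares key binaries against a SHA-256 baseline the way sys-eicheck would flag them. The record format, the BIG-IP and admin-network addresses, and all sample records are constructed for the demo; on a real unit you would feed it exported proxy or sensor logs and baseline the real /usr/bin/umount and /usr/sbin/httpd from a known-good image.

```python
"""Added example, not code from the article or from F5: screen HTTP
transaction records and key binaries for the CVE-2025-53521 indicators
listed above. The record format, addresses and sample data are constructed."""
import hashlib
import os
import tempfile

# Constructed assumptions: the BIG-IP's address and the trusted admin network.
BIGIP_ADDRS = {"10.0.0.5"}
TRUSTED_ADMIN_PREFIX = "10.10.0."
FINGERPRINT_PATH = "/mgmt/shared/identified-devices/config/device-info"

# Constructed simplified HTTP transaction records, one per line:
#   client_ip server_ip method uri status response_content_type
SAMPLE_RECORDS = """\
10.10.0.7 10.0.0.5 GET /mgmt/tm/ltm/virtual 200 application/json
203.0.113.9 10.0.0.5 GET /mgmt/shared/identified-devices/config/device-info 200 application/json
198.51.100.23 10.0.0.5 POST /static/theme.css 201 text/css
192.0.2.44 10.0.0.5 GET /static/theme.css 200 text/css
198.51.100.23 10.0.0.5 POST /upload 201 application/json
10.10.0.7 10.0.0.5 GET /mgmt/shared/identified-devices/config/device-info 200 application/json
"""


def parse_records(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, server, method, uri, status, ctype = line.split()
        rows.append({"client": client, "server": server, "method": method,
                     "uri": uri, "status": int(status), "ctype": ctype.lower()})
    return rows


def find_http_iocs(records):
    """Return (rule_name, record) pairs for the traffic-based indicators."""
    hits = []
    for r in records:
        # IOC from F5: a 201 response with a CSS content-type served by the BIG-IP.
        if (r["server"] in BIGIP_ADDRS and r["status"] == 201
                and r["ctype"].startswith("text/css")):
            hits.append(("201-with-css-content-type", r))
        # Reconnaissance: device-info REST endpoint queried from outside the admin network.
        if r["uri"] == FINGERPRINT_PATH and not r["client"].startswith(TRUSTED_ADMIN_PREFIX):
            hits.append(("device-info-probe-from-untrusted-client", r))
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(baseline):
    """baseline maps path -> expected SHA-256; return paths that are missing or changed."""
    return [p for p, digest in baseline.items()
            if not os.path.isfile(p) or sha256_file(p) != digest]


def demo_integrity():
    """Run check_integrity on constructed stand-ins for /usr/bin/umount and
    /usr/sbin/httpd (on a real unit, baseline the real paths from a known-good
    image). Returns the base names of files that no longer match."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in ("umount", "httpd")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"\x7fELF-stand-in\n")
        baseline = {p: sha256_file(p) for p in paths}
        with open(paths[1], "ab") as f:   # simulate tampering with httpd
            f.write(b"implant\n")
        return [os.path.basename(p) for p in check_integrity(baseline)]


if __name__ == "__main__":
    for rule, rec in find_http_iocs(parse_records(SAMPLE_RECORDS)):
        print(rule, rec["client"], rec["uri"], rec["status"], rec["ctype"])
    print("modified:", demo_integrity())
```

The two traffic rules are deliberately narrow: a 201 with a CSS body is unusual enough that matching only on the BIG-IP as the responding server keeps false positives low, and the device-info probe is only interesting when it does not originate from the management network. The baseline comparison must come from a clean image rather than from the running unit, since a box that is already compromised will happily hash its own tampered binaries.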

F5 has confirmed exploitation in vulnerable BIG-IP versions and has released patched builds. The following version branch is confirmed fixed:

  • BIG-IP 15.1.0 – 15.1.10 → Fixed in version 15.1.10.8

Organizations running other version branches should consult the official F5 security advisory for their specific branch patch status.

Note that software versions that have reached End of Technical Support (EoTS) are not evaluated by F5.

CISA’s inclusion of CVE-2025-53521 in the KEV catalog triggers mandatory action under Binding Operational Directive (BOD) 22-01.

Under this directive, all Federal Civilian Executive Branch (FCEB) agencies are legally required to apply patches or approved mitigations by March 30, 2026.

While BOD 22-01 legally binds only federal agencies, CISA strongly urges all private-sector organizations, critical infrastructure operators, and network defenders to treat this vulnerability with equal urgency.

Recommended actions include:

  • Apply vendor patches immediately — upgrade to BIG-IP version 15.1.10.8 or the applicable fixed version for your branch
  • Audit BIG-IP access policy configurations — check whether access policies are configured on virtual servers, as this is the triggering condition for exploitation
  • Review IOCs — examine logs for suspicious HTTP 201 response codes, CSS content-type anomalies, and sys-eicheck failures
  • Restrict management interface access — limit exposure of the BIG-IP management plane (/mgmt/ endpoints) to trusted IP ranges only; note that this reduces fingerprinting and post-exploitation access but does not remove the data-plane trigger, which is an access policy on a virtual server
  • Disconnect if unpatched — if patching is not immediately feasible, CISA directs organizations to temporarily take the vulnerable BIG-IP product offline until a secure fix is deployed
  • Implement network segmentation — isolate BIG-IP appliances with strict access controls to limit lateral movement potential in the event of compromise
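The first two actions (confirm the installed build against the fixed version, and find virtual servers with an access policy attached) can be checked mechanically. The following is an added example, not code from the article or from F5. It assumes the 15.1.10.8 fixed build the text names and treats any other branch as "consult the advisory"; the tmsh-style listings are constructed approximations of `tmsh list apm profile access` and `tmsh list ltm virtual` output, not captures from a real unit, so adjust the parsing if your output differs.

```python
"""Added example, not code from the article or from F5: (1) decide whether a
BIG-IP version string on the 15.1 branch is below the fixed build named in the
text, and (2) flag virtual servers that carry an APM access profile, which is
the exploitation condition. The tmsh-style listings below are constructed
approximations of `tmsh list apm profile access` and `tmsh list ltm virtual`
output, not captured from a real unit."""
import re

# Fixed build for the 15.1 branch, from the text. Other branches are not
# covered here: consult F5's advisory for them.
FIXED_BUILDS = {(15, 1): (15, 1, 10, 8)}


def parse_version(version):
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))   # "15.1.10" -> (15, 1, 10, 0)


def patch_state(version):
    """'vulnerable', 'fixed', or 'unknown-branch' for branches this page does not list."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


# Constructed tmsh-style output.
SAMPLE_ACCESS_PROFILES = """\
apm profile access /Common/ap_portal {
    accept-languages { en }
}
apm profile access /Common/ap_vpn {
    accept-languages { en }
}
"""

SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_portal {
    destination /Common/203.0.113.10:443
    profiles {
        /Common/ap_portal { }
        /Common/clientssl { context clientside }
        /Common/http { }
    }
}
ltm virtual /Common/vs_plain {
    destination /Common/203.0.113.11:443
    profiles {
        /Common/clientssl { context clientside }
        /Common/http { }
    }
}
"""


def _braced_block(text, marker):
    """Return the contents of the {...} that follows `marker`, tracking nesting."""
    start = text.find(marker)
    if start < 0:
        return ""
    i = text.index("{", start) + 1
    depth, j = 1, i
    while depth and j < len(text):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        j += 1
    return text[i:j - 1]


def access_profile_names(tmsh_out):
    return set(re.findall(r"^apm profile access (\S+)", tmsh_out, re.M))


def virtuals_with_access_policy(tmsh_out, ap_names):
    """Names of virtual servers whose profile list includes an APM access profile."""
    exposed = []
    for chunk in re.split(r"^ltm virtual ", tmsh_out, flags=re.M)[1:]:
        vs_name = chunk.split()[0]
        attached = set(re.findall(r"(\S+) \{", _braced_block(chunk, "profiles {")))
        if attached & ap_names:
            exposed.append(vs_name)
    return exposed


if __name__ == "__main__":
    for v in ("15.1.10.7", "15.1.10.8", "17.1.2"):
        print(v, patch_state(v))
    aps = access_profile_names(SAMPLE_ACCESS_PROFILES)
    print("virtual servers with an access policy:",
          virtuals_with_access_policy(SAMPLE_VIRTUALS, aps))
```

Access profiles cannot be recognised from a virtual server's profile list by name alone, which is why the script first collects the names from the APM profile listing and then intersects; a virtual server that appears in the result is one where the page's triggering condition holds and should be patched or taken offline first.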

Organizations should also assume that scanning and exploitation attempts are already underway, given the confirmed in-the-wild activity and active reconnaissance observed following the KEV listing.


The post CISA Alerts on Actively Exploited F5 BIG-IP Flaw Targeting Organizations appeared first on Cyber Security News.
