The vulnerability, tracked as CVE-2025-53521, was first disclosed on October 15, 2025, and initially classified as a Denial of Service (DoS) flaw with a CVSS score of 7.5, a rating that understated its real risk.
This misclassification had real-world consequences: many system administrators deprioritized patching, underestimating its threat level.
However, in March 2026, F5 dramatically revised its advisory, confirming that the same flaw enables full unauthenticated Remote Code Execution.
“Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE with CVSS scores of 9.8 (CVSS v3.1) and 9.3 (CVSS v4.0),” F5 stated in its updated security advisory (K000156741).
The vulnerability resides in the apmd process, which handles live traffic, and affects BIG-IP APM versions 15.1.0 through 17.5.1, including systems running in Appliance mode.
Shadowserver’s internet-wide scanning detected over 17,100 IP addresses globally carrying BIG-IP APM fingerprints as of late March 2026.
Of those, more than 14,000 instances are specifically assessed as vulnerable to CVE-2025-53521 exploitation.
This number indicates that a large share of exposed deployments never received the October 2025 patches before the vulnerability's severity was escalated.
Attackers are exploiting the flaw without requiring any credentials or user interaction. Once inside, threat actors have been observed deploying webshells, establishing persistence, tampering with F5’s system integrity checker (sys-eicheck), and using fileless techniques to evade detection.
F5 also warned that systems upgraded from a vulnerable version to a fixed one may still be compromised, as malware can persist post-upgrade.
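Because the attackers reportedly tamper with the on-box integrity checker and their implants survive upgrades, the practical lesson is that the appliance cannot be trusted to audit itself. The following script is an added illustration, not code from the article, from F5, or from any advisory: it compares a live file tree against a baseline of SHA-256 digests captured from a clean build and kept off-box, and it flags digest mismatches, files changed after the upgrade timestamp, and files in web-facing directories that the baseline does not know about. All paths, the `bin/sys-eicheck` stand-in for the checker, the `www` directory and the sample contents are constructed for the demo and are assumptions, not real BIG-IP locations.

```python
"""Out-of-band integrity audit (added example; all paths are constructed)."""
import hashlib
import os
import tempfile

# Constructed: directories where an attacker-dropped file (e.g. a webshell)
# would be unexpected. On a real box this list would come from the clean build.
WATCHED_DIRS = ("www",)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Return {relative_path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def audit(root: str, baseline: dict, upgrade_ts: float) -> list:
    """Compare the live tree against a known-good baseline captured off-box.

    Findings are (relative_path, reason) tuples for:
      - a baseline file whose digest differs (e.g. a neutered checker),
      - a baseline file that is missing,
      - a baseline file modified after upgrade_ts (persistence across the upgrade),
      - a file under WATCHED_DIRS that the baseline does not list (a dropped file).
    """
    findings = []
    for rel, expected in sorted(baseline.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
            continue
        if sha256_file(path) != expected:
            findings.append((rel, "hash mismatch"))
        if os.stat(path).st_mtime > upgrade_ts:
            findings.append((rel, "modified after upgrade"))
    for rel in sorted(snapshot(root)):
        if rel not in baseline and rel.split(os.sep)[0] in WATCHED_DIRS:
            findings.append((rel, "unexpected file"))
    return findings


def build_demo() -> list:
    """Constructed scenario: clean baseline, then a tampered checker and a dropped file."""
    clean_ts, upgrade_ts, attack_ts = 1_000_000, 1_500_000, 2_000_000
    root = tempfile.mkdtemp()
    files = {
        "bin/sys-eicheck": b"#!/bin/sh\nexec verify_all\n",  # stand-in for the checker
        "www/index.html": b"<html>login</html>\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (clean_ts, clean_ts))
    baseline = snapshot(root)  # in practice: taken from a clean build, stored off-box

    # Simulated post-exploitation: make the checker always report clean, drop a webshell.
    checker = os.path.join(root, "bin/sys-eicheck")
    with open(checker, "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")
    os.utime(checker, (attack_ts, attack_ts))
    shell = os.path.join(root, "www/.cache.php")
    with open(shell, "wb") as f:
        f.write(b"<?php eval($_POST['x']); ?>\n")
    os.utime(shell, (attack_ts, attack_ts))

    return audit(root, baseline, upgrade_ts)


if __name__ == "__main__":
    for rel, reason in build_demo():
        print(f"{reason:22s} {rel}")
```

The digest comparison against an off-box baseline is the signal to rely on; the mtime check is a cheap extra that an attacker can defeat by timestomping, so treat its absence as no evidence of a clean system. If the on-box checker itself shows a mismatch, as in the demo, nothing it reports can be trusted and the device should be rebuilt from a known-good image rather than upgraded in place.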
Adding to the urgency, the reclassification coincides with a previously reported nation-state intrusion into F5’s internal environment in which attackers gained access to BIG-IP source code, raising the possibility that threat actors had advanced knowledge of the flaw’s RCE potential long before the public advisory was updated.
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog on March 27, 2026, ordering all U.S. federal civilian agencies to remediate by March 30, 2026.
The UK’s National Cyber Security Centre (NCSC) has also issued an alert urging organizations to take immediate action, regardless of when their systems were last updated.
F5 BIG-IP APM sits at the edge of enterprise networks, terminating VPN connections, fronting secure web gateways, and enforcing zero-trust access policies.
A compromise of one of these appliances is not just a device takeover; it is a direct, high-privileged gateway into internal corporate infrastructure.
Security teams should treat this as a critical incident and act without delay.
Originally published by Cyber Security News as “14,000+ F5 BIG-IP APM Instances Exposed as RCE Exploits Surge”.