

Digital forensics

Cybersecurity company F5 Networks has reclassified a BIG-IP APM denial-of-service (DoS) vulnerability as a high-severity remote code execution (RCE) flaw, warning that attackers are exploiting it to deploy webshells on unpatched devices.
BIG-IP APM (short for Access Policy Manager) is a centralized access management proxy solution that enables admins to secure and manage user access to their organizations’ networks, cloud, applications, and application programming interfaces (APIs).
Tracked as CVE-2025-53521, this security flaw can be exploited by attackers without privileges to gain remote code execution when targeting BIG-IP APM systems with access policies configured on a virtual server.
In addition to flagging the vulnerability as being exploited in the wild, F5 published indicators of compromise (IOCs) and advised defenders to review their BIG-IP systems’ disks, logs, and terminal history for signs of malicious activity.
“This known vulnerability was previously categorized and remediated as a Denial-of-Service (DoS) vulnerability. Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE. The original CVE remediation has been validated to address the RCE in the fixed versions. We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions,” F5 warned in an advisory update published this Sunday.
“F5 strongly recommends that you consult your corporate security policy for guidelines about incident handling procedures including but not limited to forensic best practices, that are specific to your organization. More specifically, review the policies to ensure that they comply with evidence collection and forensics procedures for a security incident before you attempt to recover the system,” the company added.
Internet threat-monitoring non-profit group Shadowserver now tracks over 240,000 BIG-IP instances exposed online; however, there is no information on how many have a vulnerable configuration or have already been secured against CVE-2025-53521 attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the vulnerability to its list of actively exploited flaws on Friday and ordered federal agencies to secure their BIG-IP APM systems by midnight on Monday, March 30.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” it warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
In recent years, BIG-IP vulnerabilities have been exploited by nation-state and cybercrime threat groups to breach corporate networks, map internal servers, deploy data-wiping malware, hijack devices, and steal sensitive documents from victims’ networks.
F5 is a Fortune 500 tech giant that provides cybersecurity, application delivery networking (ADN), and various other services to more than 23,000 customers worldwide, including 48 of the Fortune 50 companies.
