CVE-2025-53521: F5 BIG-IP APM Critical RCE Flaw Under Active Exploitation
Summary
CISA added CVE-2025-53521, a critical unauthenticated remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM), to its KEV catalog on March 28, 2026. The flaw carries CVSS scores of 9.8 (v3.1) and 9.3 (v4.0) and affects BIG-IP APM versions 15.1.0 through 17.5.1. F5 has published indicators of compromise, and patches have been available since October 2025.
Threat Analysis
CVE-2025-53521 is a critical unauthenticated remote code execution (RCE) vulnerability in F5 BIG-IP Access Policy Manager (APM). CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 28, 2026, with a remediation deadline of March 30, 2026 for federal agencies.
Affected Products: F5 BIG-IP APM versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. The vulnerability exists in the 'apmd' process.
CVSS Scores: 9.8 (v3.1) and 9.3 (v4.0) — Critical severity.
Exploitation Status: Actively exploited in the wild. The Dutch National Cyber Security Center confirmed active abuse. F5 has published indicators of compromise (IOC: 'malicious software c05d5254') to help organizations detect compromise.
Recommended Mitigations: Apply F5 patches released in October 2025 immediately. Review F5's published IOCs to check for signs of compromise. Restrict management interface access. Monitor BIG-IP APM logs for anomalous activity. Organizations that have not yet patched should treat this as an emergency remediation priority.
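To prioritise patching, the affected ranges listed under Affected Products can be checked against a device inventory. The following is an added example, not code from F5 or CISA: the hostnames and versions in the sample inventory are constructed, and the handling of four-part point releases (sent for manual verification) is an assumption, since this advisory does not list fixed versions.

```python
import re

# Affected BIG-IP APM ranges exactly as listed in this advisory (inclusive).
AFFECTED = [
    ((17, 5, 0), (17, 5, 1)),
    ((17, 1, 0), (17, 1, 2)),
    ((16, 1, 0), (16, 1, 6)),
    ((15, 1, 0), (15, 1, 10)),
]

def parse_version(text):
    """Turn '15.1.10' or '17.1.2.1' into a tuple of ints; None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+){2,3}", text.strip()):
        return None
    return tuple(int(p) for p in text.strip().split("."))

def classify(version_text):
    """Return 'affected', 'verify', 'not-listed' or 'unparseable'."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    base, point = v[:3], v[3:]
    # Tuples of ints compare numerically, so 15.1.9 < 15.1.10 (a plain
    # string comparison would get this wrong).
    for low, high in AFFECTED:
        if low <= base <= high:
            # Assumption: the advisory does not say whether point releases
            # (fourth component) on top of the last listed version are fixed,
            # so those are sent for manual verification against F5's advisory.
            if base == high and point and point[0] > 0:
                return "verify"
            return "affected"
    # Outside the ranges on this page; this is not a statement that it is safe.
    return "not-listed"

def triage(inventory):
    """Map hostname -> classification for (host, version) pairs."""
    return {host: classify(ver) for host, ver in inventory}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("apm-edge-01", "15.1.10"), ("apm-edge-02", "15.1.9"),
    ("apm-dc-01", "17.1.2.1"), ("apm-dc-02", "17.5.2"), ("apm-lab-01", "16.1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices classified as "verify" or "not-listed" still need to be checked against F5's own advisory before being treated as remediated.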