At a glance: A critical F5 BIG-IP APM vulnerability (CVE-2025-53521), originally classified as a denial-of-service issue, is now being actively exploited for unauthenticated remote code execution. The flaw only impacts systems where APM is bound to a virtual server, but exposed instances risk full system compromise if left unpatched.
Threat summary
On March 27, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog after noting active exploitation.
F5 originally published an advisory for the vulnerability in October 2025, classifying it as a denial-of-service (DoS) issue. After the KEV listing, F5 updated the advisory to reclassify the flaw as a remote code execution (RCE) vulnerability.
The affected technology is BIG-IP Access Policy Manager (APM), the BIG-IP module responsible for authentication, authorization, and VPN access across enterprise, service provider, and government environments. The vulnerability impacts BIG-IP APM versions:
- 17.5.0-17.5.1
- 17.1.0-17.1.2
- 16.1.0-16.1.6
- 15.1.0-15.1.10
The flaw is reachable only when an APM access profile is attached to a virtual server. A system can have APM licensed and provisioned with no virtual server using it; in that state the vulnerable code path is never entered and the system is not exposed. Once an access profile is attached, every request to that virtual server is processed by APM, which is where the flaw resides.
In that configuration an unauthenticated attacker can achieve RCE by sending crafted requests to the APM-enabled virtual server. Successful exploitation can give full control of the system, arbitrary command execution, and a foothold for lateral movement into the networks the device fronts.
Appliance-mode deployments are also affected, as appliance mode restricts administrative access but does not alter APM data-plane processing. F5 notes that the issue is limited to the data plane and does not impact the control plane. The CVSS score has been updated to 9.8 (v3.1), replacing the original 7.5 rating.
F5 released patches in versions:
- 17.5.1.3
- 17.1.3
- 16.1.6.1
- 15.1.10.8
F5 has confirmed that the fix originally shipped for the DoS issue also closes the RCE vector, so systems already on these releases need no further patch for this CVE.
Analysis
Upgrading to one of the fixed releases removes the vulnerable code. The configuration measures below reduce exposure for systems that cannot be upgraded immediately, but they do not remove the flaw.
Determining exposure requires two checks: the software version, and whether APM is actually in the data path. Confirm that APM is licensed and provisioned, list the configured access profiles, and check whether any virtual server has one attached. Because the flaw is reachable only through a virtual server with an access profile, that last check is the decisive one. APM log activity and running APM processes give additional confirmation that the module is in use, but the virtual server configuration is what determines exposure.
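The two-part check above, as an added example that is not F5 code and not part of the original advisory. It carries the version table from this page and parses the three tmsh listings a practitioner would use (`tmsh show sys version`, `tmsh list apm profile access one-line`, `tmsh list ltm virtual one-line`). The output shapes it parses and the sample data are my assumptions modelled on typical BIG-IP one-line listings; verify them against your own system, and run the listings from the root partition if you use partitions other than /Common. When run on a box that has `tmsh` on PATH it pulls the live configuration; otherwise it runs against the constructed samples.

```python
"""Exposure triage for CVE-2025-53521 on BIG-IP APM.

Added example, not F5-provided code. FIX_TABLE is the advisory's version list;
the tmsh output formats below are assumptions and should be checked on your system.
"""
import re
import shutil
import subprocess

# Branch -> (first affected, first fixed). Anything in between, point releases included, is affected.
FIX_TABLE = {
    "17.5": ((17, 5, 0), (17, 5, 1, 3)),
    "17.1": ((17, 1, 0), (17, 1, 3)),
    "16.1": ((16, 1, 0), (16, 1, 6, 1)),
    "15.1": ((15, 1, 0), (15, 1, 10, 8)),
}


def parse_version(text):
    """Extract the 'Version X.Y.Z[.W]' line from `tmsh show sys version` output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", text, re.M)
    if not m:
        raise ValueError("no Version line in tmsh output")
    return tuple(int(p) for p in m.group(1).split("."))


def version_status(version):
    """Return (affected, first_fixed_release) for a version tuple.

    Tuple comparison handles point releases correctly: (16, 1, 6) < (16, 1, 6, 1).
    Branches not listed in the advisory report (False, None).
    """
    branch = f"{version[0]}.{version[1]}"
    if branch not in FIX_TABLE:
        return False, None
    first_affected, first_fixed = FIX_TABLE[branch]
    return first_affected <= version < first_fixed, ".".join(str(p) for p in first_fixed)


def access_profile_names(text):
    """Profile names from `tmsh list apm profile access one-line` ('apm profile access NAME { ...')."""
    names = re.findall(r"^apm profile access (\S+) \{", text, re.M)
    return {n.rsplit("/", 1)[-1] for n in names}  # strip any /Partition/ prefix


def _balanced_block(stanza, key):
    """Text inside the braces following 'KEY {' in a one-line stanza, honouring nested braces."""
    start = stanza.find(key + " {")
    if start < 0:
        return ""
    i = start + len(key) + 2
    depth, j = 1, i
    while j < len(stanza) and depth:
        depth += {"{": 1, "}": -1}.get(stanza[j], 0)
        j += 1
    return stanza[i:j - 1]


def virtuals_with_access_profile(text, access_profiles):
    """Map virtual server -> attached access profiles, from `tmsh list ltm virtual one-line`.

    Only virtual servers with at least one access profile attached are returned;
    those are the ones whose traffic reaches the vulnerable APM code path.
    """
    bound = {}
    for m in re.finditer(r"^ltm virtual (\S+) \{(.*)$", text, re.M):
        name, stanza = m.group(1), m.group(2)
        attached = re.findall(r"(\S+) \{", _balanced_block(stanza, "profiles"))
        hits = sorted({p.rsplit("/", 1)[-1] for p in attached} & access_profiles)
        if hits:
            bound[name] = hits
    return bound


def assess(version_text, access_text, virtual_text):
    """Combine the checks: exposed only if the version is affected AND APM is in the data path."""
    version = parse_version(version_text)
    affected, fixed = version_status(version)
    profiles = access_profile_names(access_text)
    bound = virtuals_with_access_profile(virtual_text, profiles)
    return {
        "version": ".".join(str(p) for p in version),
        "version_affected": affected,
        "first_fixed": fixed,
        "access_profiles": sorted(profiles),
        "bound_virtuals": bound,
        "exposed": affected and bool(bound),
    }


def _tmsh(*args):
    return subprocess.run(["tmsh", *args], capture_output=True, text=True, check=True).stdout


# Constructed sample output (not captured from a real system) so the script runs offline.
SAMPLE_VERSION = "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     17.1.1\n  Build       0.0.2\n  Edition     Final\n"
SAMPLE_ACCESS = (
    "apm profile access access { accept-languages { en } access-policy access }\n"
    "apm profile access vpn_ap { accept-languages { en } access-policy vpn_ap }\n"
)
SAMPLE_VIRTUALS = (
    "ltm virtual vs_vpn { destination 203.0.113.10:443 ip-protocol tcp mask 255.255.255.255 "
    "profiles { /Common/clientssl { context clientside } /Common/http { } /Common/tcp { } /Common/vpn_ap { } } source 0.0.0.0/0 }\n"
    "ltm virtual vs_web { destination 203.0.113.11:443 ip-protocol tcp mask 255.255.255.255 "
    "profiles { /Common/clientssl { context clientside } /Common/http { } /Common/tcp { } } source 0.0.0.0/0 }\n"
)

if __name__ == "__main__":
    if shutil.which("tmsh"):  # on a BIG-IP: use the live configuration
        result = assess(_tmsh("show", "sys", "version"),
                        _tmsh("list", "apm", "profile", "access", "one-line"),
                        _tmsh("list", "ltm", "virtual", "one-line"))
    else:
        result = assess(SAMPLE_VERSION, SAMPLE_ACCESS, SAMPLE_VIRTUALS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the sample, vs_vpn carries the vpn_ap access profile on an affected 17.1.1 build, so the verdict is exposed; vs_web has APM licensed on the same box but no access profile, which matches the advisory's "licensed but not attached" case and is not counted. A box on 17.1.3 with the same configuration reports the version as fixed and is not exposed.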
For environments that cannot upgrade immediately, consider the following steps:
- Limit access to APM-enabled virtual servers
- Remove or restrict exposure of APM services to untrusted networks
- Review access profiles and disable unused ones
- Validate that APM-enabled virtual servers are not internet-facing unless required
Detection coverage can be strengthened by monitoring for indicators of compromise published by F5, including:
- Unexpected file changes or anomalous timestamps
- Unusual file hashes
- Outbound HTTPS traffic with CSS content-type and HTTP 201 responses
Integrating these checks into existing monitoring and threat-hunting workflows improves the likelihood of identifying exploitation attempts and supports ongoing risk reduction across BIG-IP deployments.
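One way to turn the last indicator into a hunt over egress logs, as an added example that is not F5 tooling and not from the original page: flag outbound HTTPS from the BIG-IP's own addresses where the remote side answers HTTP 201 with a text/css content type. The JSON-lines log shape, its field names, the self-IP list and the sample records are all my assumptions; map them onto whatever your egress proxy or TLS-inspection layer actually records.

```python
"""Egress hunt for the '201 + text/css over outbound HTTPS' indicator.

Added example, not F5 code. Log format, field names and BIGIP_SOURCES are assumptions.
"""
import json
from collections import Counter

# Self-IPs / management address of the BIG-IP whose egress is being watched (assumed).
BIGIP_SOURCES = {"203.0.113.10", "10.0.5.5"}


def is_suspicious(rec):
    """True when the whole indicator holds on one record: BIG-IP source, HTTPS, 201, text/css."""
    ctype = str(rec.get("content_type", "")).split(";")[0].strip().lower()
    return (
        rec.get("src") in BIGIP_SOURCES
        and rec.get("scheme") == "https"
        and str(rec.get("status")) == "201"
        and ctype == "text/css"
    )


def hunt(lines):
    """Scan JSON-lines egress log. Returns (flagged records, hits per (dst, host), unparseable lines)."""
    hits, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if is_suspicious(rec):
            hits.append(rec)
    by_dst = Counter((h.get("dst"), h.get("host", "")) for h in hits)
    return hits, by_dst, skipped


# Constructed sample log (not real traffic): two matching records to one destination,
# a legitimate JSON API call, a workstation hitting the same server, and one garbage line.
SAMPLE_LOG = """
{"ts":"2026-03-28T02:11:07Z","src":"203.0.113.10","dst":"198.51.100.7","host":"cdn-update.example","scheme":"https","method":"POST","status":201,"content_type":"text/css","bytes_out":1487}
{"ts":"2026-03-28T02:11:09Z","src":"203.0.113.10","dst":"198.51.100.7","host":"cdn-update.example","scheme":"https","method":"POST","status":201,"content_type":"text/css; charset=utf-8","bytes_out":2210}
{"ts":"2026-03-28T02:12:00Z","src":"203.0.113.10","dst":"192.0.2.40","host":"licensing.example","scheme":"https","method":"POST","status":200,"content_type":"application/json","bytes_out":640}
{"ts":"2026-03-28T02:12:30Z","src":"10.0.7.21","dst":"198.51.100.7","host":"cdn-update.example","scheme":"https","method":"GET","status":201,"content_type":"text/css","bytes_out":120}
{"ts":"2026-03-28T02:13:00Z","src":"203.0.113.10","dst":"192.0.2.9","host":"static.example","scheme":"https","method":"GET","status":200,"content_type":"text/css","bytes_out":300}
not json at all
"""

if __name__ == "__main__":
    hits, by_dst, skipped = hunt(SAMPLE_LOG.splitlines())
    for (dst, host), n in by_dst.most_common():
        print(f"{n} hit(s) to {dst} ({host})")
    print(f"{len(hits)} flagged, {skipped} unparseable line(s)")
```

Two of the five records match and point at the same destination; the workstation's request to that server is not flagged because the source filter is scoped to the BIG-IP. A 201 response with a CSS body is an odd enough combination that, once a destination shows up this way, it is worth widening the source filter to the whole estate and checking the device's files for the other indicators in the list.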