Security researchers and network defenders are tracking an escalated risk regarding F5's BIG-IP application security product line. A vulnerability in the BIG-IP Access Policy Manager (APM), originally identified in October 2025 as a high-severity denial-of-service (DoS) issue, has been reclassified as a critical remote code execution (RCE) vulnerability. F5 confirms the flaw is currently being targeted in the wild.
F5 updated its security advisory on Saturday, designating CVE-2025-53521 as an RCE flaw with a CVSS v3.1 score of 9.8. When initially disclosed and patched on October 15, the issue carried a CVSS score of 7.5. The vendor cited "new information obtained in March 2026" as the basis for the elevated severity rating, though the specific technical details of that new information have not been publicly detailed.
Technical details and affected versions
According to F5's documentation, an unauthenticated attacker can exploit this vulnerability by sending "specific malicious traffic" to virtual servers configured with BIG-IP APM. Successful exploitation yields remote code execution on the affected device.
The flaw affects BIG-IP APM versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. F5 notes that BIG-IP systems running in appliance mode, a configuration designed to restrict administrative access to the system, remain vulnerable.
Indicators of compromise and scanning activity
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog on Friday. To assist security teams with detection and incident response, F5 published indicators of compromise (IoCs) related to this activity.
Organizations assessing their systems should check for a tool tracked as c05d5254. Signs of unauthorized access include unexpected files on disk, specifically /run/bigtlog.pipe and /run/bigstart.ltm. Defenders should also compare the file sizes, hashes, and timestamps of /usr/bin/umount and /usr/sbin/httpd against known-good values, since a mismatch indicates possible modification.
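As an added example (not from F5's advisory or this article), a POSIX shell check for the file-based indicators named above: it reports the two unexpected files if present and compares /usr/bin/umount and /usr/sbin/httpd against a baseline in sha256sum format that you generate on a clean system of the same version. The baseline file and the optional directory prefix (for pointing the check at a mounted image or a test tree) are assumptions of this example, not F5-documented options.

```shell
#!/bin/sh
# Added example, not F5's code. Paths below are the IoCs as reported; the
# baseline file is an assumed input built on a known-clean system with:
#   sha256sum /usr/bin/umount /usr/sbin/httpd > /path/to/baseline.sha256

# Files whose mere presence is listed as an indicator of compromise.
IOC_FILES="/run/bigtlog.pipe /run/bigstart.ltm"

# Portable SHA-256 of one file (GNU coreutils or BSD/macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# check_unexpected_files [PREFIX]: prints each IoC path that exists under
# PREFIX (default: live root). Returns 1 if any was found, else 0.
check_unexpected_files() {
    prefix="${1:-}"; found=0
    for f in $IOC_FILES; do
        if [ -e "${prefix}${f}" ]; then
            echo "IOC-PRESENT ${f}"; found=1
        fi
    done
    return $found
}

# compare_to_baseline BASELINE [PREFIX]: each baseline line is
# "<sha256>  <path>" (sha256sum output). Reports missing or altered files;
# returns 1 on any mismatch, else 0. Size/mtime checks via stat can be added.
compare_to_baseline() {
    baseline="$1"; prefix="${2:-}"; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        target="${prefix}${path}"
        if [ ! -f "$target" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        actual=$(sha256_of "$target")
        if [ "$actual" != "$expected" ]; then
            echo "HASH-MISMATCH $path expected=$expected actual=$actual"; bad=1
        fi
    done < "$baseline"
    return $bad
}

# Usage on a live system: sh check_bigip_iocs.sh /path/to/baseline.sha256
if [ -n "${1:-}" ]; then
    status=0
    check_unexpected_files || status=1
    compare_to_baseline "$1" || status=1
    [ "$status" -eq 0 ] && echo "No file-based indicators found."
    exit "$status"
fi
```

Run it as root on the BIG-IP shell, or against a mounted volume by passing its mount point as the second argument to each function.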
Security firm Defused reported observing scanning activity targeting this vulnerability shortly after its addition to the CISA KEV catalog. In a public update on the social media platform X, Defused noted that unauthorized scanning frequently targets the /mgmt/shared/identified-devices/config/device-info endpoint. This specific BIG-IP REST API endpoint returns system-level information, including hostnames, machine IDs, and base MAC addresses.
Simo Kohonen, founder and CEO of Defused, stated that while their BIG-IP honeypot infrastructure regularly records unauthorized access attempts, the recent activity shows distinct changes in how threat actors fingerprint F5 instances.
"Generic mass exploiters consistently use the same type of payload, but we've observed minor deviations to the payloads in the past week, which suggests more actors out there are looking at mapping out F5 infrastructure," Kohonen said.
Remediation and next steps
F5 infrastructure remains a high-value target for threat actors mapping enterprise perimeters. Last year, state-sponsored groups gained unauthorized access to F5 systems, resulting in the exposure of sensitive data that included source code for the BIG-IP platform.
Given the reclassification and active targeting of CVE-2025-53521, organizations should prioritize upgrading vulnerable BIG-IP APM instances to a fixed version. Security teams should also review system logs and file integrity against the published IoCs to confirm that no unauthorized access occurred before patching.