CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation
CISA Warns of Active Exploitation: Critical RCE Flaw in F5 BIG-IP APM Added to KEV
TL;DR: CISA has added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog. Originally categorized as a denial-of-service (DoS) issue, the flaw has been reclassified as a critical Remote Code Execution (RCE) vulnerability (CVSS v4 score 9.3) and is being actively exploited in the wild. F5 has released patches and indicators of compromise (IoCs).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog. The move follows evidence that threat actors are actively exploiting the vulnerability, identified as CVE-2025-53521, to gain unauthorized control over affected systems.
From DoS to RCE: A Shift in Risk
The vulnerability was initially categorized and remediated as a denial-of-service (DoS) flaw with a CVSS v4 score of 8.7. However, following "new information obtained in March 2026," F5 reclassified the issue as a Remote Code Execution (RCE) vulnerability, significantly increasing its severity to a CVSS v4 score of 9.3.
The flaw manifests when a BIG-IP APM access policy is configured on a virtual server. In that configuration, crafted traffic sent to the virtual server can be used by a threat actor to achieve RCE. Benjamin Harris, CEO of watchTowr, noted that the reclassification represents a massive shift in risk profile for administrators who may have de-prioritized the patch while it was labeled as a DoS issue.
Active Exploitation and Tactics
F5 confirmed that the vulnerability is being exploited in the wild, though the company has not yet disclosed the identity of the threat actors involved. Cybersecurity firm Defused Cyber has already reported "acute scanning activity" targeting the /mgmt/shared/identified-devices/config/device-info endpoint, which is used to gather system-level metadata like hostnames and MAC addresses.
Attackers have been observed using sophisticated methods to maintain persistence and evade detection, including:
- Memory-Only Webshells: While some webshells are written to disk, others operate solely in memory, leaving fewer traces for traditional file-based scanners.
- Traffic Disguise: Using HTTP 201 response codes and CSS content-types to hide malicious HTTP/S traffic.
- System Integrity Tampering: Modifying components that the system integrity checker (sys-eicheck) relies on, such as /usr/bin/umount and /usr/sbin/httpd, to prevent the system from detecting unauthorized changes.
Indicators of Compromise (IoCs)
F5 has published several indicators to help organizations determine if their BIG-IP systems have been breached:
File-Related Indicators:
- Presence of /run/bigtlog.pipe or /run/bigstart.ltm.
- Mismatched file hashes, sizes, or timestamps for /usr/bin/umount and /usr/sbin/httpd. Because the observed tampering targets the very binaries sys-eicheck depends on, compare these files against an external known-good reference (for example a clean install of the same version) rather than relying on the on-box integrity checker alone.
Log-Related Indicators:
- Entries in /var/log/restjavad-audit.<NUMBER>.log showing local users accessing the iControl REST API from localhost.
- Audit logs showing a local user attempting to disable SELinux.
- Log messages in /var/log/audit reflecting executed commands.
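The following POSIX shell script is an added example, not F5's tooling and not part of the original article. It sweeps a BIG-IP filesystem for the file and log indicators listed above, taking a root directory so it can run on the appliance (ROOT = /) or against a mounted image or scratch tree. The baseline file of "<sha256>  <path>" lines, the restjavad-audit and /var/log/audit line layouts it matches, and the "util bash" shell-escape heuristic are assumptions about those formats, not F5-documented ones.

```shell
#!/bin/sh
# Added example, not F5 tooling: sweep a BIG-IP filesystem for the file- and
# log-based indicators F5 published for CVE-2025-53521. ROOT is "/" when run
# as root on the appliance; any mounted image or scratch tree also works.
# The restjavad-audit and /var/log/audit line layouts matched below are
# assumptions about those formats, not taken from F5 documentation.

IOC_FILES="/run/bigtlog.pipe /run/bigstart.ltm"   # presence alone is a hit
WATCHED_BINS="/usr/bin/umount /usr/sbin/httpd"    # sys-eicheck dependencies
HIT_COUNT=0

report() {                                  # record and print one finding
    HIT_COUNT=$((HIT_COUNT + 1))
    echo "HIT: $1"
}

# 1. Artifacts that do not exist on a clean system.
check_ioc_files() {
    root="$1"
    for f in $IOC_FILES; do
        if [ -e "$root$f" ]; then report "artifact present: $f"; fi
    done
}

# 2. Hash drift on the binaries the attackers tamper with. BASELINE holds
#    "<sha256>  <path>" lines from a known-good BIG-IP of the same version
#    (assumed source: a clean install), so the check does not depend on the
#    possibly-subverted on-box integrity checker.
check_bin_hashes() {
    root="$1"; baseline="$2"
    if [ ! -f "$baseline" ]; then echo "no baseline given, skipping hash check"; return 0; fi
    for b in $WATCHED_BINS; do
        if [ ! -f "$root$b" ]; then report "watched binary missing: $b"; continue; fi
        expected=$(awk -v p="$b" '$2 == p { print $1 }' "$baseline")
        actual=$(sha256sum "$root$b" | cut -d' ' -f1)
        if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
            report "hash mismatch: $b"
        fi
    done
}

# 3. iControl REST calls by a local user arriving from localhost, in
#    /var/log/restjavad-audit.<N>.log. Assumed line shape:
#    [...] {"user":"local/admin","method":"POST","uri":"...","status":200,"from":"127.0.0.1"}
check_rest_audit() {
    root="$1"
    for log in "$root"/var/log/restjavad-audit.log "$root"/var/log/restjavad-audit.*.log; do
        if [ ! -f "$log" ]; then continue; fi
        n=$(grep -cE '"user":"local/[^"]*".*"from":"(127\.0\.0\.1|::1)"' "$log" || true)
        if [ "$n" -gt 0 ]; then report "$n localhost REST call(s) by a local user in ${log#"$root"}"; fi
    done
}

# 4. SELinux being switched off, and tmsh shell escapes, in /var/log/audit.
#    Assumed line shape: "... AUDIT - user=admin ... cmd_data=run util bash -c ..."
check_audit_log() {
    root="$1"; log="$root/var/log/audit"
    if [ ! -f "$log" ]; then return 0; fi
    n=$(grep -ciE 'setenforce +0|SELINUX=disabled' "$log" || true)
    if [ "$n" -gt 0 ]; then report "$n SELinux-disable attempt(s) in /var/log/audit"; fi
    n=$(grep -cE 'util bash' "$log" || true)
    if [ "$n" -gt 0 ]; then report "$n shell escape(s) via tmsh in /var/log/audit (review the commands)"; fi
}

# Run every check; HIT_COUNT is the total afterwards (0 means nothing found).
scan_root() {
    root="${1%/}"                  # "/" becomes "" so "$root$path" composes
    HIT_COUNT=0
    check_ioc_files "$root"
    check_bin_hashes "$root" "$2"
    check_rest_audit "$root"
    check_audit_log "$root"
    echo "scan of ${root:-/}: $HIT_COUNT indicator(s)"
}

# usage: sh ioc_scan.sh / /root/known-good.sha256
if [ $# -ge 2 ]; then scan_root "$1" "$2"; fi
```

Run it on the appliance as root with `sh ioc_scan.sh / known-good.sha256`, where the baseline was generated on a clean BIG-IP of the same version. Check 2 deliberately uses that external reference rather than sys-eicheck, since the tactics above include tampering with the checker's own dependencies. Any hit should trigger a full forensic review of the device, not just patching.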
Impacted Versions and Remediation
The vulnerability affects the following versions of F5 BIG-IP:
- 17.5.0 - 17.5.1: Fixed in 17.5.1.3
- 17.1.0 - 17.1.2: Fixed in 17.1.3
- 16.1.0 - 16.1.6: Fixed in 16.1.6.1
- 15.1.0 - 15.1.10: Fixed in 15.1.10.8
Due to the severity of the flaw and its active exploitation, CISA has set a deadline of March 30, 2026, for Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates.
Conclusion
The transition of CVE-2025-53521 from a DoS vulnerability to a critical RCE is a stark reminder that the understanding of a security flaw can change after the initial advisory. With active scanning and exploitation confirmed, organizations using F5 BIG-IP APM must apply the patches immediately and audit their systems for the listed indicators of compromise. Because the earlier DoS rating may have led teams to defer the fix, any APM-enabled virtual server that was reachable while unpatched should be checked for compromise, not merely updated.
Source: The Hacker News