CRITICAL | Vulnerabilities

CVE-2025-53521 - Critical F5 BIG-IP APM Exploitation Alert

Source: The Hacker News
Tags: CVE-2025-53521, F5 BIG-IP, remote code execution, CISA, network security

Basically, a serious flaw in F5 BIG-IP software lets hackers take control of systems remotely.

Quick Summary

CISA has flagged a critical flaw in F5 BIG-IP APM, allowing remote code execution. Organizations using affected versions must act quickly to patch their systems. This vulnerability poses a serious risk to network security.

The Flaw

CISA has recently added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects the F5 BIG-IP Access Policy Manager (APM) and carries a CVSS v4 score of 9.3, placing it in the critical range. It was initially classified as a denial-of-service (DoS) issue but has since been reclassified as allowing remote code execution (RCE), a significantly greater risk.

The flaw arises when a BIG-IP APM access policy is configured on a virtual server. Specific malicious traffic can exploit this configuration, leading to RCE. F5 has confirmed that this vulnerability has been actively exploited in various versions of the BIG-IP software, prompting urgent action from organizations utilizing these systems.

What's at Risk

The vulnerability impacts multiple versions of F5 BIG-IP, specifically:

  • 17.5.0 - 17.5.1 (Fixed in version 17.5.1.3)
  • 17.1.0 - 17.1.2 (Fixed in version 17.1.3)
  • 16.1.0 - 16.1.6 (Fixed in version 16.1.6.1)
  • 15.1.0 - 15.1.10 (Fixed in version 15.1.10.8)

Organizations running these versions are at high risk of unauthorized access and system compromise. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of March 30, 2026, to apply the necessary patches.

Patch Status

F5 has updated its advisory to reflect the new classification of this vulnerability. The company has provided indicators that can help system administrators identify if their systems have been compromised. These include file-related indicators, such as the presence of specific files and mismatches in file hashes, as well as log-related indicators that signal unauthorized access attempts.

F5's proactive measures include releasing patches and advising users to monitor their systems closely. However, the urgency of the situation has changed since the vulnerability was first reported, highlighting the need for immediate action from network administrators.

Immediate Actions

Organizations must prioritize applying the patches released by F5 to mitigate the risks associated with CVE-2025-53521. Key steps include:

  • Assessing current BIG-IP versions in use and comparing them against the patched versions.
  • Monitoring system logs for any suspicious activity, particularly entries related to the iControl REST API.
  • Conducting a thorough review of file integrity to ensure no unauthorized changes have occurred.
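The first step above, checking deployed versions against the affected and fixed versions listed earlier, is easy to get wrong by eye because four-part fix releases (17.5.1.3) sit above a two-part "last affected" boundary (17.5.1). The following script is an added example, not code from the article or from F5; the version table comes from this page, while the inventory hostnames and versions are constructed.

```python
"""Check BIG-IP version strings against the affected ranges listed for
CVE-2025-53521. Ranges and fixed versions are taken from the advisory
summary above; hostnames and inventory values below are constructed."""

# (first affected, last affected, first fixed) per BIG-IP branch
AFFECTED_RANGES = [
    ("17.5.0", "17.5.1", "17.5.1.3"),
    ("17.1.0", "17.1.2", "17.1.3"),
    ("16.1.0", "16.1.6", "16.1.6.1"),
    ("15.1.0", "15.1.10", "15.1.10.8"),
]


def parse_version(v):
    """Turn '17.1.2' or '17.5.1.3' into a comparable 4-tuple of ints."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 2 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version):
    """Return (status, fixed_version); status is 'vulnerable', 'fixed'
    or 'not-listed'. Anything on a listed branch below the fix release
    is treated as vulnerable, so 17.5.1.2 is flagged even though it is
    numerically above the '17.5.1' upper bound in the table. Branches
    the advisory does not mention are reported, not assumed safe."""
    v = parse_version(version)
    for _first, _last, fixed in AFFECTED_RANGES:
        fx = parse_version(fixed)
        if v[:2] != fx[:2]:          # different major.minor branch
            continue
        return ("fixed", fixed) if v >= fx else ("vulnerable", fixed)
    return "not-listed", None


def triage(inventory):
    """inventory: iterable of (hostname, version). Returns rows of
    (hostname, version, status, fixed_version), vulnerable hosts first."""
    rows = [(host, ver, *assess(ver)) for host, ver in inventory]
    order = {"vulnerable": 0, "not-listed": 1, "fixed": 2}
    return sorted(rows, key=lambda r: order[r[2]])


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("apm-edge-01.example", "17.1.2"),
    ("apm-edge-02.example", "17.5.1.3"),
    ("apm-lab-01.example", "16.1.6"),
    ("apm-lab-02.example", "15.1.10.8"),
    ("apm-old-01.example", "14.1.5"),
]

if __name__ == "__main__":
    for host, ver, status, fixed in triage(SAMPLE_INVENTORY):
        target = f" -> upgrade to {fixed}" if status == "vulnerable" else ""
        print(f"{host:22} {ver:10} {status}{target}")
```

Feed it the version strings from your own asset inventory; a "not-listed" result means the branch is outside the advisory's table and must be checked against F5's advisory directly, not treated as unaffected.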

As Benjamin Harris, CEO of watchTowr, stated, the situation has evolved from a mere DoS concern to a critical RCE vulnerability. This shift in risk profile necessitates immediate attention and action from all affected organizations to safeguard their networks against potential exploitation.

🔒 Pro insight: The reclassification of this vulnerability underscores the importance of continuous monitoring and prompt patching to prevent exploitation.

