F5 BIG-IP APM - Over 14,000 Instances Exposed to RCE Attacks

In short, many F5 devices are exposed to attacks that let attackers run malicious code remotely.
A critical RCE vulnerability exposes over 14,000 F5 BIG-IP APM instances. Organizations must act quickly to secure their systems against potential attacks. F5 has issued guidance to help mitigate risks.
What Happened
Internet security watchdog Shadowserver has reported that over 14,000 F5 BIG-IP APM instances are still exposed online. These instances are at risk from a critical-severity remote code execution (RCE) vulnerability, tracked as CVE-2025-53521. Initially disclosed as a denial-of-service (DoS) flaw in October 2025, it was recently reclassified as an RCE vulnerability after new information emerged in March 2026.
Who's Affected
F5 BIG-IP APM (Access Policy Manager) is widely used for centralized access management. It helps organizations secure access to networks, applications, and APIs. With over 17,100 IPs identified with BIG-IP APM fingerprints, many organizations are at risk if they have not patched their systems. This includes a significant number of federal agencies; the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that these systems be secured immediately.
What Data Was Exposed
The vulnerability allows attackers to gain remote code execution on unpatched BIG-IP APM systems. This means that unauthorized users can execute malicious code, potentially leading to data breaches, system hijacking, or deployment of malware. The exact number of affected instances with vulnerable configurations remains unclear, but the risk is substantial.
What You Should Do
F5 has issued guidance for organizations to secure their systems. Here are key steps:
- Check for Malicious Activity: Review logs and terminal history for any signs of compromise.
- Rebuild Affected Systems: If evidence of compromise is found, F5 recommends rebuilding systems from a known good source, as backups may contain malware.
- Stay Updated: Ensure that all systems are patched to the latest version to mitigate risks associated with this vulnerability.
F5 has also shared indicators of compromise (IOCs) to help organizations identify potential breaches. Acting quickly is critical: the longer these systems remain exposed, the greater the risk of exploitation by threat actors, including nation-state and cybercrime groups.
Conclusion
The ongoing threat posed by the CVE-2025-53521 vulnerability highlights the importance of timely updates and vigilance in cybersecurity practices. Organizations must prioritize securing their F5 BIG-IP APM instances to protect against remote code execution attacks.