F5 BIG-IP DoS Bug - Critical RCE Under Active Exploitation

In short, a bug in F5 BIG-IP software now lets attackers take control of affected systems remotely, without first authenticating.
A critical vulnerability in F5 BIG-IP has been exploited in the wild. Organizations using affected versions must patch immediately to avoid severe consequences. Stay vigilant for signs of compromise.
What Happened
A vulnerability in F5 BIG-IP Access Policy Manager (APM) has evolved from a denial-of-service (DoS) issue to a critical pre-authentication remote code execution (RCE) flaw. Initially disclosed in October 2025 with a CVSS score of 7.5, it has now been reclassified to a staggering 9.8 due to new findings. This change underscores the urgency of the situation, as hackers are actively exploiting this flaw to deploy persistent malware with root privileges.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog, indicating that organizations need to take immediate action. The vulnerability affects several versions of BIG-IP APM, and F5 has released patches to mitigate the risks associated with this exploit.
Who's Affected
The vulnerability impacts a wide range of organizations using F5 BIG-IP APM, including enterprises, service providers, and government agencies. Currently, the Shadowserver Foundation tracks over 240,000 instances of F5 BIG-IP online, but the exact number of vulnerable systems is unclear. With the potential for widespread exploitation, system administrators must prioritize patching and assessing their environments for any signs of compromise.
Benjamin Harris, CEO of watchTowr, emphasized the shift in risk perception. What was once seen as a manageable DoS issue has escalated to a critical threat, requiring immediate attention from security teams.
What Data Was Exposed
Successful exploitation of this vulnerability allows attackers to gain root-level access to the underlying operating system. This level of access can lead to significant data breaches and system compromises. The malware deployed by attackers, tracked as “c05d5254,” modifies critical system binaries and creates files that could facilitate further exploitation.
Indicators of compromise include unusual log entries, such as the user “f5hubblelcdadmin” accessing the iControl REST API from localhost, and suspicious commands logged in auditd. Organizations must be vigilant in monitoring their systems for these signs to detect any unauthorized access.
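One way to screen iControl REST logs for the localhost indicator described above, as an added example that is not part of the original article: the key=value field layout, timestamps and endpoints in the sample are constructed for illustration (the real BIG-IP log layout is not given here), so adapt parse_line() to what your appliance actually writes.

```python
import re
from typing import Dict, List

# Constructed sample entries for this example. The key=value layout is an
# assumed format, not the real layout of BIG-IP's iControl REST logs.
SAMPLE_LOG = """\
2025-10-20T10:01:12Z restjavad user=admin src=10.0.0.5 method=GET uri=/mgmt/tm/sys/version status=200
2025-10-20T10:02:44Z restjavad user=f5hubblelcdadmin src=127.0.0.1 method=GET uri=/mgmt/tm/sys/version status=200
2025-10-20T10:03:01Z restjavad user=f5hubblelcdadmin src=10.0.0.9 method=GET uri=/mgmt/tm/sys/version status=401
2025-10-20T10:04:19Z restjavad user=f5hubblelcdadmin src=::1 method=GET uri=/mgmt/tm/ltm/virtual status=200
2025-10-20T10:05:30Z restjavad user=admin src=127.0.0.1 method=GET uri=/mgmt/tm/ltm/virtual status=200
"""

# Indicator from the advisory: this account reaching the REST API from localhost.
WATCH_USERS = {"f5hubblelcdadmin"}
LOCAL_SOURCES = {"127.0.0.1", "::1", "localhost"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of key=value fields; first token becomes 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_suspicious(rec: Dict[str, str]) -> bool:
    """True when a watched user reaches the API from a local source address."""
    return rec.get("user") in WATCH_USERS and rec.get("src") in LOCAL_SOURCES


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records that match the localhost-access indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Flags the two localhost entries for the watched user; the remote
    # attempt by the same user and the local admin request are left alone.
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} src={hit['src']} uri={hit['uri']}")
```

A match is a lead to investigate alongside the auditd entries and sys-eicheck results, not proof of compromise on its own.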
What You Should Do
Organizations running vulnerable versions of BIG-IP APM must act quickly to patch their systems. F5 has released updates in versions 17.1.3, 17.5.1.3, 16.1.6.1, and 15.1.10.8 to address the RCE vector. However, simply applying patches may not be sufficient; organizations should conduct a thorough compromise assessment.
F5 recommends rebuilding configurations from scratch if there’s any uncertainty regarding the compromise timeframe. The sys-eicheck utility can help identify integrity failures, but attackers may have tampered with the components this tool relies on. It is crucial for organizations to take these steps to ensure their systems are secure and to prevent further exploitation.