Critical Unauthenticated RCE in F5 BIG‑IP Access Policy Manager (CVE‑2025‑53521) Actively Exploited
What It Is – A critical unauthenticated remote‑code‑execution (RCE) flaw (CVE‑2025‑53521) resides in the apmd process of F5 BIG‑IP Access Policy Manager (APM). The vulnerability allows attackers to execute arbitrary code on the appliance, potentially compromising the entire network perimeter.
Exploitability – The U.S. CISA has listed the flaw in its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Public PoCs have been observed, and the CVSS v3.1 score is 9.8 (Critical).
Affected Products – F5 BIG‑IP APM versions 15.1.0‑15.1.10, 16.1.0‑16.1.6, 17.1.0‑17.1.2, and 17.5.0‑17.5.1 (including appliance mode).
TPRM Impact – The flaw directly affects third‑party risk for organizations that rely on F5 APM for secure access to applications, APIs, and data. Compromise can lead to lateral movement, credential theft, and exposure of downstream vendor data.
Recommended Actions –
- Verify that all BIG‑IP APM instances are running a patched version released in October 2025 or later.
- Immediately apply the latest security patches if any systems remain on vulnerable releases.
- Review CISA’s Indicators of Compromise (IoC) list, then check logs, file integrity, and SELinux status for signs of the Brickstorm backdoor or web‑shell activity.
- Conduct a rapid risk assessment of any third‑party services that depend on the affected APM appliances and consider temporary network segmentation.
- Update incident‑response playbooks to include this RCE vector and rehearse containment procedures.
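As an added example (not from the source article or F5), here is one way to run the version check from the first action against an inventory export, using only the affected ranges listed above. The CSV columns, the hostnames and the REVIEW status for four-part point releases are assumptions; a NOT_LISTED result only means the version is outside the listed ranges and still needs confirming against the vendor advisory.

```python
import csv
import io
import re

# Affected BIG-IP APM ranges exactly as listed in this advisory (inclusive).
AFFECTED_RANGES = [
    ((15, 1, 0), (15, 1, 10)),
    ((16, 1, 0), (16, 1, 6)),
    ((17, 1, 0), (17, 1, 2)),
    ((17, 5, 0), (17, 5, 1)),
]

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)((?:\.\d+)*)\s*$")


def classify(version: str) -> str:
    """Return AFFECTED, REVIEW, NOT_LISTED or UNPARSEABLE for a version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "UNPARSEABLE"
    base = tuple(int(g) for g in m.group(1, 2, 3))
    in_range = any(lo <= base <= hi for lo, hi in AFFECTED_RANGES)
    if not in_range:
        # Not a clean bill of health: only means the advisory does not list it.
        return "NOT_LISTED"
    # Assumption: the advisory gives three-part bounds, so a point release
    # such as 16.1.6.1 cannot be decided from it and needs a manual check.
    return "REVIEW" if m.group(4) else "AFFECTED"


def audit(inventory_csv: str) -> dict:
    """Map hostname -> status for a CSV with 'host' and 'version' columns."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"].strip(): classify(row["version"]) for row in reader}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = """host,version
apm-edge-01,15.1.10
apm-edge-02,16.1.6.1
apm-dc-01,17.1.3
apm-dc-02,17.5.1
apm-lab-01,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```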
Source: Help Net Security – Attackers are exploiting RCE vulnerability in BIG‑IP APM (CVE‑2025‑53521)