Over 14,000 F5 BIG‑IP APM Instances Exposed to Critical RCE Vulnerability (CVE‑2025‑53521)
What Happened – Shadowserver identified more than 14,000 publicly‑exposed BIG‑IP APM devices that are vulnerable to CVE‑2025‑53521, a critical remote‑code‑execution flaw. The vulnerability, originally disclosed as a DoS issue, was re‑classified in March 2026 after evidence of active exploitation.
Why It Matters for TPRM –
- Unpatched APM gateways can be leveraged to pivot into corporate networks, compromising data and services of any downstream third‑party.
- The flaw is actively exploited in the wild; exposure counts indicate a large attack surface across many vendors and customers.
- Federal guidance (CISA) now mandates remediation, highlighting regulatory risk for organizations that rely on F5 appliances.
Who Is Affected – Enterprises across all sectors that use F5 BIG‑IP APM for access management, especially cloud‑hosted workloads, SaaS platforms, and network‑edge services.
Recommended Actions –
- Verify that all BIG‑IP APM instances run a patched version that addresses CVE‑2025‑53521.
- Conduct an inventory of exposed IPs; block any internet‑facing APM endpoints not required for public access.
- Review logs and disk artifacts for signs of compromise; rebuild from known‑good configurations where compromise is suspected.
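To make the first two actions repeatable, here is an added inventory‑triage script (not from the article or from F5) that ranks BIG‑IP devices by remediation priority. The device list is constructed, and the fixed‑version table is a labelled placeholder because the advisory names no version numbers; substitute the fixed versions from F5's own advisory for this CVE.

```python
"""Triage a BIG-IP inventory for CVE-2025-53521 remediation state.

Added example, not code from the article or from F5. FIXED_VERSIONS is a
PLACEHOLDER: the advisory gives no version numbers, so fill it from F5's
advisory before relying on the output.
"""
from __future__ import annotations
from dataclasses import dataclass

# PLACEHOLDER: minimum fixed version per BIG-IP release branch (major, minor).
FIXED_VERSIONS = {
    (17, 5): (17, 5, 1),
    (17, 1): (17, 1, 3),
    (16, 1): (16, 1, 6),
}

@dataclass
class Device:
    host: str
    version: str           # BIG-IP version string, e.g. "17.1.2.1"
    apm_provisioned: bool  # APM module provisioned on this instance
    internet_facing: bool  # APM virtual server reachable from the internet

def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted BIG-IP version into an integer tuple for comparison."""
    return tuple(int(p) for p in v.strip().split("."))

def triage(dev: Device) -> str:
    """Classify one device; internet-facing vulnerable APM boxes rank first."""
    if not dev.apm_provisioned:
        return "not-affected"        # only APM-provisioned instances are in scope
    ver = parse_version(dev.version)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return "unknown-branch"      # not in the table: treat as unverified
    if ver >= fixed:                 # tuple compare handles 3- vs 4-part versions
        return "patched"
    return "vulnerable-exposed" if dev.internet_facing else "vulnerable-internal"

PRIORITY = {"vulnerable-exposed": 0, "vulnerable-internal": 1,
            "unknown-branch": 2, "patched": 3, "not-affected": 4}

def prioritize(devices: list[Device]) -> list[tuple[str, str]]:
    """Return (host, state) pairs, highest remediation priority first."""
    return sorted(((d.host, triage(d)) for d in devices), key=lambda r: PRIORITY[r[1]])

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Device("apm-edge-01", "17.1.2.1", True, True),
    Device("apm-core-02", "16.1.5.2", True, False),
    Device("apm-edge-03", "17.5.1.0", True, True),
    Device("ltm-only-04", "17.1.2.1", False, True),
    Device("apm-lab-05", "15.1.10.0", True, False),
]
```

Feed it the real export from your CMDB or F5 management plane; anything in the first two states should be patched or taken off the internet edge before the log review in the third action starts.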
Technical Notes – The RCE is triggered via unauthenticated requests to the APM virtual server when a vulnerable version is exposed. The vulnerability was first disclosed in October 2025 (CVE‑2025‑53521) as a DoS and later upgraded to RCE after exploitation was observed. No mitigation other than patching is available; F5 recommends a full system rebuild if compromise is detected. Source: BleepingComputer