Critical RCE in F5 BIG‑IP APM (CVE‑2025‑53521) Added to CISA KEV Catalog
What It Is — A remote‑code‑execution (RCE) flaw in F5 BIG‑IP Access Policy Manager (APM) that is triggered by specially crafted malicious traffic when an access policy is enabled on a virtual server. The vulnerability is tracked as CVE‑2025‑53521 and carries a CVSS v3.1 score of 9.8.
Exploitability — Actively exploited in the wild: CISA has placed the flaw in its Known Exploited Vulnerabilities (KEV) catalog, which it does only for vulnerabilities with confirmed in‑the‑wild exploitation, and exploitation attempts against unpatched BIG‑IP versions have been observed.
Affected Products — F5 BIG‑IP APM. The flaw is reachable only through virtual servers that have an access policy attached, but every APM‑provisioned system should be treated as affected until patched. Versions that have reached End of Technical Support (EoTS) were not evaluated by F5; per F5's standard practice they are not confirmed safe and should be assumed vulnerable.
TPRM Impact — Because BIG‑IP APM sits at the network edge and terminates VPN, SSO and application access for many enterprises, a successful RCE gives an attacker a foothold on a trusted device from which to pivot into downstream services, intercept or alter data, and disrupt business‑critical applications. For third‑party risk management this means any vendor or service provider that fronts your applications or data with BIG‑IP APM carries this exposure into your supply chain.
Recommended Actions —
- Inventory all BIG‑IP instances with the APM module provisioned, confirm the running BIG‑IP software version, and identify every virtual server that has an access policy attached.
- Patch immediately with the F5 security update that addresses CVE‑2025‑53521.
- For devices that are out of support, migrate to a supported platform or isolate the asset.
- Update vulnerability‑management and SIEM rules to flag this CVE as critical, alert on any indicators published for it, and review logs from access‑policy virtual servers for anomalous traffic.
- Ensure compliance with CISA BOD 22‑01 deadlines (federal agencies must remediate by 30 Mar 2026).
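The inventory and exposure check in the first recommended action can be scripted against the iControl REST API. The following is an added example written for this page; it is not F5's code and does not come from the Security Affairs report. The three REST endpoints it reads are real BIG‑IP endpoints, but the JSON responses embedded below are constructed sample data, and the per‑branch fixed‑version table is a placeholder that must be filled from the F5 security advisory for CVE‑2025‑53521 (the example does not know the real fixed versions). A virtual server counts as exposed when one of its attached profiles is an APM access profile.

```python
"""Inventory helper for the BIG-IP APM exposure check.

Added example, not F5 code. It evaluates three iControl REST responses:
  GET /mgmt/tm/sys/software/volume                     -> active software volume/version
  GET /mgmt/tm/apm/profile/access                      -> defined APM access profiles
  GET /mgmt/tm/ltm/virtual?expandSubcollections=true   -> virtual servers with profiles
The sample responses at the bottom are constructed, not captured from a device.
"""
import json
import re
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'17.1.1.3' -> (17, 1, 1, 3); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def running_version(volumes: dict) -> Optional[str]:
    """Version of the active software volume (the one the box booted from)."""
    for vol in volumes.get("items", []):
        if vol.get("active"):
            return vol.get("version")
    return None


def access_profile_paths(profiles: dict) -> set:
    """Full paths (e.g. /Common/ap_vpn) of every APM access profile."""
    return {p["fullPath"] for p in profiles.get("items", [])}


def exposed_virtuals(virtuals: dict, access_paths: set) -> List[str]:
    """Enabled virtual servers that have an APM access profile attached."""
    hits = []
    for vs in virtuals.get("items", []):
        if vs.get("disabled"):  # iControl emits "disabled": true only for disabled VSs
            continue
        attached = vs.get("profilesReference", {}).get("items", [])
        if any(p.get("fullPath") in access_paths for p in attached):
            hits.append(vs["fullPath"])
    return hits


def is_fixed(version: str, fixed_versions: Dict[str, str]) -> Optional[bool]:
    """Compare against the fixed version for the same major.minor branch.

    Returns None when the branch is absent from the table, which is how an
    EoTS branch (not evaluated by F5) shows up: treat None as vulnerable.
    """
    v = parse_version(version)
    branch = ".".join(str(x) for x in v[:2])
    fixed = fixed_versions.get(branch)
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def assess(volumes: dict, profiles: dict, virtuals: dict,
           fixed_versions: Dict[str, str]) -> dict:
    """Combine version and exposure into one verdict per device."""
    ver = running_version(volumes)
    exposed = exposed_virtuals(virtuals, access_profile_paths(profiles))
    fixed = is_fixed(ver, fixed_versions) if ver else None
    if fixed is None:
        status = "unknown-branch-assume-vulnerable"
    elif fixed:
        status = "patched"
    else:
        status = "vulnerable" if exposed else "unpatched-no-access-policy"
    return {"version": ver, "exposed_virtuals": exposed, "status": status}


def fetch(host: str, path: str, auth: Tuple[str, str], verify=True) -> dict:
    """Live fetch via the iControl REST API (not used in the offline demo)."""
    import requests  # local import so the offline demo has no dependency
    r = requests.get(f"https://{host}{path}", auth=auth, verify=verify, timeout=30)
    r.raise_for_status()
    return r.json()


# --- constructed sample responses (shape follows iControl REST, values invented) ---
SAMPLE_VOLUMES = {"items": [
    {"name": "HD1.1", "product": "BIG-IP", "version": "17.1.1", "build": "0.0.5", "active": True},
    {"name": "HD1.2", "product": "BIG-IP", "version": "16.1.4", "build": "0.0.7"},
]}
SAMPLE_ACCESS = {"items": [{"name": "ap_vpn", "fullPath": "/Common/ap_vpn"}]}
SAMPLE_VIRTUALS = {"items": [
    {"name": "vs_vpn", "fullPath": "/Common/vs_vpn",
     "profilesReference": {"items": [{"fullPath": "/Common/clientssl"},
                                     {"fullPath": "/Common/ap_vpn"},
                                     {"fullPath": "/Common/http"}]}},
    {"name": "vs_web", "fullPath": "/Common/vs_web",
     "profilesReference": {"items": [{"fullPath": "/Common/http"}]}},
    {"name": "vs_old", "fullPath": "/Common/vs_old", "disabled": True,
     "profilesReference": {"items": [{"fullPath": "/Common/ap_vpn"}]}},
]}
# PLACEHOLDER: replace with the per-branch fixed versions from the F5 advisory.
PLACEHOLDER_FIXED = {"17.1": "17.1.2", "16.1": "16.1.5"}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_VOLUMES, SAMPLE_ACCESS, SAMPLE_VIRTUALS,
                            PLACEHOLDER_FIXED), indent=2))
```

Run it per device, feeding the output of `fetch(host, path, (user, password))` for the three endpoints into `assess`. The disabled virtual server is skipped deliberately: it is not reachable today, but it will become reachable the moment someone re‑enables it, so list it separately in the inventory rather than forgetting it.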
Source: Security Affairs