CISA flags actively exploited F5 BIG-IP flaw as agencies race to patch


CISA has added CVE-2025-53521, an F5 BIG-IP Access Policy Manager vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The agency listed it on March 27, 2026, and gave federal civilian agencies until March 30, 2026 to apply mitigations under Binding Operational Directive 22-01.

This is a high-priority issue because the flaw can lead to remote code execution when a BIG-IP APM access policy is configured on a virtual server. F5’s advisory says an unauthenticated attacker can exploit the bug, while the NVD now describes the issue as remote code execution caused by specific malicious traffic.

The case also stands out because the public description changed over time. Older public records described CVE-2025-53521 as a denial-of-service issue that could terminate TMM, but F5 and NVD later updated the description to remote code execution. That shift helps explain why the KEV listing drew immediate attention from defenders.

What CISA and F5 are saying

CISA’s KEV entry confirms active exploitation, but it does not publicly name the threat actor or describe the exact attack chain. The agency also says it does not yet know whether ransomware groups are using the flaw, which means defenders should not assume the risk is limited to one type of campaign.

F5’s advisory identifies the affected component as BIG-IP APM and says the bug allows unauthenticated remote code execution. The vendor also notes that BIG-IP systems running in Appliance mode are affected.

Because BIG-IP often sits on the network edge and handles authentication, traffic management, and secure application delivery, a successful compromise can give attackers a strong foothold inside sensitive environments. That is one reason edge-device flaws keep attracting both financially motivated actors and state-backed operators. This last point is an inference based on the role BIG-IP plays in enterprise networks and CISA’s repeated warnings about edge-device exploitation.

Why this flaw matters

BIG-IP APM is widely used to control access to applications and services, which makes it a valuable target. If attackers can exploit an unauthenticated remote code execution bug on an exposed appliance, they may gain a path into authentication flows, privileged sessions, and internal services that trust the device. This is an inference from the product’s role and the documented RCE impact.

The short remediation window also shows how seriously CISA views the threat. Federal agencies had only three days, from March 27 to March 30, to apply vendor mitigations or stop using affected products if fixes were not available.

That urgency fits a larger pattern. Attackers continue to focus on perimeter systems that sit between the public internet and internal networks, especially devices that provide remote access, load balancing, or application security.

CVE-2025-53521 at a glance

Item                    Details
----                    -------
CVE                     CVE-2025-53521
Product                 F5 BIG-IP Access Policy Manager
Impact                  Remote code execution
Attack requirement      Unauthenticated attacker
Exploitation status     Actively exploited
CISA action             Added to KEV on March 27, 2026
Federal deadline        March 30, 2026
Public ransomware use   Unknown

Source basis: CISA KEV catalog, CISA alert, F5 advisory, NVD.

What defenders should do now

Organizations that use BIG-IP APM should treat this as an emergency patching issue. F5 has already published guidance, and CISA says federal agencies must remediate immediately or remove affected systems from service.

Security teams should also review logs and administrative activity around BIG-IP systems for signs of compromise. Because public technical details remain limited, defenders should assume exploitation methods may spread quickly now that the flaw is in KEV and widely discussed. This is a forward-looking inference, but it matches common post-KEV behavior.

Immediate priorities

  • apply F5’s vendor guidance without delay
  • review internet-exposed BIG-IP APM instances first
  • inspect logs for unusual admin actions or configuration changes
  • segment or restrict access to affected appliances where possible
  • prepare incident response steps in case patching happens after compromise
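One way to scope the second item above, finding the BIG-IP APM instances to review first, is to inventory which virtual servers actually carry an access profile, since the flaw applies when an APM access policy is configured on a virtual server. The script below is an added example, not code from the article, CISA or F5. It parses saved output of `tmsh list apm profile access` and `tmsh list ltm virtual` and lists every virtual server with an access profile attached, ranking destinations outside RFC 1918, loopback and link-local ranges first. The sample tmsh text is constructed, the brace-delimited layout the parser expects is an assumption about tmsh formatting, and the "internal address" heuristic is the example's own, not vendor guidance.

```python
"""Triage helper: list BIG-IP virtual servers with an APM access profile.

Added example (not from the article, CISA or F5). Parses saved output of
`tmsh list apm profile access` and `tmsh list ltm virtual` so it runs offline.
"""
import ipaddress
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample output; not captured from a real system.
SAMPLE_ACCESS_PROFILES = """\
apm profile access /Common/corp_vpn_access {
    accept-languages { en }
    app-service none
}
apm profile access /Common/portal_access {
    accept-languages { en }
    app-service none
}
"""

SAMPLE_VIRTUALS = """\
ltm virtual /Common/vpn_vs {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/corp_vpn_access {
            context all
        }
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/intranet_vs {
    destination /Common/10.20.30.40:443
    ip-protocol tcp
    profiles {
        /Common/portal_access {
            context all
        }
        /Common/http { }
    }
}
ltm virtual /Common/plain_web_vs {
    destination /Common/203.0.113.11:80
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
"""

# Assumed tmsh layout: top-level objects open with "name {" and close with "}"
# in column 0; nested blocks are indented by four spaces per level.
ACCESS_PROFILE_RE = re.compile(r"^apm profile access (\S+) \{", re.M)
VIRTUAL_RE = re.compile(r"^ltm virtual (\S+) \{\n(.*?)^\}", re.M | re.S)
PROFILES_BLOCK_RE = re.compile(r"profiles \{(.*?)\n {4}\}", re.S)
PROFILE_NAME_RE = re.compile(r"(/\S+) \{")
DEST_RE = re.compile(r"^\s*destination (\S+)", re.M)

# Example's own notion of "internal": RFC 1918, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


class ApmVirtual(NamedTuple):
    virtual: str
    destination: str
    access_profile: str
    review_first: bool  # destination is not in an internal range


def access_profile_names(tmsh_text: str) -> Set[str]:
    """Names of all APM access profiles in `tmsh list apm profile access` output."""
    return set(ACCESS_PROFILE_RE.findall(tmsh_text))


def split_destination(dest: str) -> Tuple[str, str]:
    """'/Common/203.0.113.10:443' -> ('203.0.113.10', '443'); IPv6 uses '.' before the port."""
    name = dest.rsplit("/", 1)[-1]
    sep = "." if name.count(":") > 1 else ":"
    host, _, port = name.rpartition(sep)
    return (host, port) if host else (port, "")


def looks_non_internal(host: str) -> bool:
    """True when the listener is not clearly internal, so it gets reviewed first."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # names or unparsable values: flag for manual review
    if addr.is_unspecified:
        return True  # wildcard listener (0.0.0.0 / ::) answers on every address
    return not any(addr in net for net in INTERNAL_NETS)


def find_apm_virtuals(access_text: str, virtuals_text: str) -> List[ApmVirtual]:
    """Virtual servers with an access profile attached, non-internal destinations first."""
    access = access_profile_names(access_text)
    hits = []
    for name, body in VIRTUAL_RE.findall(virtuals_text):
        block = PROFILES_BLOCK_RE.search(body)
        attached = PROFILE_NAME_RE.findall(block.group(1)) if block else []
        apm = [p for p in attached if p in access]
        if not apm:
            continue  # no access policy on this virtual server
        dest_m = DEST_RE.search(body)
        dest = dest_m.group(1) if dest_m else ""
        host, _ = split_destination(dest)
        hits.append(ApmVirtual(name, dest, apm[0], looks_non_internal(host)))
    hits.sort(key=lambda h: not h.review_first)
    return hits


if __name__ == "__main__":
    for hit in find_apm_virtuals(SAMPLE_ACCESS_PROFILES, SAMPLE_VIRTUALS):
        flag = "REVIEW FIRST" if hit.review_first else "internal"
        print(f"{flag:13} {hit.virtual}  {hit.destination}  {hit.access_profile}")
```

Run it against files saved from `tmsh list apm profile access` and `tmsh list ltm virtual` on each device; virtual servers with no access profile are omitted, and the ordering only prioritizes the review, it is not a statement about which systems are exploitable.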

FAQ

What is CVE-2025-53521?

It is an F5 BIG-IP APM vulnerability that can lead to remote code execution when an access policy is configured on a virtual server. CISA says attackers are already exploiting it.

Is the flaw really being used in attacks?

Yes. CISA added it to the Known Exploited Vulnerabilities catalog on March 27, 2026 based on evidence of active exploitation.

Does exploitation require authentication?

F5’s advisory says an unauthenticated attacker can exploit the vulnerability.

Why are people calling it especially dangerous?

Because it affects BIG-IP APM, a widely deployed edge product, and because the public description was upgraded from service disruption to remote code execution. That combination raises the risk profile significantly.
