As critical infrastructure faces increasing cyber threats, F5 BIG-IP vulnerability CVE-2025-53521 has been added to the Known Exploited Vulnerabilities (KEV) catalog following confirmed real-world attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has officially listed the flaw in its KEV catalog, citing active exploitation targeting F5 BIG-IP Access Policy Manager (APM) deployments. The vulnerability, now rated with a high severity score of 9.3, allows attackers to achieve remote code execution under specific conditions.
Originally identified as a denial-of-service issue, the vulnerability was later reclassified by F5 after new findings revealed its potential for pre-authentication remote code execution. The flaw occurs when a BIG-IP APM access policy is configured on a virtual server, enabling attackers to send specially crafted traffic that can trigger exploitation.
F5 confirmed that the vulnerability has already been exploited in affected versions, though it has not disclosed details about the threat actors involved. The company has released updated guidance and indicators of compromise to help organizations identify potential breaches.
Among the key indicators are suspicious files such as system pipes and modified binaries, discrepancies in file hashes and timestamps for critical system components, and unusual log entries indicating unauthorized access to internal REST APIs. Additional signs include attempts to disable security mechanisms and HTTP traffic patterns designed to conceal malicious activity.
Security researchers have also observed attackers modifying core system components, which can disrupt integrity checking tools and signal deeper compromise. In some cases, webshells have been deployed, although they may operate in memory without leaving persistent traces on disk, making detection more challenging.
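Two of the disk-based indicators above, hash or timestamp discrepancies in critical components and stray named pipes, can be checked against a trusted baseline. The following is an added example, not F5's own guidance or tooling; it uses constructed files and hypothetical paths inside a temporary directory rather than real BIG-IP component paths.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, files: list[str]) -> dict[str, tuple[str, int]]:
    """Record (sha256, mtime) per monitored file; taken from a known-good system."""
    return {name: (sha256_of(root / name), int((root / name).stat().st_mtime)) for name in files}


def audit(root: Path, baseline: dict[str, tuple[str, int]]) -> list[str]:
    """Compare current state to the baseline and flag FIFOs where only regular files belong."""
    findings = []
    for name, (digest, mtime) in baseline.items():
        p = root / name
        if not p.exists():
            findings.append(f"missing: {name}")
            continue
        if sha256_of(p) != digest:
            findings.append(f"hash mismatch: {name}")
        if int(p.stat().st_mtime) != mtime:
            findings.append(f"timestamp mismatch: {name}")
    for p in root.rglob("*"):
        if stat.S_ISFIFO(p.lstat().st_mode):  # named pipes are a listed indicator
            findings.append(f"unexpected named pipe: {p.relative_to(root)}")
    return findings


def demo() -> list[str]:
    """Build a constructed baseline, simulate tampering, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()  # hypothetical component directory, not a real BIG-IP path
        (root / "bin" / "daemon").write_bytes(b"original binary contents")
        (root / "bin" / "helper").write_bytes(b"helper contents")
        baseline = snapshot(root, ["bin/daemon", "bin/helper"])
        (root / "bin" / "daemon").write_bytes(b"modified binary contents")  # simulated tampering
        os.utime(root / "bin" / "daemon", (0, 0))  # back-dated timestamp
        if hasattr(os, "mkfifo"):
            os.mkfifo(root / "bin" / ".sock")  # simulated stray named pipe
        return audit(root, baseline)
```

Because the article notes that some webshells run only in memory, a clean result from a disk baseline like this does not rule out compromise; pair it with the log and HTTP-pattern indicators also listed.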
The vulnerability impacts multiple versions of BIG-IP software, with patches now available for affected releases. Organizations running vulnerable systems are strongly advised to upgrade immediately to the fixed versions provided by F5.
Federal agencies have been given a strict deadline to remediate the issue, reflecting the urgency of the threat. Security experts warn that the risk profile has significantly changed since the vulnerability was first disclosed.
“When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn’t immediately signal urgency, and many system administrators likely prioritized it accordingly,” said Benjamin Harris, CEO of watchTowr. “Fast forward to today’s big ‘yikes’ moment: the situation has changed significantly. What we’re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That’s a very different risk profile than what was initially communicated.”
Researchers have also reported active scanning activity targeting exposed BIG-IP systems, particularly through REST API endpoints used to retrieve system level information. This suggests attackers are actively probing for vulnerable devices to exploit.
The inclusion of F5 BIG-IP vulnerability CVE-2025-53521 in the KEV catalog underscores the urgency for organizations to prioritize patching and strengthen monitoring. With active exploitation underway, failure to remediate could result in full system compromise, data exposure, and potential lateral movement across enterprise networks.