
Critical RCE Vulnerability in F5 BIG-IP Under Exploitation

CVE-2025-53521 could allow an unauthenticated attacker to execute code remotely

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CVE-2025-53521 could allow an unauthenticated attacker to execute code remotely


Threat details

CVE-2025-53521 Under Exploitation

F5 has reported exploitation of CVE-2025-53521 in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog. The NHS England National CSOC assesses it is almost certain there will be further exploitation in the immediate future.

Edge devices like F5 BIG-IP are internet-facing by design, which makes them highly attractive targets for attackers. An increasing number of edge device vulnerabilities are disclosed each year, and many are exploited rapidly after disclosure. The NHS England National CSOC assesses it is highly likely that vulnerabilities discovered in edge devices will continue to be exploited as zero-days, or shortly after vendor disclosure.

Organisations are strongly encouraged to follow NCSC's vulnerability management guidance, including patching edge devices as soon as possible if a critical vulnerability is identified.


Introduction

In October 2025, F5 published a security advisory for CVE-2025-53521, reporting it as a denial-of-service vulnerability. F5 has now updated their advisory to reflect that CVE-2025-53521 could allow an unauthenticated attacker to execute code remotely. CVE-2025-53521 is under exploitation.

  • CVE-2025-53521 - Remote Code Execution vulnerability - CVSSv4 base score: 9.3

Remediation advice

Affected organisations must review F5 security advisory K000156741 and follow the remediation steps below.


Remediation steps

Type: Patch

Required: Patch

Organisations must upgrade BIG-IP APM to a fixed version. The fixed versions are:

  • 15.x: version 15.1.10.8 or later
  • 16.x: version 16.1.6.1 or later
  • 17.1: version 17.1.3 or later
  • 17.5: version 17.5.1.3 or later

Note: F5 does not evaluate vulnerabilities against software versions that have reached End of Technical Support (EoTS), so no fixed version is published for those branches. Organisations running an EoTS version must upgrade to a supported version.
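A way to triage a fleet of appliances against the fixed-version list above, as an added example for this page (it is not F5's or the NHS England CSOC's code). It parses the text of `tmsh show sys version` and `tmsh list sys provision apm`, collected from each device, and reports whether the running version is at or above the fix for its branch. The sample tmsh output is constructed for the example; two assumptions are made and labelled in the code: a branch absent from the fixed-version list is treated as requiring an upgrade (consistent with the EoTS note), and an unparseable provisioning level is treated as provisioned so the check fails closed.

```python
"""Triage a BIG-IP version against the CVE-2025-53521 fixed-version list.

Added example for this page; not F5's or the NHS England CSOC's code.
Input is the text of `tmsh show sys version` and `tmsh list sys provision apm`
(the samples below are constructed for the example, not real device output).
Assumptions: a branch absent from the fixed-version list is treated as
requiring an upgrade, in line with the EoTS note; an unparseable
provisioning level is treated as provisioned (fail closed).
"""
import re
from typing import Dict, Optional, Tuple

# First fixed version per branch, as listed on this page from F5 K000156741.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (15, 1): (15, 1, 10, 8),
    (16, 1): (16, 1, 6, 1),
    (17, 1): (17, 1, 3, 0),
    (17, 5): (17, 5, 1, 3),
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '17.1.3' or '16.1.5.1' into a zero-padded 4-tuple for comparison."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version string: {text!r}")
    while len(parts) < 4:
        parts.append(0)
    return (parts[0], parts[1], parts[2], parts[3])


def extract_version(show_sys_version: str) -> str:
    """Read the 'Version' field from `tmsh show sys version` output."""
    match = re.search(r"^\s*Version\s+(\d[\d.]*)", show_sys_version, re.M)
    if not match:
        raise ValueError("no Version line found in tmsh output")
    return match.group(1)


def apm_provisioned(list_sys_provision_apm: str) -> bool:
    """True unless the apm module is explicitly provisioned at level 'none'.

    Assumption: if the output cannot be parsed, report APM as provisioned
    so the device is not silently dropped from the patch list.
    """
    match = re.search(r"sys provision apm\s*\{\s*level\s+(\S+)", list_sys_provision_apm)
    return match is None or match.group(1) != "none"


def version_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unlisted-branch' (no fix listed: upgrade)."""
    v = parse_version(version)
    fixed: Optional[Tuple[int, int, int, int]] = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # Assumption: branches without a listed fix (EoTS or otherwise) must be upgraded.
        return "unlisted-branch"
    return "patched" if v >= fixed else "vulnerable"


def assess(show_sys_version: str, list_sys_provision_apm: str) -> Dict[str, object]:
    """Combine the version verdict with whether APM is provisioned on the device."""
    version = extract_version(show_sys_version)
    return {
        "version": version,
        "status": version_status(version),
        "apm_provisioned": apm_provisioned(list_sys_provision_apm),
    }


# Constructed sample output in the shape tmsh produces (not from a real device).
SAMPLE_SHOW_SYS_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.2.1
  Build       0.0.3
  Edition     Point Release 1
"""

SAMPLE_PROVISION_APM = """\
sys provision apm {
    level nominal
}
"""

if __name__ == "__main__":
    result = assess(SAMPLE_SHOW_SYS_VERSION, SAMPLE_PROVISION_APM)
    print(result)
    if result["status"] != "patched" and result["apm_provisioned"]:
        print("ACTION: upgrade to the fixed version for this branch and run a compromise assessment")
```

Run it against captured tmsh output from each appliance; anything reported as `vulnerable` or `unlisted-branch` with APM provisioned goes straight onto the patch list, and any device that was ever in that state also needs the compromise assessment in the next step, since patching does not remove an existing foothold.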


https://my.f5.com/manage/s/article/K000156741
Type: Action

Strongly Recommended: Compromise Assessment

Organisations that are running a vulnerable version of BIG-IP APM, or have upgraded from a vulnerable version, are strongly encouraged to review F5 security advisory K000160486 and perform a compromise assessment of their appliance.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected].


https://my.f5.com/manage/s/article/K000160486


Last edited: 30 March 2026 10:24 am