Overview
- CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog and directed federal civilian agencies to patch by March 30 under the remediation rules of Binding Operational Directive 22-01.
- The bug lets an attacker execute code on BIG-IP Access Policy Manager (APM) when an access policy is enabled on a virtual server; it carries CVSS scores of 9.8 (v3.1) and 9.3 (v4).
- F5 confirmed in-the-wild exploitation and published indicators of compromise, including suspicious files, altered system binaries, local REST API access recorded in logs, and signs of memory-resident webshells.
- The issue affects BIG-IP APM 17.5.0–17.5.1 (fixed in 17.5.1.3), 17.1.0–17.1.2 (fixed in 17.1.3), 16.1.0–16.1.6 (fixed in 16.1.6.1), and 15.1.0–15.1.10 (fixed in 15.1.10.8).
- Security teams report a sharp rise in scanning of BIG-IP REST API endpoints. Administrators who had treated the flaw as only a denial-of-service risk now need to patch urgently and run forensic checks, including verifying that the sys-eicheck integrity tool itself has not been tampered with, since an attacker who alters the checker can hide altered binaries.
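A quick triage helper for the version ranges listed above, as an added example that is not part of the original page and not F5 tooling: it parses a BIG-IP version string (or the version line of `tmsh show sys version` output) and reports whether the release falls inside an affected range. The function names, the sample tmsh output, and the rule "affected from the first listed version up to, but not including, the fixed version" are this example's own assumptions.

```python
"""Triage a BIG-IP version against the CVE-2025-53521 ranges listed on this page.

Added example, not F5's code. The ranges come from the page; the
"first listed version <= v < fixed version" rule and the helper names
are assumptions made here.
"""
from __future__ import annotations

import re

# (branch, first affected version, fixed version) exactly as listed on the page.
AFFECTED_RANGES = [
    ("17.5", "17.5.0", "17.5.1.3"),
    ("17.1", "17.1.0", "17.1.3"),
    ("16.1", "16.1.0", "16.1.6.1"),
    ("15.1", "15.1.0", "15.1.10.8"),
]

# Constructed sample approximating `tmsh show sys version` output; not captured
# from a real device.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.2
  Build       0.0.8
  Edition     Final
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '17.1.2.1' into (17, 1, 2, 1). Pads to four components so that
    '17.1.2' and '17.1.2.0' compare equal and '17.1.2.1' sorts after '17.1.2'."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def version_from_tmsh_output(text: str) -> str | None:
    """Extract the version from tmsh-style output: the first line that starts
    with 'Version' followed by a dotted number. Returns None if absent."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+){1,3})\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def assess(version: str) -> dict:
    """Report whether `version` is in an affected range and which release fixes it.

    A version is treated as affected when it is on a listed branch and
    first_affected <= version < fixed (assumption: point releases before the
    fix on an affected branch are affected too, which is how F5 ranges read).
    """
    v = parse_version(version)
    for branch, first, fixed in AFFECTED_RANGES:
        if v[:2] == parse_version(branch)[:2]:
            affected = parse_version(first) <= v < parse_version(fixed)
            return {
                "version": version,
                "branch_listed": True,
                "affected": affected,
                "fixed_in": fixed,
            }
    # Branch not on the page: the page gives no information about it, so we
    # neither flag it nor declare it safe.
    return {"version": version, "branch_listed": False, "affected": False, "fixed_in": None}


if __name__ == "__main__":
    found = version_from_tmsh_output(SAMPLE_TMSH_OUTPUT)
    print("detected version:", found)
    print(assess(found))
    for sample in ["17.5.1.2", "17.5.1.3", "15.1.10.7", "15.1.10.8", "14.1.5"]:
        print(sample, "->", assess(sample))
```

The check only tells you whether the installed release is inside a listed range; exploitability additionally requires APM to be provisioned with an access policy attached to a virtual server, and a version outside the listed branches is reported as "not listed" rather than "safe", because the page gives no information about those branches.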