Particle.news

F5 BIG-IP APM Vulnerability Upgraded to Pre‑Auth RCE as Attacks Hit Live Systems

Confirmed in-the-wild attacks with newly published IOCs make rapid patching urgent.

Overview

  • CISA, which added the flaw to its Known Exploited Vulnerabilities list Friday, warned that attackers are now targeting F5 BIG-IP Access Policy Manager systems on the open internet.
  • F5 revised its advisory to say an unauthenticated attacker can run code on BIG-IP APM when an access policy is configured on a virtual server. Systems in Appliance mode are also affected, and exposure is limited to the data plane.
  • CVE-2025-53521 is fixed in BIG-IP APM versions 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8, and organizations running earlier 17.5.x, 17.1.x, 16.1.x, or 15.1.x releases should upgrade to the listed builds.
  • F5 published indicators of compromise that include rogue files, file-hash or size mismatches, suspicious log entries and command outputs, and unusual outbound HTTP or HTTPS traffic marked as CSS with HTTP 201 responses.
  • Attackers are using the bug to plant webshells on unpatched devices, a risk heightened by more than 240,000 BIG-IP systems exposed online that administrators may now need to patch and forensically check for prior compromise.
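
To act on the fixed-version list above, the following added example (not from F5 or CISA) triages an inventory of BIG-IP APM version strings against the builds named in this overview. The hostnames and inventory are constructed, the function names are hypothetical, and branches not named above are reported as not listed rather than guessed.

```python
import re

# Fixed builds per branch, exactly as listed in the overview for CVE-2025-53521.
FIXED = {
    (17, 5): (17, 5, 1, 3),
    (17, 1): (17, 1, 3),
    (16, 1): (16, 1, 6, 1),
    (15, 1): (15, 1, 10, 8),
}

def parse_version(text):
    """Turn '16.1.6.1' into (16, 1, 6, 1); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,4}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def pad(version, width=5):
    """Right-pad with zeros so 17.1.3 and 17.1.3.0 compare as equal."""
    return version + (0,) * (width - len(version))

def triage(version_text):
    """Classify one version as fixed, upgrade, branch-not-listed or unparseable."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "branch-not-listed"  # the overview gives no fixed build here
    return "fixed" if pad(version) >= pad(fixed) else "upgrade"

def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {
    "apm-edge-01": "17.5.1.3",
    "apm-edge-02": "17.1.2.2",
    "apm-dc-01": "16.1.6",
    "apm-dc-02": "15.1.10.8",
    "apm-lab-01": "14.1.5.6",
    "apm-lab-02": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:10} {status}")
```

A "fixed" result only reflects the running version; a device that was exposed before it was upgraded still needs the compromise checks described above.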