F5 Reclassifies BIG-IP APM Bug as Critical RCE as In‑the‑Wild Attacks Unfold

CISA imposed a March 30 patch deadline for U.S. agencies.

Overview

  • F5 now says CVE-2025-53521 lets unauthenticated attackers run code on BIG-IP Access Policy Manager when an access policy is set on a virtual server.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog on Friday and told federal agencies to secure affected systems by March 30.
  • F5’s updated advisory reports webshell deployments on unpatched devices and lists indicators of compromise that include rogue files, telltale log entries, and outbound HTTP traffic labeled as CSS with 201 responses.
  • The vulnerability affects BIG-IP APM versions 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, and 15.1.0–15.1.10, with fixes in 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8.
  • The UK’s NCSC urged immediate patching and forensic checks, as Shadowserver counts more than 240,000 BIG-IP devices on the internet, raising risk to login gateways many workers use every day.
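An inventory triage sketch built from the version ranges listed above, added here as an example and not taken from F5 or CISA. It checks version strings only, not whether an access policy is set on a virtual server; the hostnames and the "below-fix" handling of builds that sit between a listed range and its fix are assumptions.

```python
# Added example (not F5 or CISA code). Version data is copied from the summary
# above; hostnames in the sample inventory are constructed.
AFFECTED = [
    # (first affected, last affected, fixed release)
    ("17.5.0", "17.5.1", "17.5.1.3"),
    ("17.1.0", "17.1.2", "17.1.3"),
    ("16.1.0", "16.1.6", "16.1.6.1"),
    ("15.1.0", "15.1.10", "15.1.10.8"),
]

def _key(version, width=4):
    """'15.1.10' -> (15, 1, 10, 0); numeric so that 15.1.10 sorts above 15.1.9."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (width - len(parts))

def classify(version):
    """Return (status, fixed_release) for one BIG-IP version string."""
    try:
        v = _key(version)
    except ValueError:
        return ("unparseable", None)
    for first, last, fixed in AFFECTED:
        lo, hi, fx = _key(first), _key(last), _key(fixed)
        if v[:2] != lo[:2]:
            continue  # different release branch
        if v >= fx:
            return ("fixed", fixed)
        if lo <= v <= hi:
            return ("affected", fixed)
        if v > hi:
            # Assumption: builds between the listed range and the fix are unpatched.
            return ("below-fix", fixed)
    return ("not-listed", None)

def triage(inventory):
    """Hosts that need attention, as (host, version, status, fixed_release)."""
    rows = [(h, v) + classify(v) for h, v in inventory]
    return [r for r in rows if r[2] in ("affected", "below-fix", "unparseable")]

if __name__ == "__main__":
    sample = [("vpn-gw-01", "17.5.1"), ("vpn-gw-02", "17.5.1.3"),
              ("vpn-gw-03", "15.1.9"), ("vpn-gw-04", "16.1.6")]
    for row in triage(sample):
        print(*row, sep="\t")
```

Hosts reported as "unparseable" need a manual check, since a version string the script cannot read is not evidence of a patched device.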