Critical RCE vulnerability in F5 BIG-IP APM, active exploitation
Summary
The NCSC issued an urgent advisory regarding CVE-2025-53521, a critical unauthenticated remote code execution vulnerability in F5 BIG-IP Access Policy Manager that is being actively exploited. All UK organisations using BIG-IP APM are urged to take immediate mitigation action including isolation, investigation for compromise, and patching to the latest version.
What changed
F5 has recategorised a previously disclosed vulnerability in BIG-IP APM as an unauthenticated RCE vulnerability (CVE-2025-53521). When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to remote code execution. F5 is aware of active exploitation in the wild. The NCSC is working to understand UK impact and potential cases of active exploitation affecting UK networks.
Organisations using BIG-IP APM must immediately: (1) isolate affected systems if possible and replace with fully up-to-date versions, (2) fully investigate for evidence of compromise using vendor Indicators of Compromise, (3) if compromised, report to NCSC via gov.uk/guidance/where-to-report-a-cyber-incident, (4) update to the latest patched version, (5) apply security hardening before re-enabling systems, and (6) perform continuous threat hunting. Systems should be erased and rebuilt if investigation is not possible. The NCSC recommends investigating for compromise regardless of when the system was last updated.
What to do next
- Isolate affected F5 BIG-IP APM systems immediately
- Investigate for compromise using F5 Indicators of Compromise (IoCs)
- Update to the latest patched version of BIG-IP APM
- Report any suspected compromise to NCSC via gov.uk/guidance/where-to-report-a-cyber-incident
- Perform continuous threat hunting activities
Source document (simplified)
Vulnerability affecting F5 BIG-IP APM
Organisations have been encouraged to take action against a vulnerability affecting F5 BIG-IP Access Policy Manager.
The NCSC is encouraging UK organisations to take immediate action to mitigate an unauthenticated remote code execution vulnerability affecting F5 BIG-IP Access Policy Manager (CVE-2025-53521). F5 BIG-IP APM is a common component, especially within large enterprises.
What has happened?
F5 has published an updated security advisory explaining that a previously disclosed vulnerability in BIG-IP APM has been recategorised as an unauthenticated remote code execution vulnerability:
CVE-2025-53521: When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).
Exploitation
F5 is aware of active exploitation of CVE-2025-53521 affecting BIG-IP APM.
The NCSC is working to fully understand UK impact and any potential cases of active exploitation affecting UK networks.
The NCSC recommends investigating for compromise on all affected products regardless of when the system was updated. F5 have published Indicators of Compromise.
Who is affected?
All organisations using BIG-IP APM are affected by this vulnerability.
What should I do?
The NCSC recommends following vendor best-practice advice to mitigate vulnerabilities. In this case, due to reports of in-the-wild exploitation, if you use an affected product, you should take these priority actions:
- Read the security advisory and Indicators of Compromise.
- If possible, isolate the affected system(s) and replace with a new, fully up-to-date system (NOTE: this may cause service outage).
- Fully investigate for evidence of compromise following the vendor guidance (an assured Cyber Incident Response provider can assist). Where this isn’t possible, the affected system should be erased/destroyed and rebuilt as new.
- If you believe you have been compromised, and are in the UK, you should report it and consider using an assured Cyber Incident Response provider. You can also report the compromise to the vendor to assist their investigation.
- Update to the latest version of the affected product.
- Apply any appropriate security hardening.
- Re-enable/reintroduce the affected system(s).
- Perform continuous threat hunting activities.
Further resources
The following NCSC guidance and services will help to secure systems:
- Find an assured Cyber Incident Response provider.
- Follow NCSC guidance including vulnerability management and preventing lateral movement.
- If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential cyber threats on your network. If you are already an Early Warning user, please check your MyNCSC portal.
- The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.
Published: 30 March 2026
Written for: Cyber security professionals, Large organisations
News type: Alert