
F5 BIG-IP RCE Vulnerability (CVE-2025-53521)

Source: CISA ICS-CERT Advisories
Published March 28th, 2026
Detected March 28th, 2026

Summary

CISA has issued a notice regarding a critical remote code execution (RCE) vulnerability (CVE-2025-53521) in F5 BIG-IP APM. The vulnerability has a CVSS score of 9.8 and is being actively exploited. Affected versions require immediate attention.

What changed

CISA has added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation of a critical Remote Code Execution (RCE) vulnerability in F5 BIG-IP APM. The vulnerability, rated CVSS 9.8, is reachable when a BIG-IP APM access policy is configured on a virtual server: specific malicious traffic sent to that virtual server can trigger RCE. Affected versions are specific releases within the 17.5, 17.1, 16.1, and 15.1 product lines.

Organizations running F5 BIG-IP APM with this configuration must review their systems immediately. Inclusion in the KEV catalog means exploitation has been observed, so patching or mitigation should not be deferred. Refer to the F5 Networks vendor advisory (K000156741) for precise version details and the recommended remediation steps.

What to do next

  1. Review F5 BIG-IP APM configurations for affected versions.
  2. Apply vendor-provided patches or implement mitigations as per F5 Networks advisory K000156741.
  3. Monitor systems for signs of exploitation.
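The first two steps amount to comparing each device's version against the affected ranges in the CVE record and confirming whether the APM-on-virtual-server threshold applies. The following is an added triage helper, not code from CISA or F5; the inventory it runs over is a constructed sample, and the "not-evaluated" result reflects the record's note that EoTS versions were not assessed.

```python
"""Triage helper: check BIG-IP version strings against the CVE-2025-53521 affected ranges."""

# Affected ranges exactly as listed in the CVE record: inclusive lower bound, exclusive upper bound.
AFFECTED_RANGES = [
    ("17.5.0", "17.5.1.3"),
    ("17.1.0", "17.1.3"),
    ("16.1.0", "16.1.6.1"),
    ("15.1.0", "15.1.10.8"),
]

# Constructed sample inventory (hypothetical hosts): version string, and whether an
# APM access policy is attached to a virtual server (the record's exposure threshold).
INVENTORY = {
    "bigip-edge-01": ("17.1.2.1", True),
    "bigip-edge-02": ("17.1.3", True),
    "bigip-lab-01": ("16.1.6", False),
    "bigip-legacy": ("14.1.5", True),
}


def parse_version(version: str) -> tuple:
    """Turn '17.1.3' into a zero-padded 4-tuple so that 16.1.6 sorts before 16.1.6.1."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version: str) -> str:
    """'affected', 'fixed' (evaluated branch, at or past the fix), or 'not-evaluated' (no listed branch)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_t, hi_t = parse_version(lo), parse_version(hi)
        if lo_t[:2] == v[:2]:  # same major.minor branch as this range
            return "affected" if lo_t <= v < hi_t else "fixed"
    return "not-evaluated"


def triage(inventory: dict) -> dict:
    """Map each host to an action, combining the version check with the APM threshold."""
    actions = {}
    for host, (version, apm_on_vs) in inventory.items():
        status = classify(version)
        if status == "affected":
            actions[host] = "patch-now" if apm_on_vs else "patch-affected-build"
        elif status == "not-evaluated":
            actions[host] = "eots-verify-with-vendor"
        else:
            actions[host] = "ok"
    return actions
```

A version that is affected but has no APM policy on a virtual server is still an affected build and should be patched; the threshold only changes the urgency.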

Source document (simplified)

Required CVE Record Information

CNA: F5 Networks

Description

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE 1 Total

- CWE-770: Allocation of Resources Without Limits or Throttling

CVSS 2 Total

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.8 | CRITICAL | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 9.3 | CRITICAL | 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |

Product Status

Versions 4 Total

Default Status: unknown

affected

  • affected from 17.5.0 before 17.5.1.3

  • affected from 17.1.0 before 17.1.3

  • affected from 16.1.0 before 16.1.6.1

  • affected from 15.1.0 before 15.1.10.8

Credits

  • F5 (finder)

References 1 Total

Authorized Data Publishers


CISA-ADP

Updated:

2026-03-28

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC 1 Total

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2025-10-15 |

KEV 1 Total

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521 (2026-03-27)

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CISA
Published: March 28th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: CVE-2025-53521

Who this affects

Applies to: Technology companies
Industry sector: 5112 Software & Technology
Activity scope: Network Security, Vulnerability Management
Threshold: BIG-IP APM access policy configured on a virtual server
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Vulnerability Management, Network Security
