14,000+ F5 BIG-IP APM Systems Still Exposed to Active RCE Exploits

The Shadowserver Foundation has revealed that more than 14,000 F5 BIG-IP Access Policy Manager (APM) instances remain exposed online, despite ongoing exploitation of a critical remote code execution (RCE) vulnerability tracked as CVE-2025-53521.

Background

  • Initial disclosure: October 2025, when F5 classified the flaw as a denial-of-service (DoS) issue.
  • Reclassification: March 2026, when F5 upgraded it to RCE after evidence of in-the-wild exploitation.
  • Severity: an attacker with no privileges on the device can gain remote code execution on an unpatched BIG-IP APM system, provided an access policy is configured on a virtual server. Because that is the stated precondition, inventory affected devices by which virtual servers carry an access policy, not merely by whether the APM module is provisioned.

Current Exposure

  • Shadowserver observes roughly 17,100 IP addresses with a BIG-IP APM fingerprint.
  • More than 14,000 of those still appear exposed to exploitation attempts (the figure counts fingerprinted IP addresses, not confirmed-vulnerable devices).
  • This is the picture even after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, which under Binding Operational Directive 22-01 required federal agencies to patch by March 31, 2026.

F5 Guidance

F5 has published indicators of compromise (IOCs) and urged defenders to:

  • Check disks, logs and shell (terminal) history against the published IOCs for signs of malicious activity.
  • Rebuild compromised systems from scratch rather than restoring them, since a UCS backup taken after the intrusion can carry the attacker's persistence back onto the rebuilt device.
  • Validate the configuration of any restored or rebuilt system against a known-good source before returning it to service.
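The last two points amount to a file-integrity check: snapshot a known-good copy of the configuration tree, then diff a live (or restored) tree against it and flag anything modified, added or missing, plus anything touched after the last known-good maintenance window. The script below is an added illustration of that workflow, not F5's tooling or the IOC list F5 published; the file names (bigip.conf, profile.conf, monitor.sh, cron.d), their contents and the timestamps are constructed sample data.

```python
"""Verify a config tree against a known-good SHA-256 manifest.

Added example, not F5's own tooling. The directory layout and file contents
below are constructed to show the technique; real IOC hunting should use the
indicators F5 published for this vulnerability.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> {sha256, size, mode} for every regular file under root.

    Symlinks are skipped so an attacker cannot satisfy the check by pointing a
    link at an untouched copy of the original file.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Diff the live tree under root against a known-good manifest."""
    current = build_manifest(root)
    findings = {"modified": [], "added": [], "missing": []}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            findings["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"] or actual["mode"] != expected["mode"]:
            findings["modified"].append(rel)
    findings["added"] = [rel for rel in current if rel not in manifest]
    return findings


def files_modified_since(root: Path, threshold_epoch: float) -> list:
    """Regular files whose mtime is at or after the given epoch time (sorted)."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink() and p.stat().st_mtime >= threshold_epoch
    )


def demo() -> dict:
    """Constructed scenario: snapshot a known-good tree, tamper with a copy, verify."""
    known_good_time = 1_700_000_000  # constructed 'last maintenance window' timestamp
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"
        live = Path(tmp) / "live"
        for root in (good, live):
            (root / "config").mkdir(parents=True)
            (root / "config" / "bigip.conf").write_text("ltm virtual vs_apm { }\n")
            (root / "config" / "profile.conf").write_text("apm profile access ap1 { }\n")
            (root / "monitor.sh").write_text("#!/bin/sh\necho ok\n")
            for p in root.rglob("*"):  # pin mtimes so the baseline predates the tampering
                os.utime(p, (known_good_time, known_good_time))
        manifest = build_manifest(good)
        # Tamper with the live copy: an edited script, a dropped file, a deleted config.
        (live / "monitor.sh").write_text("#!/bin/sh\necho ok\necho constructed-tamper\n")
        (live / "config" / "cron.d").write_text("* * * * * root constructed-tamper\n")
        (live / "config" / "profile.conf").unlink()
        findings = verify_tree(live, manifest)
        findings["recent"] = files_modified_since(live, known_good_time + 1)
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is built from a copy of the configuration that predates the exposure window (for example a UCS archive from before October 2025, extracted on a clean host), stored off-box, and compared against the rebuilt device before it is returned to service; a clean diff is necessary but not sufficient, since it says nothing about files the manifest never covered.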

Why It Matters

F5 is a Fortune 500 company serving 23,000+ customers, including 48 of the Fortune 50. BIG-IP vulnerabilities have historically been exploited by both nation-state and cybercrime groups to:

  • Breach corporate networks.
  • Hijack devices.
  • Deploy destructive malware.
  • Map internal infrastructure.
  • Steal sensitive data.

Final Thought

The persistence of 14,000+ exposed BIG-IP APM systems highlights the challenge of patch adoption in critical infrastructure. With active exploitation confirmed, any device that sat exposed while unpatched should be treated as potentially compromised: patching closes the door but does not evict an attacker who is already inside. Organizations must therefore hunt with F5's published IOCs, rebuild anything that shows signs of compromise, rotate the credentials and private keys that lived on the device, and apply the fix without delay.
