CISA Flags F5 BIG-IP APM Flaw as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog, confirming evidence of active exploitation against F5 BIG-IP Access Policy Manager (APM) systems.

Initially classified as a denial-of-service (DoS) issue, the flaw has now been reclassified as remote code execution (RCE) following new intelligence in March 2026.

What the Vulnerability Does

  • Condition: When a BIG-IP APM access policy is configured on a virtual server, malicious traffic can trigger RCE.
  • Severity: CVSS v4 score upgraded from 8.7 (DoS) to 9.3 (RCE).
  • Impact: Attackers can run arbitrary commands remotely, potentially compromising critical infrastructure.

Indicators of Compromise

F5 has published several forensic markers to help defenders assess compromise:

  • File anomalies: Unexpected changes in /usr/bin/umount or /usr/sbin/httpd.
  • Log entries: Local user access to iControl REST API from localhost, including attempts to disable SELinux.
  • Traffic patterns: HTTP 201 responses with CSS content-type disguising attacker activity.
  • Webshell activity: In-memory webshells observed, sometimes without file modifications.

Affected Versions

  • 17.5.0 – 17.5.1 (fixed in 17.5.1.3)
  • 17.1.0 – 17.1.2 (fixed in 17.1.3)
  • 16.1.0 – 16.1.6 (fixed in 16.1.6.1)
  • 15.1.0 – 15.1.10 (fixed in 15.1.10.8)

Federal agencies have until March 30, 2026 to apply patches.

Why This Matters

  • Reclassification risk: What looked like a DoS bug is now confirmed as RCE.
  • Active exploitation: Defenders are already seeing scanning and exploitation attempts.
  • Critical infrastructure exposure: BIG-IP appliances are widely deployed in enterprise and government networks.

Benjamin Harris, CEO of watchTowr, summarized the shift:

“Fast forward to today’s big ‘yikes’ moment: the situation has changed significantly. What we’re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation.”

Defensive Actions

  • Patch immediately: Upgrade to fixed versions listed above.
  • Audit logs and files: Look for anomalies in /usr/bin/umount, /usr/sbin/httpd, and REST API logs.
  • Monitor traffic: Watch for disguised CSS responses or suspicious HTTP 201 codes.
  • Harden systems: Restrict access to management interfaces and enforce SELinux policies.
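As an added example, not code from the article or from F5, here is a small Python triage script that applies the markers listed above: it scans log lines for localhost iControl REST access, SELinux-disable attempts and HTTP 201 responses carrying a text/css content type, and compares the two named binaries against a known-good SHA-256 baseline. The log line shapes and the stand-in file contents are constructed for illustration; real BIG-IP log formats differ, so the regexes are an assumption to adapt.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Regexes for the three log/traffic markers described above. The log line
# shapes they match are CONSTRUCTED for this example, not F5's actual formats.
INDICATORS = {
    "localhost-icontrol-rest": re.compile(r"\b(127\.0\.0\.1|localhost)\b.*?/mgmt/"),
    "selinux-disable-attempt": re.compile(r"setenforce\s+0\b|SELINUX=disabled", re.I),
    "http-201-css-response": re.compile(r'" 201 .*?\btext/css\b', re.I),
}
# Binaries F5 names as modification targets; compare them against a trusted baseline.
WATCHED_FILES = ("/usr/bin/umount", "/usr/sbin/httpd")

def scan_log_lines(lines):
    """Return (line_no, indicator) pairs for every line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_baseline(baseline, root="/"):
    """baseline: {abs_path: sha256 from a known-good system}; returns (path, problem)."""
    problems = []
    for abs_path, expected in baseline.items():
        p = Path(root) / abs_path.lstrip("/")
        if not p.is_file():
            problems.append((abs_path, "missing"))
        elif sha256_of(p) != expected:
            problems.append((abs_path, "hash-mismatch"))
    return problems

# Constructed sample lines: two benign, three matching the indicators.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /tmui/login.jsp HTTP/1.1" 200 text/html',
    'restjavad: user admin from 192.0.2.10 GET /mgmt/tm/sys/version',
    'restjavad: user root from 127.0.0.1 POST /mgmt/tm/util/bash',
    'restjavad: user root from localhost POST /mgmt/tm/util/bash cmd="setenforce 0"',
    '10.0.0.5 - - "POST /my.policy HTTP/1.1" 201 text/css',
]

def demo_baseline():
    """Baseline check on a temp tree with constructed stand-in binaries."""
    with tempfile.TemporaryDirectory() as root:
        files = {f: Path(root) / f.lstrip("/") for f in WATCHED_FILES}
        for p in files.values():
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"trusted bytes of " + p.name.encode())
        baseline = {f: sha256_of(p) for f, p in files.items()}
        before = check_baseline(baseline, root)            # nothing changed yet
        files["/usr/bin/umount"].write_bytes(b"tampered")  # simulate a modified binary
        return before, check_baseline(baseline, root)

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG))
    print(demo_baseline())
```

On a real appliance the baseline hashes must come from a trusted, same-version installation, and the regexes should be rewritten against the actual restjavad and access log formats before use.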

Final Thought

CVE-2025-53521 is a reminder that vulnerability classifications can change drastically as new intelligence emerges. What starts as a low-priority DoS issue can escalate into a critical RCE with active exploitation. Organizations running F5 BIG-IP APM must patch immediately and treat management interfaces as high-value targets.
