โ†Research
Researchf57 min read

CVE-2025-53521 lands in CISA's KEV catalog: F5 BIG-IP RCE under active exploitation

CISA added CVE-2025-53521 to the Known Exploited Vulnerabilities catalog on 27 March 2026 after confirming active exploitation of this CVSS 9.8 RCE in F5 BIG-IP. Affected versions span three major branches.

CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on 27 March 2026. The vulnerability is a remote code execution flaw in F5 BIG-IP, assigned a CVSS 3.1 base score of 9.8 and a CVSS 4.0 score of 9.3. It requires no authentication, no user interaction and no elevated privileges. Exploitation has been confirmed in the wild.

The KEV listing means this is no longer a theoretical risk. Threat actors are actively weaponising it.

What the vulnerability does

CVE-2025-53521 affects F5 BIG-IP systems where an Access Policy Manager (APM) access policy is configured on a virtual server. When that condition is met, an attacker can send specifically crafted traffic to the virtual server and achieve remote code execution at the system level.

F5 classified the root cause as CWE-770: Allocation of Resources Without Limits or Throttling. The NVD entry, sourced from F5's own SIRT team, confirms the attack vector is network-based with low complexity. No attack chain, no pre-existing foothold, no social engineering. The attacker sends traffic; the appliance executes code.

The CVSS 4.0 vector string tells the full story:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Every impact metric on the vulnerable system (VC, VI, VA) is high. Every barrier to exploitation is absent. This is as close to a worst-case scoring as the framework allows for a single-system vulnerability.
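Reading a CVSS 4.0 vector by eye is error-prone when you are triaging a batch of KEV entries. The following is an added example written for this post (not F5's, CISA's or FIRST's code) that parses the base-metric part of a CVSS 4.0 vector string, validates each metric against the values the specification allows, and reports which exploitation barriers are absent and which impact metrics are high. It does not implement the CVSS 4.0 scoring algorithm, only the vector grammar; threat, environmental and supplemental metrics are accepted and ignored.

```python
"""Parse a CVSS 4.0 vector string and flag why it scores as a worst case.

Added example for this post (not F5's or CISA's code). It implements
only the vector-string grammar, not the CVSS 4.0 scoring algorithm.
"""
import re

# Base metrics and their legal values, from the CVSS v4.0 specification.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector
    "AC": {"L", "H"},             # Attack Complexity
    "AT": {"N", "P"},             # Attack Requirements
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "P", "A"},        # User Interaction
    "VC": {"H", "L", "N"},        # Vulnerable system Confidentiality
    "VI": {"H", "L", "N"},        # Vulnerable system Integrity
    "VA": {"H", "L", "N"},        # Vulnerable system Availability
    "SC": {"H", "L", "N"},        # Subsequent system Confidentiality
    "SI": {"H", "L", "N"},        # Subsequent system Integrity
    "SA": {"H", "L", "N"},        # Subsequent system Availability
}

# The value of each exploitability metric that means "no barrier at all".
NO_BARRIER = {"AV": "N", "AC": "L", "AT": "N", "PR": "N", "UI": "N"}
VULNERABLE_IMPACTS = ("VC", "VI", "VA")
SUBSEQUENT_IMPACTS = ("SC", "SI", "SA")

METRIC_RE = re.compile(r"^([A-Z]+):([A-Za-z]+)$")


def parse_cvss4(vector: str) -> dict:
    """Return {metric: value} for the base metrics of a CVSS:4.0 vector.

    Raises ValueError for a wrong version prefix, a malformed or duplicated
    metric, an illegal value, or a missing base metric.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector: %r" % parts[0])
    metrics = {}
    for part in parts[1:]:
        m = METRIC_RE.match(part)
        if not m:
            raise ValueError("malformed metric %r" % part)
        name, value = m.groups()
        if name not in BASE_METRICS:
            # Threat (E), environmental (CR, MAV, ...) and supplemental
            # metrics are accepted but not interpreted here.
            continue
        if name in metrics:
            raise ValueError("duplicate metric %s" % name)
        if value not in BASE_METRICS[name]:
            raise ValueError("illegal value %s for %s" % (value, name))
        metrics[name] = value
    missing = set(BASE_METRICS) - set(metrics)
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(sorted(missing)))
    return metrics


def triage(vector: str) -> dict:
    """Summarise the exploitability barriers and impacts encoded in a vector."""
    metrics = parse_cvss4(vector)
    absent = [m for m, v in NO_BARRIER.items() if metrics[m] == v]
    full_vuln = all(metrics[m] == "H" for m in VULNERABLE_IMPACTS)
    subsequent = any(metrics[m] != "N" for m in SUBSEQUENT_IMPACTS)
    return {
        "absent_barriers": absent,                 # e.g. ["AV", "AC", "AT", "PR", "UI"]
        "no_preconditions": len(absent) == len(NO_BARRIER),
        "full_vulnerable_system_impact": full_vuln,
        "subsequent_system_impact": subsequent,
        # Unauthenticated, no interaction, total loss on the vulnerable
        # system, nothing scored beyond it: the post's "worst case for a
        # single-system vulnerability".
        "worst_case_single_system": len(absent) == len(NO_BARRIER)
        and full_vuln
        and not subsequent,
    }


if __name__ == "__main__":
    # The vector quoted in the post for CVE-2025-53521.
    print(triage("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"))
```

The `worst_case_single_system` flag is a convenient filter for a KEV feed: anything that sets it deserves the same treatment the post gives this CVE, before anyone has read the advisory.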

What is affected

The vulnerability spans three major BIG-IP branches and affects nearly every module in the product line. According to F5's advisory K000156741, the affected versions are:

  • 15.1.x: versions 15.1.0 through 15.1.10.8
  • 16.1.x: versions 16.1.0 through 16.1.6
  • 17.1.x: versions 17.1.0 through 17.1.3
  • 17.5.x: versions 17.5.0 through 17.5.1

The affected module list is extensive: APM, Advanced Firewall Manager, Advanced WAF, Analytics, Application Acceleration Manager, ASM, Carrier-Grade NAT, Container Ingress Services, DDoS Hybrid Defender, DNS, Edge Gateway, Fraud Protection Service, Global Traffic Manager, Link Controller, Local Traffic Manager, Policy Enforcement Manager, SSL Orchestrator, WebAccelerator and WebSafe.

That list covers essentially everything BIG-IP does. Any organisation running BIG-IP with an APM access policy on a virtual server, across any of those version ranges, is exposed.
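Checking an inventory against these ranges by hand is where mistakes creep in, because BIG-IP version strings carry a variable number of components (16.1.6 versus 15.1.10.8). The following is an added example for this post, not F5 tooling, that parses version strings into comparable tuples and checks them against the four ranges exactly as the post lists them (inclusive at both ends). The bounds are copied from the list above and should be confirmed against advisory K000156741 before anyone acts on the output; the inventory lines at the bottom are constructed sample data.

```python
"""Classify BIG-IP version strings against the affected ranges quoted in the post.

Added example, not F5 tooling. Ranges are copied from the post's list and
are treated as inclusive at both ends, as written; confirm them against
F5 advisory K000156741 before acting on the verdicts.
"""
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# (branch label, lowest affected, highest affected), inclusive, per the post.
AFFECTED_RANGES = [
    ("15.1.x", "15.1.0", "15.1.10.8"),
    ("16.1.x", "16.1.0", "16.1.6"),
    ("17.1.x", "17.1.0", "17.1.3"),
    ("17.5.x", "17.5.0", "17.5.1"),
]

AFFECTED = "affected: patch"
OLDER_UNLISTED = "older than every listed branch: treat as unevaluated, assume vulnerable"
UNLISTED = "outside listed ranges: verify against advisory"


def parse_version(text: str) -> Version:
    """'17.1.2' -> (17, 1, 2). BIG-IP builds may carry a fourth component ('15.1.10.8')."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised BIG-IP version %r" % text)
    return tuple(int(p) for p in parts)


def _key(v: Version) -> Version:
    # Pad to four components so that 16.1.6 compares equal to 16.1.6.0.
    return v + (0,) * (4 - len(v))


def affected_branch(version: str) -> Optional[str]:
    """Return the affected branch label for a version, or None if it is in no listed range."""
    v = _key(parse_version(version))
    for branch, low, high in AFFECTED_RANGES:
        if _key(parse_version(low)) <= v <= _key(parse_version(high)):
            return branch
    return None


def triage_inventory(hosts: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to a verdict string.

    Versions below the oldest listed branch (15.1) are flagged separately:
    the post says F5 has not evaluated End of Technical Support releases and
    that they should be assumed vulnerable. Which branches are past EoTS is
    an assumption the reader must confirm with F5's lifecycle page.
    """
    oldest = _key(parse_version(AFFECTED_RANGES[0][1]))[:2]
    verdicts = {}
    for host, version in hosts:
        branch = affected_branch(version)
        if branch:
            verdicts[host] = "%s (%s)" % (AFFECTED, branch)
        elif parse_version(version)[:2] < oldest:
            verdicts[host] = OLDER_UNLISTED
        else:
            verdicts[host] = UNLISTED
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("lb-edge-01", "17.1.2"), ("lb-edge-02", "17.5.1"),
              ("lb-legacy", "14.1.5"), ("lb-lab", "17.5.2")]
    for host, verdict in triage_inventory(sample).items():
        print(host, "->", verdict)
```

Feeding it the output of your CMDB or of `tmsh show sys version` across the fleet gives a patch list in one pass; the interesting rows are the ones that come back unlisted, because those are the devices nobody has a clear answer for.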

Why BIG-IP vulnerabilities are different

A remote code execution vulnerability in a web application is serious. A remote code execution vulnerability in a BIG-IP appliance is structurally worse, for reasons that go beyond the CVSS score.

BIG-IP devices occupy a privileged position in network architecture. They sit at the perimeter, terminating SSL/TLS connections, performing load balancing, enforcing access policies and inspecting traffic before it reaches backend systems. An attacker who achieves code execution on a BIG-IP instance does not merely own one device. They gain access to a platform that can:

  • Decrypt TLS traffic in transit
  • Access stored SSL certificates and private keys
  • Read and modify HTTP request and response bodies
  • Harvest credentials passing through authentication proxies
  • Pivot into internal networks that the appliance bridges

These are not theoretical capabilities. They are the appliance's normal operating functions. Compromise turns them from defensive tools into offensive ones.

The architecture also creates a monitoring blind spot. BIG-IP appliances typically do not run endpoint detection and response agents. They generate logs, but those logs are often shipped to a SIEM that is tuned for application-layer events, not for detecting code execution on the appliance itself. Mandiant's research into the BRICKSTORM backdoor campaigns documented this problem in detail: the average dwell time on compromised edge appliances was 393 days precisely because detection tooling does not cover them.

The UNC5221 context

This vulnerability arrives in a threat landscape that has already been shaped by the F5 source code breach. In October 2025, F5 disclosed that UNC5221, a China-nexus threat actor, had maintained persistent access to F5's internal network for over twelve months. The attackers stole BIG-IP source code across all modules, information about undisclosed vulnerabilities and internal engineering documentation.

CISA issued Emergency Directive ED-26-01 in response, the first emergency directive triggered by a vendor source code theft rather than active exploitation. F5's subsequent quarterly security advisory disclosed 44 vulnerabilities, 27 rated High, as the company attempted to patch flaws the attackers already knew about.

I covered the full scope of that breach in a previous post on the UNC5221 source code theft. The relevant point here is that a nation-state adversary has had access to BIG-IP source code for months. Whether CVE-2025-53521 was among the undisclosed vulnerabilities stolen in that breach is unknown. But the possibility that it was, and that the active exploitation CISA has now confirmed is connected to that stolen knowledge, cannot be dismissed.

The timeline is suggestive. CVE-2025-53521 was published on 15 October 2025, the same day as the source code theft disclosure. It was last modified on 27 March 2026, the day CISA added it to the KEV catalog. Five months elapsed between disclosure and confirmed exploitation. That is a long window, but it is also consistent with the operational tempo observed in UNC5221 campaigns: patient, measured and strategically timed.

BOD 22-01 and the federal mandate

CISA's Binding Operational Directive 22-01 requires all Federal Civilian Executive Branch agencies to remediate known exploited vulnerabilities within timeframes set by CISA. For critical-severity vulnerabilities like CVE-2025-53521, the typical deadline is 15 days from the KEV listing date.

That deadline is not optional. Agencies running affected BIG-IP versions must either patch or remove the affected systems from their networks. The practical challenge is that BIG-IP appliances often underpin critical services: authentication gateways, load balancers for high-availability clusters, SSL offload for web application stacks. Taking them offline for patching is not trivial. It requires maintenance windows, failover testing and coordination with application teams.

This creates the gap that attackers exploit. The vulnerability is public, exploitation is confirmed and defenders need time that the adversary has already used.

What to do

Organisations running F5 BIG-IP should treat this as an immediate priority regardless of whether they fall under BOD 22-01.

Patch. F5's advisory K000156741 identifies the fixed versions for each branch. Upgrade to 15.1.10.8, 16.1.6, 17.1.3 or beyond 17.5.1, depending on your deployment. If you are running versions that have reached End of Technical Support, F5 has not evaluated them: assume they are vulnerable and plan migration.

Audit APM configurations. The vulnerability is conditional on an APM access policy being configured on a virtual server. Identify which virtual servers have APM policies attached. Those are your exposure surface.

Restrict management access. Ensure BIG-IP management interfaces are not exposed to the internet. This should already be the case, but CISA's ED-26-01 guidance from October 2025 found that many federal deployments had management ports accessible from untrusted networks.

Hunt for indicators. If patching is delayed, look for anomalous behaviour on BIG-IP appliances: unexpected processes, unusual outbound connections, modifications to configuration files. The detection gap on these devices is real, but basic file integrity monitoring and network flow analysis can surface the most obvious indicators.

Review the BRICKSTORM indicators. Mandiant released detection guidance and a scanner tool for the BRICKSTORM backdoor following the source code theft. If your BIG-IP appliances were unpatched during the period between October 2025 and now, the possibility of pre-existing compromise is not academic.
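The "audit APM configurations" step above is the one most teams do by scrolling through the GUI. The following is an added example for this post, not F5 code, that does it from two iControl REST listings: the virtual servers with their profile subcollection expanded, and the APM access profiles. A virtual server is in scope when one of its attached profiles is an APM access profile. The JSON shapes are an assumption modelled on the `/mgmt/tm/ltm/virtual?expandSubcollections=true` and `/mgmt/tm/apm/profile/access` responses, and both documents below are constructed sample data rather than output from a real device; swap in the real responses to run it against your own inventory.

```python
"""List BIG-IP virtual servers that carry an APM access profile.

Added example for this post, not F5 code. Input shapes are assumed from
iControl REST (GET /mgmt/tm/ltm/virtual?expandSubcollections=true and
GET /mgmt/tm/apm/profile/access); the documents here are constructed.
"""
import json
from typing import Dict, List

# Constructed sample: two virtual servers, one with an access profile attached.
VIRTUALS_JSON = """
{"kind": "tm:ltm:virtual:virtualcollectionstate", "items": [
  {"name": "vs_portal", "fullPath": "/Common/vs_portal",
   "destination": "/Common/203.0.113.10:443",
   "profilesReference": {"isSubcollection": true, "items": [
     {"fullPath": "/Common/http", "context": "all"},
     {"fullPath": "/Common/clientssl", "context": "clientside"},
     {"fullPath": "/Common/portal_access", "context": "all"}]}},
  {"name": "vs_api", "fullPath": "/Common/vs_api",
   "destination": "/Common/203.0.113.11:443",
   "profilesReference": {"isSubcollection": true, "items": [
     {"fullPath": "/Common/http", "context": "all"},
     {"fullPath": "/Common/tcp", "context": "all"}]}}
]}
"""

# Constructed sample: one attached access profile, one defined but unused.
ACCESS_PROFILES_JSON = """
{"kind": "tm:apm:profile:access:accesscollectionstate", "items": [
  {"name": "portal_access", "fullPath": "/Common/portal_access"},
  {"name": "unused_access", "fullPath": "/Common/unused_access"}
]}
"""


def access_profile_paths(access_profiles: dict) -> set:
    """Full paths of every APM access profile defined on the device."""
    return {item["fullPath"] for item in access_profiles.get("items", [])}


def virtuals_with_apm(virtuals: dict, access_profiles: dict) -> List[Dict]:
    """Return the virtual servers whose profile list includes an access profile."""
    apm = access_profile_paths(access_profiles)
    exposed = []
    for vs in virtuals.get("items", []):
        # profilesReference.items is only present when subcollections were expanded.
        attached = {p["fullPath"]
                    for p in vs.get("profilesReference", {}).get("items", [])}
        hits = sorted(attached & apm)
        if hits:
            exposed.append({"virtual": vs["fullPath"],
                            "destination": vs.get("destination"),
                            "access_profiles": hits})
    return exposed


def audit(virtuals_json: str = VIRTUALS_JSON,
          access_json: str = ACCESS_PROFILES_JSON) -> List[Dict]:
    """Parse both documents and return the exposure list."""
    return virtuals_with_apm(json.loads(virtuals_json), json.loads(access_json))


if __name__ == "__main__":
    for entry in audit():
        print(entry["virtual"], entry["destination"], ",".join(entry["access_profiles"]))
```

The result is the exposure surface the post describes: the virtual servers in that list are the ones to patch first, and the ones whose management and data-plane logs deserve the closest look while a maintenance window is being negotiated.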

The pattern that repeats

F5 BIG-IP has been here before. CVE-2020-5902, CVE-2021-22986, CVE-2022-1388, CVE-2023-46747. Each one was a critical vulnerability in a network appliance that sits in the most privileged position in the architecture. Each one was exploited in the wild. Each one forced the same uncomfortable conversation about how to patch a device that everything depends on.

CVE-2025-53521 is the latest entry in a series that shows no signs of ending. The underlying problem is architectural: organisations continue to place devices with vast implicit trust at their network boundaries and then struggle to maintain them with the urgency that their position demands. The source code theft makes this harder. An adversary with the blueprints does not need to wait for a CVE to find exploitable flaws.

The question for defenders is not whether the next BIG-IP vulnerability will arrive. It is whether the infrastructure will be ready to absorb the patch when it does.
