Severity
High
Analysis Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed vulnerability affecting F5 BIG-IP systems, tracked as CVE-2025-53521, to its Known Exploited Vulnerabilities (KEV) catalog. Officially listed on March 27, 2026, the vulnerability carries a federal remediation deadline of March 30, 2026. This inclusion signals that threat actors are actively leveraging the flaw in real-world attacks, highlighting the urgency for organizations using BIG-IP devices to take immediate protective measures.
CVE-2025-53521 is an unspecified flaw within F5 BIG-IP Access Policy Manager (APM) that could enable remote code execution (RCE). Although technical details remain limited, the vulnerability is considered high risk due to its potential for unauthenticated or low-complexity exploitation. Given the widespread deployment of BIG-IP devices across enterprise and government networks, the flaw poses a significant threat to network security and operational integrity.
Historically, F5 BIG-IP vulnerabilities have been targeted by both financially motivated attackers and state-sponsored actors. Exploiting these systems can provide high-level control over critical network infrastructure, enabling post-compromise activities such as lateral movement, data exfiltration, and manipulation of authentication or traffic management systems. The KEV catalog listing underscores the real-world exploitation potential, even though no confirmed ransomware or specific actor attribution has yet been reported.
CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply vendor-provided mitigations immediately or discontinue the use of affected systems if patches or workarounds are unavailable, in line with Binding Operational Directive (BOD) 22-01. Organizations are strongly advised to follow official F5 guidance, monitor logs for unusual administrative activity, enforce strict access controls, and implement network segmentation. Given the strategic position of BIG-IP devices within enterprise networks, proactive defense and rapid remediation are critical to minimizing exposure to compromise.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-53521
Remediation
- Apply F5’s official patches to affected BIG-IP APM systems immediately.
- If patches or workarounds are unavailable, take affected devices offline or isolate them from critical networks.
- Review logs for unusual administrative actions, unauthorized configuration changes, or abnormal network traffic.
- Segment BIG-IP systems from sensitive internal networks to limit exposure.
- Ensure only authorized personnel have administrative access and enforce strong authentication.
- Use intrusion detection and security monitoring tools to identify early signs of compromise.
- Update incident response plans to quickly address potential exploitation.
- Track new public disclosures or exploit techniques related to this vulnerability.
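As an added illustration of the log-review and monitoring items above (not part of the advisory and not F5's own tooling), the following script flags successful configuration changes in BIG-IP tmsh-style audit lines that come from a non-allow-listed account, fall outside a maintenance window, or touch auth, APM or system objects. The sample lines, the log format, the allow-list and the maintenance window are all assumptions constructed for this example.

```python
import re

# Constructed sample lines in the style of a BIG-IP tmsh audit log (format assumed);
# they are not taken from the advisory or from any real device.
SAMPLE_AUDIT = [
    "Mar 27 02:14:09 bigip1 notice tmsh[4412]: 01420002:5: AUDIT - pid=4412 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual",
    "Mar 27 02:15:31 bigip1 notice tmsh[4418]: 01420002:5: AUDIT - pid=4418 user=svc_backup folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user webops partition-access add { all-partitions { role admin } }",
    "Mar 27 02:16:02 bigip1 notice tmsh[4421]: 01420002:5: AUDIT - pid=4421 user=webops folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify apm profile access prod-apm",
    "Mar 27 11:40:55 bigip1 notice tmsh[5100]: 01420002:5: AUDIT - pid=5100 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm pool web-pool members add { 10.0.0.9:80 }",
]

AUDIT_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d \S+ .*?AUDIT - .*?user=(?P<user>\S+) "
    r".*?status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*)$"
)
CHANGE_VERBS = ("create", "modify", "delete", "save", "load", "run")
ALLOWED_ADMINS = {"admin"}                      # assumed allow-list of change-authorised accounts
MAINT_WINDOW = range(9, 18)                     # assumed hours during which changes are expected
SENSITIVE_PREFIXES = ("auth ", "apm ", "sys ")  # account, APM and system objects


def review_audit(lines, allowed=ALLOWED_ADMINS, window=MAINT_WINDOW):
    """Return one finding per successful configuration change that needs a second look."""
    findings = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m or m["status"] != "Command OK":
            continue                        # unparsable or failed commands are not config changes
        cmd = m["cmd"].strip()
        verb, _, rest = cmd.partition(" ")
        if verb not in CHANGE_VERBS:
            continue                        # read-only commands such as list/show are ignored
        reasons = []
        if m["user"] not in allowed:
            reasons.append("change by non-allow-listed account")
        if int(m["hour"]) not in window:
            reasons.append("change outside maintenance window")
        if rest.startswith(SENSITIVE_PREFIXES):
            reasons.append("touches auth/apm/sys configuration")
        if reasons:
            findings.append({"user": m["user"], "cmd": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_audit(SAMPLE_AUDIT):
        print(f["user"], "|", f["cmd"], "|", "; ".join(f["reasons"]))
```

On the sample input the routine pool change by the allow-listed account during the day is ignored, while the off-hours account creation and the APM profile change by the newly created account are both reported.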