CISA Warns about Active Exploitation of F5 BIG-IP Vulnerability (CVE-2025-53521)

CISA added a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities catalog on Friday, based on evidence of ongoing exploitation. Tracked as CVE-2025-53521, successful exploitation of the vulnerability could allow a threat actor to achieve remote code execution. CISA urges users to patch the vulnerability before March 30, 2026.

F5 BIG-IP Access Policy Manager (APM) is a flexible, high-performance access management solution from F5 Networks. It acts as a secure proxy to control and enforce unified access policies for users, devices, applications, networks, cloud resources, and APIs across remote, mobile, LAN, web, and virtual environments.

Vulnerability Details

The vulnerability has a critical severity rating with a CVSSv4.0 score of 9.3. The vendor's advisory states that when a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic sent to that virtual server can allow an attacker to achieve remote code execution.

The vendor initially addressed the vulnerability in October 2025, when it was classified as a denial-of-service issue. In March 2026 the vendor updated the advisory to acknowledge active exploitation and the remote code execution impact.

F5 has also published indicators of compromise (IoCs) to help determine whether a system has already been compromised (the version table below, not the IoCs, tells you whether a system is vulnerable). The IoCs fall into four categories; some of them are listed below:

  1. Files on disk
  • Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
  • Mismatch of file hashes when compared to known-good versions of /usr/bin/umount and/or /usr/sbin/httpd.
  2. Log entries
  • /var/log/restjavad-audit.<NUMBER>.log

[ForwarderPassThroughWorker{"user": "local/f5hubblelcdadmin", "method": "POST", "uri": "http://localhost:8100/mgmt/tm/util/bash", "status":200, "from": "Unknown"}

This entry shows the local f5hubblelcdadmin account calling the iControl REST API from localhost; /mgmt/tm/util/bash is the endpoint that executes shell commands on the device, so any such call that administrators cannot account for should be treated as suspicious.

  • /var/log/auditd/audit.log.<NUMBER>

msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This entry records SELinux being switched from enforcing to permissive mode (setenforce 0); seen together with the REST API activity above, it indicates the attacker disabling SELinux on the device.

  3. Command output
  • lsof -n

The output of this command contains entries for /run/bigtlog.pipe, meaning a running process currently has that pipe open.

  4. TTPs
  • Defenders may observe HTTP/S traffic originating from the BIG-IP system that carries HTTP 201 response codes with a CSS Content-Type, used to disguise the attacker's traffic as ordinary web content.
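The first three IoC categories can be checked directly from the BIG-IP shell. The script below is an added editor's example, not F5's or Qualys's tooling: each check prints what it found and returns 0 when clean and 1 when an IoC matches, so the functions can also be sourced individually. The file and log paths are the ones the advisory names; the reference hashes (GOOD_UMOUNT_SHA256, GOOD_HTTPD_SHA256) must be supplied from a pristine BIG-IP of the same version, and the sample log lines written by write_samples are constructed for offline testing, modelled on the entries quoted above.

```shell
#!/bin/sh
# Added triage script for the K000156741 IoCs listed above (editor's example,
# not F5's or Qualys's tooling). Run on the BIG-IP as root:
#     GOOD_UMOUNT_SHA256=... GOOD_HTTPD_SHA256=... sh f5_apm_ioc_check.sh run
# Every check returns 0 when clean and 1 when an IoC matches.

# IoC 1a: attacker artefacts on disk (/run/bigtlog.pipe, /run/bigstart.ltm).
check_artifacts() {
    hit=0
    for p in "$@"; do
        if [ -e "$p" ]; then
            echo "IOC: file present: $p"
            hit=1
        fi
    done
    return $hit
}

# Portable SHA-256: sha256sum on BIG-IP/Linux, shasum elsewhere.
sha256_of() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# IoC 1b: hash of a binary versus a known-good value taken from a pristine
# BIG-IP of the same version (never from the suspect system itself).
check_hash() {   # check_hash <path> <expected-sha256>
    [ -n "${2:-}" ] || { echo "skip: no reference hash supplied for $1"; return 0; }
    [ -e "$1" ] || { echo "skip: $1 not present"; return 0; }
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "IOC: hash mismatch for $1 (got $actual, expected $2)"
        return 1
    fi
    return 0
}

# IoC 2a: restjavad audit entries where the local f5hubblelcdadmin account
# POSTs to /mgmt/tm/util/bash, the iControl REST endpoint that runs shell
# commands. Prints the matching lines so they can be reviewed.
check_rest_audit() {   # check_rest_audit <restjavad-audit log>
    pat='"user": *"local/f5hubblelcdadmin".*"method": *"POST".*/mgmt/tm/util/bash'
    n=$(grep -c -E -e "$pat" "$1" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "IOC: $n util/bash call(s) by f5hubblelcdadmin in $1:"
        grep -E -e "$pat" "$1"
        return 1
    fi
    return 0
}

# IoC 2b: auditd record of SELinux being switched to permissive (enforcing=0).
check_selinux_audit() {   # check_selinux_audit <auditd log>
    n=$(grep -c 'received setenforce notice (enforcing=0)' "$1" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "IOC: SELinux set to permissive $n time(s) in $1"
        return 1
    fi
    return 0
}

# IoC 3: a running process holding /run/bigtlog.pipe open.
check_lsof() {
    command -v lsof >/dev/null 2>&1 || { echo "skip: lsof not available"; return 0; }
    if lsof -n 2>/dev/null | grep '/run/bigtlog.pipe'; then
        echo "IOC: a process has /run/bigtlog.pipe open (see lines above)"
        return 1
    fi
    return 0
}

# Run every check against the paths named in the advisory; exit 1 on any hit.
run_all() {
    rc=0
    check_artifacts /run/bigtlog.pipe /run/bigstart.ltm || rc=1
    check_hash /usr/bin/umount "${GOOD_UMOUNT_SHA256:-}" || rc=1
    check_hash /usr/sbin/httpd "${GOOD_HTTPD_SHA256:-}" || rc=1
    for f in /var/log/restjavad-audit.*.log; do check_rest_audit "$f" || rc=1; done
    for f in /var/log/auditd/audit.log*; do check_selinux_audit "$f" || rc=1; done
    check_lsof || rc=1
    if [ $rc -eq 0 ]; then echo "no K000156741 IoCs found"; else echo "IoCs found: isolate the device and follow the F5 advisory"; fi
    return $rc
}

# Constructed sample logs (modelled on the advisory's quoted entries, not real
# captures) so the log checks can be exercised on any host: write_samples <dir>
write_samples() {
    printf '%s\n' \
      '[ForwarderPassThroughWorker{"user": "local/f5hubblelcdadmin", "method": "POST", "uri": "http://localhost:8100/mgmt/tm/util/bash", "status":200, "from": "Unknown"}' \
      '[ForwarderPassThroughWorker{"user": "local/admin", "method": "GET", "uri": "http://localhost:8100/mgmt/tm/sys/version", "status":200, "from": "Unknown"}' \
      > "$1/restjavad-audit.0.log"
    printf '%s\n' 'type=AVC msg=audit(1700000000.000:42): avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' \
      > "$1/audit.log.1"
    printf '%s\n' '[ForwarderPassThroughWorker{"user": "local/admin", "method": "GET", "uri": "http://localhost:8100/mgmt/tm/sys/version", "status":200, "from": "Unknown"}' \
      > "$1/clean.log"
}

case "${1:-}" in
    run)  run_all ;;
    demo) d=$(mktemp -d); write_samples "$d"
          check_rest_audit "$d/restjavad-audit.0.log"
          check_selinux_audit "$d/audit.log.1"
          rm -rf "$d" ;;
esac
```

`sh f5_apm_ioc_check.sh demo` runs the two log checks over the constructed samples; `run` performs the real sweep and exits non-zero on any hit, which makes it usable from a fleet-wide job. The fourth IoC category (HTTP 201 responses with a CSS Content-Type leaving the BIG-IP) is not covered here because it needs network telemetry rather than host inspection. A hit from any check is an incident signal, not a patching prompt: preserve the device state and follow the remediation in the F5 advisory.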

Affected and Patched Versions

Product      Branch   Affected Versions    Patched Versions
BIG-IP APM   17.x     17.5.0 – 17.5.1      17.5.1.3
                      17.1.0 – 17.1.2      17.1.3
             16.x     16.1.0 – 16.1.6      16.1.6.1
             15.x     15.1.0 – 15.1.10     15.1.10.8

Customers can refer to the F5 security advisory for more information about the patches issued for this vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 385564 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References
https://my.f5.com/manage/s/article/K000156741
https://my.f5.com/manage/s/article/K000160486