The US cybersecurity agency CISA on Friday warned that threat actors have been exploiting a critical-severity F5 BIG-IP vulnerability in the wild.
Tracked as CVE-2025-53521 (CVSS score of 9.3), the flaw was publicly disclosed in October 2025 as a high-severity denial-of-service (DoS) issue, but was reclassified as a remote code execution (RCE) vulnerability last week.
F5 has updated its original advisory to reflect the bug’s severity, noting that attackers can exploit it on BIG-IP APM systems that have an access policy configured on a virtual server.
“This vulnerability allows an unauthenticated attacker to perform remote code execution. The BIG-IP system in Appliance mode is also vulnerable. This is a data plane issue; there is no control plane exposure,” F5 notes.
CVE-2025-53521 impacts BIG-IP APM versions 17.5.0 – 17.5.1, 17.1.0 – 17.1.2, 16.1.0 – 16.1.6, and 15.1.0 – 15.1.10, and was addressed in versions 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8.
“We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions. The original CVE remediation has been validated to address the RCE in the fixed versions,” F5 notes in its advisory.
On Friday, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days.
Simultaneously, F5 published indicators of compromise (IOCs) associated with the malicious activity targeting vulnerable BIG-IP systems.
These include the presence of rogue files, mismatches in file hashes, mismatches in file sizes or timestamps, and different file sizes and timestamps across releases and Engineering Hotfix (EHF) releases.
The presence of specific log entries and command outputs on vulnerable systems, as well as outbound HTTP/S traffic containing CSS content-type and HTTP 201 response codes, also indicates successful compromise.
Organizations of all types are advised to apply fixes for CVE-2025-53521 and to prioritize mitigations for all vulnerabilities in CISA’s KEV list.
Related: QNAP Patches Four Vulnerabilities Exploited at Pwn2Own
Related: CISA Adds iOS Flaws From Coruna Exploit Kit to KEV List
Related: Critical Quest KACE Vulnerability Potentially Exploited in Attacks
Related: Critical Langflow Vulnerability Exploited Hours After Public Disclosure
