PROBABLYPWNED
Vulnerabilities | March 29, 2026 | 3 min read

F5 BIG-IP Flaw Upgraded to RCE After Active Exploitation Confirmed

CISA added CVE-2025-53521 to its KEV catalog after F5 reclassified the BIG-IP APM vulnerability from DoS to remote code execution. CVSS 9.8—federal deadline is March 30.

Marcus Chen

A vulnerability in F5 BIG-IP Access Policy Manager that was originally classified as denial-of-service has been reclassified to remote code execution after new exploitation intelligence emerged this month. CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on March 27, giving federal agencies until March 30 to assess exposure and mitigate.

The Reclassification

F5 initially published an advisory for CVE-2025-53521 in October 2025, categorizing it as a denial-of-service vulnerability with a CVSS v4 score of 8.7. Based on "new information obtained in March 2026," the company has now upgraded the severity assessment to remote code execution with CVSS scores of 9.8 (v3.1) and 9.3 (v4.0).

The flaw affects the apmd process in BIG-IP APM. When an access policy is configured on a virtual server, specially crafted traffic can trigger arbitrary code execution without authentication. Systems running in Appliance mode are also vulnerable.

Affected Versions

BIG-IP Version        Patched In
17.5.0 - 17.5.1       17.5.1.3
17.1.0 - 17.1.2       17.1.3
16.1.0 - 16.1.6       16.1.6.1
15.1.0 - 15.1.10      15.1.10.8

Patches have been available since October 2025. Organizations that applied the original fixes are already protected—the vulnerability itself hasn't changed, only the understanding of its exploitability.

What Attackers Are Doing

Following the CISA KEV listing, security researchers have observed a sharp rise in scanning activity against /mgmt/shared/identified-devices/config/device-info, a BIG-IP iControl REST path that returns identifying details about the device, including its software version. This reconnaissance phase typically precedes exploitation attempts: it lets a scanner confirm that a host is BIG-IP and separate unpatched targets from patched ones before any exploit is sent.

F5 has documented indicators of compromise including:

  • Modifications to /usr/bin/umount and /usr/sbin/httpd
  • Suspicious entries in /var/log/restjavad-audit.[NUMBER].log
  • SELinux being disabled unexpectedly
  • Webshells operating in memory without disk artifacts
  • Changes to the sys-eicheck system integrity checker
  • Modifications to WebTop renderer PHP files

The memory-only webshell technique makes detection particularly challenging. Attackers are achieving code execution and establishing persistence without leaving traditional filesystem indicators.

Why This Matters

BIG-IP appliances sit at critical network boundaries, handling load balancing, SSL termination, and access control for enterprise applications. A pre-authentication RCE in the Access Policy Manager component means attackers can potentially compromise these devices without any credentials, then pivot into protected network segments.

This isn't the first time an edge appliance vulnerability has caught organizations off guard. The authentication bypass we covered in FortiGate appliances followed a similar pattern: initial classification at lower severity, then evidence of active exploitation forcing a reassessment. Network edge devices remain high-value targets precisely because they are often overlooked in patch cycles.

The tight federal deadline—just three days from the KEV listing—reflects CISA's assessment of active exploitation severity. Similar urgency accompanied recent CISA BOD 26-02 requirements around edge device security, suggesting the agency sees a pattern of network appliance compromises that demands faster remediation timelines.

Detection and Response

Organizations running BIG-IP APM should:

  1. Verify patch status: each branch should be running at least 17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8 (tmsh show sys version reports the running release)
  2. Review F5's IOC documentation for the specific file paths and log entries indicating compromise
  3. Audit which virtual servers have access policies attached, since that is the configuration that exposes the vulnerable apmd code path
  4. Monitor management access logs for requests to /mgmt/shared/identified-devices/config/device-info, the endpoint being targeted in current reconnaissance
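As an added example (not F5, CISA, or this article's own tooling), the following Python script covers steps 1 and 4 above, and the reconnaissance described earlier, in one place: it checks a reported BIG-IP version against the fixed releases from the version table in this article, and it flags requests to the targeted device-info endpoint in access-log lines. The log format it assumes is the Apache-style access log written by the BIG-IP management httpd; the sample lines are constructed for illustration, not captured from a real appliance.

```python
"""Triage helpers for CVE-2025-53521 exposure on BIG-IP APM.

Added example, not F5 or CISA tooling. Fixed versions come from the
advisory table reproduced in the article. The log lines below are
constructed; the assumed format is the Apache-style access log the
BIG-IP management httpd writes.
"""
import re
from typing import Optional

# Branch (major, minor) -> first fixed release, per the article's table.
FIXED_VERSIONS = {
    (17, 5): (17, 5, 1, 3),
    (17, 1): (17, 1, 3),
    (16, 1): (16, 1, 6, 1),
    (15, 1): (15, 1, 10, 8),
}

RECON_PATH = "/mgmt/shared/identified-devices/config/device-info"

# Apache-style access log: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(text: str) -> tuple:
    """'17.5.1' -> (17, 5, 1). Non-numeric trailing suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if len(parts) < 2:
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return tuple(parts)


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so 17.5.1 compares as 17.5.1.0 against 17.5.1.3."""
    return v + (0,) * (n - len(v))


def is_patched(version: str) -> Optional[bool]:
    """True if the running release is at or above its branch's fix, False if
    below, None if the branch is absent from the table (for example an
    end-of-support branch), which should be treated as exposed, not safe."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    n = max(len(v), len(fixed))
    return _pad(v, n) >= _pad(fixed, n)


def find_recon_hits(lines):
    """Return (client, timestamp, status) for every request to the
    device-info endpoint. Query strings are stripped before matching, and
    lines that do not parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path == RECON_PATH:
            hits.append((m.group("client"), m.group("ts"), int(m.group("status"))))
    return hits


# Constructed sample log; not from a real appliance.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Mar/2026:02:11:43 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 200 1432 "-" "python-requests/2.31"',
    '10.0.4.22 - admin [28/Mar/2026:02:12:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 811 "-" "curl/8.5"',
    '203.0.113.9 - - [28/Mar/2026:02:12:17 +0000] "GET /mgmt/shared/identified-devices/config/device-info?x=1 HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for v in ("17.5.1", "17.5.1.3", "16.1.6", "14.1.5"):
        print(f"{v:>10}: patched={is_patched(v)}")
    for client, ts, status in find_recon_hits(SAMPLE_LOG):
        print(f"recon probe from {client} at {ts} (HTTP {status})")
```

Feed is_patched the release shown by tmsh show sys version and find_recon_hits the management httpd access logs. A None result means the branch is not in the advisory table at all and should be handled as exposed, not as clean. Neither check detects the memory-resident webshells described above; for those, memory acquisition is still required.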

If compromise indicators are present, assume full device compromise and initiate incident response procedures. Given the memory-resident webshell techniques being used, forensic analysis will require memory acquisition rather than disk imaging alone.

For organizations that haven't patched since October, the window for pre-exploitation remediation has likely closed. The immediate priority is detection of existing compromise, followed by remediation and hardening.
