CISA has added a critical remote code execution vulnerability in F5 BIG-IP Access Policy Manager to its list of known exploited flaws. Originally dismissed as a denial-of-service issue, the vulnerability is now confirmed to be under active exploitation by unknown threat actors.
The Cybersecurity and Infrastructure Security Agency has officially updated its Known Exploited Vulnerabilities catalog to include a significant flaw affecting F5 BIG-IP Access Policy Manager. This security hole, identified as CVE-2025-53521, carries a critical severity rating due to its ability to allow unauthorized users to execute code remotely. The move by CISA signals that organizations using the affected hardware must prioritize patching to prevent potential network compromises.
Initial assessments of the vulnerability suggested it primarily caused system crashes or service disruptions, leading to a lower severity classification. However, new information surfaced in March 2026 that prompted F5 to re-evaluate the impact of the flaw. The company subsequently upgraded the risk level to critical after discovering that malicious traffic could be used to gain full control over the virtual servers where the access policy is configured.
Evidence of active exploitation has forced F5 to update its security advisories, confirming that attackers are already targeting vulnerable versions of the software. While the identity of those responsible for the attacks remains unknown, the methods used suggest a sophisticated approach to maintaining access. In some instances, attackers have deployed webshells that operate entirely within the system memory to avoid leaving a permanent footprint on the disk.
To help administrators identify compromised systems, F5 has released a series of technical indicators that suggest a breach may have occurred. These include the presence of unexpected pipe files and discrepancies in file hashes or timestamps for core system utilities like those used for mounting drives or managing web traffic. Discrepancies often indicate that the underlying system integrity tools have been tampered with to hide the attacker’s presence.
Additional warning signs involve unusual log entries showing local users accessing internal management APIs to disable security features like SELinux. Attackers are also reportedly masking their communications by using standard HTTP response codes and content types that blend in with legitimate web traffic. Organizations are urged to review these forensic markers and apply the latest security updates immediately to protect their infrastructure.
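The three indicator classes described above (unexpected named pipes, hash drift in core utilities, and local callers asking a management API to turn SELinux off) can be triaged with a small host-side script. The following is an added example written for this article, not F5's own tooling or the advisory's published indicator list: the file names, the baseline hashes, the log line layout, the `src=` field and the `/api/...` endpoint are all constructed for the demo, and the SELinux regex is a heuristic, not a real F5 log signature. It builds a throwaway directory, tampers with one file, creates a FIFO, and runs all three checks.

```python
"""Host-integrity triage helpers (added example; not F5's tooling).

Checks, in the order the article lists them:
  1. unexpected named pipes (FIFOs) under watched directories,
  2. SHA-256 drift of core utilities against a trusted baseline,
  3. log lines where a local caller asks a management API to disable SELinux.
All paths, hashes, endpoints and log lines are constructed for the demo.
"""
import hashlib
import os
import re
import stat
import tempfile
from typing import Dict, Iterable, List


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_fifos(roots: Iterable[str], allowlist: Iterable[str] = ()) -> List[str]:
    """Return named pipes under `roots` that are not on the operator's allowlist."""
    allowed = set(allowlist)
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:  # os.walk lists FIFOs among non-directory entries
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISFIFO(st.st_mode) and p not in allowed:
                    hits.append(p)
    return sorted(hits)


def verify_baseline(baseline: Dict[str, str]) -> List[dict]:
    """Compare each file's current hash with its trusted hash; report drift or absence."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append({"path": path, "issue": "missing"})
            continue
        actual = sha256_of(path)
        if actual != expected:
            findings.append({"path": path, "issue": "hash_mismatch",
                             "expected": expected, "actual": actual})
    return findings


# Heuristic (constructed log layout): a loopback/local source, a mention of SELinux,
# and a keyword that puts it into a disabled or permissive state, in that order.
SELINUX_DISABLE_RE = re.compile(
    r"src=(127\.0\.0\.1|::1|localhost)\b.*?\bselinux\b.*?"
    r"(disable|permissive|setenforce\s*0|enforcing=false)",
    re.IGNORECASE,
)


def find_selinux_disable_events(lines: Iterable[str]) -> List[str]:
    """Return log lines that match the local-caller SELinux-disable heuristic."""
    return [ln for ln in lines if SELINUX_DISABLE_RE.search(ln)]


def run_demo() -> dict:
    """Build constructed files, tamper with one, add a FIFO, and run all three checks."""
    tmp = tempfile.mkdtemp(prefix="integrity-demo-")
    good = os.path.join(tmp, "mount")   # stand-in for a drive-mounting utility
    bad = os.path.join(tmp, "httpd")    # stand-in for a web-traffic utility
    with open(good, "wb") as f:
        f.write(b"#!/bin/sh\necho original mount\n")
    with open(bad, "wb") as f:
        f.write(b"#!/bin/sh\necho original httpd\n")
    baseline = {good: sha256_of(good), bad: sha256_of(bad)}  # "trusted" hashes
    with open(bad, "ab") as f:                                # simulate tampering
        f.write(b"# injected\n")
    os.mkfifo(os.path.join(tmp, ".cache.pipe"))                # simulate an attacker FIFO
    logs = [  # constructed log lines, not a real F5 format
        "2026-03-10T10:01:02Z src=10.0.0.5 GET /api/status 200",
        "2026-03-10T10:03:44Z src=127.0.0.1 user=local POST /api/system/selinux body=enforcing=false 200",
        "2026-03-10T10:05:00Z src=127.0.0.1 user=local GET /api/version 200",
    ]
    return {
        "fifos": find_unexpected_fifos([tmp]),
        "hash_findings": verify_baseline(baseline),
        "selinux_events": find_selinux_disable_events(logs),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In production the baseline hashes would come from a known-good image rather than from the host being examined, and the FIFO allowlist would be populated from a clean reference system; the regex is only a starting point to be tuned against the real log format.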
Source: https://my.f5.com/manage/s/article/K000156741