Critical Vulnerability Under Active Exploitation in F5 BIG-IP APM (CVE-2025-53521)
Executive Summary
On March 28th, F5 published an advisory updating the severity of a previously reported vulnerability in BIG-IP APM (CVE-2025-53521) to a CVSS score of 9.8. Initially classified as a denial-of-service (DoS) vulnerability, the bug was found instead to be in active use for remote code execution (RCE). BIG-IP devices are commonly deployed on network perimeters, so a successful compromise can give threat actors initial access into an organization’s network.
The bug was initially reported in October 2025 along with a large number of other F5 product vulnerabilities exposed by an APT breach that we previously reported on. As predicted, threat actors appear to have used the stolen data to develop weaponized exploits and deploy them.
While no public proof of concept (PoC) exploit for CVE-2025-53521 is known at the time of writing, the vulnerability is already being actively exploited in the wild, as confirmed by its addition to the CISA KEV catalogue. Beazley Security strongly recommends that affected organizations apply the security fixes released by F5.
Affected Systems and Products
CVE-2025-53521 affects BIG-IP devices where Access Policy Manager (APM) has been enabled. For more details on that system see the product documentation.
Mitigations and Workarounds
No mitigations or workarounds aside from the security patches were reported for CVE-2025-53521.
Patches
Patches have been available for some time; review the table above for specific version numbers and the vendor advisory for guidance on applying upgrades.
Indicators of Compromise (IOCs)
F5 provided a detailed article documenting IOCs observed in an incident referenced by their CVE-2025-53521 advisory. We will summarize some of those here.
File Activity
- Presence of new files: /run/bigtlog.pipe and/or /run/bigstart.ltm
- Changes to existing files: /usr/bin/umount and/or /usr/sbin/httpd
Log Activity
- Log file: /var/log/restjavad-audit.<NUMBER>.log
  [ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}
- Log file: /var/log/auditd/audit.log.<NUMBER>
  msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
- Log file: /var/log/audit
  user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>
Command Output
- sys-eicheck: An integrity check application that was observed reporting failures for the files /usr/bin/umount and /usr/sbin/httpd mentioned above
- lsof -n: The common ‘list open files’ application was observed showing entries for the above mentioned /run/bigtlog.pipe file
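As an added example (not F5's or Beazley Security's tooling), the following Python script hunts for the file and log indicators summarized above. The file paths and the log fragments it matches on are those quoted in this advisory; the sample log lines, the record prefix on the auditd line, the known-good hash the caller supplies, and the function names are constructed for illustration. The root directory is a parameter so the same checks can run against a mounted image or an offline copy of a device's filesystem as well as a live system.

```python
"""Hunt for the CVE-2025-53521 indicators summarised in the advisory above.

Added example, not F5's or Beazley Security's tooling. File paths and log
fragments come from the advisory; the sample log lines are constructed, and
the auditd record prefix (type=... msg=audit(...)) is assumed, with only the
quoted msg='...' fragment taken from the advisory.
"""
from __future__ import annotations

import hashlib
import os
import re
from typing import Iterable

# New files whose presence is an indicator (from the advisory).
NEW_FILE_IOCS = ["/run/bigtlog.pipe", "/run/bigstart.ltm"]
# Existing binaries the advisory reports as modified; these always exist on a
# healthy device, so compare hashes against a known-good build instead.
MODIFIED_FILE_IOCS = ["/usr/bin/umount", "/usr/sbin/httpd"]

# Each pattern anchors on fragments quoted in the advisory. User, method, URI
# and cmd_data are combined so routine iControl REST / tmsh traffic by other
# accounts does not match.
LOG_PATTERNS = {
    "restjavad_bash_via_hubble_admin": re.compile(
        r'ForwarderPassThroughWorker.*"user":"local/f5hubblelcdadmin"'
        r'.*"method":"POST".*"uri":"http://localhost:8100/mgmt/tm/util/bash"'
    ),
    "selinux_set_permissive": re.compile(
        r"received setenforce notice \(enforcing=0\)"
    ),
    "tmsh_run_util_bash_as_hubble_admin": re.compile(
        r"user=f5hubblelcdadmin .*cmd_data=run util bash"
    ),
}

# Constructed sample input: three lines mirroring the advisory's indicators
# and two benign lines that must not match.
SAMPLE_LOG_LINES = [
    '[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST",'
    '"uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}',
    '[ForwarderPassThroughWorker{"user":"local/admin","method":"GET",'
    '"uri":"http://localhost:8100/mgmt/tm/sys/version","status":200,"from":"Unknown"}',
    "type=MAC_STATUS msg=audit(1700000000.000:42): msg='avc: received setenforce "
    'notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'',
    "user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] "
    "cmd_data=run util bash <CONSTRUCTED_COMMAND>",
    "user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual",
]


def scan_log_lines(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (indicator_name, line) for each line matching a known pattern."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        for name, pattern in LOG_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _under(root: str, path: str) -> str:
    # Map an absolute IOC path onto `root` ("/" for the live device, or the
    # mount point of an offline image).
    return os.path.join(root, path.lstrip("/"))


def new_files_present(root: str = "/") -> list[str]:
    """Which of the 'new file' indicators exist under root."""
    return [p for p in NEW_FILE_IOCS if os.path.exists(_under(root, p))]


def modified_binaries(expected_sha256: dict[str, str], root: str = "/") -> list[str]:
    """Binaries from MODIFIED_FILE_IOCS whose hash differs from the caller's
    known-good value, or which are missing. expected_sha256 is keyed by
    absolute path; the values must come from a trusted copy of the same
    BIG-IP version (assumed to be available to the analyst)."""
    mismatched = []
    for path in MODIFIED_FILE_IOCS:
        if path not in expected_sha256:
            continue
        full = _under(root, path)
        if not os.path.exists(full) or sha256_file(full) != expected_sha256[path]:
            mismatched.append(path)
    return mismatched


if __name__ == "__main__":
    for name, line in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"[{name}] {line}")
    print("new files present:", new_files_present())
```

In practice the log scan would be fed the rotated restjavad-audit and auditd files rather than the embedded samples, and a hash mismatch on umount or httpd should be confirmed with sys-eicheck and a look at what currently holds /run/bigtlog.pipe open before any remediation, so the evidence is preserved.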
Technical Details
No in-depth technical details of the vulnerability or proof-of-concept exploit code are known at time of writing.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.