March 30, 2026

F5 BIG-IP APM Remote Code Execution: CVE-2025-53521 Active Exploitation

CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on March 27, 2026, confirming active exploitation in the wild. This is a critical pre-authentication remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM) with a CVSS 4.0 score of 9.3.

Critical context: This vulnerability was initially disclosed on October 15, 2025 as a denial-of-service (DoS) flaw. On March 27, F5 reclassified it as a remote code execution vulnerability affecting the apmd process. This reclassification reflects new information about actual exploitation and fundamentally changes the threat profile. The original October patches remain valid and effective for organizations that deployed them immediately. However, many systems remain unpatched.

CISA has ordered federal civilian agencies to assess exposure and mitigate risks by March 30, 2026. This binding operational directive signals that exploitation is ongoing and imminent. Organizations must assume their F5 BIG-IP APM systems are being actively scanned and targeted.

Vulnerability Overview

CVE-2025-53521

  • CVE ID: CVE-2025-53521
  • CVSS 4.0 Score: 9.3 (Critical)
  • CVSS 3.1 Score: 9.8 (Critical)
  • CVSS 4.0 Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
  • Vulnerability Type: Unspecified vulnerability in apmd process; remote code execution when BIG-IP APM access policy configured
  • CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Affected Products: F5 BIG-IP Access Policy Manager (APM), all deployment modes including Appliance mode
  • Exploitation Status: Actively exploited in the wild (confirmed March 27, 2026)
  • Advisory: F5 K000156741, CISA KEV addition (March 27, 2026)

Affected Versions & Patches

CVE-2025-53521 affects BIG-IP APM versions 17.x, 16.x, and 15.x. F5 released patches in October 2025 (Quarterly Security Notification) and again in February 2026.

Vulnerable Versions

  • 17.5.0 to 17.5.1 and 17.1.0 to 17.1.2 should be patched to 17.1.0.4 and later
  • 16.1.0 to 16.1.6 should be patched to 16.1.4.3 and later
  • 15.1.0 to 15.1.10 should be patched to 15.1.10.2 and later

Organizations running these versions and configured with BIG-IP APM access policies are vulnerable.

Context: The Reclassification and What It Means

When CVE-2025-53521 was disclosed on October 15, 2025, F5 classified it as a denial-of-service vulnerability. In the security triage hierarchy, DoS flaws typically rank lower than RCE vulnerabilities. Many organizations likely deprioritized patching accordingly.

The reclassification changes this entirely. F5 now states: "Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE with CVSS scores of 9.8 (CVSS v3.1) and 9.3 (CVSS v4.0)."

What changed? New evidence of exploitation. The vulnerability does not affect the network as a whole—it specifically compromises the apmd process when a BIG-IP APM access policy is configured on a virtual server. Exploitation grants attackers root-level access to the underlying operating system.

This is a fundamental shift in severity. Attackers who exploit this vulnerability can:

  • Install persistent backdoors
  • Exfiltrate data and credentials
  • Intercept and modify traffic flowing through the appliance
  • Disable security controls and cover tracks
  • Pivot laterally into network segments behind the load balancer

Exploitation in the Wild

Evidence of Active Scanning

Defused Cyber confirmed "acute scanning activity" for vulnerable F5 BIG-IP devices following the KEV addition. "This actor is hitting /mgmt/shared/identified-devices/config/device-info which is a F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address," the firm reported.

This is reconnaissance activity; threat actors are actively identifying vulnerable systems on the internet.

Indicators of Compromise

F5 has published specific IOCs to detect compromise; they are included at the bottom of this post. Organizations should scan for these indicators immediately.

Why This Matters: BIG-IP's Central Position

F5 BIG-IP devices are not peripheral network appliances. They sit at critical junctures:

  • Access gateways for external-facing applications
  • Policy enforcement points for identity and access management
  • Traffic inspection and routing hubs
  • Credential and session token processors (when configured as APM)

A compromised BIG-IP appliance provides attackers with visibility into and control over all traffic flowing through the device. This is a high-leverage compromise point. From a compromised BIG-IP APM, attackers can:

  • Intercept and modify SSO tokens in transit
  • Capture credentials for downstream applications
  • Inject malicious policy decisions
  • Monitor all user activity flowing through the appliance
  • Move laterally into cloud services and SaaS platforms that trust the BIG-IP as their identity provider

Risk Assessment

Who Is At Risk

Direct risk: Any organization running F5 BIG-IP APM versions 15.x, 16.x, or 17.x that are:

  1. Internet-exposed or reachable from untrusted networks
  2. Configured with APM access policies
  3. Not patched to the fixed versions listed above

Indirect risk: Organizations using BIG-IP APM as an SSO gateway to cloud services. A compromised BIG-IP APM can serve as an authentication oracle for attackers gaining access to downstream SaaS applications.

Patching Challenges

BIG-IP systems handle production traffic with strict availability requirements. Organizations must:

  • Plan maintenance windows with minimal service impact
  • Test patches in non-production environments first
  • Implement redundancy to avoid service disruption
  • Coordinate with application teams dependent on APM policies

Despite these challenges, the urgency is absolute. CISA's 48-hour federal deadline reflects the real-time threat.

Detection and Monitoring

Pre-Exploitation Scanning

Monitor for reconnaissance activity:

  • Requests to /mgmt/shared/identified-devices/config/device-info from external IP ranges
  • Unusual frequency of API requests from non-standard sources
  • Attempts to enumerate BIG-IP configuration endpoints

Post-Exploitation Indicators

  • Unexpected processes spawned by apmd
  • New local user accounts created on the appliance
  • SSH key files added to root's .ssh/authorized_keys
  • Modifications to startup scripts
  • Unusual outbound connections from the BIG-IP appliance
  • Large amounts of data being exfiltrated from the appliance

Recommended Monitoring Approach

  1. Forward BIG-IP logs and audit trails to an external SIEM
  2. Create alerts for API endpoint access patterns (especially /mgmt/shared/identified-devices/config/device-info)
  3. Monitor system integrity using tools like AIDE or Tripwire if available
  4. Enable detailed audit logging on iControl REST API access
  5. Establish baseline network traffic patterns and alert on deviations
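The monitoring approach above can be exercised offline before it is wired into a SIEM. The Python script below is an added example (not code from the original post, from F5 or from Hadrian): it parses constructed access-log lines, counts requests per source IP to /mgmt/shared/identified-devices/config/device-info, and lists every /mgmt/ request whose source is outside the RFC1918 ranges or the admin ranges you pass in. The log layout (combined access-log style) and the burst threshold of more than five requests are assumptions chosen to mirror the Splunk query later in this post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a combined access-log layout. The field layout of
# the httpd/audit logs a real BIG-IP forwards is an assumption; adjust LINE_RE to
# the format your SIEM actually receives.
SAMPLE_LOG = "\n".join(
    [
        f'203.0.113.7 - - [27/Mar/2026:14:02:0{i} +0000] '
        '"GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" '
        '200 412 "-" "curl/7.88.1"'
        for i in range(6)
    ]
    + [
        '10.10.5.20 - admin [27/Mar/2026:14:05:10 +0000] '
        '"GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
        '10.10.5.20 - admin [27/Mar/2026:14:05:11 +0000] '
        '"GET /mgmt/tm/sys/global-settings HTTP/1.1" 200 1290 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [27/Mar/2026:14:06:00 +0000] '
        '"POST /mgmt/shared/icrs/session HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    ]
)

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

RECON_PATH = "/mgmt/shared/identified-devices/config/device-info"
THRESHOLD = 5  # same cut-off as `where count > 5` in the Splunk query

# Deliberately the explicit RFC1918 list rather than ipaddress.is_private: the
# latter also treats documentation ranges (e.g. 203.0.113.0/24) as private, and
# it keeps loopback untrusted so unexpected localhost API access is surfaced.
TRUSTED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_trusted_source(src: str, admin_ranges=()) -> bool:
    """True if src falls inside RFC1918 space or one of the given admin ranges."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    nets = list(TRUSTED_RANGES) + [ipaddress.ip_network(r, strict=False) for r in admin_ranges]
    return any(ip in net for net in nets)


def parse_log(text: str):
    """Yield one dict per line that matches LINE_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_recon(text: str, admin_ranges=()) -> dict:
    """Return device-info request bursts per source and /mgmt/ hits from untrusted sources."""
    counts = Counter()
    untrusted = []
    for rec in parse_log(text):
        if rec["path"] == RECON_PATH:
            counts[rec["src"]] += 1
        if rec["path"].startswith("/mgmt/") and not is_trusted_source(rec["src"], admin_ranges):
            untrusted.append({k: rec[k] for k in ("src", "method", "path", "status", "ua")})
    bursts = {src: n for src, n in counts.items() if n > THRESHOLD}
    return {"device_info_bursts": bursts, "untrusted_mgmt_requests": untrusted}


if __name__ == "__main__":
    result = find_recon(SAMPLE_LOG)
    for src, n in result["device_info_bursts"].items():
        print(f"ALERT device-info burst: {src} made {n} requests")
    for r in result["untrusted_mgmt_requests"]:
        print(f"ALERT untrusted /mgmt/ access: {r['src']} {r['method']} {r['path']} -> {r['status']} ({r['ua']})")
```

Bursts are counted regardless of source trust, so an internal host hammering the endpoint still shows up; the untrusted list is what you would feed to a block rule or ticket.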

Remediation Guidance

Immediate Actions (24-48 hour window)

  1. INVENTORY — Identify all F5 BIG-IP APM systems in your environment. Confirm which versions are running and whether APM access policies are configured.
  2. ASSESS EXPOSURE — Determine which systems are internet-reachable or accessible from untrusted networks. These are highest priority.
  3. PATCH — Upgrade to fixed versions immediately:
     • BIG-IP 17.x → 17.1.0.4 or later
     • BIG-IP 16.x → 16.1.4.3 or later
     • BIG-IP 15.x → 15.1.10.2 or later
  4. HUNT — Search for the IOCs published by F5 (suspicious files, log entries, modified binaries).

Short-Term Actions (this week)

  • Review audit logs for evidence of unauthorized API access or unusual iControl REST API activity
  • Check for new user accounts or SSH keys on affected systems
  • Verify integrity of critical system binaries
  • Monitor outbound connections for signs of data exfiltration

Long-Term Hardening

  • Restrict network access to BIG-IP management interfaces (port 443/HTTPS) to known admin IP ranges
  • Implement strict firewall rules limiting which systems can reach BIG-IP APM virtual servers
  • Enable multi-factor authentication for BIG-IP administrative access
  • Forward all logs to external SIEM with retention and alerting
  • Conduct forensic analysis on any systems showing IOC matches

If Compromise Is Confirmed

  • Immediately isolate the BIG-IP appliance from the network
  • Preserve evidence (memory dump, filesystem snapshots, logs)
  • Engage F5 support and incident response
  • Assume all credentials and tokens processed by the appliance since the compromise date have been exposed
  • Revoke and rotate credentials for all downstream systems (cloud services, SaaS platforms, internal applications)
  • Conduct broader network investigation for lateral movement

Threat Landscape Context

This vulnerability reflects a concerning trend: sophisticated threat actors targeting network infrastructure as a persistence layer. Benjamin Harris, CEO and founder of watchTowr, noted: "When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn't immediately signal urgency, and many system administrators likely prioritized it accordingly. Fast forward to today's big 'yikes' moment: the situation has changed significantly. What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That's a very different risk profile than what was initially communicated."

The reclassification is instructive. Initial severity assessments can be incomplete or based on limited exploitation data. As threat actors weaponize vulnerabilities and new techniques emerge, reclassifications reflect operational reality. Organizations should not rely on initial CVSS scores alone—they should monitor for reclassifications and adjust response timelines accordingly.

BIG-IP devices will continue to be targeted because they occupy privileged network positions and often sit on the boundary between internet-exposed services and internal infrastructure. This makes them attractive for initial access and lateral movement.

Recommended Actions — Priority Order

This is an active exploitation event. Patch within 24 hours if possible.

  1. DETECT — Complete the inventory steps above. Confirm which BIG-IP systems are vulnerable and exposed.
  2. HUNT — Search for F5 IOCs on all BIG-IP systems. Assume potential compromise for any systems matching indicators.
  3. PATCH — Upgrade to fixed versions with minimal delay. Plan maintenance windows if needed, but treat this as urgent.
  4. MONITOR — Implement the detection and monitoring approach above. Set alerts for anomalous API access and system modifications.
  5. INVESTIGATE — If IOCs are found, engage incident response immediately.

Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs)

F5 has published extensive IOCs and TTPs for detecting compromise. Organizations should scan for these indicators immediately using filesystem integrity checks, SIEM queries, and baseline comparisons.

File-Based IOCs

Suspicious Files Created:

  • /run/bigtlog.pipe — Common persistence mechanism observed in compromised systems
  • Unexpected executables in temporary directories (/tmp/, /var/tmp/)
  • Hidden files in root home directory (.ssh/authorized_keys, .history modifications)

Modified System Binaries:

  • /usr/bin/umount — Check for hash mismatches or unexpected size changes
  • /usr/sbin/httpd — Verify against F5's known-good binary hashes
  • /sbin/init.d/tmm* startup scripts — Look for injected commands or modified execution paths

Critical: sys-eicheck Modifications

  • F5 observed instances where the threat actor modified sys-eicheck, the BIG-IP system integrity checker
  • These modifications did not persist across reboots, but indicate persistence evasion attempts
  • Check modification timestamps and compare against known-good baseline

Log and Audit Trail IOCs

iControl REST API Access Patterns:

    # Look for unexpected localhost access to iControl REST API
    # Typically appears in /var/log/audit.log or /var/log/httpd/error_log
    POST /mgmt/shared/identified-devices/config/device-info
    POST /mgmt/shared/icrs/session
    POST /mgmt/tm/ltm/virtual
    POST /mgmt/tm/sys/file/

    # Reconnaissance queries (threat actor enumerating system):
    GET /mgmt/shared/identified-devices/config/device-info
    GET /mgmt/tm/sys/global-settings
    GET /mgmt/tm/sys/management-ip

Authentication Log Indicators:

  • Unexpected successful SSH authentication for root or tmadmin from localhost (127.0.0.1)
  • Multiple failed authentication attempts followed by success (brute-force patterns)
  • SSH sessions spawning unexpected child processes (e.g., /bin/bash, /bin/sh)

System Integrity Checker (sys-eicheck) Logs:

  • Missing or corrupted log entries during suspected compromise window
  • Gaps in logging (entries jump from time X to time Y+N hours)
  • sys-eicheck warnings about file hash mismatches not in maintenance window

Network-Based IOCs

Scanning Signature (Pre-Exploitation Reconnaissance):

    # This is what attackers are actively using to identify vulnerable systems:
    User-Agent: curl/7.*, wget, Python-requests/*, or custom scanner
    Method: GET
    Target: /mgmt/shared/identified-devices/config/device-info
    Response: 200 OK + JSON payload with device info
    Intent: Enumerate hostname, machine ID, base MAC address, software version
    # Indicators: Multiple requests from non-standard IP ranges in short time window

Command & Control (Post-Exploitation):

  • Outbound HTTPS connections to non-standard ports (8443, 9443, 443 with unusual SNI)
  • DNS queries for suspicious domains from BIG-IP appliance (not expected behavior)
  • Data exfiltration patterns: large sustained data transfers to external IPs
  • Reverse shell connections: outbound TCP to uncommon destination IPs/ports

SSH Key Injection:

  • Check /root/.ssh/authorized_keys for unexpected public keys
  • Check /home/tmadmin/.ssh/authorized_keys (APM service account)
  • Verify key timestamps align with known administrative activity
  • Compare against organizational SSH key inventory
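Comparing authorized_keys against an organizational key inventory is easiest when both sides speak in OpenSSH SHA256 fingerprints. The script below is an added example (not from the original post or from F5): it parses authorized_keys lines (including ones with leading options such as from= or no-pty), computes the SHA256 fingerprint of each key blob, checks that the key type embedded in the blob matches the declared type, and reports every key whose fingerprint is not in the inventory. The inventory dict and both sample keys are constructed here; the sample key material is dummy bytes in the OpenSSH wire layout, not real public keys.

```python
import base64
import hashlib

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4253 string encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_key_blob(key_type: str, key_material: bytes) -> str:
    """Build a base64 blob in the OpenSSH layout (type string first, then material).

    Only used to construct sample keys for this example; real blobs come from ssh-keygen.
    """
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(key_material)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield one record per non-comment line. Options before the key type are tolerated
    (an option value containing whitespace inside quotes would need a fuller parser)."""
    for lineno, raw_line in enumerate(text.splitlines(), 1):
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            yield {"line": lineno, "error": "no recognised key type/blob", "raw": line}
            continue
        key_type, blob = tokens[idx], tokens[idx + 1]
        try:
            raw = base64.b64decode(blob, validate=True)
            tlen = int.from_bytes(raw[:4], "big")
            embedded_type = raw[4:4 + tlen].decode(errors="replace")
        except Exception:
            yield {"line": lineno, "error": "undecodable key blob", "raw": line}
            continue
        yield {
            "line": lineno,
            "options": ",".join(tokens[:idx]),
            "type": key_type,
            "embedded_type": embedded_type,
            "fingerprint": fingerprint(blob),
            "comment": " ".join(tokens[idx + 2:]),
        }


def unexpected_keys(text: str, inventory: dict) -> list:
    """Return records for keys that are malformed, mislabelled, or absent from the inventory
    (inventory maps fingerprint -> owner description)."""
    findings = []
    for rec in parse_authorized_keys(text):
        if "error" in rec:
            findings.append(rec)
        elif rec["embedded_type"] != rec["type"]:
            findings.append({**rec, "reason": "declared type does not match blob"})
        elif rec["fingerprint"] not in inventory:
            findings.append({**rec, "reason": "fingerprint not in inventory"})
    return findings


# Constructed sample data: one key that the (constructed) inventory knows about, one it does not.
KEY_OPS = make_key_blob("ssh-ed25519", bytes(range(32)))
KEY_UNKNOWN = make_key_blob("ssh-ed25519", bytes(32))
INVENTORY = {fingerprint(KEY_OPS): "ops bastion (constructed CMDB record)"}
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample, as if read from /root/.ssh/authorized_keys
from="10.10.5.0/24",no-port-forwarding ssh-ed25519 {KEY_OPS} ops@bastion
ssh-ed25519 {KEY_UNKNOWN} backup@update-srv
"""

if __name__ == "__main__":
    for f in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, INVENTORY):
        print(f"line {f['line']}: {f.get('reason', f.get('error'))} "
              f"{f.get('fingerprint', '')} {f.get('comment', '')}")
```

Run the same check over /root/.ssh/authorized_keys and /home/tmadmin/.ssh/authorized_keys; the fingerprints it prints are in the same format as `ssh-keygen -lf`, so they can be matched directly against what your key inventory records.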

Process and Memory IOCs

Unexpected Process Activity:

Monitor for:

  • apmd spawning shell processes (/bin/bash, /bin/sh, /usr/bin/sh)
  • apmd executing binaries outside standard paths
  • apmd attempting to write to system directories (/usr/bin, /usr/sbin, /etc)
  • Child processes of apmd with unusual privilege levels

Memory Artifacts:

  • Core dumps or memory segments containing hardcoded credentials
  • Injected shellcode in apmd process memory
  • Abnormal memory consumption by apmd (potentially indicating persistence mechanism)

Threat Actor TTPs Observed

Initial Access (T1190 - Exploit Public-Facing Application)

  • Technique: Unauthenticated exploitation of CVE-2025-53521 on internet-exposed BIG-IP APM instances
  • Detection: Monitor for malformed traffic patterns to /mgmt/shared/ endpoints; correlate with apmd crashes or restarts
  • Timing: Scanning activity accelerated immediately after KEV listing on March 27, 2026

Persistence (T1547 - Boot or Logon Autostart Execution)

  • Technique: Modification of startup scripts and system initialization files
  • Evidence: Changes to /etc/init.d/, /etc/rc.d/, and systemd service files
  • Evasion: Threat actor modified sys-eicheck to avoid detection; modifications did not survive reboot, suggesting knowledge of integrity checking
  • Detection: Compare startup script hashes; monitor for non-persistent modifications during runtime

Privilege Escalation (T1134 - Access Token Manipulation)

  • Technique: Exploiting apmd running in elevated context to gain root access
  • Result: Full system compromise with ability to install persistent backdoors
  • Detection: Monitor for apmd process spawning unexpected children; track uid/gid transitions in process tree

Defense Evasion (T1027 - Obfuscated Files and Information)

  • Technique: Modifying sys-eicheck to blind integrity checks
  • Technique: Using legitimate management channels (iControl REST API) to avoid detection as anomalous traffic
  • Technique: Non-persistent modifications (reboot eliminates forensic evidence)
  • Detection: Compare runtime system state against known-good baseline; use forensic tools before reboot

Credential Access (T1056 - Input Capture)

  • Technique: Intercepting iControl REST API credentials in transit
  • Technique: Harvesting session tokens from BIG-IP APM processing
  • Technique: Accessing /etc/passwd and shadow files for offline cracking
  • Detection: Monitor for unexpected file reads of /etc/shadow, /etc/passwd; monitor HTTP traffic for credential patterns

Lateral Movement (T1570 - Lateral Tool Transfer)

  • Technique: Using compromised BIG-IP APM as pivot point to downstream systems
  • Technique: Extracting SSO tokens to impersonate users in downstream SaaS applications
  • Technique: Moving from management network into production segments
  • Detection: Monitor for unusual outbound connections from BIG-IP to internal/external systems; track token usage anomalies

Data Exfiltration (T1020 - Automated Exfiltration)

  • Technique: Copying configuration files (containing credentials and policy rules) to external systems
  • Technique: Harvesting logs and audit trails for operational intelligence
  • Technique: Extracting SSO tokens in bulk
  • Detection: Monitor outbound data volumes; flag sustained connections to suspicious destinations; implement DLP rules for credential patterns

Detection Queries (SIEM/Log Analysis)

Splunk - Detect API Reconnaissance

    index=f5_logs sourcetype=f5:bigip:audit "device-info"
    | stats count by src_ip, http_method, uri_path
    | where count > 5
    | sort - count

Splunk - Detect iControl REST API Activity from Unexpected Sources

    index=f5_logs sourcetype=f5:bigip:audit uri_path="/mgmt/*"
    | where src_ip NOT IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, <KNOWN_ADMIN_RANGES>)
    | table _time, src_ip, src_port, http_method, uri_path, http_status_code, username

Splunk - Detect SSH Key Additions

    index=f5_logs sourcetype=f5:bigip:audit (file="/root/.ssh/authorized_keys" OR file="/home/tmadmin/.ssh/authorized_keys")
    | where action="modified" OR action="created"
    | table _time, file, action, user, src_ip

Splunk - Detect apmd Process Anomalies

    index=f5_logs sourcetype=f5:bigip:process "apmd"
    | where parent_process!="tmm" AND parent_process!="init"
    | stats count by process_name, parent_process, command_line
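The apmd checks in the Process and Memory IOCs section and the Splunk process query above both reduce to walking the process tree. The Python script below is an added example (not from the original post, from F5 or from Hadrian) that does this over a constructed `ps -eo pid,ppid,comm,args` style listing: it flags apmd instances with a parent other than tmm/init (the Splunk filter; the expected parent set is an assumption), shells running anywhere under apmd, and any descendant of apmd whose executable lives outside the standard system directories. The sample process listing, including the /var/tmp path, is constructed for the example.

```python
import re

SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
STANDARD_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
# Mirrors the Splunk `parent_process!="tmm" AND parent_process!="init"` filter;
# which parent is normal on a given BIG-IP build is an assumption, verify on a
# known-clean appliance.
EXPECTED_APMD_PARENTS = {"tmm", "init", "systemd"}

# Constructed sample, shaped like `ps -eo pid,ppid,comm,args` output.
SAMPLE_PS = """\
  PID  PPID COMM     ARGS
    1     0 init     /sbin/init
  812     1 tmm      /usr/bin/tmm
  904     1 apmd     /usr/bin/apmd
 1201   904 sh       /bin/sh -c /var/tmp/.cache/update
 1202  1201 update   /var/tmp/.cache/update --daemon
 1203   904 apmd     /usr/bin/apmd --worker
  950     1 sshd     /usr/sbin/sshd -D
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_ps(text: str) -> dict:
    """Map pid -> process record; the header line has no leading digits and is skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, ppid, comm, args = int(m[1]), int(m[2]), m[3], m[4].strip()
        procs[pid] = {
            "pid": pid, "ppid": ppid, "comm": comm,
            "exe": args.split()[0] if args else "", "args": args,
        }
    return procs


def ancestors(procs: dict, pid: int) -> list:
    """Parent chain of pid, nearest first; stops at the root or on a cycle."""
    chain, seen, cur = [], {pid}, procs.get(pid)
    while cur and cur["ppid"] in procs and cur["ppid"] not in seen:
        cur = procs[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def find_apmd_anomalies(text: str) -> list:
    """Return (pid, reason) tuples for suspicious apmd parentage and apmd descendants."""
    procs = parse_ps(text)
    findings = []
    for p in procs.values():
        if p["comm"] == "apmd":
            parent = procs.get(p["ppid"])
            # apmd forking a worker from itself is fine; anything else unexpected is reported
            if parent and parent["comm"] not in EXPECTED_APMD_PARENTS | {"apmd"}:
                findings.append((p["pid"], f"apmd started by unexpected parent {parent['comm']}"))
            continue
        if not any(a["comm"] == "apmd" for a in ancestors(procs, p["pid"])):
            continue
        if p["comm"] in SHELLS:
            findings.append((p["pid"], f"shell spawned under apmd: {p['args']}"))
        elif not p["exe"].startswith(STANDARD_PREFIXES):
            findings.append((p["pid"], f"binary outside standard paths under apmd: {p['exe']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_apmd_anomalies(SAMPLE_PS):
        print(f"ALERT pid {pid}: {reason}")
```

Because the check walks the full ancestor chain rather than only direct children, a shell that launches a second-stage binary is caught at both levels, which is the pattern to look for when apmd is the entry point.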

Linux Shell (on-appliance) - Find IOCs

    # Check for suspicious pipes
    ls -la /run/bigtlog.pipe 2>/dev/null && echo "SUSPICIOUS FILE FOUND"

    # Verify binary hashes
    md5sum /usr/bin/umount /usr/sbin/httpd | grep -v "<KNOWN_GOOD_HASH>" && echo "BINARY MISMATCH DETECTED"

    # Check SSH authorized keys
    cat /root/.ssh/authorized_keys
    cat /home/tmadmin/.ssh/authorized_keys

    # Look for unexpected init.d modifications
    find /etc/init.d/ -newer /etc/init.d/tmm -type f

    # Check for recent user account creation
    lastlog | grep -E "^[a-z]{3,8}\s+[0-9]{5}" | head -20
