Overview
CVE-2025-53521 is a critical remote code execution vulnerability in F5 BIG-IP's Access Policy Manager (APM) module. When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can trigger arbitrary code execution on the affected appliance. The flaw carries a CVSS v3.1 score of 9.8 and a CVSS v4.0 score of 9.3, both rated CRITICAL.
CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalogue on March 27, 2026, confirming active exploitation in the wild. All organizations running BIG-IP APM across versions 15.1.0 through 17.5.1 should treat this as an emergency patching priority.
Technical Details
The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). When an APM access policy is active on a virtual server, the BIG-IP appliance fails to bound the resources consumed by certain crafted requests, producing a resource exhaustion condition that is reported to escalate to code execution. CWE-770 by itself describes an availability weakness, and the advisory summary does not spell out how unbounded allocation turns into code execution; do not read the vulnerability as denial of service only, since the published CVSS vectors rate confidentiality and integrity impact as High alongside availability.
Key characteristics of the vulnerability:
- Attack Vector: Network — remotely exploitable without local access
- Authentication Required: None — no credentials needed to trigger the vulnerability
- User Interaction: None required
- Attack Complexity: Low — does not require special conditions or race conditions
- Scope: Unchanged (S:U in the CVSS v3.1 vector); impact on confidentiality, integrity, and availability is each rated High
The F5 advisory (K000156741) confirms the flaw is triggered by malicious traffic directed at a virtual server with an APM access policy attached. The attack surface is therefore the data plane (the listener address of the APM-enabled virtual server), not the management interface, so exposure is determined by where those virtual servers are reachable from.
Affected Versions
| Product | Affected Versions |
|---|---|
| F5 BIG-IP (APM) | 15.1.0 – 17.5.1 |
| F5 BIG-IP (AFM) | 15.1.0 – 17.5.1 |
| F5 BIG-IP (ASM) | 15.1.0 – 17.5.1 |
| F5 BIG-IP (SSL Orchestrator) | 15.1.0 – 17.5.1 |
| F5 BIG-IP (Analytics) | 15.1.0 – 17.5.1 |
The table lists the module and version combinations F5 evaluated; the trigger condition is an APM access policy attached to a virtual server, so a device on an affected version with such a policy should be treated as vulnerable regardless of which other modules are provisioned. Versions that have reached End of Technical Support (EoTS) are not evaluated in the official CVSS scoring but remain vulnerable and should be upgraded immediately.
CVSS Score Breakdown
| Metric | CVSS v3.1 | CVSS v4.0 |
|---|---|---|
| Base Score | 9.8 Critical | 9.3 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Attack Requirements | n/a | None |
| Privileges Required | None | None |
| User Interaction | None | None |
| Confidentiality Impact | High | High (vulnerable system) |
| Integrity Impact | High | High (vulnerable system) |
| Availability Impact | High | High (vulnerable system) |
| Scope / Subsequent System | Unchanged | None (SC:N/SI:N/SA:N) |
| Weakness (not a CVSS metric) | CWE-770 | CWE-770 |
Active Exploitation
CISA's addition to the KEV catalogue on March 27, 2026 confirms that threat actors are actively exploiting this vulnerability in production environments. BIG-IP appliances are high-value targets — they are widely deployed as load balancers, application delivery controllers, and security devices in enterprise, government, and critical infrastructure networks.
Given the zero-authentication requirement and network-accessible attack surface, this vulnerability is particularly dangerous for any BIG-IP deployment where APM access policies are in use on internet-facing virtual servers.
Patch & Mitigation
Primary remediation: Apply the patch referenced in F5 Security Advisory K000156741 immediately.
Interim mitigations if immediate patching is not possible:
- Restrict network access to virtual servers with APM policies configured (source-address restrictions on the listener, upstream firewall rules, or VPN-only reachability). Locking down the management interface remains good hygiene but does not address this flaw, which is triggered through data-plane traffic.
- Audit APM access policies and temporarily disable or restrict those on internet-facing virtual servers until patching is complete.
- If AFM is licensed, apply an AFM policy to APM virtual servers that allows only expected source ranges. No traffic signature for the trigger is published in the advisory, so allow-listing sources is more dependable than attempting to match the malicious requests themselves.
- Monitor /var/log/ltm and the core-file directory (/shared/core) for Traffic Management Microkernel (TMM) crashes, restarts, or unexpected process activity; a TMM core dump on a device serving APM traffic is a strong signal that the flaw has been triggered, whether by an attacker or by a scanner.
- Segment management networks to limit the blast radius if exploitation occurs.
Recommendations
Organizations using F5 BIG-IP with APM policies enabled should:
- Patch immediately using the fix provided in F5 advisory K000156741
- Review BIG-IP deployment posture — verify which virtual servers have APM access policies attached and assess their internet exposure
- Investigate any anomalous behaviour on BIG-IP appliances that occurred prior to patching, including unexpected reboots or session anomalies
- Subscribe to F5 security advisories at my.f5.com for ongoing vulnerability notifications
- Report exploitation indicators to CISA if active exploitation is detected in your environment
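The posture review above (verify which virtual servers carry an APM access policy, assess their exposure, and confirm whether the running version is in the affected range) is mechanical enough to script. The following is an added example, not code from F5 or from this advisory. It parses the text of `tmsh list ltm virtual` and `tmsh list apm profile access` (copy the output off the appliance, or feed it in over SSH) and reports every virtual server that has an access profile attached, flagging those whose listener address is outside RFC 1918 space or is the 0.0.0.0 wildcard. The configuration snippets embedded below are constructed for illustration; the "exposed" heuristic, the address ranges treated as internal, and the version bounds are assumptions taken from this page, and whether a particular point release already contains the fix must still be checked against the fix table in K000156741.

```python
"""Inventory BIG-IP virtual servers that carry an APM access profile and
check the running version against the affected range stated on this page.
Example code; samples below are constructed, not real configuration."""
import re
from ipaddress import ip_address, ip_network

# Affected range as listed on this page (15.1.0 - 17.5.1). Point releases such
# as 17.5.1.x are compared on the first three fields only; consult the advisory
# fix table for the exact fixed builds, which this script does not encode.
AFFECTED_MIN = (15, 1, 0)
AFFECTED_MAX = (17, 5, 1)

# Assumed "internal" address space; anything else, plus the wildcard listener,
# is reported as potentially reachable from outside.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]


def parse_version(version: str) -> tuple:
    """'17.1.1.3' -> (17, 1, 1, 3)."""
    return tuple(int(p) for p in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if major.minor.maint falls inside the affected range."""
    v = parse_version(version)[:3]
    v = v + (0,) * (3 - len(v))
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def top_level_blocks(text: str, prefix: str):
    """Yield (name, stripped body lines) for each 'prefix NAME { ... }' block."""
    depth, name, body = 0, None, []
    for line in text.splitlines():
        s = line.strip()
        if depth == 0:
            m = re.match(r"^" + re.escape(prefix) + r"\s+(\S+)\s*\{\s*$", s)
            if m:
                name, body, depth = m.group(1), [], 1
            continue
        depth += s.count("{") - s.count("}")
        if depth == 0:
            yield name, body
        else:
            body.append(s)


def profiles_of(body) -> list:
    """Names listed directly inside the virtual server's 'profiles { }' stanza."""
    names, depth = [], 0
    for s in body:
        if depth == 0:
            if re.match(r"^profiles\s*\{", s):
                depth = 1
            continue
        if depth == 1:
            m = re.match(r"^(/\S+)\s*\{", s)
            if m:
                names.append(m.group(1))
        depth += s.count("{") - s.count("}")
        if depth == 0:
            break
    return names


def split_destination(dest: str):
    """'/Common/203.0.113.10:443' -> ('203.0.113.10', 443).
    tmsh writes IPv6 listeners as 'addr.port'; a '%N' route-domain suffix is dropped."""
    addr = dest.rsplit("/", 1)[-1]
    sep = "." if addr.count(":") > 1 else ":"
    host, _, port = addr.rpartition(sep)
    return host.split("%")[0], int(port)


def is_exposed(host: str) -> bool:
    ip = ip_address(host)
    if ip.is_unspecified:          # 0.0.0.0 or :: wildcard listener
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def audit(virtual_text: str, access_text: str) -> list:
    """One record per virtual server that has an APM access profile attached."""
    access_profiles = {n for n, _ in top_level_blocks(access_text, "apm profile access")}
    findings = []
    for name, body in top_level_blocks(virtual_text, "ltm virtual"):
        attached = [p for p in profiles_of(body) if p in access_profiles]
        if not attached:
            continue
        dest = next((s.split(None, 1)[1] for s in body if s.startswith("destination ")), "")
        host, port = split_destination(dest)
        findings.append({"virtual": name, "host": host, "port": port,
                         "access_profiles": attached, "exposed": is_exposed(host)})
    return findings


# Constructed sample output (not from a real device). 203.0.113.0/24 is a
# documentation range standing in for a public address.
SAMPLE_ACCESS_PROFILES = """\
apm profile access /Common/portal_access {
    app-service none
}
apm profile access /Common/intranet_access {
    app-service none
}
"""
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_portal {
    destination /Common/203.0.113.10:443
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/portal_access { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
ltm virtual /Common/vs_intranet {
    destination /Common/10.20.30.40:443
    profiles {
        /Common/http { }
        /Common/intranet_access { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_plain {
    destination /Common/203.0.113.20:80
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
"""

if __name__ == "__main__":
    print("version 17.1.1.3 affected:", is_affected("17.1.1.3"))
    for f in audit(SAMPLE_VIRTUALS, SAMPLE_ACCESS_PROFILES):
        flag = "EXPOSED" if f["exposed"] else "internal"
        print(f"{f['virtual']} {f['host']}:{f['port']} {flag} {f['access_profiles']}")
```

Only virtual servers with an access profile are reported; vs_plain in the sample is skipped even though it is on a public address, because without an APM policy it does not meet the trigger condition described above. A virtual server flagged EXPOSED on an affected version is the one to patch or take offline first.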
BIG-IP devices form a critical part of many organizations' network security perimeters. Compromise of a BIG-IP appliance can enable attackers to intercept, manipulate, or redirect traffic across the entire application delivery infrastructure.